Merge pull request #1 from Lirt/initial-implementation

Initial implementation

.github/workflows/release.yaml

@@ -0,0 +1,29 @@
+---
+name: release
+run-name: Release new tagged version
+on:
+  push:
+    tags:
+    - 'v[0-9]+.[0-9]+.[0-9]+*'
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build and push Docker image
+        uses: docker/[email protected]
+        with:
+          push: true
+          tags: "lirt/k8s-secret-replicator:${{ github.ref_name }}"
+          file: "docker/Dockerfile"
+          platforms: "linux/amd64,linux/arm,linux/arm64"
+          no-cache: true
+          build-args: |
+            VERSION=${{ github.ref_name }}
+            GIT_SHA=${{ github.sha }}

.github/workflows/tests.yaml

@@ -0,0 +1,46 @@
+---
+name: Tests
+on: [pull_request]
+jobs:
+  lint:
+    name: "Linters (go v${{ matrix.go-version }})"
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        go-version: [ '1.20' ]
+    steps:
+      - name: Checkout k8s-secret-replicator
+        uses: actions/checkout@v3
+      - name: Setup Go ${{ matrix.go-version }}
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Check formatting
+        run: |
+          test -z $(gofmt -l -s ./)
+      - name: Check go vet
+        run: |
+          go vet ./...
+      - name: Verify dependencies
+        run: |
+          go mod verify
+      - name: Check if plugin can be built
+        run: |
+          go build -v .
+  unit-test:
+    name: "Unit tests (go v${{ matrix.go-version }})"
+    needs: lint
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        go-version: [ '1.20' ]
+    steps:
+      - name: Checkout k8s-secret-replicator
+        uses: actions/checkout@v3
+      - name: Setup Go ${{ matrix.go-version }}
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Run unit tests
+        run: |
+          go test -v ./...

.gitignore

@@ -19,3 +19,6 @@
 
 # Go workspace file
 go.work
+
+bin
+k8s-secret-replicator

Dockerfile

@@ -0,0 +1,43 @@
+# syntax = docker/dockerfile:1.3
+FROM --platform=$BUILDPLATFORM golang:1.20-alpine AS builder
+
+ARG REPOSITORY=Lirt
+ARG PLUGIN=k8s-secret-replicator
+ARG PKG=github.com/Lirt/k8s-secret-replicator
+ARG VERSION=0.0.0
+ARG GIT_SHA=nil
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+ARG GOOS=linux
+ARG GOARCH=amd64
+
+ENV GOOS=${TARGETOS}
+ENV GOARCH=${TARGETARCH}
+ENV GOARM=${TARGETVARIANT}
+
+ENV GOPROXY=https://proxy.golang.org
+
+
+WORKDIR /build
+COPY . .
+
+RUN \
+  export GOARM=$( echo "${GOARM}" | cut -c2-) && \
+  CGO_ENABLED=0 \
+    go build \
+	-ldflags "-s -w" \
+	-o bin/k8s-secret-replicator \
+	.
+
+# Use distroless as minimal base image to package the k8s-secret-replicator binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+
+COPY --from=builder /build/bin/k8s-secret-replicator ./k8s-secret-replicator
+
+USER 65532
+ENTRYPOINT [ "/k8s-secret-replicator" ]

README.md

@@ -1,2 +1,68 @@
-# k8s-secret-replicator
+# K8s Secret Replicator
+
 K8s Secret Replicator is used to replicate one source secret to all namespaces in a Kubernetes cluster.
+
+This is useful for example for replicating image pull secret to all namespaces without knowing which namespaces will exist in advance.
+
+When content of source secret is changed, secrets with the same name will also be updated in all namespaces.
+
+## Usage
+
+First create or prepare docker-registry secret. Here is example:
+```bash
+kubectl create secret \
+               docker-registry \
+               my-secret-to-replicate \
+               --docker-server=https://index.docker.io/v1/ \
+               --docker-username=user \
+               --docker-password=password
+```
+
+### Production
+
+Install via helm chart or use your favorite continuous deployment tool:
+
+```bash
+helm upgrade \
+     --install \
+     --create-namespace \
+     --version 0.1.0 \
+     --namespace kube-system \
+     --set app.sourceSecretName=my-secret-to-replicate \
+     --set app.sourceSecretNamespace=kube-system \
+     --wait \
+     k8s-secret-replicator \
+     chart
+```
+
+Official image is built and pushed to dockerhub https://hub.docker.com/repository/docker/lirt/k8s-secret-replicator/.
+
+### Development
+
+In production in-cluster config will be consumed. For testing you can set kubeconfig to point to a cluster where you want to test it.
+
+```bash
+export KUBECONFIG="~/.kube/configs/my-awesome-cluster.yaml"
+export SOURCE_SECRET_NAME=my-secret-to-replicate
+export SOURCE_SECRET_NAMESPACE=kube-system
+go run main.go
+```
+
+## Build
+
+### Go
+
+```bash
+go build
+```
+
+### Docker
+
+```bash
+docker buildx build \
+              --platform linux/amd64,linux/arm,linux/arm64 \
+              --tag lirt/k8s-secret-replicator:v0.1.0 \
+              --no-cache \
+              --push \
+              .
+```

chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: k8s-secret-replicator
+description: Secret Replicator is used to replicate one source secret to all namespaces in a Kubernetes cluster.
+type: application
+version: 0.1.0
+appVersion: "0.1.0"

chart/templates/_helpers.tpl

@@ -0,0 +1,73 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "k8s-secret-replicator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "k8s-secret-replicator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "k8s-secret-replicator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "k8s-secret-replicator.labels" -}}
+helm.sh/chart: {{ include "k8s-secret-replicator.chart" . }}
+{{ include "k8s-secret-replicator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "k8s-secret-replicator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "k8s-secret-replicator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "k8s-secret-replicator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "k8s-secret-replicator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Template image tag.
+*/}}
+{{- define "image-template" }}
+{{- if .repository -}}
+{{- printf "%s/%s/%s:%s" (required (printf "missing %s.%s" . .registry) (trimSuffix "/" .registry)) (trimAll "/" .repository) (required (printf "missing %s.%s" . .name) (trimAll "/" .name)) (required (printf "missing %s.%s" . .tag) .tag) }}
+{{- else -}}
+{{- printf "%s/%s:%s" (required (printf "missing %s.%s" . .registry) (trimSuffix "/" .registry)) (required (printf "missing %s.%s" . .name) (trimAll "/" .name)) (required (printf "missing %s.%s" . .tag) .tag) }}
+{{- end }}
+{{- end }}

chart/templates/deployment.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "k8s-secret-replicator.fullname" . }}
+  labels:
+    {{- include "k8s-secret-replicator.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "k8s-secret-replicator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "k8s-secret-replicator.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "k8s-secret-replicator.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: '{{ include "image-template" .Values.image }}'
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+          - name: SOURCE_SECRET_NAME
+            value: {{ required "Please specify app.sourceSecretName to tell replicator how to identify source secret" .Values.app.sourceSecretName }}
+          - name: SOURCE_SECRET_NAMESPACE
+            value: {{ required "Please specify app.sourceSecretNamespace to tell replicator how to identify source secret" .Values.app.sourceSecretNamespace }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}