dodopizza · vitalyu · Apr 30, 2024 · Apr 30, 2024 · Apr 30, 2024 · Apr 30, 2024
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -0,0 +1,64 @@
+FROM mcr.microsoft.com/devcontainers/go:1-1.22-bookworm
+
+USER root
+
+# must be amd64 or arm64
+ARG TARGETARCH
+
+# BASE
+RUN apt update && apt install -y git jq make unzip
+
+# YQ
+RUN cd /tmp && \
+  version=4.35.2 && \
+  curl -L --output /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/v${version}/yq_linux_${TARGETARCH} && \
+  chmod +x /usr/local/bin/yq
+
+# DOCKER-CLI
+RUN cd /tmp && \
+  version=24.0.6 && \
+  arch=${TARGETARCH} && \
+  [ "$arch" = "arm64" ] && arch="aarch64"; \
+  [ "$arch" = "amd64" ] && arch="x86_64"; \
+  curl -L https://download.docker.com/linux/static/stable/${arch}/docker-${version}.tgz | tar xz && \
+  mv docker/docker /usr/local/bin/
+
+# KUBECTL
+RUN cd /tmp && \
+  curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${TARGETARCH}/kubectl" && \
+  chmod +x kubectl && mv kubectl /usr/local/bin/
+
+## KUBELOGIN
+RUN cd /tmp && \
+    version=0.0.33 && \
+    curl -L https://github.com/Azure/kubelogin/releases/download/v${version}/kubelogin-linux-${TARGETARCH}.zip > ./kubelogin-linux-${TARGETARCH}.zip && \
+    unzip /tmp/kubelogin-linux-${TARGETARCH}.zip && \
+    mv /tmp/bin/linux_${TARGETARCH}/kubelogin /usr/local/bin
+
+# HELM
+RUN cd /tmp && \
+  version=3.14.0 && \
+  curl -L https://get.helm.sh/helm-v${version}-linux-${TARGETARCH}.tar.gz | tar xz && \
+  mv linux-${TARGETARCH}/helm /usr/local/bin/helm
+
+# KIND
+RUN cd /tmp && \
+  version=0.20.0 && \
+  curl -Lo ./kind https://kind.sigs.k8s.io/dl/v${version}/kind-linux-${TARGETARCH} && \
+  chmod +x ./kind && mv ./kind /usr/local/bin/
+
+# KREW
+RUN cd /tmp && \
+  version=0.4.4 && \
+  curl -L https://github.com/kubernetes-sigs/krew/releases/download/v${version}/krew-linux_${TARGETARCH}.tar.gz | tar xz && \
+  mv krew-linux_${TARGETARCH} /usr/local/bin/kubectl-krew && \
+  echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> $HOME/.bashrc
+
+# KREW PLUGINS
+RUN kubectl krew install ctx ns
+
+# K9S
+RUN cd /tmp && \
+  version=0.27.4 && \
+  curl -L https://github.com/derailed/k9s/releases/download/v${version}/k9s_Linux_${TARGETARCH}.tar.gz | tar xz && \
+  mv k9s /usr/local/bin/
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,22 @@
+{
+	"name": "infra.k8s.external-secrets",
+	"image": "ghcr.io/dodopizza/infra.k8s.external-secrets-devcontainer:latest",
+	"runArgs": [
+		"--pull=always"
+	],
+	"mounts": [
+		"source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind",
+		"source=${env:HOME}${env:USERPROFILE}/.kube,target=/usr/local/share/kube-localhost,type=bind,readonly"
+	],
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"ms-azuretools.vscode-docker",
+				"ms-kubernetes-tools.vscode-kubernetes-tools"
+			],
+			"settings": {}
+		}
+	},
+	"remoteUser": "root",
+	"postAttachCommand": ".devcontainer/post-command.sh"
+}
diff --git a/.devcontainer/post-command.sh b/.devcontainer/post-command.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -eu
+
+CYAN='\033[0;36m'
+NC='\033[0m'
+function log() { echo -e "${CYAN}${1}${NC}"; }
+
+function prepare_kube_config_from_host() {
+  # https://github.com/microsoft/vscode-dev-containers/blob/main/containers/kubernetes-helm/.devcontainer/copy-kube-config.sh
+  log '[~] Prepare .kube/config'
+  if [ -d "/usr/local/share/kube-localhost" ]; then
+    mkdir -p $HOME/.kube
+    cp -r /usr/local/share/kube-localhost/* $HOME/.kube
+    chown -R $(id -u) $HOME/.kube
+    # for internal kind cluster
+    sed -i -e "s/localhost/host.docker.internal/g" $HOME/.kube/config
+    sed -i -e "s/127.0.0.1/host.docker.internal/g" $HOME/.kube/config
+    # set insecure for remote clusters
+    yq e '.clusters[].cluster."insecure-skip-tls-verify" = true' -i $HOME/.kube/config
+    yq e 'del(.clusters[].cluster."certificate-authority-data")' -i $HOME/.kube/config
+  fi
+}
+
+if [ -d "$HOME/.kube" ]; then
+  log "[-] Kube config presents. Skip."
+else
+  read -p "Copy kube config from host? [y/n]" -n 1 -r
+  echo
+  [[ $REPLY =~ ^[Yy]$ ]] && prepare_kube_config_from_host
+fi
+
+log '[.] Done\n'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,9 +3,9 @@ name: CI
 on:
   push:
     branches:
-      - main
-      - release-*
-  pull_request: {}
+      - dodo
+      # - release-*
+  # pull_request: {}
 
 env:
   # Common versions
@@ -138,6 +138,7 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
     uses: ./.github/workflows/publish.yml
     permissions:
+      packages: write
       id-token: write
       contents: read
     strategy:
@@ -148,16 +149,16 @@ jobs:
           build-arch: "amd64 arm64 s390x"
           build-platform: "linux/amd64,linux/arm64,linux/s390x"
           tag-suffix: "" # distroless
-        - dockerfile: "Dockerfile.ubi"
-          build-args: "CGO_ENABLED=0"
-          build-arch: "amd64 arm64"
-          build-platform: "linux/amd64,linux/arm64"
-          tag-suffix: "-ubi"
-        - dockerfile: "Dockerfile.ubi"
-          build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto"
-          build-arch: "amd64"
-          build-platform: "linux/amd64"
-          tag-suffix: "-ubi-boringssl"
+        # - dockerfile: "Dockerfile.ubi"
+        #   build-args: "CGO_ENABLED=0"
+        #   build-arch: "amd64 arm64"
+        #   build-platform: "linux/amd64,linux/arm64"
+        #   tag-suffix: "-ubi"
+        # - dockerfile: "Dockerfile.ubi"
+        #   build-args: "CGO_ENABLED=0 GOEXPERIMENT=boringcrypto"
+        #   build-arch: "amd64"
+        #   build-platform: "linux/amd64"
+        #   tag-suffix: "-ubi-boringssl"
     with:
       dockerfile: ${{ matrix.dockerfile }}
       tag-suffix: ${{ matrix.tag-suffix }}
@@ -167,6 +168,6 @@ jobs:
       build-arch: ${{ matrix.build-arch }}
       ref: ${{ github.ref }}
     secrets:
-      GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
-      GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+      GHCR_USERNAME: ${{ github.actor }}
+      GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
diff --git a/.github/workflows/devcontainer.yaml b/.github/workflows/devcontainer.yaml
@@ -0,0 +1,44 @@
+name: Build DevContainer image
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - dodo
+    paths:
+      - ".devcontainer/**"
+
+jobs:
+  push:
+    name: Build DevContainer image
+    runs-on: ubuntu-latest
+    env:
+      DEVCONTAINER_IMAGE_TAG: v0.1
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push (for main branch)
+        uses: docker/build-push-action@v4
+        with:
+          file: ".devcontainer/Dockerfile"
+          push: true
+          tags: >
+            ghcr.io/${{ github.repository }}-devcontainer:latest,
+            ghcr.io/${{ github.repository }}-devcontainer:${{ env.DEVCONTAINER_IMAGE_TAG }}
+          platforms: |
+            linux/arm64
+            linux/amd64
+      - name: Output image tags
+        run: |
+          echo "## Built images with the following tags" >> $GITHUB_STEP_SUMMARY
+          echo "### ghcr.io/${{ github.repository }}-devcontainer:latest" >> $GITHUB_STEP_SUMMARY
+          echo "### ghcr.io/${{ github.repository }}-devcontainer:${{ env.DEVCONTAINER_IMAGE_TAG }}" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -3,8 +3,8 @@ name: Deploy Docs
 on:
   push:
     branches:
-      - main
-      - release-*
+      - dodo
+      # - release-*
 
 permissions:
   contents: read

diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml
@@ -3,15 +3,15 @@ name: Helm
 on:
   push:
     branches:
-      - main
-      - release-*
-    paths:
-      - 'deploy/charts/**'
-      - 'deploy/crds/**'
-  pull_request:
+      - dodo
+      # - release-*
     paths:
       - 'deploy/charts/**'
       - 'deploy/crds/**'
+  # pull_request:
+  #   paths:
+  #     - 'deploy/charts/**'
+  #     - 'deploy/crds/**'
   workflow_dispatch: {}
 
 permissions:
@@ -97,9 +97,9 @@ jobs:
       #     echo "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
-        if: |
-          github.ref == 'refs/heads/main' ||
-          startsWith(github.ref, 'refs/heads/release-')
+        # if: |
+        #   github.ref == 'refs/heads/main' ||
+        #   startsWith(github.ref, 'refs/heads/release-')
         env:
           ## Temporarily removing - This is making the release break
           # CR_KEY: external-secrets <external-secrets@external-secrets.io>

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,35 +21,33 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.inputs.source_ref }}
+      # - name: Checkout
+      #   uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      #   with:
+      #     fetch-depth: 0
+      #     ref: ${{ github.event.inputs.source_ref }}
 
       - name: Create Release
         uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
         with:
           tag_name: ${{ github.event.inputs.version }}
-          target_commitish: ${{ github.event.inputs.source_ref }}
-          generate_release_notes: true
+          target_commitish: ${{ github.ref_name }}
+          # generate_release_notes: true
           body: |
             Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}`
-            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi`
-            Image: `${{ env.IMAGE_NAME }}:${{ github.event.inputs.version }}-ubi-boringssl`
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
-      - name: Configure Git
-        run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+      # - name: Configure Git
+      #   run: |
+      #     git config user.name "$GITHUB_ACTOR"
+      #     git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
-      - name: Update Docs
-        if: github.ref == 'refs/heads/main'
-        run: make docs.publish DOCS_VERSION=${{ github.event.inputs.version }} DOCS_ALIAS=latest
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+      # - name: Update Docs
+      #   if: github.ref == 'refs/heads/dodo'
+      #   run: make docs.publish DOCS_VERSION=${{ github.event.inputs.version }} DOCS_ALIAS=latest
+      #   env:
+      #     GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
   promote:
     name: Promote Container Image
@@ -58,10 +56,9 @@ jobs:
       matrix:
         include:
         - tag_suffix: "" # distroless image
-        - tag_suffix: "-ubi" # ubi image
-        - tag_suffix: "-ubi-boringssl" # ubi image
 
     permissions:
+      packages: write
       id-token: write
       contents: write
 
@@ -89,8 +86,8 @@ jobs:
         uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
           registry: ghcr.io
-          username: ${{ secrets.GHCR_USERNAME }}
-          password: ${{ secrets.GHCR_TOKEN }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Promote Container Image
         run: make docker.promote
@@ -108,8 +105,8 @@ jobs:
         with:
           image-name: ${{ env.IMAGE_NAME }}
           image-tag: ${{ env.RELEASE_TAG }}
-          GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
-          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+          GHCR_USERNAME: ${{ github.actor }}
+          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Update Release

diff --git a/.gitignore b/.gitignore
@@ -11,6 +11,9 @@ cover.out
 # ignore ide files (debug config etc...)
 /.vscode
 /.idea
+__debug_bin*
+.history
+localtest
 
 # helm chart dependencies
 **/charts/*.tgz

diff --git a/apis/externalsecrets/v1alpha1/secretstore_yandexlockbox_types.go b/apis/externalsecrets/v1alpha1/secretstore_yandexlockbox_types.go
@@ -34,6 +34,10 @@ type YandexLockboxProvider struct {
 	// +optional
 	APIEndpoint string `json:"apiEndpoint,omitempty"`
 
+	// If provided sets the ability to get secrets by its name in the specified folder
+	// +optional
+	FolderID string `json:"folderID,omitempty"`
+
 	// Auth defines the information necessary to authenticate against Yandex Lockbox
 	Auth YandexLockboxAuth `json:"auth"`
 

diff --git a/apis/externalsecrets/v1beta1/secretstore_yandexcertificatemanager_types.go b/apis/externalsecrets/v1beta1/secretstore_yandexcertificatemanager_types.go
@@ -34,6 +34,10 @@ type YandexCertificateManagerProvider struct {
 	// +optional
 	APIEndpoint string `json:"apiEndpoint,omitempty"`
 
+	// If provided sets the ability to get secrets by its name in the specified folder
+	// +optional
+	FolderID string `json:"folderID,omitempty"`
+
 	// Auth defines the information necessary to authenticate against Yandex Certificate Manager
 	Auth YandexCertificateManagerAuth `json:"auth"`
 

diff --git a/apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types.go b/apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types.go
@@ -34,6 +34,10 @@ type YandexLockboxProvider struct {
 	// +optional
 	APIEndpoint string `json:"apiEndpoint,omitempty"`
 
+	// If provided sets the ability to get secrets by its name in the specified folder
+	// +optional
+	FolderID string `json:"folderID,omitempty"`
+
 	// Auth defines the information necessary to authenticate against Yandex Lockbox
 	Auth YandexLockboxAuth `json:"auth"`