mirror of
				https://github.com/1Password/onepassword-operator.git
				synced 2025-10-24 16:30:47 +00:00 
			
		
		
		
	Compare commits
	
		
			94 Commits
		
	
	
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|   | 5ccb0d88bb | ||
|   | 3f52bb2840 | ||
|   | 7650aef60a | ||
|   | 63e3f29be9 | ||
|   | 49bc9cb329 | ||
|   | a5e4a352e9 | ||
|   | edde903759 | ||
|   | 03b093ac17 | ||
|   | 79ee171b7f | ||
|   | c9a8cc6fb8 | ||
|   | a390354100 | ||
|   | de62e07bcf | ||
|   | 3ebc536dd7 | ||
|   | 6769e25a98 | ||
|   | d8734c9ae3 | ||
|   | 460742869b | ||
|   | 35e476230c | ||
|   | 0f56cab693 | ||
|   | a1ab24f244 | ||
|   | 13e4b16846 | ||
|   | 3a9691576a | ||
|   | 94602ddd72 | ||
|   | 292c6f0e93 | ||
|   | 0f1293ca95 | ||
|   | 706ebdd8b8 | ||
|   | bd963bcd1d | ||
|   | bf6cac81cb | ||
|   | 9c4849ec2e | ||
|   | c2788770fd | ||
|   | 6baef1b9cf | ||
|   | 7e08158d2f | ||
|   | 976909c438 | ||
|   | e61ba49018 | ||
|   | 6492b3cf34 | ||
|   | 9d08bcc864 | ||
|   | f7f5462133 | ||
|   | 128954cd80 | ||
|   | a1cbd40f9e | ||
|   | d75a33d524 | ||
|   | b1b6c97a88 | ||
|   | 0c3caf88b6 | ||
|   | 24edff22d4 | ||
|   | 8c893270f4 | ||
|   | d5f1044571 | ||
|   | b40f27b052 | ||
|   | cd03a651ad | ||
|   | 9aac824066 | ||
|   | 05ad484bd6 | ||
|   | 71b29d5fe6 | ||
|   | c082f9562e | ||
|   | 57478247cf | ||
|   | 4836140f66 | ||
|   | 2b36f16940 | ||
|   | bb97134e10 | ||
|   | 904d269e7b | ||
|   | cf9b267eaf | ||
|   | 4d64beab86 | ||
|   | ca051a08cf | ||
|   | 22a7c8f586 | ||
|   | 2003d13788 | ||
|   | 7187f41ef1 | ||
|   | d0b11c70f0 | ||
|   | 9825cb57c9 | ||
|   | 6bb6088353 | ||
|   | 5a56fd3330 | ||
|   | dcd7eefac0 | ||
|   | 29b7ed7899 | ||
|   | 331e8d7bfb | ||
|   | c144bd3d01 | ||
|   | 299689fe13 | ||
|   | 882d8e951d | ||
|   | 7885ba649b | ||
|   | 600adf2670 | ||
|   | 88b2dfbf67 | ||
|   | e167db2357 | ||
|   | 91a9bb6d63 | ||
|   | 116c8c92a7 | ||
|   | 4307e9d713 | ||
|   | 1759055edd | ||
|   | c1e9934088 | ||
|   | 19b629f2ee | ||
|   | 174f952691 | ||
|   | f8704223c8 | ||
|   | 5630d788a2 | ||
|   | d504e5ef35 | ||
|   | 7d2596a4aa | ||
|   | f6b267726d | ||
|   | bf8c1291b2 | ||
|   | cd504ec7df | ||
|   | cabc020cc6 | ||
|   | 4deb27b853 | ||
|   | 75e24e9e47 | ||
|   | 583b8251d8 | ||
|   | 285066139f | 
							
								
								
									
										25
									
								
								.devcontainer/devcontainer.json
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										25
									
								
								.devcontainer/devcontainer.json
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,25 @@ | ||||
| { | ||||
|   "name": "Kubebuilder DevContainer", | ||||
|   "image": "docker.io/golang:1.24", | ||||
|   "features": { | ||||
|     "ghcr.io/devcontainers/features/docker-in-docker:2": {}, | ||||
|     "ghcr.io/devcontainers/features/git:1": {} | ||||
|   }, | ||||
|  | ||||
|   "runArgs": ["--network=host"], | ||||
|  | ||||
|   "customizations": { | ||||
|     "vscode": { | ||||
|       "settings": { | ||||
|         "terminal.integrated.shell.linux": "/bin/bash" | ||||
|       }, | ||||
|       "extensions": [ | ||||
|         "ms-kubernetes-tools.vscode-kubernetes-tools", | ||||
|         "ms-azuretools.vscode-docker" | ||||
|       ] | ||||
|     } | ||||
|   }, | ||||
|  | ||||
|   "onCreateCommand": "bash .devcontainer/post-install.sh" | ||||
| } | ||||
|  | ||||
							
								
								
									
										23
									
								
								.devcontainer/post-install.sh
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										23
									
								
								.devcontainer/post-install.sh
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,23 @@ | ||||
| #!/bin/bash | ||||
| set -x | ||||
|  | ||||
| curl -Lo ./kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64 | ||||
| chmod +x ./kind | ||||
| mv ./kind /usr/local/bin/kind | ||||
|  | ||||
| curl -L -o kubebuilder https://go.kubebuilder.io/dl/latest/linux/amd64 | ||||
| chmod +x kubebuilder | ||||
| mv kubebuilder /usr/local/bin/ | ||||
|  | ||||
| KUBECTL_VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt) | ||||
| curl -LO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl" | ||||
| chmod +x kubectl | ||||
| mv kubectl /usr/local/bin/kubectl | ||||
|  | ||||
| docker network create -d=bridge --subnet=172.19.0.0/24 kind | ||||
|  | ||||
| kind version | ||||
| kubebuilder version | ||||
| docker --version | ||||
| go version | ||||
| kubectl version --client | ||||
							
								
								
									
										17
									
								
								.github/pull_request_template.md
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								.github/pull_request_template.md
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,17 @@ | ||||
| ### ✨ Summary | ||||
| <!-- What does this change do? --> | ||||
|  | ||||
| <!-- What issue does it resolve? --> | ||||
| ### 🔗 Resolves: | ||||
|  | ||||
| ### ✅ Checklist | ||||
| - [ ] 🖊️ Commits are signed | ||||
| - [ ] 🧪 Tests added/updated: _(See the [Testing Guide](docs/testing.md) for when to use each type and how to run them)_ | ||||
|   - [ ] 🔹 Unit | ||||
|   - [ ] 🔸 Integration | ||||
|   - [ ] 🌐 E2E (Connect) | ||||
|   - [ ] 🔑 E2E (Service Account) | ||||
| - [ ] 📚 Docs updated (if behavior changed) | ||||
|  | ||||
| ### 🕵️ Review Notes & ⚠️ Risks | ||||
| <!-- Notes for reviewers, flags, feature gates, rollout considerations, etc. --> | ||||
							
								
								
									
										25
									
								
								.github/workflows/build.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										25
									
								
								.github/workflows/build.yml
									
									
									
									
										vendored
									
									
								
							| @@ -1,21 +1,22 @@ | ||||
| name: Build and Test | ||||
| on: [push, pull_request] | ||||
| name: Build | ||||
|  | ||||
| on: | ||||
|   push: | ||||
|     branches: [main] | ||||
|   pull_request: | ||||
|  | ||||
| jobs: | ||||
|   build: | ||||
|     name: Build | ||||
|     name: Run on Ubuntu | ||||
|     runs-on: ubuntu-latest | ||||
|     steps: | ||||
|     - name: Set up Go 1.x | ||||
|       uses: actions/setup-go@v4 | ||||
|       with: | ||||
|         go-version: ^1.21 | ||||
|     - name: Clone the code | ||||
|       uses: actions/checkout@v5 | ||||
|  | ||||
|     - name: Check out code into the Go module directory | ||||
|       uses: actions/checkout@v4 | ||||
|     - name: Setup Go | ||||
|       uses: actions/setup-go@v6 | ||||
|       with: | ||||
|         go-version-file: go.mod | ||||
|  | ||||
|     - name: Build | ||||
|       run: go build -v ./... | ||||
|  | ||||
|     - name: Test | ||||
|       run: make test | ||||
|   | ||||
							
								
								
									
										52
									
								
								.github/workflows/e2e-tests.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										52
									
								
								.github/workflows/e2e-tests.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,52 @@ | ||||
| name: E2E Tests | ||||
|  | ||||
| on: | ||||
|   workflow_call: | ||||
|     secrets: | ||||
|       OP_CONNECT_CREDENTIALS: | ||||
|         description: '1Password Connect credentials' | ||||
|         required: true | ||||
|       OP_CONNECT_TOKEN: | ||||
|         description: '1Password Connect token' | ||||
|         required: true | ||||
|       OP_SERVICE_ACCOUNT_TOKEN: | ||||
|         description: '1Password service account token' | ||||
|         required: true | ||||
|  | ||||
| jobs: | ||||
|   e2e-test: | ||||
|     runs-on: ubuntu-latest | ||||
|     steps: | ||||
|       - name: Checkout code | ||||
|         uses: actions/checkout@v5 | ||||
|  | ||||
|       - name: Set up Go | ||||
|         uses: actions/setup-go@v6 | ||||
|         with: | ||||
|           go-version-file: go.mod | ||||
|  | ||||
|       - name: Install dependencies | ||||
|         run: go mod tidy | ||||
|  | ||||
|       - name: Create kind cluster | ||||
|         uses: helm/kind-action@v1 | ||||
|         with: | ||||
|           cluster_name: onepassword-operator-test-e2e | ||||
|  | ||||
|       # install cli to interact with item in 1Password to update/read using `testhelper/op` package | ||||
|       - name: Install 1Password CLI | ||||
|         uses: 1password/install-cli-action@v2 | ||||
|         with: | ||||
|           version: 2.32.0 | ||||
|  | ||||
|       - name: Create '1password-credentials.json' file | ||||
|         env: | ||||
|           OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }} | ||||
|         run: | | ||||
|           echo "$OP_CONNECT_CREDENTIALS" > 1password-credentials.json | ||||
|  | ||||
|       - name: Run E2E tests | ||||
|         run: make test-e2e | ||||
|         env: | ||||
|           OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} | ||||
|           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | ||||
							
								
								
									
										24
									
								
								.github/workflows/lint.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										24
									
								
								.github/workflows/lint.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,24 @@ | ||||
| name: Lint | ||||
|  | ||||
| on: | ||||
|   push: | ||||
|     branches: [main] | ||||
|   pull_request: | ||||
|  | ||||
| jobs: | ||||
|   lint: | ||||
|     name: Run on Ubuntu | ||||
|     runs-on: ubuntu-latest | ||||
|     steps: | ||||
|       - name: Clone the code | ||||
|         uses: actions/checkout@v5 | ||||
|  | ||||
|       - name: Setup Go | ||||
|         uses: actions/setup-go@v6 | ||||
|         with: | ||||
|           go-version-file: go.mod | ||||
|  | ||||
|       - name: Run linter | ||||
|         uses: golangci/golangci-lint-action@v8 | ||||
|         with: | ||||
|           version: v2.2 | ||||
							
								
								
									
										25
									
								
								.github/workflows/ok-to-test.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										25
									
								
								.github/workflows/ok-to-test.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,25 @@ | ||||
| # Write comments "/ok-to-test <hash>" on a pull request. This will emit a repository_dispatch event. | ||||
| name: Ok To Test | ||||
|  | ||||
| on: | ||||
|   issue_comment: | ||||
|     types: [created] | ||||
|  | ||||
| jobs: | ||||
|   ok-to-test: | ||||
|     runs-on: ubuntu-latest | ||||
|     permissions: | ||||
|       pull-requests: write # For adding reactions to the pull request comments | ||||
|       contents: write # For executing the repository_dispatch event | ||||
|     # Only run for PRs, not issue comments | ||||
|     if: ${{ github.event.issue.pull_request }} | ||||
|     steps: | ||||
|       - name: Slash Command Dispatch | ||||
|         uses: volodymyrZotov/slash-command-dispatch@7c1b623a2b0eba93f684c34f689a441f0be84cf1 # TODO: use peter-evans/slash-command-dispatch when fix for team permissions is released https://github.com/peter-evans/slash-command-dispatch/pull/424 | ||||
|         with: | ||||
|           token: ${{ secrets.GITHUB_TOKEN }} | ||||
|           reaction-token: ${{ secrets.GITHUB_TOKEN }} | ||||
|           issue-type: pull-request | ||||
|           commands: ok-to-test | ||||
|           # The repository permission level required by the user to dispatch commands. Only allows 1Password collaborators to run this. | ||||
|           permission: write | ||||
							
								
								
									
										2
									
								
								.github/workflows/release-pr.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.github/workflows/release-pr.yml
									
									
									
									
										vendored
									
									
								
							| @@ -43,7 +43,7 @@ jobs: | ||||
|     name: Create Release Pull Request | ||||
|     runs-on: ubuntu-latest | ||||
|     steps: | ||||
|       - uses: actions/checkout@v4 | ||||
|       - uses: actions/checkout@v5 | ||||
|  | ||||
|       - name: Parse release version | ||||
|         id: get_version | ||||
|   | ||||
							
								
								
									
										2
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @@ -12,7 +12,7 @@ jobs: | ||||
|       DOCKER_CLI_EXPERIMENTAL: "enabled" | ||||
|     steps: | ||||
|       - name: Checkout | ||||
|         uses: actions/checkout@v4 | ||||
|         uses: actions/checkout@v5 | ||||
|         with: | ||||
|           fetch-depth: 0 | ||||
|  | ||||
|   | ||||
							
								
								
									
										56
									
								
								.github/workflows/test-e2e-fork.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										56
									
								
								.github/workflows/test-e2e-fork.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,56 @@ | ||||
| name: E2E tests [fork] | ||||
|  | ||||
| on: | ||||
|   repository_dispatch: | ||||
|     types: [ ok-to-test-command ] | ||||
|  | ||||
| permissions: | ||||
|   contents: read | ||||
|   checks: write | ||||
|  | ||||
| concurrency: | ||||
|   group: e2e-fork-${{ github.event.client_payload.pull_request.number || github.run_id }} | ||||
|   cancel-in-progress: true # cancel previous job runs for the same branch | ||||
|  | ||||
| jobs: | ||||
|   e2e-tests: | ||||
|     uses: ./.github/workflows/e2e-tests.yml | ||||
|     if: | | ||||
|       github.event_name == 'repository_dispatch' && | ||||
|       github.event.client_payload.slash_command.args.named.sha != '' && | ||||
|       contains( | ||||
|         github.event.client_payload.pull_request.head.sha, | ||||
|         github.event.client_payload.slash_command.args.named.sha | ||||
|       ) | ||||
|     secrets: | ||||
|       OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }} | ||||
|       OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} | ||||
|       OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | ||||
|  | ||||
|   update-check-status: | ||||
|     needs: e2e-tests | ||||
|     runs-on: ubuntu-latest | ||||
|     if: always() && github.event_name == 'repository_dispatch' | ||||
|     steps: | ||||
|       - uses: actions/github-script@v6 | ||||
|         env: | ||||
|           ref: ${{ github.event.client_payload.pull_request.head.sha }} | ||||
|           conclusion: ${{ needs.e2e-tests.result }} | ||||
|         with: | ||||
|           github-token: ${{ secrets.GITHUB_TOKEN }} | ||||
|           script: | | ||||
|             const { data: checks } = await github.rest.checks.listForRef({ | ||||
|               ...context.repo, | ||||
|               ref: process.env.ref | ||||
|             }); | ||||
|  | ||||
|             const check = checks.check_runs.filter(c => c.name === 'e2e-test'); | ||||
|  | ||||
|             const { data: result } = await github.rest.checks.update({ | ||||
|               ...context.repo, | ||||
|               check_run_id: check[0].id, | ||||
|               status: 'completed', | ||||
|               conclusion: process.env.conclusion | ||||
|             }); | ||||
|  | ||||
|             return result; | ||||
							
								
								
									
										43
									
								
								.github/workflows/test-e2e.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										43
									
								
								.github/workflows/test-e2e.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,43 @@ | ||||
| name: E2E Tests | ||||
|  | ||||
| on: | ||||
|   pull_request: | ||||
|     types: [opened, synchronize, reopened] | ||||
|     branches: ['**']   # run for PRs targeting any branch (main and others) | ||||
|     paths-ignore: &ignore_paths | ||||
|       - 'docs/**' | ||||
|       - '*.md' | ||||
|       - '.golangci.yml' | ||||
|       - '.gitignore' | ||||
|       - '.dockerignore' | ||||
|       - 'LICENSE' | ||||
|   push: | ||||
|     branches: [main] | ||||
|     paths-ignore: *ignore_paths | ||||
|  | ||||
| concurrency: | ||||
|   group: e2e-${{ github.event.pull_request.head.ref }} | ||||
|   cancel-in-progress: true  # cancel previous job runs for the same branch | ||||
|  | ||||
| jobs: | ||||
|   check-external-pr: | ||||
|     runs-on: ubuntu-latest | ||||
|     if: github.event_name == 'pull_request' | ||||
|     steps: | ||||
|       - name: Check if PR is from external contributor | ||||
|         run: | | ||||
|           if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then | ||||
|             echo "❌ External PR detected. This workflow requires approval from a maintainer." | ||||
|             echo "Please ask a maintainer to run '/ok-to-test' command to trigger the fork workflow." | ||||
|             exit 1 | ||||
|           fi | ||||
|           echo "✅ Internal PR detected. Proceeding with tests." | ||||
|  | ||||
|   e2e-test: | ||||
|     needs: check-external-pr | ||||
|     if: always() && (needs.check-external-pr.result == 'success' || github.event_name != 'pull_request') | ||||
|     uses: ./.github/workflows/e2e-tests.yml | ||||
|     secrets: | ||||
|       OP_CONNECT_CREDENTIALS: ${{ secrets.OP_CONNECT_CREDENTIALS }} | ||||
|       OP_CONNECT_TOKEN: ${{ secrets.OP_CONNECT_TOKEN }} | ||||
|       OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | ||||
							
								
								
									
										24
									
								
								.github/workflows/test.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										24
									
								
								.github/workflows/test.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,24 @@ | ||||
| name: Tests | ||||
|  | ||||
| on: | ||||
|   push: | ||||
|     branches: [main] | ||||
|   pull_request: | ||||
|  | ||||
| jobs: | ||||
|   test: | ||||
|     name: Run on Ubuntu | ||||
|     runs-on: ubuntu-latest | ||||
|     steps: | ||||
|       - name: Clone the code | ||||
|         uses: actions/checkout@v5 | ||||
|  | ||||
|       - name: Setup Go | ||||
|         uses: actions/setup-go@v6 | ||||
|         with: | ||||
|           go-version-file: go.mod | ||||
|  | ||||
|       - name: Running Tests | ||||
|         run: | | ||||
|           go mod tidy | ||||
|           make test | ||||
							
								
								
									
										9
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										9
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							| @@ -8,14 +8,16 @@ | ||||
| bin | ||||
| testbin/* | ||||
|  | ||||
| # Test binary, build with `go test -c` | ||||
| # Test binary, built with `go test -c` | ||||
| *.test | ||||
|  | ||||
| # Output of the go coverage tool, specifically when used with LiteIDE | ||||
| *.out | ||||
|  | ||||
| # Kubernetes Generated files - skip generated files, except for vendored files | ||||
| # Go workspace file | ||||
| go.work | ||||
|  | ||||
| # Kubernetes Generated files - skip generated files, except for vendored files | ||||
| !vendor/**/zz_generated.* | ||||
|  | ||||
| # editor and IDE paraphernalia | ||||
| @@ -23,3 +25,6 @@ testbin/* | ||||
| *.swp | ||||
| *.swo | ||||
| *~ | ||||
|  | ||||
| **/1password-credentials.json | ||||
| **/op-session | ||||
|   | ||||
							
								
								
									
										52
									
								
								.golangci.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										52
									
								
								.golangci.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,52 @@ | ||||
| version: "2" | ||||
| run: | ||||
|   allow-parallel-runners: true | ||||
| linters: | ||||
|   default: none | ||||
|   enable: | ||||
|     - copyloopvar | ||||
|     - dupl | ||||
|     - errcheck | ||||
|     - ginkgolinter | ||||
|     - goconst | ||||
|     - gocyclo | ||||
|     - govet | ||||
|     - ineffassign | ||||
|     - lll | ||||
|     - misspell | ||||
|     - nakedret | ||||
|     - prealloc | ||||
|     - revive | ||||
|     - staticcheck | ||||
|     - unconvert | ||||
|     - unparam | ||||
|     - unused | ||||
|   settings: | ||||
|     revive: | ||||
|       rules: | ||||
|         - name: comment-spacings | ||||
|         - name: import-shadowing | ||||
|   exclusions: | ||||
|     generated: lax | ||||
|     rules: | ||||
|       - linters: | ||||
|           - lll | ||||
|         path: api/* | ||||
|       - linters: | ||||
|           - dupl | ||||
|           - lll | ||||
|         path: internal/* | ||||
|     paths: | ||||
|       - third_party$ | ||||
|       - builtin$ | ||||
|       - examples$ | ||||
| formatters: | ||||
|   enable: | ||||
|     - gofmt | ||||
|     - goimports | ||||
|   exclusions: | ||||
|     generated: lax | ||||
|     paths: | ||||
|       - third_party$ | ||||
|       - builtin$ | ||||
|       - examples$ | ||||
| @@ -4,7 +4,17 @@ Thank you for your interest in contributing to the 1Password Kubernetes Operator | ||||
|  | ||||
| ## Testing | ||||
|  | ||||
| - For functional testing, run the local version of the operator. From the project root: | ||||
| All contributions must include tests where applicable. | ||||
|  | ||||
| - **Unit tests** for pure Go logic. | ||||
| - **Integration tests** for controller/reconciler logic using envtest. | ||||
| - **E2E tests** for full cluster behavior with kind. | ||||
|  | ||||
| 👉 See the [Testing Guide](docs/testing.md) for details on when to use each, how to run them locally, and how they are run in CI.  | ||||
|  | ||||
| ---- | ||||
|  | ||||
| For functional testing, run the local version of the operator. From the project root: | ||||
|  | ||||
|   ```sh | ||||
|   # Go to the K8s environment (e.g. minikube) | ||||
| @@ -20,6 +30,12 @@ Thank you for your interest in contributing to the 1Password Kubernetes Operator | ||||
|   make undeploy | ||||
|   ``` | ||||
|  | ||||
| - After making changes to the code: | ||||
| 1. Rebuild the Docker image by running `make docker-build` | ||||
| 2. Restart deployment `make restart` | ||||
|  | ||||
| ---- | ||||
|  | ||||
| - For testing the changes made to the `OnePasswordItem` Custom Resource Definition (CRD), you need to re-generate the object: | ||||
|   ```sh | ||||
|   make manifests | ||||
|   | ||||
							
								
								
									
										11
									
								
								Dockerfile
									
									
									
									
									
								
							
							
						
						
									
										11
									
								
								Dockerfile
									
									
									
									
									
								
							| @@ -1,5 +1,5 @@ | ||||
| # Build the manager binary | ||||
| FROM golang:1.24 as builder | ||||
| FROM golang:1.24 AS builder | ||||
| ARG TARGETOS | ||||
| ARG TARGETARCH | ||||
|  | ||||
| @@ -8,6 +8,9 @@ WORKDIR /workspace | ||||
| COPY go.mod go.mod | ||||
| COPY go.sum go.sum | ||||
|  | ||||
| # Copy the testhelper module (needed for replace directive) | ||||
| COPY pkg/testhelper/ pkg/testhelper/ | ||||
|  | ||||
| # Download dependencies | ||||
| RUN go mod download | ||||
|  | ||||
| @@ -23,11 +26,13 @@ COPY version/ version/ | ||||
| # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO | ||||
| # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, | ||||
| # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. | ||||
| RUN CGO_ENABLED=0 \ | ||||
| RUN --mount=type=cache,target=/go/pkg/mod \ | ||||
|     --mount=type=cache,target=/root/.cache/go-build \ | ||||
|     CGO_ENABLED=0 \ | ||||
|     GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} \ | ||||
|     go build \ | ||||
|     -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \ | ||||
|     -a -o manager cmd/main.go | ||||
|     -o manager cmd/main.go | ||||
|  | ||||
| # Use distroless as minimal base image to package the manager binary | ||||
| # Refer to https://github.com/GoogleContainerTools/distroless for more details | ||||
|   | ||||
							
								
								
									
										161
									
								
								Makefile
									
									
									
									
									
								
							
							
						
						
									
										161
									
								
								Makefile
									
									
									
									
									
								
							| @@ -7,6 +7,10 @@ export MAIN_BRANCH ?= main | ||||
| # - use environment variables to overwrite this value (e.g export VERSION=0.0.2) | ||||
| VERSION ?= 1.9.1 | ||||
|  | ||||
| # DEPLOYMENT_NAME defines Kubernetes deployment name for the operator. | ||||
| # It should be the same as in 'config/manager/manager.yaml' | ||||
| DEPLOYMENT_NAME ?= onepassword-connect-operator | ||||
|  | ||||
| # CHANNELS define the bundle channels used in the bundle. | ||||
| # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable") | ||||
| # To re-generate a bundle for other specific channels without changing the standard setup, you can: | ||||
| @@ -50,12 +54,10 @@ endif | ||||
|  | ||||
| # Set the Operator SDK version to use. By default, what is installed on the system is used. | ||||
| # This is useful for CI or a project to utilize a specific version of the operator-sdk toolkit. | ||||
| OPERATOR_SDK_VERSION ?= v1.34.1 | ||||
| OPERATOR_SDK_VERSION ?= v1.41.1 | ||||
|  | ||||
| # Image URL to use all building/pushing image targets | ||||
| IMG ?= 1password/onepassword-operator:latest | ||||
| # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. | ||||
| ENVTEST_K8S_VERSION = 1.29.1 | ||||
|  | ||||
| # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) | ||||
| ifeq (,$(shell go env GOBIN)) | ||||
| @@ -82,7 +84,7 @@ all: build | ||||
|  | ||||
| # The help target prints out all targets with their descriptions organized | ||||
| # beneath their categories. The categories are represented by '##@' and the | ||||
| # target descriptions by '##'. The awk commands is responsible for reading the | ||||
| # target descriptions by '##'. The awk command is responsible for reading the | ||||
| # entire set of makefiles included in this invocation, looking for lines of the | ||||
| # file as xyz: ## something, and then pretty-format the target and help. Then, | ||||
| # if there's a line with ##@ something, that gets pretty-printed as a category. | ||||
| @@ -114,8 +116,49 @@ vet: ## Run go vet against code. | ||||
| 	go vet ./... | ||||
|  | ||||
| .PHONY: test | ||||
| test: manifests generate fmt vet envtest ## Run tests. | ||||
| 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out | ||||
| test: manifests generate fmt vet setup-envtest ## Run tests. | ||||
| 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test $(shell go list ./... | grep -v /test/e2e) -coverprofile cover.out | ||||
|  | ||||
| # TODO(user): To use a different vendor for e2e tests, modify the setup under 'tests/e2e'. | ||||
| # The default setup assumes Kind is pre-installed and builds/loads the Manager Docker image locally. | ||||
| # CertManager is installed by default; skip with: | ||||
| # - CERT_MANAGER_INSTALL_SKIP=true | ||||
| KIND_CLUSTER ?= onepassword-operator-test-e2e | ||||
|  | ||||
| .PHONY: setup-test-e2e | ||||
| setup-test-e2e: ## Set up a Kind cluster for e2e tests if it does not exist | ||||
| 	@command -v $(KIND) >/dev/null 2>&1 || { \ | ||||
| 		echo "Kind is not installed. Please install Kind manually."; \ | ||||
| 		exit 1; \ | ||||
| 	} | ||||
| 	@case "$$($(KIND) get clusters)" in \ | ||||
| 		*"$(KIND_CLUSTER)"*) \ | ||||
| 			echo "Kind cluster '$(KIND_CLUSTER)' already exists. Skipping creation." ;; \ | ||||
| 		*) \ | ||||
| 			echo "Creating Kind cluster '$(KIND_CLUSTER)'..."; \ | ||||
| 			$(KIND) create cluster --name $(KIND_CLUSTER) ;; \ | ||||
| 	esac | ||||
|  | ||||
| .PHONY: test-e2e | ||||
| test-e2e: setup-test-e2e manifests generate fmt vet ## Run the e2e tests. Expected an isolated environment using Kind. | ||||
| 	KIND_CLUSTER=$(KIND_CLUSTER) go test ./test/e2e/ -v -ginkgo.v | ||||
| 	$(MAKE) cleanup-test-e2e | ||||
|  | ||||
| .PHONY: cleanup-test-e2e | ||||
| cleanup-test-e2e: ## Tear down the Kind cluster used for e2e tests | ||||
| 	@$(KIND) delete cluster --name $(KIND_CLUSTER) | ||||
|  | ||||
| .PHONY: lint | ||||
| lint: golangci-lint ## Run golangci-lint linter | ||||
| 	$(GOLANGCI_LINT) run | ||||
|  | ||||
| .PHONY: lint-fix | ||||
| lint-fix: golangci-lint ## Run golangci-lint linter and perform fixes | ||||
| 	$(GOLANGCI_LINT) run --fix | ||||
|  | ||||
| .PHONY: lint-config | ||||
| lint-config: golangci-lint ## Verify golangci-lint linter configuration | ||||
| 	$(GOLANGCI_LINT) config verify | ||||
|  | ||||
| ##@ Build | ||||
|  | ||||
| @@ -127,30 +170,39 @@ build: manifests generate fmt vet ## Build manager binary. | ||||
| run: manifests generate fmt vet ## Run a controller from your host. | ||||
| 	go run ./cmd/main.go | ||||
|  | ||||
| # If you wish built the manager image targeting other platforms you can use the --platform flag. | ||||
| # If you wish to build the manager image targeting other platforms you can use the --platform flag. | ||||
| # (i.e. docker build --platform linux/arm64). However, you must enable docker buildKit for it. | ||||
| # More info: https://docs.docker.com/develop/develop-images/build_enhancements/ | ||||
| .PHONY: docker-build | ||||
| docker-build: test ## Build docker image with the manager. | ||||
| 	$(CONTAINER_TOOL) build -t ${IMG} . | ||||
| docker-build: ## Build docker image with the manager. | ||||
| 	DOCKER_BUILDKIT=1 $(CONTAINER_TOOL) build -t ${IMG} . | ||||
|  | ||||
| .PHONY: docker-push | ||||
| docker-push: ## Push docker image with the manager. | ||||
| 	$(CONTAINER_TOOL) push ${IMG} | ||||
|  | ||||
| # PLATFORMS defines the target platforms for  the manager image be build to provide support to multiple | ||||
| # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple | ||||
| # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: | ||||
| # - able to use docker buildx . More info: https://docs.docker.com/build/buildx/ | ||||
| # - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/ | ||||
| # - be able to push the image for your registry (i.e. if you do not inform a valid value via IMG=<myregistry/image:<tag>> then the export will fail) | ||||
| # To properly provided solutions that supports more than one platform you should use this option. | ||||
| # - be able to use docker buildx. More info: https://docs.docker.com/build/buildx/ | ||||
| # - have enabled BuildKit. More info: https://docs.docker.com/develop/develop-images/build_enhancements/ | ||||
| # - be able to push the image to your registry (i.e. if you do not set a valid value via IMG=<myregistry/image:<tag>> then the export will fail) | ||||
| # To adequately provide solutions that are compatible with multiple platforms, you should consider using this option. | ||||
| PLATFORMS ?= linux/arm64,linux/amd64,linux/s390x,linux/ppc64le | ||||
| .PHONY: docker-buildx | ||||
| docker-buildx: ## Build and push docker image for the manager for cross-platform support | ||||
| 	- $(CONTAINER_TOOL) buildx create --name project-v3-builder | ||||
| 	$(CONTAINER_TOOL) buildx use project-v3-builder | ||||
| 	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile . | ||||
| 	- $(CONTAINER_TOOL) buildx rm project-v3-builder | ||||
| 	# copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile | ||||
| 	sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross | ||||
| 	- $(CONTAINER_TOOL) buildx create --name onepassword-operator-builder | ||||
| 	$(CONTAINER_TOOL) buildx use onepassword-operator-builder | ||||
| 	- $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . | ||||
| 	- $(CONTAINER_TOOL) buildx rm onepassword-operator-builder | ||||
| 	rm Dockerfile.cross | ||||
|  | ||||
| .PHONY: build-installer | ||||
| build-installer: manifests generate kustomize ## Generate a consolidated YAML with CRDs and deployment. | ||||
| 	mkdir -p dist | ||||
| 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} | ||||
| 	$(KUSTOMIZE) build config/default > dist/install.yaml | ||||
|  | ||||
| ##@ Deployment | ||||
|  | ||||
| @@ -176,10 +228,14 @@ deploy: manifests kustomize set-namespace ## Deploy controller to the K8s cluste | ||||
| 	$(KUSTOMIZE) build config/default | $(KUBECTL) apply -f - | ||||
|  | ||||
| .PHONY: undeploy | ||||
| undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. | ||||
| undeploy: kustomize ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion. | ||||
| 	$(KUSTOMIZE) build config/default | $(KUBECTL) delete --ignore-not-found=$(ignore-not-found) -f - | ||||
|  | ||||
| ##@ Build Dependencies | ||||
| .PHONY: restart | ||||
| restart: ## Restarts deployment so that the operator picks up changes in the deployment configuration. | ||||
| 	$(KUBECTL) rollout restart deployment $(DEPLOYMENT_NAME) | ||||
|  | ||||
| ##@ Dependencies | ||||
|  | ||||
| ## Location to install dependencies to | ||||
| LOCALBIN ?= $(shell pwd)/bin | ||||
| @@ -188,33 +244,64 @@ $(LOCALBIN): | ||||
|  | ||||
| ## Tool Binaries | ||||
| KUBECTL ?= kubectl | ||||
| KIND ?= kind | ||||
| KUSTOMIZE ?= $(LOCALBIN)/kustomize | ||||
| CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen | ||||
| ENVTEST ?= $(LOCALBIN)/setup-envtest | ||||
| GOLANGCI_LINT = $(LOCALBIN)/golangci-lint | ||||
|  | ||||
| ## Tool Versions | ||||
| KUSTOMIZE_VERSION ?= v5.3.0 | ||||
| CONTROLLER_TOOLS_VERSION ?= v0.14.0 | ||||
| KUSTOMIZE_VERSION ?= v5.6.0 | ||||
| CONTROLLER_TOOLS_VERSION ?= v0.18.0 | ||||
| # ENVTEST_VERSION is the version of controller-runtime release branch to fetch the envtest setup script (i.e. release-0.20) | ||||
| ENVTEST_VERSION := $(shell go list -m -f "{{ .Version }}" sigs.k8s.io/controller-runtime | awk -F'[v.]' '{printf "release-%d.%d", $$2, $$3}') | ||||
| # ENVTEST_K8S_VERSION is the version of Kubernetes to use for setting up ENVTEST binaries (i.e. 1.31) | ||||
| ENVTEST_K8S_VERSION := $(shell go list -m -f "{{ .Version }}" k8s.io/api | awk -F'[v.]' '{printf "1.%d", $$3}') | ||||
| GOLANGCI_LINT_VERSION ?= v2.2.0 | ||||
|  | ||||
| .PHONY: kustomize | ||||
| kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. If wrong version is installed, it will be removed before downloading. | ||||
| kustomize: $(KUSTOMIZE) ## Download kustomize locally if necessary. | ||||
| $(KUSTOMIZE): $(LOCALBIN) | ||||
| 	@if test -x $(LOCALBIN)/kustomize && ! $(LOCALBIN)/kustomize version | grep -q $(KUSTOMIZE_VERSION); then \ | ||||
| 		echo "$(LOCALBIN)/kustomize version is not expected $(KUSTOMIZE_VERSION). Removing it before installing."; \ | ||||
| 		rm -rf $(LOCALBIN)/kustomize; \ | ||||
| 	fi | ||||
| 	test -s $(LOCALBIN)/kustomize || GOBIN=$(LOCALBIN) GO111MODULE=on go install sigs.k8s.io/kustomize/kustomize/v5@$(KUSTOMIZE_VERSION) | ||||
| 	$(call go-install-tool,$(KUSTOMIZE),sigs.k8s.io/kustomize/kustomize/v5,$(KUSTOMIZE_VERSION)) | ||||
|  | ||||
| .PHONY: controller-gen | ||||
| controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. If wrong version is installed, it will be overwritten. | ||||
| controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessary. | ||||
| $(CONTROLLER_GEN): $(LOCALBIN) | ||||
| 	test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ | ||||
| 	GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) | ||||
| 	$(call go-install-tool,$(CONTROLLER_GEN),sigs.k8s.io/controller-tools/cmd/controller-gen,$(CONTROLLER_TOOLS_VERSION)) | ||||
|  | ||||
| .PHONY: setup-envtest | ||||
| setup-envtest: envtest ## Download the binaries required for ENVTEST in the local bin directory. | ||||
| 	@echo "Setting up envtest binaries for Kubernetes version $(ENVTEST_K8S_VERSION)..." | ||||
| 	@$(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path || { \ | ||||
| 		echo "Error: Failed to set up envtest binaries for version $(ENVTEST_K8S_VERSION)."; \ | ||||
| 		exit 1; \ | ||||
| 	} | ||||
|  | ||||
| .PHONY: envtest | ||||
| envtest: $(ENVTEST) ## Download envtest-setup locally if necessary. | ||||
| envtest: $(ENVTEST) ## Download setup-envtest locally if necessary. | ||||
| $(ENVTEST): $(LOCALBIN) | ||||
| 	test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest | ||||
| 	$(call go-install-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest,$(ENVTEST_VERSION)) | ||||
|  | ||||
| .PHONY: golangci-lint | ||||
| golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary. | ||||
| $(GOLANGCI_LINT): $(LOCALBIN) | ||||
| 	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint,$(GOLANGCI_LINT_VERSION)) | ||||
|  | ||||
| # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist | ||||
| # $1 - target path with name of binary | ||||
| # $2 - package url which can be installed | ||||
| # $3 - specific version of package | ||||
| define go-install-tool | ||||
| @[ -f "$(1)-$(3)" ] || { \ | ||||
| set -e; \ | ||||
| package=$(2)@$(3) ;\ | ||||
| echo "Downloading $${package}" ;\ | ||||
| rm -f $(1) || true ;\ | ||||
| GOBIN=$(LOCALBIN) go install $${package} ;\ | ||||
| mv $(1) $(1)-$(3) ;\ | ||||
| } ;\ | ||||
| ln -sf $(1)-$(3) $(1) | ||||
| endef | ||||
|  | ||||
| .PHONY: operator-sdk | ||||
| OPERATOR_SDK ?= $(LOCALBIN)/operator-sdk | ||||
| @@ -242,14 +329,14 @@ bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metada | ||||
|  | ||||
| .PHONY: bundle-build | ||||
| bundle-build: ## Build the bundle image. | ||||
| 	docker build -f bundle.Dockerfile -t $(BUNDLE_IMG) . | ||||
| 	$(CONTAINER_TOOL) build -f bundle.Dockerfile -t $(BUNDLE_IMG) . | ||||
|  | ||||
| .PHONY: bundle-push | ||||
| bundle-push: ## Push the bundle image. | ||||
| 	$(MAKE) docker-push IMG=$(BUNDLE_IMG) | ||||
|  | ||||
| .PHONY: opm | ||||
| OPM = ./bin/opm | ||||
| OPM = $(LOCALBIN)/opm | ||||
| opm: ## Download opm locally if necessary. | ||||
| ifeq (,$(wildcard $(OPM))) | ||||
| ifeq (,$(shell which opm 2>/dev/null)) | ||||
| @@ -257,7 +344,7 @@ ifeq (,$(shell which opm 2>/dev/null)) | ||||
| 	set -e ;\ | ||||
| 	mkdir -p $(dir $(OPM)) ;\ | ||||
| 	OS=$(shell go env GOOS) && ARCH=$(shell go env GOARCH) && \ | ||||
| 	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.23.0/$${OS}-$${ARCH}-opm ;\ | ||||
| 	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.55.0/$${OS}-$${ARCH}-opm ;\ | ||||
| 	chmod +x $(OPM) ;\ | ||||
| 	} | ||||
| else | ||||
| @@ -282,7 +369,7 @@ endif | ||||
| # https://github.com/operator-framework/community-operators/blob/7f1438c/docs/packaging-operator.md#updating-your-existing-operator | ||||
| .PHONY: catalog-build | ||||
| catalog-build: opm ## Build a catalog image. | ||||
| 	$(OPM) index add --container-tool docker --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT) | ||||
| 	$(OPM) index add --container-tool $(CONTAINER_TOOL) --mode semver --tag $(CATALOG_IMG) --bundles $(BUNDLE_IMGS) $(FROM_INDEX_OPT) | ||||
|  | ||||
| # Push the catalog image. | ||||
| .PHONY: catalog-push | ||||
|   | ||||
							
								
								
									
										153
									
								
								cmd/main.go
									
									
									
									
									
								
							
							
						
						
									
										153
									
								
								cmd/main.go
									
									
									
									
									
								
							| @@ -26,10 +26,12 @@ package main | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	"crypto/tls" | ||||
| 	"errors" | ||||
| 	"flag" | ||||
| 	"fmt" | ||||
| 	"os" | ||||
| 	"path/filepath" | ||||
| 	"regexp" | ||||
| 	"runtime" | ||||
| 	"strconv" | ||||
| @@ -46,9 +48,12 @@ import ( | ||||
| 	"k8s.io/client-go/rest" | ||||
| 	ctrl "sigs.k8s.io/controller-runtime" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/cache" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/certwatcher" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/healthz" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/log/zap" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters" | ||||
| 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/webhook" | ||||
|  | ||||
| 	onepasswordcomv1 "github.com/1Password/onepassword-operator/api/v1" | ||||
| 	"github.com/1Password/onepassword-operator/internal/controller" | ||||
| @@ -73,13 +78,6 @@ const ( | ||||
| 	annotationRegExpString = "^operator.1password.io\\/[a-zA-Z\\.]+" | ||||
| ) | ||||
|  | ||||
| // Change below variables to serve metrics on different host or port. | ||||
| var ( | ||||
| 	metricsHost               = "0.0.0.0" | ||||
| 	metricsPort         int32 = 8383 | ||||
| 	operatorMetricsPort int32 = 8686 | ||||
| ) | ||||
|  | ||||
| func printVersion() { | ||||
| 	setupLog.Info(fmt.Sprintf("Operator Version: %s", version.OperatorVersion)) | ||||
| 	setupLog.Info(fmt.Sprintf("Go Version: %s", runtime.Version())) | ||||
| @@ -96,13 +94,31 @@ func init() { | ||||
|  | ||||
| func main() { | ||||
| 	var metricsAddr string | ||||
| 	var metricsCertPath, metricsCertName, metricsCertKey string | ||||
| 	var webhookCertPath, webhookCertName, webhookCertKey string | ||||
| 	var enableLeaderElection bool | ||||
| 	var probeAddr string | ||||
| 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") | ||||
| 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") | ||||
| 	var secureMetrics bool | ||||
| 	var enableHTTP2 bool | ||||
| 	var tlsOpts []func(*tls.Config) | ||||
| 	flag.StringVar(&metricsAddr, "metrics-bind-address", "8080", | ||||
| 		"The address the metrics endpoint binds to. "+ | ||||
| 			"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.") | ||||
| 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", | ||||
| 		"The address the probe endpoint binds to.") | ||||
| 	flag.BoolVar(&enableLeaderElection, "leader-elect", false, | ||||
| 		"Enable leader election for controller manager. "+ | ||||
| 			"Enabling this will ensure there is only one active controller manager.") | ||||
| 	flag.BoolVar(&secureMetrics, "metrics-secure", true, | ||||
| 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.") | ||||
| 	flag.StringVar(&metricsCertPath, "metrics-cert-path", "", | ||||
| 		"The directory that contains the metrics server certificate.") | ||||
| 	flag.StringVar(&metricsCertName, "metrics-cert-name", "tls.crt", | ||||
| 		"The name of the metrics server certificate file.") | ||||
| 	flag.StringVar(&metricsCertKey, "metrics-cert-key", "tls.key", | ||||
| 		"The name of the metrics server key file.") | ||||
| 	flag.BoolVar(&enableHTTP2, "enable-http2", false, | ||||
| 		"If set, HTTP/2 will be enabled for the metrics") | ||||
| 	opts := zap.Options{ | ||||
| 		Development: true, | ||||
| 	} | ||||
| @@ -111,6 +127,21 @@ func main() { | ||||
|  | ||||
| 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts))) | ||||
|  | ||||
| 	// if the enable-http2 flag is false (the default), http/2 should be disabled | ||||
| 	// due to its vulnerabilities. More specifically, disabling http/2 will | ||||
| 	// prevent from being vulnerable to the HTTP/2 Stream Cancelation and | ||||
| 	// Rapid Reset CVEs. For more information see: | ||||
| 	// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3 | ||||
| 	// - https://github.com/advisories/GHSA-4374-p667-p6c8 | ||||
| 	disableHTTP2 := func(c *tls.Config) { | ||||
| 		setupLog.Info("disabling http/2") | ||||
| 		c.NextProtos = []string{"http/1.1"} | ||||
| 	} | ||||
|  | ||||
| 	if !enableHTTP2 { | ||||
| 		tlsOpts = append(tlsOpts, disableHTTP2) | ||||
| 	} | ||||
|  | ||||
| 	printVersion() | ||||
|  | ||||
| 	// Create a root context that will be cancelled on termination signals | ||||
| @@ -128,12 +159,104 @@ func main() { | ||||
| 		os.Exit(1) | ||||
| 	} | ||||
|  | ||||
| 	// Create watchers for metrics and webhooks certificates | ||||
| 	var metricsCertWatcher, webhookCertWatcher *certwatcher.CertWatcher | ||||
|  | ||||
| 	// Initial webhook TLS options | ||||
| 	webhookTLSOpts := tlsOpts | ||||
|  | ||||
| 	if len(webhookCertPath) > 0 { | ||||
| 		setupLog.Info("Initializing webhook certificate watcher using provided certificates", | ||||
| 			"webhook-cert-path", webhookCertPath, "webhook-cert-name", webhookCertName, "webhook-cert-key", webhookCertKey) | ||||
|  | ||||
| 		var err error | ||||
| 		webhookCertWatcher, err = certwatcher.New( | ||||
| 			filepath.Join(webhookCertPath, webhookCertName), | ||||
| 			filepath.Join(webhookCertPath, webhookCertKey), | ||||
| 		) | ||||
| 		if err != nil { | ||||
| 			setupLog.Error(err, "Failed to initialize webhook certificate watcher") | ||||
| 			os.Exit(1) | ||||
| 		} | ||||
|  | ||||
| 		webhookTLSOpts = append(webhookTLSOpts, func(config *tls.Config) { | ||||
| 			config.GetCertificate = webhookCertWatcher.GetCertificate | ||||
| 		}) | ||||
| 	} | ||||
|  | ||||
| 	webhookServer := webhook.NewServer(webhook.Options{ | ||||
| 		TLSOpts: webhookTLSOpts, | ||||
| 	}) | ||||
|  | ||||
| 	// Metrics endpoint is enabled in 'config/default/kustomization.yaml'. The Metrics options configure the server. | ||||
| 	// More info: | ||||
| 	// - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.21.0/pkg/metrics/server | ||||
| 	// - https://book.kubebuilder.io/reference/metrics.html | ||||
| 	metricsServerOptions := metricsserver.Options{ | ||||
| 		BindAddress:   metricsAddr, | ||||
| 		SecureServing: secureMetrics, | ||||
| 		// TODO(user): TLSOpts is used to allow configuring the TLS config used for the server. If certificates are | ||||
| 		// not provided, self-signed certificates will be generated by default. This option is not recommended for | ||||
| 		// production environments as self-signed certificates do not offer the same level of trust and security | ||||
| 		// as certificates issued by a trusted Certificate Authority (CA). The primary risk is potentially allowing | ||||
| 		// unauthorized access to sensitive metrics data. Consider replacing with CertDir, CertName, and KeyName | ||||
| 		// to provide certificates, ensuring the server communicates using trusted and secure certificates. | ||||
| 		TLSOpts: tlsOpts, | ||||
| 	} | ||||
|  | ||||
| 	if secureMetrics { | ||||
| 		// FilterProvider is used to protect the metrics endpoint with authn/authz. | ||||
| 		// These configurations ensure that only authorized users and service accounts | ||||
| 		// can access the metrics endpoint. The RBAC are configured in 'config/rbac/kustomization.yaml'. More info: | ||||
| 		// https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.19.0/pkg/metrics/filters#WithAuthenticationAndAuthorization | ||||
| 		metricsServerOptions.FilterProvider = filters.WithAuthenticationAndAuthorization | ||||
| 	} | ||||
|  | ||||
| 	// If the certificate is not specified, controller-runtime will automatically | ||||
| 	// generate self-signed certificates for the metrics server. While convenient for development and testing, | ||||
| 	// this setup is not recommended for production. | ||||
| 	// | ||||
| 	// TODO(user): If you enable certManager, uncomment the following lines: | ||||
| 	// - [METRICS-WITH-CERTS] at config/default/kustomization.yaml to generate and use certificates | ||||
| 	// managed by cert-manager for the metrics server. | ||||
| 	// - [PROMETHEUS-WITH-CERTS] at config/prometheus/kustomization.yaml for TLS certification. | ||||
| 	if len(metricsCertPath) > 0 { | ||||
| 		setupLog.Info("Initializing metrics certificate watcher using provided certificates", | ||||
| 			"metrics-cert-path", metricsCertPath, "metrics-cert-name", metricsCertName, "metrics-cert-key", metricsCertKey) | ||||
|  | ||||
| 		var err error | ||||
| 		metricsCertWatcher, err = certwatcher.New( | ||||
| 			filepath.Join(metricsCertPath, metricsCertName), | ||||
| 			filepath.Join(metricsCertPath, metricsCertKey), | ||||
| 		) | ||||
| 		if err != nil { | ||||
| 			setupLog.Error(err, "Failed to initialize metrics certificate watcher") | ||||
| 			os.Exit(1) | ||||
| 		} | ||||
|  | ||||
| 		metricsServerOptions.TLSOpts = append(metricsServerOptions.TLSOpts, func(config *tls.Config) { | ||||
| 			config.GetCertificate = metricsCertWatcher.GetCertificate | ||||
| 		}) | ||||
| 	} | ||||
|  | ||||
| 	options := ctrl.Options{ | ||||
| 		Scheme:                 scheme, | ||||
| 		Metrics:                metricsserver.Options{BindAddress: metricsAddr}, | ||||
| 		Metrics:                metricsServerOptions, | ||||
| 		WebhookServer:          webhookServer, | ||||
| 		HealthProbeBindAddress: probeAddr, | ||||
| 		LeaderElection:         enableLeaderElection, | ||||
| 		LeaderElectionID:       "c26807fd.onepassword.com", | ||||
| 		// LeaderElectionReleaseOnCancel defines if the leader should step down voluntarily | ||||
| 		// when the Manager ends. This requires the binary to immediately end when the | ||||
| 		// Manager is stopped, otherwise, this setting is unsafe. Setting this significantly | ||||
| 		// speeds up voluntary leader transitions as the new leader don't have to wait | ||||
| 		// LeaseDuration time first. | ||||
| 		// | ||||
| 		// In the default scaffold provided, the program ends immediately after | ||||
| 		// the manager stops, so would be fine to enable this option. However, | ||||
| 		// if you are doing or is intended to do any operation such as perform cleanups | ||||
| 		// after the manager stops then its usage might be unsafe. | ||||
| 		// LeaderElectionReleaseOnCancel: true, | ||||
| 	} | ||||
|  | ||||
| 	// Add support for MultiNamespace set in WATCH_NAMESPACE (e.g ns1,ns2) | ||||
| @@ -191,7 +314,7 @@ func main() { | ||||
| 		setupLog.Info("Automated Connect Management Enabled") | ||||
| 		go func(ctx context.Context) { | ||||
| 			connectStarted := false | ||||
| 			for connectStarted == false { | ||||
| 			for !connectStarted { | ||||
| 				err := op.SetupConnect(ctx, mgr.GetClient(), deploymentNamespace) | ||||
| 				// Cache Not Started is an acceptable error. Retry until cache is started. | ||||
| 				if err != nil && !errors.Is(err, &cache.ErrCacheNotStarted{}) { | ||||
| @@ -226,6 +349,14 @@ func main() { | ||||
| 		} | ||||
| 	}(ctx) | ||||
|  | ||||
| 	if metricsCertWatcher != nil { | ||||
| 		setupLog.Info("Adding metrics certificate watcher to manager") | ||||
| 		if err := mgr.Add(metricsCertWatcher); err != nil { | ||||
| 			setupLog.Error(err, "Unable to add metrics certificate watcher to manager") | ||||
| 			os.Exit(1) | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil { | ||||
| 		setupLog.Error(err, "unable to set up health check") | ||||
| 		os.Exit(1) | ||||
|   | ||||
| @@ -14,6 +14,8 @@ spec: | ||||
|     spec: | ||||
|       securityContext: | ||||
|         runAsNonRoot: true | ||||
|         fsGroup: 999 | ||||
|         fsGroupChangePolicy: OnRootMismatch | ||||
|       volumes: | ||||
|         - name: shared-data | ||||
|           emptyDir: {} | ||||
| @@ -31,10 +33,20 @@ spec: | ||||
|           volumeMounts: | ||||
|             - mountPath: /home/opuser/.op/data | ||||
|               name: shared-data | ||||
|           securityContext: | ||||
|             runAsUser: 0 | ||||
|             runAsNonRoot: false | ||||
|             allowPrivilegeEscalation: false | ||||
|             capabilities: | ||||
|               drop: [ "ALL" ] | ||||
|               add: ["CHOWN", "FOWNER"] | ||||
|       containers: | ||||
|         - name: connect-api | ||||
|           image: 1password/connect-api:latest | ||||
|           securityContext: | ||||
|             runAsNonRoot: true | ||||
|             runAsUser: 999 | ||||
|             runAsGroup: 999 | ||||
|             allowPrivilegeEscalation: false | ||||
|           resources: | ||||
|             limits: | ||||
| @@ -55,6 +67,9 @@ spec: | ||||
|         - name: connect-sync | ||||
|           image: 1password/connect-sync:latest | ||||
|           securityContext: | ||||
|             runAsNonRoot: true | ||||
|             runAsUser: 999 | ||||
|             runAsGroup: 999 | ||||
|             allowPrivilegeEscalation: false | ||||
|           resources: | ||||
|             limits: | ||||
|   | ||||
| @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 | ||||
| kind: CustomResourceDefinition | ||||
| metadata: | ||||
|   annotations: | ||||
|     controller-gen.kubebuilder.io/version: v0.14.0 | ||||
|     controller-gen.kubebuilder.io/version: v0.18.0 | ||||
|   name: onepassworditems.onepassword.com | ||||
| spec: | ||||
|   group: onepassword.com | ||||
|   | ||||
| @@ -11,13 +11,7 @@ patches: | ||||
| #- path: patches/webhook_in_onepassworditems.yaml | ||||
| #+kubebuilder:scaffold:crdkustomizewebhookpatch | ||||
|  | ||||
| # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. | ||||
| # patches here are for enabling the CA injection for each CRD | ||||
| #- path: patches/cainjection_in_onepassworditems.yaml | ||||
| #+kubebuilder:scaffold:crdkustomizecainjectionpatch | ||||
|  | ||||
| # [WEBHOOK] To enable webhook, uncomment the following section | ||||
| # the following config is for teaching kustomize how to do kustomization for CRDs. | ||||
|  | ||||
| #configurations: | ||||
| #- kustomizeconfig.yaml | ||||
|   | ||||
| @@ -1,7 +0,0 @@ | ||||
| # The following patch adds a directive for certmanager to inject CA into the CRD | ||||
| apiVersion: apiextensions.k8s.io/v1 | ||||
| kind: CustomResourceDefinition | ||||
| metadata: | ||||
|   annotations: | ||||
|     cert-manager.io/inject-ca-from: CERTIFICATE_NAMESPACE/CERTIFICATE_NAME | ||||
|   name: onepassworditems.onepassword.com | ||||
| @@ -1,16 +0,0 @@ | ||||
| # The following patch enables a conversion webhook for the CRD | ||||
| apiVersion: apiextensions.k8s.io/v1 | ||||
| kind: CustomResourceDefinition | ||||
| metadata: | ||||
|   name: onepassworditems.onepassword.com | ||||
| spec: | ||||
|   conversion: | ||||
|     strategy: Webhook | ||||
|     webhook: | ||||
|       clientConfig: | ||||
|         service: | ||||
|           namespace: system | ||||
|           name: webhook-service | ||||
|           path: /convert | ||||
|       conversionReviewVersions: | ||||
|       - v1 | ||||
| @@ -25,31 +25,141 @@ resources: | ||||
| #- ../certmanager | ||||
| # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. | ||||
| #- ../prometheus | ||||
| # [METRICS] Expose the controller manager metrics service. | ||||
| - metrics_service.yaml | ||||
| # [NETWORK POLICY] Protect the /metrics endpoint and Webhook Server with NetworkPolicy. | ||||
| # Only Pod(s) running a namespace labeled with 'metrics: enabled' will be able to gather the metrics. | ||||
| # Only CR(s) which requires webhooks and are applied on namespaces labeled with 'webhooks: enabled' will | ||||
| # be able to communicate with the Webhook Server. | ||||
| #- ../network-policy | ||||
|  | ||||
| # Uncomment the patches line if you enable Metrics | ||||
| patches: | ||||
| # Protect the /metrics endpoint by putting it behind auth. | ||||
| # If you want your controller-manager to expose the /metrics | ||||
| # endpoint w/o any authn/z, please comment the following line. | ||||
| - path: manager_auth_proxy_patch.yaml | ||||
| # [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443. | ||||
| # More info: https://book.kubebuilder.io/reference/metrics | ||||
| - path: manager_metrics_patch.yaml | ||||
|   target: | ||||
|     kind: Deployment | ||||
|  | ||||
| # Uncomment the patches line if you enable Metrics and CertManager | ||||
| # [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line. | ||||
| # This patch will protect the metrics with certManager self-signed certs. | ||||
| #- path: cert_metrics_manager_patch.yaml | ||||
| #  target: | ||||
| #    kind: Deployment | ||||
|  | ||||
| # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in | ||||
| # crd/kustomization.yaml | ||||
| #- path: manager_webhook_patch.yaml | ||||
|  | ||||
| # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. | ||||
| # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. | ||||
| # 'CERTMANAGER' needs to be enabled to use ca injection | ||||
| #- path: webhookcainjection_patch.yaml | ||||
| #  target: | ||||
| #    kind: Deployment | ||||
|  | ||||
| # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. | ||||
| # Uncomment the following replacements to add the cert-manager CA injection annotations | ||||
| #replacements: | ||||
| #  - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs | ||||
| # - source: # Uncomment the following block to enable certificates for metrics | ||||
| #     kind: Service | ||||
| #     version: v1 | ||||
| #     name: controller-manager-metrics-service | ||||
| #     fieldPath: metadata.name | ||||
| #   targets: | ||||
| #     - select: | ||||
| #         kind: Certificate | ||||
| #         group: cert-manager.io | ||||
| #         version: v1 | ||||
| #      name: serving-cert # this name should match the one in certificate.yaml | ||||
| #      fieldPath: .metadata.namespace # namespace of the certificate CR | ||||
| #         name: metrics-certs | ||||
| #       fieldPaths: | ||||
| #         - spec.dnsNames.0 | ||||
| #         - spec.dnsNames.1 | ||||
| #       options: | ||||
| #         delimiter: '.' | ||||
| #         index: 0 | ||||
| #         create: true | ||||
| #     - select: # Uncomment the following to set the Service name for TLS config in Prometheus ServiceMonitor | ||||
| #         kind: ServiceMonitor | ||||
| #         group: monitoring.coreos.com | ||||
| #         version: v1 | ||||
| #         name: controller-manager-metrics-monitor | ||||
| #       fieldPaths: | ||||
| #         - spec.endpoints.0.tlsConfig.serverName | ||||
| #       options: | ||||
| #         delimiter: '.' | ||||
| #         index: 0 | ||||
| #         create: true | ||||
| # | ||||
| # - source: | ||||
| #     kind: Service | ||||
| #     version: v1 | ||||
| #     name: controller-manager-metrics-service | ||||
| #     fieldPath: metadata.namespace | ||||
| #   targets: | ||||
| #     - select: | ||||
| #         kind: Certificate | ||||
| #         group: cert-manager.io | ||||
| #         version: v1 | ||||
| #         name: metrics-certs | ||||
| #       fieldPaths: | ||||
| #         - spec.dnsNames.0 | ||||
| #         - spec.dnsNames.1 | ||||
| #       options: | ||||
| #         delimiter: '.' | ||||
| #         index: 1 | ||||
| #         create: true | ||||
| #     - select: # Uncomment the following to set the Service namespace for TLS in Prometheus ServiceMonitor | ||||
| #         kind: ServiceMonitor | ||||
| #         group: monitoring.coreos.com | ||||
| #         version: v1 | ||||
| #         name: controller-manager-metrics-monitor | ||||
| #       fieldPaths: | ||||
| #         - spec.endpoints.0.tlsConfig.serverName | ||||
| #       options: | ||||
| #         delimiter: '.' | ||||
| #         index: 1 | ||||
| #         create: true | ||||
| # | ||||
| # - source: # Uncomment the following block if you have any webhook | ||||
| #     kind: Service | ||||
| #     version: v1 | ||||
| #     name: webhook-service | ||||
| #     fieldPath: .metadata.name # Name of the service | ||||
| #   targets: | ||||
| #     - select: | ||||
| #         kind: Certificate | ||||
| #         group: cert-manager.io | ||||
| #         version: v1 | ||||
| #         name: serving-cert | ||||
| #       fieldPaths: | ||||
| #         - .spec.dnsNames.0 | ||||
| #         - .spec.dnsNames.1 | ||||
| #       options: | ||||
| #         delimiter: '.' | ||||
| #         index: 0 | ||||
| #         create: true | ||||
| # - source: | ||||
| #     kind: Service | ||||
| #     version: v1 | ||||
| #     name: webhook-service | ||||
| #     fieldPath: .metadata.namespace # Namespace of the service | ||||
| #   targets: | ||||
| #     - select: | ||||
| #         kind: Certificate | ||||
| #         group: cert-manager.io | ||||
| #         version: v1 | ||||
| #         name: serving-cert | ||||
| #       fieldPaths: | ||||
| #         - .spec.dnsNames.0 | ||||
| #         - .spec.dnsNames.1 | ||||
| #       options: | ||||
| #         delimiter: '.' | ||||
| #         index: 1 | ||||
| #         create: true | ||||
| # | ||||
| # - source: # Uncomment the following block if you have a ValidatingWebhook (--programmatic-validation) | ||||
| #     kind: Certificate | ||||
| #     group: cert-manager.io | ||||
| #     version: v1 | ||||
| #     name: serving-cert # This name should match the one in certificate.yaml | ||||
| #     fieldPath: .metadata.namespace # Namespace of the certificate CR | ||||
| #   targets: | ||||
| #     - select: | ||||
| #         kind: ValidatingWebhookConfiguration | ||||
| @@ -59,27 +169,11 @@ patches: | ||||
| #         delimiter: '/' | ||||
| #         index: 0 | ||||
| #         create: true | ||||
| #      - select: | ||||
| #          kind: MutatingWebhookConfiguration | ||||
| #        fieldPaths: | ||||
| #          - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||||
| #        options: | ||||
| #          delimiter: '/' | ||||
| #          index: 0 | ||||
| #          create: true | ||||
| #      - select: | ||||
| #          kind: CustomResourceDefinition | ||||
| #        fieldPaths: | ||||
| #          - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||||
| #        options: | ||||
| #          delimiter: '/' | ||||
| #          index: 0 | ||||
| #          create: true | ||||
| # - source: | ||||
| #     kind: Certificate | ||||
| #     group: cert-manager.io | ||||
| #     version: v1 | ||||
| #      name: serving-cert # this name should match the one in certificate.yaml | ||||
| #     name: serving-cert | ||||
| #     fieldPath: .metadata.name | ||||
| #   targets: | ||||
| #     - select: | ||||
| @@ -90,6 +184,29 @@ patches: | ||||
| #         delimiter: '/' | ||||
| #         index: 1 | ||||
| #         create: true | ||||
| # | ||||
| # - source: # Uncomment the following block if you have a DefaultingWebhook (--defaulting ) | ||||
| #     kind: Certificate | ||||
| #     group: cert-manager.io | ||||
| #     version: v1 | ||||
| #     name: serving-cert | ||||
| #     fieldPath: .metadata.namespace # Namespace of the certificate CR | ||||
| #   targets: | ||||
| #     - select: | ||||
| #         kind: MutatingWebhookConfiguration | ||||
| #       fieldPaths: | ||||
| #         - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||||
| #       options: | ||||
| #         delimiter: '/' | ||||
| #         index: 0 | ||||
| #         create: true | ||||
| # - source: | ||||
| #     kind: Certificate | ||||
| #     group: cert-manager.io | ||||
| #     version: v1 | ||||
| #     name: serving-cert | ||||
| #     fieldPath: .metadata.name | ||||
| #   targets: | ||||
| #     - select: | ||||
| #         kind: MutatingWebhookConfiguration | ||||
| #       fieldPaths: | ||||
| @@ -98,45 +215,20 @@ patches: | ||||
| #         delimiter: '/' | ||||
| #         index: 1 | ||||
| #         create: true | ||||
| #      - select: | ||||
| #          kind: CustomResourceDefinition | ||||
| #        fieldPaths: | ||||
| #          - .metadata.annotations.[cert-manager.io/inject-ca-from] | ||||
| #        options: | ||||
| #          delimiter: '/' | ||||
| #          index: 1 | ||||
| #          create: true | ||||
| #  - source: # Add cert-manager annotation to the webhook Service | ||||
| #      kind: Service | ||||
| #      version: v1 | ||||
| #      name: webhook-service | ||||
| #      fieldPath: .metadata.name # namespace of the service | ||||
| #    targets: | ||||
| #      - select: | ||||
| # | ||||
| # - source: # Uncomment the following block if you have a ConversionWebhook (--conversion) | ||||
| #     kind: Certificate | ||||
| #     group: cert-manager.io | ||||
| #     version: v1 | ||||
| #        fieldPaths: | ||||
| #          - .spec.dnsNames.0 | ||||
| #          - .spec.dnsNames.1 | ||||
| #        options: | ||||
| #          delimiter: '.' | ||||
| #          index: 0 | ||||
| #          create: true | ||||
| #     name: serving-cert | ||||
| #     fieldPath: .metadata.namespace # Namespace of the certificate CR | ||||
| #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. | ||||
| # +kubebuilder:scaffold:crdkustomizecainjectionns | ||||
| # - source: | ||||
| #      kind: Service | ||||
| #      version: v1 | ||||
| #      name: webhook-service | ||||
| #      fieldPath: .metadata.namespace # namespace of the service | ||||
| #    targets: | ||||
| #      - select: | ||||
| #     kind: Certificate | ||||
| #     group: cert-manager.io | ||||
| #     version: v1 | ||||
| #        fieldPaths: | ||||
| #          - .spec.dnsNames.0 | ||||
| #          - .spec.dnsNames.1 | ||||
| #        options: | ||||
| #          delimiter: '.' | ||||
| #          index: 1 | ||||
| #          create: true | ||||
| #     name: serving-cert | ||||
| #     fieldPath: .metadata.name | ||||
| #   targets: # Do not remove or uncomment the following scaffold marker; required to generate code for target CRD. | ||||
| # +kubebuilder:scaffold:crdkustomizecainjectionname | ||||
|   | ||||
| @@ -1,41 +0,0 @@ | ||||
| # This patch inject a sidecar container which is a HTTP proxy for the | ||||
| # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: onepassword-connect-operator | ||||
|   namespace: system | ||||
| spec: | ||||
|   template: | ||||
|     spec: | ||||
|       securityContext: | ||||
|         runAsNonRoot: true | ||||
|       containers: | ||||
|       - name: kube-rbac-proxy | ||||
|         securityContext: | ||||
|           allowPrivilegeEscalation: false | ||||
|           capabilities: | ||||
|             drop: | ||||
|               - "ALL" | ||||
|         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0 | ||||
|         args: | ||||
|         - "--secure-listen-address=0.0.0.0:8443" | ||||
|         - "--upstream=http://127.0.0.1:8080/" | ||||
|         - "--logtostderr=true" | ||||
|         - "--v=0" | ||||
|         ports: | ||||
|         - containerPort: 8443 | ||||
|           protocol: TCP | ||||
|           name: https | ||||
|         resources: | ||||
|           limits: | ||||
|             cpu: 500m | ||||
|             memory: 128Mi | ||||
|           requests: | ||||
|             cpu: 5m | ||||
|             memory: 64Mi | ||||
|       - name: manager | ||||
|         args: | ||||
|         - "--health-probe-bind-address=:8081" | ||||
|         - "--metrics-bind-address=127.0.0.1:8080" | ||||
|         - "--leader-elect" | ||||
| @@ -1,10 +0,0 @@ | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: onepassword-connect-operator | ||||
|   namespace: system | ||||
| spec: | ||||
|   template: | ||||
|     spec: | ||||
|       containers: | ||||
|       - name: manager | ||||
							
								
								
									
										4
									
								
								config/default/manager_metrics_patch.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										4
									
								
								config/default/manager_metrics_patch.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,4 @@ | ||||
| # This patch adds the args to allow exposing the metrics endpoint using HTTPS | ||||
| - op: add | ||||
|   path: /spec/template/spec/containers/0/args/0 | ||||
|   value: --metrics-bind-address=:8443 | ||||
							
								
								
									
										17
									
								
								config/default/metrics_service.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								config/default/metrics_service.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,17 @@ | ||||
| apiVersion: v1 | ||||
| kind: Service | ||||
| metadata: | ||||
|   labels: | ||||
|     control-plane: controller-manager | ||||
|     app.kubernetes.io/name: onepassword-operator | ||||
|     app.kubernetes.io/managed-by: kustomize | ||||
|   name: controller-manager-metrics-service | ||||
|   namespace: system | ||||
| spec: | ||||
|   ports: | ||||
|     - name: https | ||||
|       port: 8443 | ||||
|       protocol: TCP | ||||
|       targetPort: 8443 | ||||
|   selector: | ||||
|     control-plane: controller-manager | ||||
| @@ -72,6 +72,7 @@ spec: | ||||
|         - /manager | ||||
|         args: | ||||
|         - --leader-elect | ||||
|         - --health-probe-bind-address=:8081 | ||||
|         image: 1password/onepassword-operator:latest | ||||
|         name: manager | ||||
|         env: | ||||
|   | ||||
							
								
								
									
										26
									
								
								config/network-policy/allow-metrics-traffic.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										26
									
								
								config/network-policy/allow-metrics-traffic.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,26 @@ | ||||
| # This NetworkPolicy allows ingress traffic | ||||
| # with Pods running on namespaces labeled with 'metrics: enabled'. Only Pods on those | ||||
| # namespaces are able to gathering data from the metrics endpoint. | ||||
| apiVersion: networking.k8s.io/v1 | ||||
| kind: NetworkPolicy | ||||
| metadata: | ||||
|   labels: | ||||
|     app.kubernetes.io/name: onepassword-operator | ||||
|     app.kubernetes.io/managed-by: kustomize | ||||
|   name: allow-metrics-traffic | ||||
|   namespace: system | ||||
| spec: | ||||
|   podSelector: | ||||
|     matchLabels: | ||||
|       control-plane: controller-manager | ||||
|   policyTypes: | ||||
|       - Ingress | ||||
|   ingress: | ||||
|       # This allows ingress traffic from any namespace with the label metrics: enabled | ||||
|     - from: | ||||
|       - namespaceSelector: | ||||
|           matchLabels: | ||||
|             metrics: enabled  # Only from namespaces with this label | ||||
|       ports: | ||||
|         - port: 8443 | ||||
|           protocol: TCP | ||||
							
								
								
									
										2
									
								
								config/network-policy/kustomization.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								config/network-policy/kustomization.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | ||||
| resources: | ||||
| - allow-metrics-traffic.yaml | ||||
| @@ -1,2 +1,11 @@ | ||||
| resources: | ||||
| - monitor.yaml | ||||
|  | ||||
| # [PROMETHEUS-WITH-CERTS] The following patch configures the ServiceMonitor in ../prometheus | ||||
| # to securely reference certificates created and managed by cert-manager. | ||||
| # Additionally, ensure that you uncomment the [METRICS WITH CERTMANAGER] patch under config/default/kustomization.yaml | ||||
| # to mount the "metrics-server-cert" secret in the Manager Deployment. | ||||
| #patches: | ||||
| #  - path: monitor_tls_patch.yaml | ||||
| #    target: | ||||
| #      kind: ServiceMonitor | ||||
|   | ||||
| @@ -5,7 +5,7 @@ metadata: | ||||
|   labels: | ||||
|     name: onepassword-connect-operator | ||||
|     control-plane: onepassword-connect-operator | ||||
|     app.kubernetes.io/name: servicemonitor | ||||
|     app.kubernetes.io/name: onepassword-operator | ||||
|     app.kubernetes.io/instance: controller-manager-metrics-monitor | ||||
|     app.kubernetes.io/component: metrics | ||||
|     app.kubernetes.io/created-by: onepassword-connect-operator | ||||
| @@ -16,12 +16,22 @@ metadata: | ||||
| spec: | ||||
|   endpoints: | ||||
|     - path: /metrics | ||||
|       port: https | ||||
|       port: https # Ensure this is the name of the port that exposes HTTPS metrics | ||||
|       scheme: https | ||||
|       bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token | ||||
|       tlsConfig: | ||||
|         # TODO(user): The option insecureSkipVerify: true is not recommended for production since it disables | ||||
|         # certificate verification. This poses a significant security risk by making the system vulnerable to | ||||
|         # man-in-the-middle attacks, where an attacker could intercept and manipulate the communication between | ||||
|         # Prometheus and the monitored services. This could lead to unauthorized access to sensitive metrics data, | ||||
|         # compromising the integrity and confidentiality of the information. | ||||
|         # Please use the following options for secure configurations: | ||||
|         # caFile: /etc/metrics-certs/ca.crt | ||||
|         # certFile: /etc/metrics-certs/tls.crt | ||||
|         # keyFile: /etc/metrics-certs/tls.key | ||||
|         insecureSkipVerify: true | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       name: onepassword-connect-operator | ||||
|       control-plane: onepassword-connect-operator | ||||
|       app.kubernetes.io/name: onepassword-operator | ||||
|   | ||||
							
								
								
									
										19
									
								
								config/prometheus/monitor_tls_patch.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								config/prometheus/monitor_tls_patch.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,19 @@ | ||||
| # Patch for Prometheus ServiceMonitor to enable secure TLS configuration | ||||
| # using certificates managed by cert-manager | ||||
| - op: replace | ||||
|   path: /spec/endpoints/0/tlsConfig | ||||
|   value: | ||||
|     # SERVICE_NAME and SERVICE_NAMESPACE will be substituted by kustomize | ||||
|     serverName: SERVICE_NAME.SERVICE_NAMESPACE.svc | ||||
|     insecureSkipVerify: false | ||||
|     ca: | ||||
|       secret: | ||||
|         name: metrics-server-cert | ||||
|         key: ca.crt | ||||
|     cert: | ||||
|       secret: | ||||
|         name: metrics-server-cert | ||||
|         key: tls.crt | ||||
|     keySecret: | ||||
|       name: metrics-server-cert | ||||
|       key: tls.key | ||||
| @@ -1,16 +0,0 @@ | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRole | ||||
| metadata: | ||||
|   labels: | ||||
|     app.kubernetes.io/name: clusterrole | ||||
|     app.kubernetes.io/instance: metrics-reader | ||||
|     app.kubernetes.io/component: kube-rbac-proxy | ||||
|     app.kubernetes.io/created-by: onepassword-connect-operator | ||||
|     app.kubernetes.io/part-of: onepassword-connect-operator | ||||
|     app.kubernetes.io/managed-by: kustomize | ||||
|   name: metrics-reader | ||||
| rules: | ||||
| - nonResourceURLs: | ||||
|   - "/metrics" | ||||
|   verbs: | ||||
|   - get | ||||
| @@ -1,24 +0,0 @@ | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRole | ||||
| metadata: | ||||
|   labels: | ||||
|     app.kubernetes.io/name: clusterrole | ||||
|     app.kubernetes.io/instance: proxy-role | ||||
|     app.kubernetes.io/component: kube-rbac-proxy | ||||
|     app.kubernetes.io/created-by: onepassword-connect-operator | ||||
|     app.kubernetes.io/part-of: onepassword-connect-operator | ||||
|     app.kubernetes.io/managed-by: kustomize | ||||
|   name: proxy-role | ||||
| rules: | ||||
| - apiGroups: | ||||
|   - authentication.k8s.io | ||||
|   resources: | ||||
|   - tokenreviews | ||||
|   verbs: | ||||
|   - create | ||||
| - apiGroups: | ||||
|   - authorization.k8s.io | ||||
|   resources: | ||||
|   - subjectaccessreviews | ||||
|   verbs: | ||||
|   - create | ||||
| @@ -1,19 +0,0 @@ | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRoleBinding | ||||
| metadata: | ||||
|   labels: | ||||
|     app.kubernetes.io/name: clusterrolebinding | ||||
|     app.kubernetes.io/instance: proxy-rolebinding | ||||
|     app.kubernetes.io/component: kube-rbac-proxy | ||||
|     app.kubernetes.io/created-by: onepassword-connect-operator | ||||
|     app.kubernetes.io/part-of: onepassword-connect-operator | ||||
|     app.kubernetes.io/managed-by: kustomize | ||||
|   name: proxy-rolebinding | ||||
| roleRef: | ||||
|   apiGroup: rbac.authorization.k8s.io | ||||
|   kind: ClusterRole | ||||
|   name: proxy-role | ||||
| subjects: | ||||
| - kind: ServiceAccount | ||||
|   name: onepassword-connect-operator | ||||
|   namespace: system | ||||
| @@ -1,23 +0,0 @@ | ||||
| apiVersion: v1 | ||||
| kind: Service | ||||
| metadata: | ||||
|   labels: | ||||
|     name: onepassword-connect-operator | ||||
|     control-plane: onepassword-connect-operator | ||||
|     app.kubernetes.io/name: service | ||||
|     app.kubernetes.io/instance: controller-manager-metrics-service | ||||
|     app.kubernetes.io/component: kube-rbac-proxy | ||||
|     app.kubernetes.io/created-by: onepassword-connect-operator | ||||
|     app.kubernetes.io/part-of: onepassword-connect-operator | ||||
|     app.kubernetes.io/managed-by: kustomize | ||||
|   name: onepassword-connect-operator-metrics-service | ||||
|   namespace: system | ||||
| spec: | ||||
|   ports: | ||||
|   - name: https | ||||
|     port: 8443 | ||||
|     protocol: TCP | ||||
|     targetPort: https | ||||
|   selector: | ||||
|     name: onepassword-connect-operator | ||||
|     control-plane: onepassword-connect-operator | ||||
| @@ -9,10 +9,19 @@ resources: | ||||
| - role_binding.yaml | ||||
| - leader_election_role.yaml | ||||
| - leader_election_role_binding.yaml | ||||
| # Comment the following 4 lines if you want to disable | ||||
| # the auth proxy (https://github.com/brancz/kube-rbac-proxy) | ||||
| # which protects your /metrics endpoint. | ||||
| - auth_proxy_service.yaml | ||||
| - auth_proxy_role.yaml | ||||
| - auth_proxy_role_binding.yaml | ||||
| - auth_proxy_client_clusterrole.yaml | ||||
| # The following RBAC configurations are used to protect | ||||
| # the metrics endpoint with authn/authz. These configurations | ||||
| # ensure that only authorized users and service accounts | ||||
| # can access the metrics endpoint. Comment the following | ||||
| # permissions if you want to disable this protection. | ||||
| # More info: https://book.kubebuilder.io/reference/metrics.html | ||||
| - metrics_auth_role.yaml | ||||
| - metrics_auth_role_binding.yaml | ||||
| - metrics_reader_role.yaml | ||||
| # For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by | ||||
| # default, aiding admins in cluster management. Those roles are | ||||
| # not used by the {{ .ProjectName }} itself. You can comment the following lines | ||||
| # if you do not want those helpers be installed with your Project. | ||||
| - onepassworditem_admin_role.yaml | ||||
| - onepassworditem_editor_role.yaml | ||||
| - onepassworditem_viewer_role.yaml | ||||
|   | ||||
							
								
								
									
										17
									
								
								config/rbac/metrics_auth_role.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										17
									
								
								config/rbac/metrics_auth_role.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,17 @@ | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRole | ||||
| metadata: | ||||
|   name: metrics-auth-role | ||||
| rules: | ||||
|   - apiGroups: | ||||
|       - authentication.k8s.io | ||||
|     resources: | ||||
|       - tokenreviews | ||||
|     verbs: | ||||
|       - create | ||||
|   - apiGroups: | ||||
|       - authorization.k8s.io | ||||
|     resources: | ||||
|       - subjectaccessreviews | ||||
|     verbs: | ||||
|       - create | ||||
							
								
								
									
										12
									
								
								config/rbac/metrics_auth_role_binding.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										12
									
								
								config/rbac/metrics_auth_role_binding.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,12 @@ | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRoleBinding | ||||
| metadata: | ||||
|   name: metrics-auth-rolebinding | ||||
| roleRef: | ||||
|   apiGroup: rbac.authorization.k8s.io | ||||
|   kind: ClusterRole | ||||
|   name: metrics-auth-role | ||||
| subjects: | ||||
|   - kind: ServiceAccount | ||||
|     name: controller-manager | ||||
|     namespace: system | ||||
							
								
								
									
										9
									
								
								config/rbac/metrics_reader_role.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										9
									
								
								config/rbac/metrics_reader_role.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,9 @@ | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRole | ||||
| metadata: | ||||
|   name: metrics-reader | ||||
| rules: | ||||
|   - nonResourceURLs: | ||||
|       - "/metrics" | ||||
|     verbs: | ||||
|       - get | ||||
							
								
								
									
										31
									
								
								config/rbac/onepassworditem_admin_role.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										31
									
								
								config/rbac/onepassworditem_admin_role.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,31 @@ | ||||
| # This rule is not used by the project onepassword-operator itself. | ||||
| # It is provided to allow the cluster admin to help manage permissions for users. | ||||
| # | ||||
| # Grants full permissions ('*') over onepassword.com. | ||||
| # This role is intended for users authorized to modify roles and bindings within the cluster, | ||||
| # enabling them to delegate specific permissions to other users or groups as needed. | ||||
|  | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRole | ||||
| metadata: | ||||
|   labels: | ||||
|     app.kubernetes.io/name: clusterrole | ||||
|     app.kubernetes.io/instance: onepassworditem-admin-role | ||||
|     app.kubernetes.io/component: rbac | ||||
|     app.kubernetes.io/created-by: onepassword-connect-operator | ||||
|     app.kubernetes.io/part-of: onepassword-connect-operator | ||||
|     app.kubernetes.io/managed-by: kustomize | ||||
|   name: onepassworditem-admin-role | ||||
| rules: | ||||
|   - apiGroups: | ||||
|       - onepassword.com | ||||
|     resources: | ||||
|       - onepassworditems | ||||
|     verbs: | ||||
|       - '*' | ||||
|   - apiGroups: | ||||
|       - onepassword.com | ||||
|     resources: | ||||
|       - onepassworditems/status | ||||
|     verbs: | ||||
|       - get | ||||
| @@ -1,4 +1,10 @@ | ||||
| # permissions for end users to edit onepassworditems. | ||||
| # This rule is not used by the project onepassword-operator itself. | ||||
| # It is provided to allow the cluster admin to help manage permissions for users. | ||||
| # | ||||
| # Grants permissions to create, update, and delete resources within the onepassword.com. | ||||
| # This role is intended for users who need to manage these resources | ||||
| # but should not control RBAC or manage permissions for others. | ||||
|  | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRole | ||||
| metadata: | ||||
|   | ||||
| @@ -1,4 +1,10 @@ | ||||
| # permissions for end users to view onepassworditems. | ||||
| # This rule is not used by the project onepassword-operator itself. | ||||
| # It is provided to allow the cluster admin to help manage permissions for users. | ||||
| # | ||||
| # Grants read-only access to onepassword.com resources. | ||||
| # This role is intended for users who need visibility into these resources | ||||
| # without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. | ||||
|  | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| kind: ClusterRole | ||||
| metadata: | ||||
|   | ||||
| @@ -24,12 +24,6 @@ rules: | ||||
|   - patch | ||||
|   - update | ||||
|   - watch | ||||
| - apiGroups: | ||||
|   - "" | ||||
|   resources: | ||||
|   - pods | ||||
|   verbs: | ||||
|   - get | ||||
| - apiGroups: | ||||
|   - apps | ||||
|   resources: | ||||
| @@ -45,25 +39,6 @@ rules: | ||||
|   - patch | ||||
|   - update | ||||
|   - watch | ||||
| - apiGroups: | ||||
|   - apps | ||||
|   resources: | ||||
|   - deployments | ||||
|   verbs: | ||||
|   - create | ||||
|   - delete | ||||
|   - get | ||||
|   - list | ||||
|   - patch | ||||
|   - update | ||||
|   - watch | ||||
| - apiGroups: | ||||
|   - apps | ||||
|   resources: | ||||
|   - deployments | ||||
|   - replicasets | ||||
|   verbs: | ||||
|   - get | ||||
| - apiGroups: | ||||
|   - apps | ||||
|   resources: | ||||
| @@ -106,17 +81,6 @@ rules: | ||||
|   - onepassword.com | ||||
|   resources: | ||||
|   - '*' | ||||
|   verbs: | ||||
|   - create | ||||
|   - delete | ||||
|   - get | ||||
|   - list | ||||
|   - patch | ||||
|   - update | ||||
|   - watch | ||||
| - apiGroups: | ||||
|   - onepassword.com | ||||
|   resources: | ||||
|   - onepassworditems | ||||
|   verbs: | ||||
|   - create | ||||
|   | ||||
							
								
								
									
										20
									
								
								docs/testing.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										20
									
								
								docs/testing.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,20 @@ | ||||
| # Testing | ||||
|  | ||||
| ## Unit & Integration tests | ||||
| **When**: Unit (pure Go) and integration (controller-runtime envtest). | ||||
| **Where**: `internal/...`, `pkg/...` | ||||
| **Add files in**: `*_test.go` next to the code. | ||||
| **Run**: `make test` | ||||
|  | ||||
| ## E2E tests (kind) | ||||
| **When**: Full cluster behavior (CRDs, operator image, Connect/SA flows). | ||||
| **Where**: `test/e2e/...` | ||||
| **Add files in**: `*_test.go` next to the code. | ||||
| **Framework**: Ginkgo + `pkg/testhelper`. | ||||
|  | ||||
| **Local prep**: | ||||
| 1. [Install `kind`](https://kind.sigs.k8s.io/docs/user/quick-start/#installing-with-a-package-manager) to spin up local Kubernetes cluster. | ||||
| 2. `export OP_CONNECT_TOKEN=<token>` | ||||
| 3. `export OP_SERVICE_ACCOUNT_TOKEN=<token>` | ||||
| 4. Put `1password-credentials.json` into project root. | ||||
| 5. `make test-e2e` | ||||
							
								
								
									
										101
									
								
								go.mod
									
									
									
									
									
								
							
							
						
						
									
										101
									
								
								go.mod
									
									
									
									
									
								
							| @@ -1,49 +1,60 @@ | ||||
| module github.com/1Password/onepassword-operator | ||||
|  | ||||
| go 1.24 | ||||
| go 1.24.0 | ||||
|  | ||||
| toolchain go1.24.4 | ||||
| toolchain go1.24.5 | ||||
|  | ||||
| // In main go.mod, add this replace directive: | ||||
| replace github.com/1Password/onepassword-operator/pkg/testhelper => ./pkg/testhelper | ||||
|  | ||||
| require ( | ||||
| 	github.com/1Password/connect-sdk-go v1.5.3 | ||||
| 	github.com/1Password/onepassword-operator/pkg/testhelper v0.0.0-00010101000000-000000000000 | ||||
| 	github.com/1password/onepassword-sdk-go v0.3.1 | ||||
| 	github.com/go-logr/logr v1.4.2 | ||||
| 	github.com/onsi/ginkgo/v2 v2.14.0 | ||||
| 	github.com/onsi/gomega v1.30.0 | ||||
| 	github.com/onsi/ginkgo/v2 v2.22.0 | ||||
| 	github.com/onsi/gomega v1.36.1 | ||||
| 	github.com/stretchr/testify v1.10.0 | ||||
| 	k8s.io/api v0.29.3 | ||||
| 	k8s.io/apimachinery v0.29.3 | ||||
| 	k8s.io/client-go v0.29.3 | ||||
| 	k8s.io/api v0.33.0 | ||||
| 	k8s.io/apimachinery v0.33.0 | ||||
| 	k8s.io/client-go v0.33.0 | ||||
| 	k8s.io/kubectl v0.29.0 | ||||
| 	sigs.k8s.io/controller-runtime v0.17.2 | ||||
| 	sigs.k8s.io/controller-runtime v0.21.0 | ||||
| ) | ||||
|  | ||||
| require ( | ||||
| 	cel.dev/expr v0.19.1 // indirect | ||||
| 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect | ||||
| 	github.com/beorn7/perks v1.0.1 // indirect | ||||
| 	github.com/cespare/xxhash/v2 v2.2.0 // indirect | ||||
| 	github.com/davecgh/go-spew v1.1.1 // indirect | ||||
| 	github.com/blang/semver/v4 v4.0.0 // indirect | ||||
| 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect | ||||
| 	github.com/cespare/xxhash/v2 v2.3.0 // indirect | ||||
| 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect | ||||
| 	github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a // indirect | ||||
| 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect | ||||
| 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect | ||||
| 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect | ||||
| 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect | ||||
| 	github.com/extism/go-sdk v1.7.0 // indirect | ||||
| 	github.com/felixge/httpsnoop v1.0.4 // indirect | ||||
| 	github.com/fsnotify/fsnotify v1.7.0 // indirect | ||||
| 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect | ||||
| 	github.com/go-logr/stdr v1.2.2 // indirect | ||||
| 	github.com/go-logr/zapr v1.3.0 // indirect | ||||
| 	github.com/go-openapi/jsonpointer v0.21.0 // indirect | ||||
| 	github.com/go-openapi/jsonreference v0.21.0 // indirect | ||||
| 	github.com/go-openapi/swag v0.23.0 // indirect | ||||
| 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect | ||||
| 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect | ||||
| 	github.com/gobwas/glob v0.2.3 // indirect | ||||
| 	github.com/gogo/protobuf v1.3.2 // indirect | ||||
| 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect | ||||
| 	github.com/golang/protobuf v1.5.4 // indirect | ||||
| 	github.com/google/gnostic-models v0.6.8 // indirect | ||||
| 	github.com/google/go-cmp v0.6.0 // indirect | ||||
| 	github.com/google/gofuzz v1.2.0 // indirect | ||||
| 	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect | ||||
| 	github.com/google/btree v1.1.3 // indirect | ||||
| 	github.com/google/cel-go v0.23.2 // indirect | ||||
| 	github.com/google/gnostic-models v0.6.9 // indirect | ||||
| 	github.com/google/go-cmp v0.7.0 // indirect | ||||
| 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect | ||||
| 	github.com/google/uuid v1.6.0 // indirect | ||||
| 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect | ||||
| 	github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca // indirect | ||||
| 	github.com/imdario/mergo v0.3.16 // indirect | ||||
| 	github.com/inconshreveable/mousetrap v1.1.0 // indirect | ||||
| 	github.com/josharian/intern v1.0.0 // indirect | ||||
| 	github.com/json-iterator/go v1.1.12 // indirect | ||||
| 	github.com/mailru/easyjson v0.7.7 // indirect | ||||
| @@ -52,40 +63,58 @@ require ( | ||||
| 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||||
| 	github.com/opentracing/opentracing-go v1.2.0 // indirect | ||||
| 	github.com/pkg/errors v0.9.1 // indirect | ||||
| 	github.com/pmezard/go-difflib v1.0.0 // indirect | ||||
| 	github.com/prometheus/client_golang v1.19.0 // indirect | ||||
| 	github.com/prometheus/client_model v0.6.0 // indirect | ||||
| 	github.com/prometheus/common v0.51.1 // indirect | ||||
| 	github.com/prometheus/procfs v0.13.0 // indirect | ||||
| 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect | ||||
| 	github.com/prometheus/client_golang v1.22.0 // indirect | ||||
| 	github.com/prometheus/client_model v0.6.1 // indirect | ||||
| 	github.com/prometheus/common v0.62.0 // indirect | ||||
| 	github.com/prometheus/procfs v0.15.1 // indirect | ||||
| 	github.com/spf13/cobra v1.8.1 // indirect | ||||
| 	github.com/spf13/pflag v1.0.5 // indirect | ||||
| 	github.com/stoewer/go-strcase v1.3.0 // indirect | ||||
| 	github.com/stretchr/objx v0.5.2 // indirect | ||||
| 	github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 // indirect | ||||
| 	github.com/tetratelabs/wazero v1.9.0 // indirect | ||||
| 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect | ||||
| 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect | ||||
| 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect | ||||
| 	github.com/x448/float16 v0.8.4 // indirect | ||||
| 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect | ||||
| 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect | ||||
| 	go.opentelemetry.io/otel v1.33.0 // indirect | ||||
| 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect | ||||
| 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect | ||||
| 	go.opentelemetry.io/otel/metric v1.33.0 // indirect | ||||
| 	go.opentelemetry.io/otel/sdk v1.33.0 // indirect | ||||
| 	go.opentelemetry.io/otel/trace v1.33.0 // indirect | ||||
| 	go.opentelemetry.io/proto/otlp v1.4.0 // indirect | ||||
| 	go.uber.org/atomic v1.11.0 // indirect | ||||
| 	go.uber.org/multierr v1.11.0 // indirect | ||||
| 	go.uber.org/zap v1.27.0 // indirect | ||||
| 	golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 // indirect | ||||
| 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect | ||||
| 	golang.org/x/net v0.41.0 // indirect | ||||
| 	golang.org/x/oauth2 v0.30.0 // indirect | ||||
| 	golang.org/x/sync v0.15.0 // indirect | ||||
| 	golang.org/x/sys v0.33.0 // indirect | ||||
| 	golang.org/x/term v0.32.0 // indirect | ||||
| 	golang.org/x/text v0.26.0 // indirect | ||||
| 	golang.org/x/time v0.5.0 // indirect | ||||
| 	golang.org/x/time v0.9.0 // indirect | ||||
| 	golang.org/x/tools v0.33.0 // indirect | ||||
| 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect | ||||
| 	google.golang.org/protobuf v1.34.2 // indirect | ||||
| 	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect | ||||
| 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect | ||||
| 	google.golang.org/grpc v1.68.1 // indirect | ||||
| 	google.golang.org/protobuf v1.36.5 // indirect | ||||
| 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect | ||||
| 	gopkg.in/inf.v0 v0.9.1 // indirect | ||||
| 	gopkg.in/yaml.v2 v2.4.0 // indirect | ||||
| 	gopkg.in/yaml.v3 v3.0.1 // indirect | ||||
| 	k8s.io/apiextensions-apiserver v0.29.3 // indirect | ||||
| 	k8s.io/component-base v0.29.3 // indirect | ||||
| 	k8s.io/klog/v2 v2.120.1 // indirect | ||||
| 	k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 // indirect | ||||
| 	k8s.io/utils v0.0.0-20240310230437-4693a0247e57 // indirect | ||||
| 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect | ||||
| 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect | ||||
| 	k8s.io/apiextensions-apiserver v0.33.0 // indirect | ||||
| 	k8s.io/apiserver v0.33.0 // indirect | ||||
| 	k8s.io/component-base v0.33.0 // indirect | ||||
| 	k8s.io/klog/v2 v2.130.1 // indirect | ||||
| 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect | ||||
| 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect | ||||
| 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 // indirect | ||||
| 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect | ||||
| 	sigs.k8s.io/randfill v1.0.0 // indirect | ||||
| 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect | ||||
| 	sigs.k8s.io/yaml v1.4.0 // indirect | ||||
| ) | ||||
|   | ||||
							
								
								
									
										204
									
								
								go.sum
									
									
									
									
									
								
							
							
						
						
									
										204
									
								
								go.sum
									
									
									
									
									
								
							| @@ -1,33 +1,47 @@ | ||||
| cel.dev/expr v0.19.1 h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4= | ||||
| cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw= | ||||
| github.com/1Password/connect-sdk-go v1.5.3 h1:KyjJ+kCKj6BwB2Y8tPM1Ixg5uIS6HsB0uWA8U38p/Uk= | ||||
| github.com/1Password/connect-sdk-go v1.5.3/go.mod h1:5rSymY4oIYtS4G3t0oMkGAXBeoYiukV3vkqlnEjIDJs= | ||||
| github.com/1password/onepassword-sdk-go v0.3.1 h1:dz0LrYuIh/HrZ7rxr8NMymikNLBIXhyj4NBmo5Tdamc= | ||||
| github.com/1password/onepassword-sdk-go v0.3.1/go.mod h1:kssODrGGqHtniqPR91ZPoCMEo79mKulKat7RaD1bunk= | ||||
| github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM= | ||||
| github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo= | ||||
| github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= | ||||
| github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g= | ||||
| github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= | ||||
| github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= | ||||
| github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= | ||||
| github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= | ||||
| github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= | ||||
| github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= | ||||
| github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= | ||||
| github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= | ||||
| github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= | ||||
| github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= | ||||
| github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= | ||||
| github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= | ||||
| github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= | ||||
| github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= | ||||
| github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||||
| github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= | ||||
| github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||||
| github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= | ||||
| github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||||
| github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a h1:UwSIFv5g5lIvbGgtf3tVwC7Ky9rmMFBp0RMs+6f6YqE= | ||||
| github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a/go.mod h1:C8DzXehI4zAbrdlbtOByKX6pfivJTBiV9Jjqv56Yd9Q= | ||||
| github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= | ||||
| github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= | ||||
| github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= | ||||
| github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= | ||||
| github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= | ||||
| github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= | ||||
| github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= | ||||
| github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= | ||||
| github.com/extism/go-sdk v1.7.0 h1:yHbSa2JbcF60kjGsYiGEOcClfbknqCJchyh9TRibFWo= | ||||
| github.com/extism/go-sdk v1.7.0/go.mod h1:Dhuc1qcD0aqjdqJ3ZDyGdkZPEj/EHKVjbE4P+1XRMqc= | ||||
| github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= | ||||
| github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= | ||||
| github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= | ||||
| github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= | ||||
| github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= | ||||
| github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= | ||||
| github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= | ||||
| github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= | ||||
| github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= | ||||
| github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= | ||||
| github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= | ||||
| github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= | ||||
| github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= | ||||
| github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= | ||||
| @@ -36,43 +50,50 @@ github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF | ||||
| github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= | ||||
| github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= | ||||
| github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= | ||||
| github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= | ||||
| github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= | ||||
| github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= | ||||
| github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= | ||||
| github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= | ||||
| github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= | ||||
| github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= | ||||
| github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= | ||||
| github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= | ||||
| github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= | ||||
| github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= | ||||
| github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= | ||||
| github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= | ||||
| github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= | ||||
| github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= | ||||
| github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= | ||||
| github.com/google/cel-go v0.23.2 h1:UdEe3CvQh3Nv+E/j9r1Y//WO0K0cSyD7/y0bzyLIMI4= | ||||
| github.com/google/cel-go v0.23.2/go.mod h1:52Pb6QsDbC5kvgxvZhiL9QX1oZEkcUF/ZqaPx1J5Wwo= | ||||
| github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= | ||||
| github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= | ||||
| github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= | ||||
| github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= | ||||
| github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= | ||||
| github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= | ||||
| github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= | ||||
| github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= | ||||
| github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= | ||||
| github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= | ||||
| github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= | ||||
| github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= | ||||
| github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= | ||||
| github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= | ||||
| github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= | ||||
| github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | ||||
| github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= | ||||
| github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5Ka2vwTzhoePEXsGE= | ||||
| github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI= | ||||
| github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca h1:T54Ema1DU8ngI+aef9ZhAhNGQhcRTrWxVeG07F+c/Rw= | ||||
| github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= | ||||
| github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= | ||||
| github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= | ||||
| github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= | ||||
| github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= | ||||
| github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= | ||||
| github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= | ||||
| github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= | ||||
| github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= | ||||
| github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= | ||||
| github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= | ||||
| github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= | ||||
| github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= | ||||
| github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= | ||||
| github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= | ||||
| github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= | ||||
| github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= | ||||
| github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= | ||||
| github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= | ||||
| github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= | ||||
| github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= | ||||
| github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= | ||||
| @@ -82,33 +103,43 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G | ||||
| github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= | ||||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= | ||||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= | ||||
| github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= | ||||
| github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= | ||||
| github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= | ||||
| github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= | ||||
| github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg= | ||||
| github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= | ||||
| github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw= | ||||
| github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= | ||||
| github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= | ||||
| github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= | ||||
| github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= | ||||
| github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | ||||
| github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= | ||||
| github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||||
| github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU= | ||||
| github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k= | ||||
| github.com/prometheus/client_model v0.6.0 h1:k1v3CzpSRUTrKMppY35TLwPvxHqBu0bYgxZzqGIgaos= | ||||
| github.com/prometheus/client_model v0.6.0/go.mod h1:NTQHnmxFpouOD0DpvP4XujX3CdOAGQPoaGhyTchlyt8= | ||||
| github.com/prometheus/common v0.51.1 h1:eIjN50Bwglz6a/c3hAgSMcofL3nD+nFQkV6Dd4DsQCw= | ||||
| github.com/prometheus/common v0.51.1/go.mod h1:lrWtQx+iDfn2mbH5GUzlH9TSHyfZpHkSiG1W7y3sF2Q= | ||||
| github.com/prometheus/procfs v0.13.0 h1:GqzLlQyfsPbaEHaQkO7tbDlriv/4o5Hudv6OXHGKX7o= | ||||
| github.com/prometheus/procfs v0.13.0/go.mod h1:cd4PFCR54QLnGKPaKGA6l+cfuNXtht43ZKY6tow0Y1g= | ||||
| github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= | ||||
| github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= | ||||
| github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= | ||||
| github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||||
| github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= | ||||
| github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= | ||||
| github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= | ||||
| github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= | ||||
| github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io= | ||||
| github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I= | ||||
| github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= | ||||
| github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= | ||||
| github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= | ||||
| github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= | ||||
| github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= | ||||
| github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= | ||||
| github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= | ||||
| github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= | ||||
| github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= | ||||
| github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= | ||||
| github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= | ||||
| github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= | ||||
| github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= | ||||
| github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= | ||||
| github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= | ||||
| github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= | ||||
| github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= | ||||
| github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= | ||||
| github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= | ||||
| github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= | ||||
| github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= | ||||
| github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= | ||||
| github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= | ||||
| github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 h1:ZF+QBjOI+tILZjBaFj3HgFonKXUcwgJ4djLb6i42S3Q= | ||||
| @@ -119,10 +150,28 @@ github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaO | ||||
| github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= | ||||
| github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg= | ||||
| github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= | ||||
| github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= | ||||
| github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= | ||||
| github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= | ||||
| github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= | ||||
| go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= | ||||
| go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= | ||||
| go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= | ||||
| go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= | ||||
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU= | ||||
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q= | ||||
| go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw= | ||||
| go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I= | ||||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA= | ||||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI= | ||||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 h1:5pojmb1U1AogINhN3SurB+zm/nIcusopeBNp42f45QM= | ||||
| go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA= | ||||
| go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ= | ||||
| go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M= | ||||
| go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM= | ||||
| go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM= | ||||
| go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s= | ||||
| go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= | ||||
| go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg= | ||||
| go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY= | ||||
| go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= | ||||
| go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= | ||||
| go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= | ||||
| @@ -134,8 +183,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= | ||||
| golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= | ||||
| golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= | ||||
| golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= | ||||
| golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81 h1:6R2FC06FonbXQ8pK11/PDFY6N6LWlf9KlzibaCapmqc= | ||||
| golang.org/x/exp v0.0.0-20240318143956-a85f2c67cd81/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ= | ||||
| golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= | ||||
| golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= | ||||
| golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= | ||||
| golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= | ||||
| golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= | ||||
| @@ -149,9 +198,10 @@ golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKl | ||||
| golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||
| golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||
| golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||
| golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8= | ||||
| golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= | ||||
| golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||||
| golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||||
| golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||||
| golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||||
| golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= | ||||
| golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= | ||||
| @@ -161,8 +211,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | ||||
| golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= | ||||
| golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= | ||||
| golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= | ||||
| golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= | ||||
| golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= | ||||
| golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= | ||||
| golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= | ||||
| golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= | ||||
| golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= | ||||
| golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= | ||||
| @@ -175,42 +225,54 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T | ||||
| golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= | ||||
| gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= | ||||
| gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= | ||||
| google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= | ||||
| google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= | ||||
| google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q= | ||||
| google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08= | ||||
| google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= | ||||
| google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= | ||||
| google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= | ||||
| google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= | ||||
| google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= | ||||
| google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= | ||||
| gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||||
| gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= | ||||
| gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= | ||||
| gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= | ||||
| gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= | ||||
| gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= | ||||
| gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= | ||||
| gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= | ||||
| gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= | ||||
| gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= | ||||
| gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | ||||
| gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= | ||||
| gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | ||||
| k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw= | ||||
| k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80= | ||||
| k8s.io/apiextensions-apiserver v0.29.3 h1:9HF+EtZaVpFjStakF4yVufnXGPRppWFEQ87qnO91YeI= | ||||
| k8s.io/apiextensions-apiserver v0.29.3/go.mod h1:po0XiY5scnpJfFizNGo6puNU6Fq6D70UJY2Cb2KwAVc= | ||||
| k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU= | ||||
| k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU= | ||||
| k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg= | ||||
| k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0= | ||||
| k8s.io/component-base v0.29.3 h1:Oq9/nddUxlnrCuuR2K/jp6aflVvc0uDvxMzAWxnGzAo= | ||||
| k8s.io/component-base v0.29.3/go.mod h1:Yuj33XXjuOk2BAaHsIGHhCKZQAgYKhqIxIjIr2UXYio= | ||||
| k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= | ||||
| k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= | ||||
| k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 h1:qVoMaQV5t62UUvHe16Q3eb2c5HPzLHYzsi0Tu/xLndo= | ||||
| k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= | ||||
| k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU= | ||||
| k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM= | ||||
| k8s.io/apiextensions-apiserver v0.33.0 h1:d2qpYL7Mngbsc1taA4IjJPRJ9ilnsXIrndH+r9IimOs= | ||||
| k8s.io/apiextensions-apiserver v0.33.0/go.mod h1:VeJ8u9dEEN+tbETo+lFkwaaZPg6uFKLGj5vyNEwwSzc= | ||||
| k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ= | ||||
| k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= | ||||
| k8s.io/apiserver v0.33.0 h1:QqcM6c+qEEjkOODHppFXRiw/cE2zP85704YrQ9YaBbc= | ||||
| k8s.io/apiserver v0.33.0/go.mod h1:EixYOit0YTxt8zrO2kBU7ixAtxFce9gKGq367nFmqI8= | ||||
| k8s.io/client-go v0.33.0 h1:UASR0sAYVUzs2kYuKn/ZakZlcs2bEHaizrrHUZg0G98= | ||||
| k8s.io/client-go v0.33.0/go.mod h1:kGkd+l/gNGg8GYWAPr0xF1rRKvVWvzh9vmZAMXtaKOg= | ||||
| k8s.io/component-base v0.33.0 h1:Ot4PyJI+0JAD9covDhwLp9UNkUja209OzsJ4FzScBNk= | ||||
| k8s.io/component-base v0.33.0/go.mod h1:aXYZLbw3kihdkOPMDhWbjGCO6sg+luw554KP51t8qCU= | ||||
| k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= | ||||
| k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= | ||||
| k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= | ||||
| k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= | ||||
| k8s.io/kubectl v0.29.0 h1:Oqi48gXjikDhrBF67AYuZRTcJV4lg2l42GmvsP7FmYI= | ||||
| k8s.io/kubectl v0.29.0/go.mod h1:0jMjGWIcMIQzmUaMgAzhSELv5WtHo2a8pq67DtviAJs= | ||||
| k8s.io/utils v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY= | ||||
| k8s.io/utils v0.0.0-20240310230437-4693a0247e57/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= | ||||
| sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0= | ||||
| sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= | ||||
| sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= | ||||
| sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= | ||||
| sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= | ||||
| sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= | ||||
| k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= | ||||
| k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= | ||||
| sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2 h1:jpcvIRr3GLoUoEKRkHKSmGjxb6lWwrBlJsXc+eUYQHM= | ||||
| sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.2/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= | ||||
| sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= | ||||
| sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= | ||||
| sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= | ||||
| sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= | ||||
| sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= | ||||
| sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= | ||||
| sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= | ||||
| sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= | ||||
| sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= | ||||
| sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= | ||||
| sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= | ||||
|   | ||||
| @@ -92,11 +92,11 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request) | ||||
| 	} | ||||
|  | ||||
| 	// If the deployment is not being deleted | ||||
| 	if deployment.ObjectMeta.DeletionTimestamp.IsZero() { | ||||
| 	if deployment.DeletionTimestamp.IsZero() { | ||||
| 		// Adds a finalizer to the deployment if one does not exist. | ||||
| 		// This is so we can handle cleanup of associated secrets properly | ||||
| 		if !utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) { | ||||
| 			deployment.ObjectMeta.Finalizers = append(deployment.ObjectMeta.Finalizers, finalizer) | ||||
| 		if !utils.ContainsString(deployment.Finalizers, finalizer) { | ||||
| 			deployment.Finalizers = append(deployment.Finalizers, finalizer) | ||||
| 			if err = r.Update(ctx, deployment); err != nil { | ||||
| 				return reconcile.Result{}, err | ||||
| 			} | ||||
| @@ -114,7 +114,7 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request) | ||||
| 	} | ||||
| 	// The deployment has been marked for deletion. If the one password | ||||
| 	// finalizer is found there are cleanup tasks to perform | ||||
| 	if utils.ContainsString(deployment.ObjectMeta.Finalizers, finalizer) { | ||||
| 	if utils.ContainsString(deployment.Finalizers, finalizer) { | ||||
|  | ||||
| 		secretName := annotations[op.NameAnnotation] | ||||
| 		if err = r.cleanupKubernetesSecretForDeployment(ctx, secretName, deployment); err != nil { | ||||
| @@ -133,13 +133,14 @@ func (r *DeploymentReconciler) Reconcile(ctx context.Context, req ctrl.Request) | ||||
| func (r *DeploymentReconciler) SetupWithManager(mgr ctrl.Manager) error { | ||||
| 	return ctrl.NewControllerManagedBy(mgr). | ||||
| 		For(&appsv1.Deployment{}). | ||||
| 		Named("onepassword-deployment"). | ||||
| 		Complete(r) | ||||
| } | ||||
|  | ||||
| func (r *DeploymentReconciler) cleanupKubernetesSecretForDeployment(ctx context.Context, secretName string, deletedDeployment *appsv1.Deployment) error { | ||||
| 	kubernetesSecret := &corev1.Secret{} | ||||
| 	kubernetesSecret.ObjectMeta.Name = secretName | ||||
| 	kubernetesSecret.ObjectMeta.Namespace = deletedDeployment.Namespace | ||||
| 	kubernetesSecret.Name = secretName | ||||
| 	kubernetesSecret.Namespace = deletedDeployment.Namespace | ||||
|  | ||||
| 	if len(secretName) == 0 { | ||||
| 		return nil | ||||
| @@ -185,7 +186,7 @@ func (r *DeploymentReconciler) areMultipleDeploymentsUsingSecret(ctx context.Con | ||||
| } | ||||
|  | ||||
| func (r *DeploymentReconciler) removeOnePasswordFinalizerFromDeployment(ctx context.Context, deployment *appsv1.Deployment) error { | ||||
| 	deployment.ObjectMeta.Finalizers = utils.RemoveString(deployment.ObjectMeta.Finalizers, finalizer) | ||||
| 	deployment.Finalizers = utils.RemoveString(deployment.Finalizers, finalizer) | ||||
| 	return r.Update(ctx, deployment) | ||||
| } | ||||
|  | ||||
|   | ||||
| @@ -82,10 +82,7 @@ var _ = Describe("Deployment controller", func() { | ||||
| 		time.Sleep(time.Millisecond * 100) | ||||
| 		Eventually(func() bool { | ||||
| 			err := k8sClient.Get(ctx, secretKey, createdSecret) | ||||
| 			if err != nil { | ||||
| 				return false | ||||
| 			} | ||||
| 			return true | ||||
| 			return err == nil | ||||
| 		}, timeout, interval).Should(BeTrue()) | ||||
| 		Expect(createdSecret.Data).Should(Equal(item1.SecretData)) | ||||
| 	} | ||||
| @@ -190,10 +187,7 @@ var _ = Describe("Deployment controller", func() { | ||||
| 			updatedSecret := &v1.Secret{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, secretKey, updatedSecret) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
| 			Expect(updatedSecret.Data).Should(Equal(item2.SecretData)) | ||||
| 		}) | ||||
| @@ -247,10 +241,7 @@ var _ = Describe("Deployment controller", func() { | ||||
| 			updatedSecret := &v1.Secret{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, secretKey, updatedSecret) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
| 			Expect(updatedSecret.Data).Should(Equal(item1.SecretData)) | ||||
| 		}) | ||||
|   | ||||
| @@ -93,11 +93,11 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ | ||||
| 	} | ||||
|  | ||||
| 	// If the deployment is not being deleted | ||||
| 	if onepassworditem.ObjectMeta.DeletionTimestamp.IsZero() { | ||||
| 	if onepassworditem.DeletionTimestamp.IsZero() { | ||||
| 		// Adds a finalizer to the deployment if one does not exist. | ||||
| 		// This is so we can handle cleanup of associated secrets properly | ||||
| 		if !utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) { | ||||
| 			onepassworditem.ObjectMeta.Finalizers = append(onepassworditem.ObjectMeta.Finalizers, finalizer) | ||||
| 		if !utils.ContainsString(onepassworditem.Finalizers, finalizer) { | ||||
| 			onepassworditem.Finalizers = append(onepassworditem.Finalizers, finalizer) | ||||
| 			if err = r.Update(ctx, onepassworditem); err != nil { | ||||
| 				return ctrl.Result{}, err | ||||
| 			} | ||||
| @@ -117,7 +117,7 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ | ||||
| 		return ctrl.Result{}, err | ||||
| 	} | ||||
| 	// If one password finalizer exists then we must cleanup associated secrets | ||||
| 	if utils.ContainsString(onepassworditem.ObjectMeta.Finalizers, finalizer) { | ||||
| 	if utils.ContainsString(onepassworditem.Finalizers, finalizer) { | ||||
|  | ||||
| 		// Delete associated kubernetes secret | ||||
| 		if err = r.cleanupKubernetesSecret(ctx, onepassworditem); err != nil { | ||||
| @@ -125,7 +125,7 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ | ||||
| 		} | ||||
|  | ||||
| 		// Remove finalizer now that cleanup is complete | ||||
| 		if err = r.removeFinalizer(ctx, onepassworditem); err != nil { | ||||
| 		if err = r.removeOnePasswordFinalizerFromOnePasswordItem(ctx, onepassworditem); err != nil { | ||||
| 			return ctrl.Result{}, err | ||||
| 		} | ||||
| 	} | ||||
| @@ -136,21 +136,14 @@ func (r *OnePasswordItemReconciler) Reconcile(ctx context.Context, req ctrl.Requ | ||||
| func (r *OnePasswordItemReconciler) SetupWithManager(mgr ctrl.Manager) error { | ||||
| 	return ctrl.NewControllerManagedBy(mgr). | ||||
| 		For(&onepasswordv1.OnePasswordItem{}). | ||||
| 		Named("onepassworditem"). | ||||
| 		Complete(r) | ||||
| } | ||||
|  | ||||
| func (r *OnePasswordItemReconciler) removeFinalizer(ctx context.Context, onePasswordItem *onepasswordv1.OnePasswordItem) error { | ||||
| 	onePasswordItem.ObjectMeta.Finalizers = utils.RemoveString(onePasswordItem.ObjectMeta.Finalizers, finalizer) | ||||
| 	if err := r.Update(ctx, onePasswordItem); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| func (r *OnePasswordItemReconciler) cleanupKubernetesSecret(ctx context.Context, onePasswordItem *onepasswordv1.OnePasswordItem) error { | ||||
| 	kubernetesSecret := &corev1.Secret{} | ||||
| 	kubernetesSecret.ObjectMeta.Name = onePasswordItem.Name | ||||
| 	kubernetesSecret.ObjectMeta.Namespace = onePasswordItem.Namespace | ||||
| 	kubernetesSecret.Name = onePasswordItem.Name | ||||
| 	kubernetesSecret.Namespace = onePasswordItem.Namespace | ||||
|  | ||||
| 	if err := r.Delete(ctx, kubernetesSecret); err != nil { | ||||
| 		if !errors.IsNotFound(err) { | ||||
| @@ -160,12 +153,12 @@ func (r *OnePasswordItemReconciler) cleanupKubernetesSecret(ctx context.Context, | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| func (r *OnePasswordItemReconciler) removeOnePasswordFinalizerFromOnePasswordItem(ctx context.Context, opSecret *onepasswordv1.OnePasswordItem) error { | ||||
| 	opSecret.ObjectMeta.Finalizers = utils.RemoveString(opSecret.ObjectMeta.Finalizers, finalizer) | ||||
| 	return r.Update(ctx, opSecret) | ||||
| func (r *OnePasswordItemReconciler) removeOnePasswordFinalizerFromOnePasswordItem(ctx context.Context, onePasswordItem *onepasswordv1.OnePasswordItem) error { | ||||
| 	onePasswordItem.Finalizers = utils.RemoveString(onePasswordItem.Finalizers, finalizer) | ||||
| 	return r.Update(ctx, onePasswordItem) | ||||
| } | ||||
|  | ||||
| func (r *OnePasswordItemReconciler) handleOnePasswordItem(ctx context.Context, resource *onepasswordv1.OnePasswordItem, req ctrl.Request) error { | ||||
| func (r *OnePasswordItemReconciler) handleOnePasswordItem(ctx context.Context, resource *onepasswordv1.OnePasswordItem, _ ctrl.Request) error { | ||||
| 	secretName := resource.GetName() | ||||
| 	labels := resource.Labels | ||||
| 	secretType := resource.Type | ||||
|   | ||||
| @@ -3,6 +3,7 @@ package controller | ||||
| import ( | ||||
| 	"context" | ||||
| 	"fmt" | ||||
|  | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	. "github.com/onsi/gomega" | ||||
|  | ||||
| @@ -60,20 +61,14 @@ var _ = Describe("OnePasswordItem controller", func() { | ||||
| 			created := &onepasswordv1.OnePasswordItem{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, key, created) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
|  | ||||
| 			By("Creating the K8s secret successfully") | ||||
| 			createdSecret := &v1.Secret{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, key, createdSecret) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
| 			Expect(createdSecret.Data).Should(Equal(item1.SecretData)) | ||||
|  | ||||
| @@ -101,10 +96,7 @@ var _ = Describe("OnePasswordItem controller", func() { | ||||
| 			updatedSecret := &v1.Secret{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, key, updatedSecret) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
| 			Expect(updatedSecret.Data).Should(Equal(newDataByte)) | ||||
|  | ||||
| @@ -175,20 +167,14 @@ var _ = Describe("OnePasswordItem controller", func() { | ||||
| 			created := &onepasswordv1.OnePasswordItem{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, key, created) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
|  | ||||
| 			By("Creating the K8s secret successfully") | ||||
| 			createdSecret := &v1.Secret{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, key, createdSecret) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
| 			Expect(createdSecret.Data).Should(Equal(expectedData)) | ||||
|  | ||||
| @@ -297,10 +283,7 @@ var _ = Describe("OnePasswordItem controller", func() { | ||||
| 			secret := &v1.Secret{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, key, secret) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
| 			Expect(secret.Type).Should(Equal(v1.SecretType(customType))) | ||||
| 		}) | ||||
| @@ -344,10 +327,7 @@ var _ = Describe("OnePasswordItem controller", func() { | ||||
| 			createdSecret := &v1.Secret{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, key, createdSecret) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
|  | ||||
| 			Expect(createdSecret.Data).Should(HaveKeyWithValue("server.crt", fileContent)) | ||||
| @@ -381,20 +361,14 @@ var _ = Describe("OnePasswordItem controller", func() { | ||||
| 			secret := &v1.Secret{} | ||||
| 			Eventually(func() bool { | ||||
| 				err := k8sClient.Get(ctx, key, secret) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeTrue()) | ||||
|  | ||||
| 			By("Failing to update K8s secret") | ||||
| 			Eventually(func() bool { | ||||
| 				secret.Type = v1.SecretTypeBasicAuth | ||||
| 				err := k8sClient.Update(ctx, secret) | ||||
| 				if err != nil { | ||||
| 					return false | ||||
| 				} | ||||
| 				return true | ||||
| 				return err == nil | ||||
| 			}, timeout, interval).Should(BeFalse()) | ||||
| 		}) | ||||
|  | ||||
|   | ||||
| @@ -26,6 +26,7 @@ package controller | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	"os" | ||||
| 	"path/filepath" | ||||
| 	"regexp" | ||||
| 	"testing" | ||||
| @@ -155,6 +156,11 @@ var _ = BeforeSuite(func() { | ||||
| 		ErrorIfCRDPathMissing: true, | ||||
| 	} | ||||
|  | ||||
| 	// Retrieve the first found binary directory to allow running tests from IDEs | ||||
| 	if getFirstFoundEnvTestBinaryDir() != "" { | ||||
| 		testEnv.BinaryAssetsDirectory = getFirstFoundEnvTestBinaryDir() | ||||
| 	} | ||||
|  | ||||
| 	var err error | ||||
| 	// cfg is defined in this file globally. | ||||
| 	cfg, err = testEnv.Start() | ||||
| @@ -210,3 +216,26 @@ var _ = AfterSuite(func() { | ||||
| 	err := testEnv.Stop() | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
| }) | ||||
|  | ||||
| // getFirstFoundEnvTestBinaryDir locates the first binary in the specified path. | ||||
| // ENVTEST-based tests depend on specific binaries, usually located in paths set by | ||||
| // controller-runtime. When running tests directly (e.g., via an IDE) without using | ||||
| // Makefile targets, the 'BinaryAssetsDirectory' must be explicitly configured. | ||||
| // | ||||
| // This function streamlines the process by finding the required binaries, similar to | ||||
| // setting the 'KUBEBUILDER_ASSETS' environment variable. To ensure the binaries are | ||||
| // properly set up, run 'make setup-envtest' beforehand. | ||||
| func getFirstFoundEnvTestBinaryDir() string { | ||||
| 	basePath := filepath.Join("..", "..", "bin", "k8s") | ||||
| 	entries, err := os.ReadDir(basePath) | ||||
| 	if err != nil { | ||||
| 		logf.Log.Error(err, "Failed to read directory", "path", basePath) | ||||
| 		return "" | ||||
| 	} | ||||
| 	for _, entry := range entries { | ||||
| 		if entry.IsDir() { | ||||
| 			return filepath.Join(basePath, entry.Name()) | ||||
| 		} | ||||
| 	} | ||||
| 	return "" | ||||
| } | ||||
|   | ||||
| @@ -2,7 +2,7 @@ package kubernetessecrets | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	errs "errors" | ||||
| 	"errors" | ||||
| 	"fmt" | ||||
| 	"reflect" | ||||
| 	"regexp" | ||||
| @@ -11,7 +11,7 @@ import ( | ||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||
| 	"github.com/1Password/onepassword-operator/pkg/utils" | ||||
| 	corev1 "k8s.io/api/core/v1" | ||||
| 	"k8s.io/apimachinery/pkg/api/errors" | ||||
| 	apierrors "k8s.io/apimachinery/pkg/api/errors" | ||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||
| 	"k8s.io/apimachinery/pkg/types" | ||||
| 	kubeValidate "k8s.io/apimachinery/pkg/util/validation" | ||||
| @@ -26,11 +26,20 @@ const VersionAnnotation = OnepasswordPrefix + "/item-version" | ||||
| const ItemPathAnnotation = OnepasswordPrefix + "/item-path" | ||||
| const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart" | ||||
|  | ||||
| var ErrCannotUpdateSecretType = errs.New("Cannot change secret type. Secret type is immutable") | ||||
| var ErrCannotUpdateSecretType = errors.New("cannot change secret type: secret type is immutable") | ||||
|  | ||||
| var log = logf.Log | ||||
|  | ||||
| func CreateKubernetesSecretFromItem(ctx context.Context, kubeClient kubernetesClient.Client, secretName, namespace string, item *model.Item, autoRestart string, labels map[string]string, secretType string, ownerRef *metav1.OwnerReference) error { | ||||
| func CreateKubernetesSecretFromItem( | ||||
| 	ctx context.Context, | ||||
| 	kubeClient kubernetesClient.Client, | ||||
| 	secretName, namespace string, | ||||
| 	item *model.Item, | ||||
| 	autoRestart string, | ||||
| 	labels map[string]string, | ||||
| 	secretType string, | ||||
| 	ownerRef *metav1.OwnerReference, | ||||
| ) error { | ||||
| 	itemVersion := fmt.Sprint(item.Version) | ||||
| 	secretAnnotations := map[string]string{ | ||||
| 		VersionAnnotation:  itemVersion, | ||||
| @@ -40,17 +49,20 @@ func CreateKubernetesSecretFromItem(ctx context.Context, kubeClient kubernetesCl | ||||
| 	if autoRestart != "" { | ||||
| 		_, err := utils.StringToBool(autoRestart) | ||||
| 		if err != nil { | ||||
| 			return fmt.Errorf("Error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secretName) | ||||
| 			return fmt.Errorf("error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false", | ||||
| 				RestartDeploymentsAnnotation, secretName, | ||||
| 			) | ||||
| 		} | ||||
| 		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart | ||||
| 	} | ||||
|  | ||||
| 	// "Opaque" and "" secret types are treated the same by Kubernetes. | ||||
| 	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, secretType, *item, ownerRef) | ||||
| 	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, | ||||
| 		secretType, *item, ownerRef) | ||||
|  | ||||
| 	currentSecret := &corev1.Secret{} | ||||
| 	err := kubeClient.Get(ctx, types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret) | ||||
| 	if err != nil && errors.IsNotFound(err) { | ||||
| 	if err != nil && apierrors.IsNotFound(err) { | ||||
| 		log.Info(fmt.Sprintf("Creating Secret %v at namespace '%v'", secret.Name, secret.Namespace)) | ||||
| 		return kubeClient.Create(ctx, secret) | ||||
| 	} else if err != nil { | ||||
| @@ -75,20 +87,29 @@ func CreateKubernetesSecretFromItem(ctx context.Context, kubeClient kubernetesCl | ||||
| 	currentLabels := currentSecret.Labels | ||||
| 	if !reflect.DeepEqual(currentAnnotations, secretAnnotations) || !reflect.DeepEqual(currentLabels, labels) { | ||||
| 		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace)) | ||||
| 		currentSecret.ObjectMeta.Annotations = secretAnnotations | ||||
| 		currentSecret.ObjectMeta.Labels = labels | ||||
| 		currentSecret.Annotations = secretAnnotations | ||||
| 		currentSecret.Labels = labels | ||||
| 		currentSecret.Data = secret.Data | ||||
| 		if err := kubeClient.Update(ctx, currentSecret); err != nil { | ||||
| 			return fmt.Errorf("Kubernetes secret update failed: %w", err) | ||||
| 			return fmt.Errorf("kubernetes secret update failed: %w", err) | ||||
| 		} | ||||
| 		return nil | ||||
| 	} | ||||
|  | ||||
| 	log.Info(fmt.Sprintf("Secret with name %v and version %v already exists", secret.Name, secret.Annotations[VersionAnnotation])) | ||||
| 	log.Info(fmt.Sprintf("Secret with name %v and version %v already exists", | ||||
| 		secret.Name, secret.Annotations[VersionAnnotation], | ||||
| 	)) | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, secretType string, item model.Item, ownerRef *metav1.OwnerReference) *corev1.Secret { | ||||
| func BuildKubernetesSecretFromOnePasswordItem( | ||||
| 	name, namespace string, | ||||
| 	annotations map[string]string, | ||||
| 	labels map[string]string, | ||||
| 	secretType string, | ||||
| 	item model.Item, | ||||
| 	ownerRef *metav1.OwnerReference, | ||||
| ) *corev1.Secret { | ||||
| 	var ownerRefs []metav1.OwnerReference | ||||
| 	if ownerRef != nil { | ||||
| 		ownerRefs = []metav1.OwnerReference{*ownerRef} | ||||
|   | ||||
| @@ -3,7 +3,6 @@ package kubernetessecrets | ||||
| import ( | ||||
| 	"context" | ||||
| 	"fmt" | ||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||
| 	"strings" | ||||
| 	"testing" | ||||
|  | ||||
| @@ -12,26 +11,34 @@ import ( | ||||
| 	"k8s.io/apimachinery/pkg/types" | ||||
| 	kubeValidate "k8s.io/apimachinery/pkg/util/validation" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/client/fake" | ||||
|  | ||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||
| ) | ||||
|  | ||||
| const restartDeploymentAnnotation = "false" | ||||
| const ( | ||||
| 	restartDeploymentAnnotation = "false" | ||||
| 	testNamespace               = "test" | ||||
| 	testItemUUID                = "h46bb3jddvay7nxopfhvlwg35q" | ||||
| 	testVaultUUID               = "hfnjvi6aymbsnfc2xeeoheizda" | ||||
| ) | ||||
|  | ||||
| func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) { | ||||
| 	ctx := context.Background() | ||||
| 	secretName := "test-secret-name" | ||||
| 	namespace := "test" | ||||
| 	namespace := testNamespace | ||||
|  | ||||
| 	item := model.Item{} | ||||
| 	item.Fields = generateFields(5) | ||||
| 	item.Version = 123 | ||||
| 	item.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | ||||
| 	item.ID = "h46bb3jddvay7nxopfhvlwg35q" | ||||
| 	item.VaultID = testVaultUUID | ||||
| 	item.ID = testItemUUID | ||||
|  | ||||
| 	kubeClient := fake.NewClientBuilder().Build() | ||||
| 	secretLabels := map[string]string{} | ||||
| 	secretType := "" | ||||
|  | ||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, nil) | ||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, | ||||
| 		secretLabels, secretType, nil) | ||||
| 	if err != nil { | ||||
| 		t.Errorf("Unexpected error: %v", err) | ||||
| 	} | ||||
| @@ -48,13 +55,13 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) { | ||||
| func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) { | ||||
| 	ctx := context.Background() | ||||
| 	secretName := "test-secret-name" | ||||
| 	namespace := "test" | ||||
| 	namespace := testNamespace | ||||
|  | ||||
| 	item := model.Item{} | ||||
| 	item.Fields = generateFields(5) | ||||
| 	item.Version = 123 | ||||
| 	item.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | ||||
| 	item.ID = "h46bb3jddvay7nxopfhvlwg35q" | ||||
| 	item.VaultID = testVaultUUID | ||||
| 	item.ID = testItemUUID | ||||
|  | ||||
| 	kubeClient := fake.NewClientBuilder().Build() | ||||
| 	secretLabels := map[string]string{} | ||||
| @@ -66,15 +73,19 @@ func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) { | ||||
| 		Name:       "test-deployment", | ||||
| 		UID:        types.UID("test-uid"), | ||||
| 	} | ||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, ownerRef) | ||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, | ||||
| 		secretLabels, secretType, ownerRef) | ||||
| 	if err != nil { | ||||
| 		t.Errorf("Unexpected error: %v", err) | ||||
| 	} | ||||
| 	createdSecret := &corev1.Secret{} | ||||
| 	err = kubeClient.Get(ctx, types.NamespacedName{Name: secretName, Namespace: namespace}, createdSecret) | ||||
| 	if err != nil { | ||||
| 		t.Errorf("Unexpected error: %v", err) | ||||
| 	} | ||||
|  | ||||
| 	// Check owner references. | ||||
| 	gotOwnerRefs := createdSecret.ObjectMeta.OwnerReferences | ||||
| 	gotOwnerRefs := createdSecret.OwnerReferences | ||||
| 	if len(gotOwnerRefs) != 1 { | ||||
| 		t.Errorf("Expected owner references length: 1 but got: %d", len(gotOwnerRefs)) | ||||
| 	} | ||||
| @@ -94,19 +105,20 @@ func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) { | ||||
| func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) { | ||||
| 	ctx := context.Background() | ||||
| 	secretName := "test-secret-update" | ||||
| 	namespace := "test" | ||||
| 	namespace := testNamespace | ||||
|  | ||||
| 	item := model.Item{} | ||||
| 	item.Fields = generateFields(5) | ||||
| 	item.Version = 123 | ||||
| 	item.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | ||||
| 	item.ID = "h46bb3jddvay7nxopfhvlwg35q" | ||||
| 	item.VaultID = testVaultUUID | ||||
| 	item.ID = testItemUUID | ||||
|  | ||||
| 	kubeClient := fake.NewClientBuilder().Build() | ||||
| 	secretLabels := map[string]string{} | ||||
| 	secretType := "" | ||||
|  | ||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, nil) | ||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, | ||||
| 		secretLabels, secretType, nil) | ||||
|  | ||||
| 	if err != nil { | ||||
| 		t.Errorf("Unexpected error: %v", err) | ||||
| @@ -116,9 +128,10 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) { | ||||
| 	newItem := model.Item{} | ||||
| 	newItem.Fields = generateFields(6) | ||||
| 	newItem.Version = 456 | ||||
| 	newItem.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | ||||
| 	newItem.ID = "h46bb3jddvay7nxopfhvlwg35q" | ||||
| 	err = CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretType, nil) | ||||
| 	newItem.VaultID = testVaultUUID | ||||
| 	newItem.ID = testItemUUID | ||||
| 	err = CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, | ||||
| 		secretLabels, secretType, nil) | ||||
| 	if err != nil { | ||||
| 		t.Errorf("Unexpected error: %v", err) | ||||
| 	} | ||||
| @@ -210,19 +223,20 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) { | ||||
| func TestCreateKubernetesTLSSecretFromOnePasswordItem(t *testing.T) { | ||||
| 	ctx := context.Background() | ||||
| 	secretName := "tls-test-secret-name" | ||||
| 	namespace := "test" | ||||
| 	namespace := testNamespace | ||||
|  | ||||
| 	item := model.Item{} | ||||
| 	item.Fields = generateFields(5) | ||||
| 	item.Version = 123 | ||||
| 	item.VaultID = "hfnjvi6aymbsnfc2xeeoheizda" | ||||
| 	item.ID = "h46bb3jddvay7nxopfhvlwg35q" | ||||
| 	item.VaultID = testVaultUUID | ||||
| 	item.ID = testItemUUID | ||||
|  | ||||
| 	kubeClient := fake.NewClientBuilder().Build() | ||||
| 	secretLabels := map[string]string{} | ||||
| 	secretType := "kubernetes.io/tls" | ||||
|  | ||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretType, nil) | ||||
| 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, | ||||
| 		secretLabels, secretType, nil) | ||||
| 	if err != nil { | ||||
| 		t.Errorf("Unexpected error: %v", err) | ||||
| 	} | ||||
| @@ -254,7 +268,9 @@ func compareAnnotationsToItem(annotations map[string]string, item model.Item, t | ||||
| 	} | ||||
|  | ||||
| 	if annotations[RestartDeploymentsAnnotation] != "false" { | ||||
| 		t.Errorf("Expected restart deployments annotation to be %v but was %v", restartDeploymentAnnotation, RestartDeploymentsAnnotation) | ||||
| 		t.Errorf("Expected restart deployments annotation to be %v but was %v", | ||||
| 			restartDeploymentAnnotation, RestartDeploymentsAnnotation, | ||||
| 		) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| @@ -286,7 +302,10 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) { | ||||
| 	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" { | ||||
| 		return splitPath[1], splitPath[3], nil | ||||
| 	} | ||||
| 	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path) | ||||
| 	return "", "", fmt.Errorf( | ||||
| 		"%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", | ||||
| 		path, | ||||
| 	) | ||||
| } | ||||
|  | ||||
| func validLabel(v string) bool { | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| package logs | ||||
|  | ||||
| // A Level is a logging priority. Lower levels are more important. | ||||
| // All levels have been multipled by -1 to ensure compatibilty | ||||
| // All levels have been multiplied by -1 to ensure compatibility | ||||
| // between zapcore and logr | ||||
| const ( | ||||
| 	ErrorLevel = -2 | ||||
|   | ||||
| @@ -2,6 +2,7 @@ package mocks | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
|  | ||||
| 	"github.com/stretchr/testify/mock" | ||||
|  | ||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||
|   | ||||
| @@ -45,13 +45,14 @@ func FilterAnnotations(annotations map[string]string, regex *regexp.Regexp) map[ | ||||
|  | ||||
| func AreAnnotationsUsingSecrets(annotations map[string]string, secrets map[string]*corev1.Secret) bool { | ||||
| 	_, ok := secrets[annotations[NameAnnotation]] | ||||
| 	if ok { | ||||
| 		return true | ||||
| 	} | ||||
| 	return false | ||||
| 	return ok | ||||
| } | ||||
|  | ||||
| func AppendAnnotationUpdatedSecret(annotations map[string]string, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret { | ||||
| func AppendAnnotationUpdatedSecret( | ||||
| 	annotations map[string]string, | ||||
| 	secrets map[string]*corev1.Secret, | ||||
| 	updatedDeploymentSecrets map[string]*corev1.Secret, | ||||
| ) map[string]*corev1.Secret { | ||||
| 	secret, ok := secrets[annotations[NameAnnotation]] | ||||
| 	if ok { | ||||
| 		updatedDeploymentSecrets[secret.Name] = secret | ||||
|   | ||||
| @@ -80,7 +80,7 @@ func TestGetNoAnnotationsForDeployment(t *testing.T) { | ||||
| 	} | ||||
|  | ||||
| 	numAnnotations := len(filteredAnnotations) | ||||
| 	if 0 != numAnnotations { | ||||
| 	if numAnnotations != 0 { | ||||
| 		t.Errorf("Expected %v annotations got %v", 0, numAnnotations) | ||||
| 	} | ||||
| } | ||||
|   | ||||
| @@ -58,7 +58,8 @@ func (c *Connect) GetItemsByTitle(ctx context.Context, vaultID, itemTitle string | ||||
| } | ||||
|  | ||||
| // GetFileContent retrieves the content of a file from a 1Password item. | ||||
| // As the Connect has a delay when synchronizing files and returns a 500 error in this case, this function implements a retry mechanism. | ||||
| // As the Connect has a delay when synchronizing files and returns a 500 error in this case, | ||||
| // this function implements a retry mechanism. | ||||
| func (c *Connect) GetFileContent(ctx context.Context, vaultID, itemID, fileID string) ([]byte, error) { | ||||
| 	const maxRetries = 5 | ||||
| 	const delay = 1 * time.Second | ||||
|   | ||||
| @@ -1,7 +1,6 @@ | ||||
| package testing | ||||
|  | ||||
| import ( | ||||
| 	sdk "github.com/1password/onepassword-sdk-go" | ||||
| 	"testing" | ||||
| 	"time" | ||||
|  | ||||
| @@ -9,6 +8,7 @@ import ( | ||||
|  | ||||
| 	"github.com/1Password/connect-sdk-go/onepassword" | ||||
| 	"github.com/1Password/onepassword-operator/pkg/onepassword/model" | ||||
| 	sdk "github.com/1password/onepassword-sdk-go" | ||||
| ) | ||||
|  | ||||
| func CreateConnectItem() *onepassword.Item { | ||||
|   | ||||
| @@ -104,7 +104,11 @@ func (c *ConnectClientMock) GetFileContent(file *onepassword.File) ([]byte, erro | ||||
| 	return args.Get(0).([]byte), args.Error(1) | ||||
| } | ||||
|  | ||||
| func (c *ConnectClientMock) DownloadFile(file *onepassword.File, targetDirectory string, overwrite bool) (string, error) { | ||||
| func (c *ConnectClientMock) DownloadFile( | ||||
| 	file *onepassword.File, | ||||
| 	targetDirectory string, | ||||
| 	overwrite bool, | ||||
| ) (string, error) { | ||||
| 	// Only implement this if mocking is needed | ||||
| 	panic("implement me") | ||||
| } | ||||
|   | ||||
| @@ -47,7 +47,11 @@ func (i *ItemAPIMock) Archive(ctx context.Context, vaultID string, itemID string | ||||
| 	panic("implement me") | ||||
| } | ||||
|  | ||||
| func (i *ItemAPIMock) List(ctx context.Context, vaultID string, filters ...sdk.ItemListFilter) ([]sdk.ItemOverview, error) { | ||||
| func (i *ItemAPIMock) List( | ||||
| 	ctx context.Context, | ||||
| 	vaultID string, | ||||
| 	filters ...sdk.ItemListFilter, | ||||
| ) ([]sdk.ItemOverview, error) { | ||||
| 	args := i.Called(ctx, vaultID, filters) | ||||
| 	return args.Get(0).([]sdk.ItemOverview), args.Error(1) | ||||
| } | ||||
| @@ -75,7 +79,11 @@ func (f *FileAPIMock) Delete(ctx context.Context, item sdk.Item, sectionID strin | ||||
| 	panic("implement me") | ||||
| } | ||||
|  | ||||
| func (f *FileAPIMock) ReplaceDocument(ctx context.Context, item sdk.Item, docParams sdk.DocumentCreateParams) (sdk.Item, error) { | ||||
| func (f *FileAPIMock) ReplaceDocument( | ||||
| 	ctx context.Context, | ||||
| 	item sdk.Item, | ||||
| 	docParams sdk.DocumentCreateParams, | ||||
| ) (sdk.Item, error) { | ||||
| 	// TODO implement me | ||||
| 	panic("implement me") | ||||
| } | ||||
|   | ||||
| @@ -32,11 +32,19 @@ func SetupConnect(ctx context.Context, kubeClient client.Client, deploymentNames | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| func setupDeployment(ctx context.Context, kubeClient client.Client, deploymentPath string, deploymentNamespace string) error { | ||||
| func setupDeployment( | ||||
| 	ctx context.Context, | ||||
| 	kubeClient client.Client, | ||||
| 	deploymentPath string, | ||||
| 	deploymentNamespace string, | ||||
| ) error { | ||||
| 	existingDeployment := &appsv1.Deployment{} | ||||
|  | ||||
| 	// check if deployment has already been created | ||||
| 	err := kubeClient.Get(ctx, types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingDeployment) | ||||
| 	err := kubeClient.Get(ctx, types.NamespacedName{ | ||||
| 		Name:      "onepassword-connect", | ||||
| 		Namespace: deploymentNamespace, | ||||
| 	}, existingDeployment) | ||||
| 	if err != nil { | ||||
| 		if errors.IsNotFound(err) { | ||||
| 			logConnectSetup.Info("No existing Connect deployment found. Creating Deployment") | ||||
| @@ -46,7 +54,12 @@ func setupDeployment(ctx context.Context, kubeClient client.Client, deploymentPa | ||||
| 	return err | ||||
| } | ||||
|  | ||||
| func createDeployment(ctx context.Context, kubeClient client.Client, deploymentPath string, deploymentNamespace string) error { | ||||
| func createDeployment( | ||||
| 	ctx context.Context, | ||||
| 	kubeClient client.Client, | ||||
| 	deploymentPath string, | ||||
| 	deploymentNamespace string, | ||||
| ) error { | ||||
| 	deployment, err := getDeploymentToCreate(deploymentPath, deploymentNamespace) | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| @@ -82,7 +95,10 @@ func setupService(ctx context.Context, kubeClient client.Client, servicePath str | ||||
| 	existingService := &corev1.Service{} | ||||
|  | ||||
| 	// check if service has already been created | ||||
| 	err := kubeClient.Get(ctx, types.NamespacedName{Name: "onepassword-connect", Namespace: deploymentNamespace}, existingService) | ||||
| 	err := kubeClient.Get(ctx, types.NamespacedName{ | ||||
| 		Name:      "onepassword-connect", | ||||
| 		Namespace: deploymentNamespace, | ||||
| 	}, existingService) | ||||
| 	if err != nil { | ||||
| 		if errors.IsNotFound(err) { | ||||
| 			logConnectSetup.Info("No existing Connect service found. Creating Service") | ||||
| @@ -92,7 +108,12 @@ func setupService(ctx context.Context, kubeClient client.Client, servicePath str | ||||
| 	return err | ||||
| } | ||||
|  | ||||
| func createService(ctx context.Context, kubeClient client.Client, servicePath string, deploymentNamespace string) error { | ||||
| func createService( | ||||
| 	ctx context.Context, | ||||
| 	kubeClient client.Client, | ||||
| 	servicePath string, | ||||
| 	deploymentNamespace string, | ||||
| ) error { | ||||
| 	f, err := os.Open(servicePath) | ||||
| 	if err != nil { | ||||
| 		return err | ||||
|   | ||||
| @@ -28,7 +28,11 @@ func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string | ||||
| 	return false | ||||
| } | ||||
|  | ||||
| func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret { | ||||
| func AppendUpdatedContainerSecrets( | ||||
| 	containers []corev1.Container, | ||||
| 	secrets map[string]*corev1.Secret, | ||||
| 	updatedDeploymentSecrets map[string]*corev1.Secret, | ||||
| ) map[string]*corev1.Secret { | ||||
| 	for i := 0; i < len(containers); i++ { | ||||
| 		envVariables := containers[i].Env | ||||
| 		for j := 0; j < len(envVariables); j++ { | ||||
| @@ -42,7 +46,7 @@ func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[st | ||||
| 		envFromVariables := containers[i].EnvFrom | ||||
| 		for j := 0; j < len(envFromVariables); j++ { | ||||
| 			if envFromVariables[j].SecretRef != nil { | ||||
| 				secret, ok := secrets[envFromVariables[j].SecretRef.LocalObjectReference.Name] | ||||
| 				secret, ok := secrets[envFromVariables[j].SecretRef.Name] | ||||
| 				if ok { | ||||
| 					updatedDeploymentSecrets[secret.Name] = secret | ||||
| 				} | ||||
|   | ||||
| @@ -9,10 +9,15 @@ func IsDeploymentUsingSecrets(deployment *appsv1.Deployment, secrets map[string] | ||||
| 	volumes := deployment.Spec.Template.Spec.Volumes | ||||
| 	containers := deployment.Spec.Template.Spec.Containers | ||||
| 	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...) | ||||
| 	return AreAnnotationsUsingSecrets(deployment.Annotations, secrets) || AreContainersUsingSecrets(containers, secrets) || AreVolumesUsingSecrets(volumes, secrets) | ||||
| 	return AreAnnotationsUsingSecrets(deployment.Annotations, secrets) || | ||||
| 		AreContainersUsingSecrets(containers, secrets) || | ||||
| 		AreVolumesUsingSecrets(volumes, secrets) | ||||
| } | ||||
|  | ||||
| func GetUpdatedSecretsForDeployment(deployment *appsv1.Deployment, secrets map[string]*corev1.Secret) map[string]*corev1.Secret { | ||||
| func GetUpdatedSecretsForDeployment( | ||||
| 	deployment *appsv1.Deployment, | ||||
| 	secrets map[string]*corev1.Secret, | ||||
| ) map[string]*corev1.Secret { | ||||
| 	volumes := deployment.Spec.Template.Spec.Volumes | ||||
| 	containers := deployment.Spec.Template.Spec.Containers | ||||
| 	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...) | ||||
|   | ||||
| @@ -49,7 +49,10 @@ func ParseVaultAndItemFromPath(path string) (string, string, error) { | ||||
| 	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" { | ||||
| 		return splitPath[1], splitPath[3], nil | ||||
| 	} | ||||
| 	return "", "", fmt.Errorf("%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", path) | ||||
| 	return "", "", fmt.Errorf( | ||||
| 		"%q is not an acceptable path for One Password item. Must be of the format: `vaults/{vault_id}/items/{item_id}`", | ||||
| 		path, | ||||
| 	) | ||||
| } | ||||
|  | ||||
| func getVaultID(ctx context.Context, client opclient.Client, vaultNameOrID string) (string, error) { | ||||
| @@ -60,7 +63,7 @@ func getVaultID(ctx context.Context, client opclient.Client, vaultNameOrID strin | ||||
| 		} | ||||
|  | ||||
| 		if len(vaults) == 0 { | ||||
| 			return "", fmt.Errorf("No vaults found with identifier %q", vaultNameOrID) | ||||
| 			return "", fmt.Errorf("no vaults found with identifier %q", vaultNameOrID) | ||||
| 		} | ||||
|  | ||||
| 		oldestVault := vaults[0] | ||||
| @@ -70,7 +73,9 @@ func getVaultID(ctx context.Context, client opclient.Client, vaultNameOrID strin | ||||
| 					oldestVault = returnedVault | ||||
| 				} | ||||
| 			} | ||||
| 			logger.Info(fmt.Sprintf("%v 1Password vaults found with the title %q. Will use vault %q as it is the oldest.", len(vaults), vaultNameOrID, oldestVault.ID)) | ||||
| 			logger.Info(fmt.Sprintf("%v 1Password vaults found with the title %q. Will use vault %q as it is the oldest.", | ||||
| 				len(vaults), vaultNameOrID, oldestVault.ID, | ||||
| 			)) | ||||
| 		} | ||||
| 		vaultNameOrID = oldestVault.ID | ||||
| 	} | ||||
| @@ -85,7 +90,7 @@ func getItemID(ctx context.Context, client opclient.Client, vaultId, itemNameOrI | ||||
| 		} | ||||
|  | ||||
| 		if len(items) == 0 { | ||||
| 			return "", fmt.Errorf("No items found with identifier %q", itemNameOrID) | ||||
| 			return "", fmt.Errorf("no items found with identifier %q", itemNameOrID) | ||||
| 		} | ||||
|  | ||||
| 		oldestItem := items[0] | ||||
| @@ -95,7 +100,9 @@ func getItemID(ctx context.Context, client opclient.Client, vaultId, itemNameOrI | ||||
| 					oldestItem = returnedItem | ||||
| 				} | ||||
| 			} | ||||
| 			logger.Info(fmt.Sprintf("%v 1Password items found with the title %q. Will use item %q as it is the oldest.", len(items), itemNameOrID, oldestItem.ID)) | ||||
| 			logger.Info(fmt.Sprintf("%v 1Password items found with the title %q. Will use item %q as it is the oldest.", | ||||
| 				len(items), itemNameOrID, oldestItem.ID, | ||||
| 			)) | ||||
| 		} | ||||
| 		itemNameOrID = oldestItem.ID | ||||
| 	} | ||||
|   | ||||
| @@ -24,9 +24,7 @@ func (i *Item) FromConnectItem(item *connect.Item) { | ||||
| 	i.VaultID = item.Vault.ID | ||||
| 	i.Version = item.Version | ||||
|  | ||||
| 	for _, tag := range item.Tags { | ||||
| 		i.Tags = append(i.Tags, tag) | ||||
| 	} | ||||
| 	i.Tags = append(i.Tags, item.Tags...) | ||||
|  | ||||
| 	for _, field := range item.Fields { | ||||
| 		i.Fields = append(i.Fields, ItemField{ | ||||
|   | ||||
| @@ -18,12 +18,16 @@ import ( | ||||
| 	logf "sigs.k8s.io/controller-runtime/pkg/log" | ||||
| ) | ||||
|  | ||||
| const envHostVariable = "OP_HOST" | ||||
| // const envHostVariable = "OP_HOST" | ||||
| const lockTag = "operator.1password.io:ignore-secret" | ||||
|  | ||||
| var log = logf.Log.WithName("update_op_kubernetes_secrets_task") | ||||
|  | ||||
| func NewManager(kubernetesClient client.Client, opClient opclient.Client, shouldAutoRestartDeploymentsGlobal bool) *SecretUpdateHandler { | ||||
| func NewManager( | ||||
| 	kubernetesClient client.Client, | ||||
| 	opClient opclient.Client, | ||||
| 	shouldAutoRestartDeploymentsGlobal bool, | ||||
| ) *SecretUpdateHandler { | ||||
| 	return &SecretUpdateHandler{ | ||||
| 		client:                             kubernetesClient, | ||||
| 		opClient:                           opClient, | ||||
| @@ -46,7 +50,10 @@ func (h *SecretUpdateHandler) UpdateKubernetesSecretsTask(ctx context.Context) e | ||||
| 	return h.restartDeploymentsWithUpdatedSecrets(ctx, updatedKubernetesSecrets) | ||||
| } | ||||
|  | ||||
| func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(ctx context.Context, updatedSecretsByNamespace map[string]map[string]*corev1.Secret) error { | ||||
| func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets( | ||||
| 	ctx context.Context, | ||||
| 	updatedSecretsByNamespace map[string]map[string]*corev1.Secret, | ||||
| ) error { | ||||
| 	// No secrets to update. Exit | ||||
| 	if len(updatedSecretsByNamespace) == 0 || updatedSecretsByNamespace == nil { | ||||
| 		return nil | ||||
| @@ -83,14 +90,18 @@ func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(ctx context.C | ||||
| 			} | ||||
| 		} | ||||
|  | ||||
| 		log.V(logs.DebugLevel).Info(fmt.Sprintf("Deployment %q at namespace %q is up to date", deployment.GetName(), deployment.Namespace)) | ||||
| 		log.V(logs.DebugLevel).Info(fmt.Sprintf("Deployment %q at namespace %q is up to date", | ||||
| 			deployment.GetName(), deployment.Namespace, | ||||
| 		)) | ||||
|  | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| func (h *SecretUpdateHandler) restartDeployment(ctx context.Context, deployment *appsv1.Deployment) { | ||||
| 	log.Info(fmt.Sprintf("Deployment %q at namespace %q references an updated secret. Restarting", deployment.GetName(), deployment.Namespace)) | ||||
| 	log.Info(fmt.Sprintf("Deployment %q at namespace %q references an updated secret. Restarting", | ||||
| 		deployment.GetName(), deployment.Namespace, | ||||
| 	)) | ||||
| 	if deployment.Spec.Template.Annotations == nil { | ||||
| 		deployment.Spec.Template.Annotations = map[string]string{} | ||||
| 	} | ||||
| @@ -101,7 +112,9 @@ func (h *SecretUpdateHandler) restartDeployment(ctx context.Context, deployment | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) (map[string]map[string]*corev1.Secret, error) { | ||||
| func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) ( | ||||
| 	map[string]map[string]*corev1.Secret, error, | ||||
| ) { | ||||
| 	secrets := &corev1.SecretList{} | ||||
| 	err := h.client.List(ctx, secrets) | ||||
| 	if err != nil { | ||||
| @@ -123,7 +136,9 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) (map[ | ||||
|  | ||||
| 		item, err := GetOnePasswordItemByPath(ctx, h.opClient, OnePasswordItemPath) | ||||
| 		if err != nil { | ||||
| 			log.Error(err, fmt.Sprintf("failed to retrieve 1Password item at path %s for secret %s", secret.Annotations[ItemPathAnnotation], secret.Name)) | ||||
| 			log.Error(err, fmt.Sprintf("failed to retrieve 1Password item at path %s for secret %s", | ||||
| 				secret.Annotations[ItemPathAnnotation], secret.Name, | ||||
| 			)) | ||||
| 			continue | ||||
| 		} | ||||
|  | ||||
| @@ -132,7 +147,11 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) (map[ | ||||
|  | ||||
| 		if currentVersion != itemVersion || secret.Annotations[ItemPathAnnotation] != itemPathString { | ||||
| 			if isItemLockedForForcedRestarts(item) { | ||||
| 				log.V(logs.DebugLevel).Info(fmt.Sprintf("Secret '%v' has been updated in 1Password but is set to be ignored. Updates to an ignored secret will not trigger an update to a kubernetes secret or a rolling restart.", secret.GetName())) | ||||
| 				log.V(logs.DebugLevel).Info(fmt.Sprintf( | ||||
| 					"Secret '%v' has been updated in 1Password but is set to be ignored. "+ | ||||
| 						"Updates to an ignored secret will not trigger an update to a kubernetes secret or a rolling restart.", | ||||
| 					secret.GetName(), | ||||
| 				)) | ||||
| 				secret.Annotations[VersionAnnotation] = itemVersion | ||||
| 				secret.Annotations[ItemPathAnnotation] = itemPathString | ||||
| 				if err := h.client.Update(ctx, &secret); err != nil { | ||||
| @@ -145,7 +164,9 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets(ctx context.Context) (map[ | ||||
| 			secret.Annotations[VersionAnnotation] = itemVersion | ||||
| 			secret.Annotations[ItemPathAnnotation] = itemPathString | ||||
| 			secret.Data = kubeSecrets.BuildKubernetesSecretData(item.Fields, item.Files) | ||||
| 			log.V(logs.DebugLevel).Info(fmt.Sprintf("New secret path: %v and version: %v", secret.Annotations[ItemPathAnnotation], secret.Annotations[VersionAnnotation])) | ||||
| 			log.V(logs.DebugLevel).Info(fmt.Sprintf("New secret path: %v and version: %v", | ||||
| 				secret.Annotations[ItemPathAnnotation], secret.Annotations[VersionAnnotation], | ||||
| 			)) | ||||
| 			if err := h.client.Update(ctx, &secret); err != nil { | ||||
| 				log.Error(err, fmt.Sprintf("failed to update secret %s to version %s", secret.Name, itemVersion)) | ||||
| 				continue | ||||
| @@ -171,10 +192,7 @@ func isItemLockedForForcedRestarts(item *model.Item) bool { | ||||
|  | ||||
| func isUpdatedSecret(secretName string, updatedSecrets map[string]*corev1.Secret) bool { | ||||
| 	_, ok := updatedSecrets[secretName] | ||||
| 	if ok { | ||||
| 		return true | ||||
| 	} | ||||
| 	return false | ||||
| 	return ok | ||||
| } | ||||
|  | ||||
| func (h *SecretUpdateHandler) getIsSetForAutoRestartByNamespaceMap(ctx context.Context) (map[string]bool, error) { | ||||
| @@ -209,7 +227,11 @@ func (h *SecretUpdateHandler) getPathFromOnePasswordItem(secret corev1.Secret) s | ||||
| 	return secret.Annotations[ItemPathAnnotation] | ||||
| } | ||||
|  | ||||
| func isSecretSetForAutoRestart(secret *corev1.Secret, deployment *appsv1.Deployment, setForAutoRestartByNamespace map[string]bool) bool { | ||||
| func isSecretSetForAutoRestart( | ||||
| 	secret *corev1.Secret, | ||||
| 	deployment *appsv1.Deployment, | ||||
| 	setForAutoRestartByNamespace map[string]bool, | ||||
| ) bool { | ||||
| 	restartDeployment := secret.Annotations[RestartDeploymentsAnnotation] | ||||
| 	// If annotation for auto restarts for deployment is not set. Check for the annotation on its namepsace | ||||
| 	if restartDeployment == "" { | ||||
| @@ -218,7 +240,9 @@ func isSecretSetForAutoRestart(secret *corev1.Secret, deployment *appsv1.Deploym | ||||
|  | ||||
| 	restartDeploymentBool, err := utils.StringToBool(restartDeployment) | ||||
| 	if err != nil { | ||||
| 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Secret %s. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secret.Name)) | ||||
| 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Secret %s. Must be true or false. Defaulting to false.", | ||||
| 			RestartDeploymentsAnnotation, secret.Name, | ||||
| 		)) | ||||
| 		return false | ||||
| 	} | ||||
| 	return restartDeploymentBool | ||||
| @@ -233,7 +257,10 @@ func isDeploymentSetForAutoRestart(deployment *appsv1.Deployment, setForAutoRest | ||||
|  | ||||
| 	restartDeploymentBool, err := utils.StringToBool(restartDeployment) | ||||
| 	if err != nil { | ||||
| 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Deployment %s. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, deployment.Name)) | ||||
| 		log.Error(err, fmt.Sprintf( | ||||
| 			"Error parsing %s annotation on Deployment %s. Must be true or false. Defaulting to false.", | ||||
| 			RestartDeploymentsAnnotation, deployment.Name, | ||||
| 		)) | ||||
| 		return false | ||||
| 	} | ||||
| 	return restartDeploymentBool | ||||
| @@ -248,7 +275,9 @@ func (h *SecretUpdateHandler) isNamespaceSetToAutoRestart(namespace *corev1.Name | ||||
|  | ||||
| 	restartDeploymentBool, err := utils.StringToBool(restartDeployment) | ||||
| 	if err != nil { | ||||
| 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Namespace %s. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, namespace.Name)) | ||||
| 		log.Error(err, fmt.Sprintf("Error parsing %s annotation on Namespace %s. Must be true or false. Defaulting to false.", | ||||
| 			RestartDeploymentsAnnotation, namespace.Name, | ||||
| 		)) | ||||
| 		return false | ||||
| 	} | ||||
| 	return restartDeploymentBool | ||||
|   | ||||
| @@ -43,7 +43,6 @@ type testUpdateSecretTask struct { | ||||
| 	existingSecret           *corev1.Secret | ||||
| 	expectedError            error | ||||
| 	expectedResultSecret     *corev1.Secret | ||||
| 	expectedEvents           []string | ||||
| 	opItem                   map[string]string | ||||
| 	expectedRestart          bool | ||||
| 	globalAutoRestartEnabled bool | ||||
| @@ -63,6 +62,9 @@ var defaultNamespace = &corev1.Namespace{ | ||||
| 	}, | ||||
| } | ||||
|  | ||||
| // TODO: Refactor test cases to avoid duplication. | ||||
| // | ||||
| //nolint:dupl | ||||
| var tests = []testUpdateSecretTask{ | ||||
| 	{ | ||||
| 		testName:          "Test unrelated deployment is not restarted with an updated secret", | ||||
| @@ -841,6 +843,7 @@ func TestUpdateSecretHandler(t *testing.T) { | ||||
| 			// check if deployment has been restarted | ||||
| 			deployment := &appsv1.Deployment{} | ||||
| 			err = cl.Get(ctx, types.NamespacedName{Name: testData.existingDeployment.Name, Namespace: namespace}, deployment) | ||||
| 			assert.NoError(t, err) | ||||
|  | ||||
| 			_, ok := deployment.Spec.Template.Annotations[RestartAnnotation] | ||||
| 			if ok { | ||||
| @@ -849,7 +852,7 @@ func TestUpdateSecretHandler(t *testing.T) { | ||||
| 				assert.False(t, testData.expectedRestart, "Deployment was restarted but should not have been.") | ||||
| 			} | ||||
|  | ||||
| 			oldPodTemplateAnnotations := testData.existingDeployment.Spec.Template.ObjectMeta.Annotations | ||||
| 			oldPodTemplateAnnotations := testData.existingDeployment.Spec.Template.Annotations | ||||
| 			newPodTemplateAnnotations := deployment.Spec.Template.Annotations | ||||
| 			for name, expected := range oldPodTemplateAnnotations { | ||||
| 				actual, ok := newPodTemplateAnnotations[name] | ||||
|   | ||||
| @@ -10,13 +10,14 @@ func AreVolumesUsingSecrets(volumes []corev1.Volume, secrets map[string]*corev1. | ||||
| 			return false | ||||
| 		} | ||||
| 	} | ||||
| 	if len(volumes) == 0 { | ||||
| 		return false | ||||
| 	} | ||||
| 	return true | ||||
| 	return len(volumes) > 0 | ||||
| } | ||||
|  | ||||
| func AppendUpdatedVolumeSecrets(volumes []corev1.Volume, secrets map[string]*corev1.Secret, updatedDeploymentSecrets map[string]*corev1.Secret) map[string]*corev1.Secret { | ||||
| func AppendUpdatedVolumeSecrets( | ||||
| 	volumes []corev1.Volume, | ||||
| 	secrets map[string]*corev1.Secret, | ||||
| 	updatedDeploymentSecrets map[string]*corev1.Secret, | ||||
| ) map[string]*corev1.Secret { | ||||
| 	for i := 0; i < len(volumes); i++ { | ||||
| 		secret := IsVolumeUsingSecret(volumes[i], secrets) | ||||
| 		if secret != nil { | ||||
|   | ||||
							
								
								
									
										115
									
								
								pkg/testhelper/README.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										115
									
								
								pkg/testhelper/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,115 @@ | ||||
| # OnePassword Operator Test Helper | ||||
|  | ||||
| This is a standalone Go module that provides testing utilities for Kubernetes operators  and webhooks. It's specifically designed for testing 1Password Kubernetes operator and secrets injector, but it can be used for any Kubernetes operator or webhook testing. | ||||
|  | ||||
| ## Installation | ||||
|  | ||||
| To use this module in your project, add it as a dependency: | ||||
|  | ||||
| ```bash | ||||
| go get github.com/1Password/onepassword-operator/pkg/testhelper@<commit-hash> | ||||
| ``` | ||||
|  | ||||
| ### Basic Setup | ||||
|  | ||||
| ```go | ||||
| import ( | ||||
|     "github.com/1Password/onepassword-operator/pkg/testhelper/kube" | ||||
|     "github.com/1Password/onepassword-operator/pkg/testhelper/defaults" | ||||
| ) | ||||
|  | ||||
| // Create a kube client for testing | ||||
| kubeClient := kube.NewKubeClient(&kube.Config{ | ||||
|     Namespace:    "default", | ||||
|     ManifestsDir: "manifests", | ||||
|     TestConfig: &kube.TestConfig{ | ||||
|         Timeout:  defaults.E2ETimeout, | ||||
|         Interval: defaults.E2EInterval, | ||||
|     }, | ||||
|     CRDs: []string{ | ||||
|         "path/to/your/crd.yaml", | ||||
|     }, | ||||
| }) | ||||
| ``` | ||||
|  | ||||
| ### Working with Secrets | ||||
|  | ||||
| ```go | ||||
| // Create k8s secret from environment variable | ||||
| k8sSecret := kubeClient.Secret("my-secret") | ||||
| k8sSecret.CreateFromEnvVar(ctx, "MY_ENV_VAR") | ||||
|  | ||||
| // Create a secret from file | ||||
| data := []byte("secret content") | ||||
| k8sSecret.CreateFromFile(ctx, "filename", data) | ||||
|  | ||||
| // Check if secret exists | ||||
| k8sSecret.CheckIfExists(ctx) | ||||
|  | ||||
| // Get secret | ||||
| secretObj := k8sSecret.Get(ctx) | ||||
| ``` | ||||
|  | ||||
| ### Working with Deployments | ||||
|  | ||||
| ```go | ||||
| deployment := kubeClient.Deployment("my-deployment") | ||||
|  | ||||
| // Read environment variable from deployment | ||||
| envVar := deployment.ReadEnvVar(ctx, "MY_ENV_VAR") | ||||
|  | ||||
| // Patch environment variables | ||||
| deployment.PatchEnvVars(ctx,  | ||||
|     []corev1.EnvVar{ | ||||
|         {Name: "NEW_VAR", Value: "new_value"}, | ||||
|     }, | ||||
|     []string{"OLD_VAR"}, // variables to remove | ||||
| ) | ||||
|  | ||||
| // Wait for deployment rollout | ||||
| deployment.WaitDeploymentRolledOut(ctx) | ||||
| ``` | ||||
|  | ||||
| ### Working with Pods | ||||
|  | ||||
| ```go | ||||
| pod := kubeClient.Pod(map[string]string{"app": "my-app"}) | ||||
| pod.WaitingForRunningPod(ctx) | ||||
| ``` | ||||
|  | ||||
| ### Working with Namespaces | ||||
|  | ||||
| ```go | ||||
| namespace := kubeClient.Namespace("my-namespace") | ||||
| namespace.LabelNamespace(ctx, map[string]string{ | ||||
|     "environment": "test", | ||||
| }) | ||||
| ``` | ||||
|  | ||||
| ### System Utilities | ||||
|  | ||||
| ```go | ||||
| import "github.com/1Password/onepassword-operator/pkg/testhelper/system" | ||||
|  | ||||
| // Run shell commands | ||||
| output, err := system.Run("kubectl", "get", "pods") | ||||
|  | ||||
| // Get project root directory | ||||
| rootDir, err := system.GetProjectRoot() | ||||
|  | ||||
| // Replace files | ||||
| err := system.ReplaceFile("source.yaml", "dest.yaml") | ||||
| ``` | ||||
|  | ||||
| ### Kind Integration | ||||
|  | ||||
| ```go | ||||
| import "github.com/1Password/onepassword-operator/pkg/testhelper/kind" | ||||
|  | ||||
| // Load Docker image to Kind cluster | ||||
| kind.LoadImageToKind("my-image:latest") | ||||
| ``` | ||||
|  | ||||
| ## License | ||||
|  | ||||
| MIT License - see the main project LICENSE file for details. | ||||
							
								
								
									
										8
									
								
								pkg/testhelper/defaults/defaults.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										8
									
								
								pkg/testhelper/defaults/defaults.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,8 @@ | ||||
| package defaults | ||||
|  | ||||
| import "time" | ||||
|  | ||||
| const ( | ||||
| 	E2EInterval = 1 * time.Second | ||||
| 	E2ETimeout  = 1 * time.Minute | ||||
| ) | ||||
							
								
								
									
										59
									
								
								pkg/testhelper/go.mod
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										59
									
								
								pkg/testhelper/go.mod
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,59 @@ | ||||
| module github.com/1Password/onepassword-operator/pkg/testhelper | ||||
|  | ||||
| go 1.24.0 | ||||
|  | ||||
| toolchain go1.24.5 | ||||
|  | ||||
| require ( | ||||
| 	github.com/onsi/ginkgo/v2 v2.22.0 | ||||
| 	github.com/onsi/gomega v1.36.1 | ||||
| 	k8s.io/api v0.33.0 | ||||
| 	k8s.io/apiextensions-apiserver v0.33.0 | ||||
| 	k8s.io/apimachinery v0.33.0 | ||||
| 	k8s.io/client-go v0.33.0 | ||||
| 	sigs.k8s.io/controller-runtime v0.21.0 | ||||
| ) | ||||
|  | ||||
| require ( | ||||
| 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect | ||||
| 	github.com/emicklei/go-restful/v3 v3.12.0 // indirect | ||||
| 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect | ||||
| 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect | ||||
| 	github.com/go-logr/logr v1.4.2 // indirect | ||||
| 	github.com/go-openapi/jsonpointer v0.21.0 // indirect | ||||
| 	github.com/go-openapi/jsonreference v0.21.0 // indirect | ||||
| 	github.com/go-openapi/swag v0.23.0 // indirect | ||||
| 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect | ||||
| 	github.com/gogo/protobuf v1.3.2 // indirect | ||||
| 	github.com/google/gnostic-models v0.6.9 // indirect | ||||
| 	github.com/google/go-cmp v0.7.0 // indirect | ||||
| 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect | ||||
| 	github.com/google/uuid v1.6.0 // indirect | ||||
| 	github.com/josharian/intern v1.0.0 // indirect | ||||
| 	github.com/json-iterator/go v1.1.12 // indirect | ||||
| 	github.com/mailru/easyjson v0.7.7 // indirect | ||||
| 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect | ||||
| 	github.com/modern-go/reflect2 v1.0.2 // indirect | ||||
| 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect | ||||
| 	github.com/pkg/errors v0.9.1 // indirect | ||||
| 	github.com/spf13/pflag v1.0.5 // indirect | ||||
| 	github.com/x448/float16 v0.8.4 // indirect | ||||
| 	golang.org/x/net v0.41.0 // indirect | ||||
| 	golang.org/x/oauth2 v0.30.0 // indirect | ||||
| 	golang.org/x/sys v0.33.0 // indirect | ||||
| 	golang.org/x/term v0.32.0 // indirect | ||||
| 	golang.org/x/text v0.26.0 // indirect | ||||
| 	golang.org/x/time v0.9.0 // indirect | ||||
| 	golang.org/x/tools v0.33.0 // indirect | ||||
| 	google.golang.org/protobuf v1.36.5 // indirect | ||||
| 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect | ||||
| 	gopkg.in/inf.v0 v0.9.1 // indirect | ||||
| 	gopkg.in/yaml.v3 v3.0.1 // indirect | ||||
| 	k8s.io/klog/v2 v2.130.1 // indirect | ||||
| 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect | ||||
| 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect | ||||
| 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect | ||||
| 	sigs.k8s.io/randfill v1.0.0 // indirect | ||||
| 	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect | ||||
| 	sigs.k8s.io/yaml v1.4.0 // indirect | ||||
| ) | ||||
							
								
								
									
										156
									
								
								pkg/testhelper/go.sum
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										156
									
								
								pkg/testhelper/go.sum
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,156 @@ | ||||
| github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= | ||||
| github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= | ||||
| github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||||
| github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||||
| github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= | ||||
| github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||||
| github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= | ||||
| github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= | ||||
| github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= | ||||
| github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= | ||||
| github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= | ||||
| github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= | ||||
| github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= | ||||
| github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= | ||||
| github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= | ||||
| github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= | ||||
| github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= | ||||
| github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= | ||||
| github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= | ||||
| github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= | ||||
| github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= | ||||
| github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= | ||||
| github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= | ||||
| github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= | ||||
| github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= | ||||
| github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= | ||||
| github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw= | ||||
| github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw= | ||||
| github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= | ||||
| github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= | ||||
| github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= | ||||
| github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= | ||||
| github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= | ||||
| github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= | ||||
| github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= | ||||
| github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | ||||
| github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= | ||||
| github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= | ||||
| github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= | ||||
| github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= | ||||
| github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= | ||||
| github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= | ||||
| github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= | ||||
| github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= | ||||
| github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= | ||||
| github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= | ||||
| github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= | ||||
| github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= | ||||
| github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= | ||||
| github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= | ||||
| github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= | ||||
| github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= | ||||
| github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= | ||||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= | ||||
| github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= | ||||
| github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg= | ||||
| github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= | ||||
| github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw= | ||||
| github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= | ||||
| github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= | ||||
| github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= | ||||
| github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= | ||||
| github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||||
| github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= | ||||
| github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= | ||||
| github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= | ||||
| github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= | ||||
| github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= | ||||
| github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= | ||||
| github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= | ||||
| github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= | ||||
| github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= | ||||
| github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= | ||||
| github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= | ||||
| github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= | ||||
| github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= | ||||
| github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= | ||||
| go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= | ||||
| go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= | ||||
| go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= | ||||
| go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= | ||||
| golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= | ||||
| golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= | ||||
| golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= | ||||
| golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= | ||||
| golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= | ||||
| golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= | ||||
| golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= | ||||
| golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= | ||||
| golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= | ||||
| golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw= | ||||
| golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= | ||||
| golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI= | ||||
| golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU= | ||||
| golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||
| golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||
| golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||
| golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||||
| golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||||
| golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= | ||||
| golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw= | ||||
| golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= | ||||
| golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg= | ||||
| golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= | ||||
| golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | ||||
| golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= | ||||
| golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M= | ||||
| golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= | ||||
| golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY= | ||||
| golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= | ||||
| golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= | ||||
| golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= | ||||
| golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= | ||||
| golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= | ||||
| golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc= | ||||
| golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI= | ||||
| golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= | ||||
| golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= | ||||
| golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= | ||||
| golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= | ||||
| google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= | ||||
| google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= | ||||
| gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||||
| gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= | ||||
| gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= | ||||
| gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= | ||||
| gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= | ||||
| gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= | ||||
| gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= | ||||
| gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= | ||||
| gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | ||||
| k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU= | ||||
| k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM= | ||||
| k8s.io/apiextensions-apiserver v0.33.0 h1:d2qpYL7Mngbsc1taA4IjJPRJ9ilnsXIrndH+r9IimOs= | ||||
| k8s.io/apiextensions-apiserver v0.33.0/go.mod h1:VeJ8u9dEEN+tbETo+lFkwaaZPg6uFKLGj5vyNEwwSzc= | ||||
| k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ= | ||||
| k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM= | ||||
| k8s.io/client-go v0.33.0 h1:UASR0sAYVUzs2kYuKn/ZakZlcs2bEHaizrrHUZg0G98= | ||||
| k8s.io/client-go v0.33.0/go.mod h1:kGkd+l/gNGg8GYWAPr0xF1rRKvVWvzh9vmZAMXtaKOg= | ||||
| k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= | ||||
| k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= | ||||
| k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4= | ||||
| k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8= | ||||
| k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro= | ||||
| k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= | ||||
| sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= | ||||
| sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= | ||||
| sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8= | ||||
| sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo= | ||||
| sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= | ||||
| sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= | ||||
| sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= | ||||
| sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc= | ||||
| sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps= | ||||
| sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= | ||||
| sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= | ||||
							
								
								
									
										23
									
								
								pkg/testhelper/kind/kind.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										23
									
								
								pkg/testhelper/kind/kind.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,23 @@ | ||||
| package kind | ||||
|  | ||||
| import ( | ||||
| 	"os" | ||||
|  | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/gomega" | ||||
|  | ||||
| 	"github.com/1Password/onepassword-operator/pkg/testhelper/system" | ||||
| ) | ||||
|  | ||||
| // LoadImageToKind loads a local docker image to the Kind cluster | ||||
| func LoadImageToKind(imageName string) { | ||||
| 	By("Loading the operator image on Kind") | ||||
| 	clusterName := "kind" | ||||
| 	if value, ok := os.LookupEnv("KIND_CLUSTER"); ok { | ||||
| 		clusterName = value | ||||
| 	} | ||||
| 	_, err := system.Run("kind", "load", "docker-image", imageName, "--name", clusterName) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
| } | ||||
							
								
								
									
										125
									
								
								pkg/testhelper/kube/deployment.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										125
									
								
								pkg/testhelper/kube/deployment.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,125 @@ | ||||
| package kube | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	"time" | ||||
|  | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/gomega" | ||||
| 	appsv1 "k8s.io/api/apps/v1" | ||||
| 	corev1 "k8s.io/api/core/v1" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||
| ) | ||||
|  | ||||
| type Deployment struct { | ||||
| 	client client.Client | ||||
| 	config *Config | ||||
| 	name   string | ||||
| } | ||||
|  | ||||
| func (d *Deployment) Get(ctx context.Context) *appsv1.Deployment { | ||||
| 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 	defer cancel() | ||||
|  | ||||
| 	deployment := &appsv1.Deployment{} | ||||
| 	err := d.client.Get(c, client.ObjectKey{Name: d.name, Namespace: d.config.Namespace}, deployment) | ||||
| 	Expect(err).ToNot(HaveOccurred()) | ||||
|  | ||||
| 	return deployment | ||||
| } | ||||
|  | ||||
| func (d *Deployment) ReadEnvVar(ctx context.Context, envVarName string) string { | ||||
| 	By("Reading " + envVarName + " value from deployment/" + d.name) | ||||
| 	deployment := d.Get(ctx) | ||||
|  | ||||
| 	// Search env across all containers | ||||
| 	found := "" | ||||
| 	for _, container := range deployment.Spec.Template.Spec.Containers { | ||||
| 		for _, env := range container.Env { | ||||
| 			if env.Name == envVarName && env.Value != "" { | ||||
| 				found = env.Value | ||||
| 				break | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	Expect(found).NotTo(BeEmpty()) | ||||
| 	return found | ||||
| } | ||||
|  | ||||
| func (d *Deployment) PatchEnvVars(ctx context.Context, upsert []corev1.EnvVar, remove []string) { | ||||
| 	By("Patching env variables for deployment/" + d.name) | ||||
| 	deployment := d.Get(ctx) | ||||
| 	deploymentCopy := deployment.DeepCopy() | ||||
| 	container := &deployment.Spec.Template.Spec.Containers[0] | ||||
|  | ||||
| 	// Build removal set for quick lookup | ||||
| 	toRemove := make(map[string]struct{}, len(remove)) | ||||
| 	for _, n := range remove { | ||||
| 		toRemove[n] = struct{}{} | ||||
| 	} | ||||
|  | ||||
| 	// Build upsert map for quick lookup | ||||
| 	upserts := make(map[string]corev1.EnvVar, len(upsert)) | ||||
| 	for _, e := range upsert { | ||||
| 		upserts[e.Name] = e | ||||
| 	} | ||||
|  | ||||
| 	// Filter existing envs: keep if not in remove and not being upserted | ||||
| 	filtered := make([]corev1.EnvVar, 0, len(container.Env)) | ||||
| 	for _, e := range container.Env { | ||||
| 		if _, ok := toRemove[e.Name]; ok { | ||||
| 			continue | ||||
| 		} | ||||
| 		if newE, ok := upserts[e.Name]; ok { | ||||
| 			filtered = append(filtered, newE) // replace existing | ||||
| 			delete(upserts, e.Name)           // delete from map to not use once again | ||||
| 		} else { | ||||
| 			filtered = append(filtered, e) | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// Append any new envs that weren’t already in the container | ||||
| 	for _, e := range upserts { | ||||
| 		filtered = append(filtered, e) | ||||
| 	} | ||||
|  | ||||
| 	container.Env = filtered | ||||
|  | ||||
| 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 	defer cancel() | ||||
|  | ||||
| 	err := d.client.Patch(c, deployment, client.MergeFrom(deploymentCopy)) | ||||
| 	Expect(err).ToNot(HaveOccurred()) | ||||
|  | ||||
| 	// wait for new deployment to roll out | ||||
| 	d.WaitDeploymentRolledOut(ctx) | ||||
| } | ||||
|  | ||||
| // WaitDeploymentRolledOut waits for deployment to finish a rollout. | ||||
| func (d *Deployment) WaitDeploymentRolledOut(ctx context.Context) { | ||||
| 	By("Waiting for deployment/" + d.name + " to roll out") | ||||
|  | ||||
| 	deployment := d.Get(ctx) | ||||
| 	targetGen := deployment.Generation | ||||
|  | ||||
| 	Eventually(func(g Gomega) error { | ||||
| 		newDeployment := d.Get(ctx) | ||||
| 		g.Expect(newDeployment.Status.ObservedGeneration).To(BeNumerically(">=", targetGen)) | ||||
|  | ||||
| 		desired := int32(1) | ||||
| 		if newDeployment.Spec.Replicas != nil { | ||||
| 			desired = *newDeployment.Spec.Replicas | ||||
| 		} | ||||
|  | ||||
| 		g.Expect(newDeployment.Status.UpdatedReplicas).To(Equal(desired)) | ||||
| 		g.Expect(newDeployment.Status.AvailableReplicas).To(Equal(desired)) | ||||
| 		g.Expect(newDeployment.Status.Replicas).To(Equal(desired)) | ||||
|  | ||||
| 		return nil | ||||
| 	}, d.config.TestConfig.Timeout, d.config.TestConfig.Interval).Should(Succeed()) | ||||
| } | ||||
							
								
								
									
										240
									
								
								pkg/testhelper/kube/kube.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										240
									
								
								pkg/testhelper/kube/kube.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,240 @@ | ||||
| package kube | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	"fmt" | ||||
| 	"os" | ||||
| 	"path/filepath" | ||||
| 	"time" | ||||
|  | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/gomega" | ||||
| 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1" | ||||
| 	appsv1 "k8s.io/api/apps/v1" | ||||
| 	corev1 "k8s.io/api/core/v1" | ||||
| 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" | ||||
| 	apix "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" | ||||
| 	apierrors "k8s.io/apimachinery/pkg/api/errors" | ||||
| 	"k8s.io/apimachinery/pkg/api/meta" | ||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||
| 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" | ||||
| 	"k8s.io/apimachinery/pkg/runtime" | ||||
| 	utilruntime "k8s.io/apimachinery/pkg/util/runtime" | ||||
| 	"k8s.io/apimachinery/pkg/util/yaml" | ||||
| 	"k8s.io/client-go/kubernetes" | ||||
| 	"k8s.io/client-go/rest" | ||||
| 	"k8s.io/client-go/tools/clientcmd" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil" | ||||
|  | ||||
| 	"github.com/1Password/onepassword-operator/pkg/testhelper/defaults" | ||||
| ) | ||||
|  | ||||
| type TestConfig struct { | ||||
| 	Timeout  time.Duration | ||||
| 	Interval time.Duration | ||||
| } | ||||
|  | ||||
| type Config struct { | ||||
| 	Namespace    string | ||||
| 	ManifestsDir string | ||||
| 	TestConfig   *TestConfig | ||||
| 	CRDs         []string | ||||
| } | ||||
|  | ||||
| type Kube struct { | ||||
| 	Config    *Config | ||||
| 	Client    client.Client | ||||
| 	Clientset kubernetes.Interface | ||||
| 	Mapper    meta.RESTMapper | ||||
| } | ||||
|  | ||||
| func NewKubeClient(config *Config) *Kube { | ||||
| 	By("Creating a kubernetes client") | ||||
| 	kubeconfig := os.Getenv("KUBECONFIG") | ||||
| 	if kubeconfig == "" { | ||||
| 		home, _ := os.UserHomeDir() | ||||
| 		kubeconfig = filepath.Join(home, ".kube", "config") | ||||
| 	} | ||||
| 	restConfig, err := clientcmd.BuildConfigFromFlags("", kubeconfig) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	// Install CRDs first (so discovery sees them) | ||||
| 	installCRDs(context.Background(), restConfig, config.CRDs) | ||||
|  | ||||
| 	// Build an http.Client from restConfig | ||||
| 	httpClient, err := rest.HTTPClientFor(restConfig) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	// Create a Dynamic RESTMapper that uses restConfig | ||||
| 	rm, err := apiutil.NewDynamicRESTMapper(restConfig, httpClient) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	scheme := runtime.NewScheme() | ||||
| 	utilruntime.Must(corev1.AddToScheme(scheme)) | ||||
| 	utilruntime.Must(appsv1.AddToScheme(scheme)) | ||||
| 	utilruntime.Must(admissionregistrationv1.AddToScheme(scheme)) | ||||
|  | ||||
| 	kubernetesClient, err := client.New(restConfig, client.Options{ | ||||
| 		Scheme: scheme, | ||||
| 		Mapper: rm, | ||||
| 	}) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	// Create Kubernetes clientset for logs and other operations | ||||
| 	clientset, err := kubernetes.NewForConfig(restConfig) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	// update the current context’s namespace in kubeconfig | ||||
| 	pathOpts := clientcmd.NewDefaultPathOptions() | ||||
| 	cfg, err := pathOpts.GetStartingConfig() | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	currentContext := cfg.CurrentContext | ||||
| 	Expect(currentContext).NotTo(BeEmpty(), "no current kube context is set in kubeconfig") | ||||
|  | ||||
| 	ctx, ok := cfg.Contexts[currentContext] | ||||
| 	Expect(ok).To(BeTrue(), fmt.Sprintf("current context %q not found in kubeconfig", currentContext)) | ||||
|  | ||||
| 	ctx.Namespace = config.Namespace | ||||
| 	err = clientcmd.ModifyConfig(pathOpts, *cfg, true) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	return &Kube{ | ||||
| 		Config:    config, | ||||
| 		Client:    kubernetesClient, | ||||
| 		Clientset: clientset, | ||||
| 		Mapper:    rm, | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func (k *Kube) Secret(name string) *Secret { | ||||
| 	return &Secret{ | ||||
| 		client: k.Client, | ||||
| 		config: k.Config, | ||||
| 		name:   name, | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func (k *Kube) Deployment(name string) *Deployment { | ||||
| 	return &Deployment{ | ||||
| 		client: k.Client, | ||||
| 		config: k.Config, | ||||
| 		name:   name, | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func (k *Kube) Pod(selector map[string]string) *Pod { | ||||
| 	return &Pod{ | ||||
| 		client:    k.Client, | ||||
| 		clientset: k.Clientset, | ||||
| 		config:    k.Config, | ||||
| 		selector:  selector, | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func (k *Kube) Namespace(name string) *Namespace { | ||||
| 	return &Namespace{ | ||||
| 		client: k.Client, | ||||
| 		config: k.Config, | ||||
| 		name:   name, | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func (k *Kube) Webhook(name string) *Webhook { | ||||
| 	return &Webhook{ | ||||
| 		client: k.Client, | ||||
| 		config: k.Config, | ||||
| 		name:   name, | ||||
| 	} | ||||
| } | ||||
|  | ||||
| // Apply applies a Kubernetes manifest file using server-side apply. | ||||
| func (k *Kube) Apply(ctx context.Context, fileName string) { | ||||
| 	By("Applying " + fileName) | ||||
|  | ||||
| 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 	defer cancel() | ||||
|  | ||||
| 	data, err := os.ReadFile(k.Config.ManifestsDir + "/" + fileName) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	// Decode YAML -> JSON -> unstructured.Unstructured | ||||
| 	jsonBytes, err := yaml.ToJSON(data) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	var obj unstructured.Unstructured | ||||
| 	Expect(obj.UnmarshalJSON(jsonBytes)).To(Succeed()) | ||||
|  | ||||
| 	// Default namespace for namespaced resources if not set in YAML | ||||
| 	if obj.GetNamespace() == "" && k.Config.Namespace != "" { | ||||
| 		gvk := obj.GroupVersionKind() | ||||
| 		mapping, mapErr := k.Mapper.RESTMapping(gvk.GroupKind(), gvk.Version) | ||||
| 		if mapErr == nil && mapping.Scope.Name() == meta.RESTScopeNameNamespace { | ||||
| 			obj.SetNamespace(k.Config.Namespace) | ||||
| 		} | ||||
| 	} | ||||
|  | ||||
| 	// Server-Side Apply (create or update) | ||||
| 	patchOpts := []client.PatchOption{ | ||||
| 		client.FieldOwner("onepassword-e2e"), | ||||
| 		client.ForceOwnership, // to force-take conflicting fields | ||||
| 	} | ||||
| 	Expect(k.Client.Patch(c, &obj, client.Apply, patchOpts...)).To(Succeed()) | ||||
| } | ||||
|  | ||||
| func installCRDs(ctx context.Context, restConfig *rest.Config, crdFiles []string) { | ||||
| 	apixClient, err := apix.NewForConfig(restConfig) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	for _, f := range crdFiles { | ||||
| 		By("Installing CRD " + f) | ||||
| 		b, err := os.ReadFile(filepath.Clean(f)) | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		var crd apiextv1.CustomResourceDefinition | ||||
| 		err = yaml.Unmarshal(b, &crd) | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		// Create or Update | ||||
| 		_, err = apixClient.ApiextensionsV1().CustomResourceDefinitions().Create(ctx, &crd, metav1.CreateOptions{}) | ||||
| 		if apierrors.IsAlreadyExists(err) { | ||||
| 			existing, getErr := apixClient.ApiextensionsV1().CustomResourceDefinitions().Get(ctx, crd.Name, metav1.GetOptions{}) | ||||
| 			Expect(getErr).NotTo(HaveOccurred()) | ||||
|  | ||||
| 			crd.ResourceVersion = existing.ResourceVersion | ||||
| 			_, err = apixClient.ApiextensionsV1().CustomResourceDefinitions().Update(ctx, &crd, metav1.UpdateOptions{}) | ||||
| 		} | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		waitCRDEstablished(ctx, apixClient, crd.Name) | ||||
| 	} | ||||
| } | ||||
|  | ||||
| // waitCRDEstablished Wait until the CRD reaches Established=True, retrying until the suite timeout. | ||||
| func waitCRDEstablished(ctx context.Context, apixClient *apix.Clientset, name string) { | ||||
| 	By("Waiting for CRD " + name + " to be Established") | ||||
|  | ||||
| 	Eventually(func(g Gomega) { | ||||
| 		// Short per-attempt timeout so a single Get can't hang the whole Eventually loop. | ||||
| 		attemptCtx, cancel := context.WithTimeout(ctx, 5*time.Second) | ||||
| 		defer cancel() | ||||
|  | ||||
| 		crd, err := apixClient.ApiextensionsV1(). | ||||
| 			CustomResourceDefinitions(). | ||||
| 			Get(attemptCtx, name, metav1.GetOptions{}) | ||||
| 		g.Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		established := false | ||||
| 		for _, c := range crd.Status.Conditions { | ||||
| 			if c.Type == apiextv1.Established && c.Status == apiextv1.ConditionTrue { | ||||
| 				established = true | ||||
| 				break | ||||
| 			} | ||||
| 		} | ||||
| 		g.Expect(established).To(BeTrue(), "CRD %q is not Established yet", name) | ||||
| 	}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed()) | ||||
| } | ||||
							
								
								
									
										41
									
								
								pkg/testhelper/kube/namespace.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										41
									
								
								pkg/testhelper/kube/namespace.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,41 @@ | ||||
| package kube | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/gomega" | ||||
| 	corev1 "k8s.io/api/core/v1" | ||||
| 	"k8s.io/apimachinery/pkg/labels" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||
| ) | ||||
|  | ||||
| type Namespace struct { | ||||
| 	client client.Client | ||||
| 	config *Config | ||||
| 	name   string | ||||
| } | ||||
|  | ||||
| // LabelNamespace applies the given labels to the specified namespace | ||||
| func (n *Namespace) LabelNamespace(ctx context.Context, labelsMap map[string]string) { | ||||
| 	if len(labelsMap) == 0 { | ||||
| 		return | ||||
| 	} | ||||
|  | ||||
| 	By("Setting labelsMap " + labels.Set(labelsMap).String() + " to namespace/" + n.name) | ||||
| 	ns := &corev1.Namespace{} | ||||
| 	err := n.client.Get(ctx, client.ObjectKey{Name: n.name}, ns) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	if ns.Labels == nil { | ||||
| 		ns.Labels = map[string]string{} | ||||
| 	} | ||||
|  | ||||
| 	for k, v := range labelsMap { | ||||
| 		ns.Labels[k] = v | ||||
| 	} | ||||
|  | ||||
| 	err = n.client.Update(ctx, ns) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
| } | ||||
							
								
								
									
										148
									
								
								pkg/testhelper/kube/pod.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										148
									
								
								pkg/testhelper/kube/pod.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,148 @@ | ||||
| package kube | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	"io" | ||||
| 	"time" | ||||
|  | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/gomega" | ||||
| 	corev1 "k8s.io/api/core/v1" | ||||
| 	"k8s.io/apimachinery/pkg/labels" | ||||
| 	"k8s.io/client-go/kubernetes" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||
| ) | ||||
|  | ||||
| type Pod struct { | ||||
| 	client    client.Client | ||||
| 	clientset kubernetes.Interface | ||||
| 	config    *Config | ||||
| 	selector  map[string]string | ||||
| } | ||||
|  | ||||
| func (p *Pod) WaitingForRunningPod(ctx context.Context) { | ||||
| 	By("Waiting for the pod " + labels.Set(p.selector).String() + " to be 'Running'") | ||||
|  | ||||
| 	Eventually(func(g Gomega) { | ||||
| 		// short per-attempt timeout to avoid hanging calls while Eventually polls | ||||
| 		attemptCtx, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 		defer cancel() | ||||
|  | ||||
| 		var pods corev1.PodList | ||||
| 		listOpts := []client.ListOption{ | ||||
| 			client.InNamespace(p.config.Namespace), | ||||
| 			client.MatchingLabels(p.selector), | ||||
| 		} | ||||
| 		g.Expect(p.client.List(attemptCtx, &pods, listOpts...)).To(Succeed()) | ||||
| 		g.Expect(pods.Items).NotTo(BeEmpty(), "no pods found with selector %q", labels.Set(p.selector).String()) | ||||
|  | ||||
| 		foundRunning := false | ||||
| 		for _, p := range pods.Items { | ||||
| 			if p.Status.Phase == corev1.PodRunning { | ||||
| 				foundRunning = true | ||||
| 				break | ||||
| 			} | ||||
| 		} | ||||
| 		g.Expect(foundRunning).To(BeTrue(), "pod not Running yet") | ||||
| 	}, p.config.TestConfig.Timeout, p.config.TestConfig.Interval).Should(Succeed()) | ||||
| } | ||||
|  | ||||
| func (p *Pod) GetPodLogs(ctx context.Context) string { | ||||
| 	// First find the pod by label selector | ||||
| 	var pods corev1.PodList | ||||
| 	listOpts := []client.ListOption{ | ||||
| 		client.InNamespace(p.config.Namespace), | ||||
| 		client.MatchingLabels(p.selector), | ||||
| 	} | ||||
| 	err := p.client.List(ctx, &pods, listOpts...) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
| 	Expect(pods.Items).NotTo(BeEmpty(), "no pods found with selector %q", labels.Set(p.selector).String()) | ||||
|  | ||||
| 	// Find a running pod to get logs from | ||||
| 	var pod *corev1.Pod | ||||
| 	for i := range pods.Items { | ||||
| 		if pods.Items[i].Status.Phase == corev1.PodRunning { | ||||
| 			pod = &pods.Items[i] | ||||
| 			break | ||||
| 		} | ||||
| 	} | ||||
| 	Expect(pod).NotTo(BeNil(), "no running pod found with selector %q", labels.Set(p.selector).String()) | ||||
|  | ||||
| 	podName := pod.Name | ||||
| 	// Get logs using the Kubernetes clientset | ||||
| 	req := p.clientset.CoreV1().Pods(p.config.Namespace).GetLogs(podName, &corev1.PodLogOptions{}) | ||||
| 	stream, err := req.Stream(context.TODO()) | ||||
| 	Expect(err).NotTo(HaveOccurred(), "failed to stream logs for pod %s", podName) | ||||
| 	defer stream.Close() | ||||
|  | ||||
| 	// Read all logs from the stream | ||||
| 	logs, err := io.ReadAll(stream) | ||||
| 	Expect(err).NotTo(HaveOccurred(), "failed to read logs for pod %s", podName) | ||||
|  | ||||
| 	return string(logs) | ||||
| } | ||||
|  | ||||
| func (p *Pod) VerifyWebhookInjection(ctx context.Context) { | ||||
| 	By("Verifying webhook injection for pod with selector " + labels.Set(p.selector).String()) | ||||
|  | ||||
| 	Eventually(func(g Gomega) { | ||||
| 		// short per-attempt timeout to avoid hanging calls while Eventually polls | ||||
| 		attemptCtx, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 		defer cancel() | ||||
|  | ||||
| 		// First find the pod by label selector | ||||
| 		var pods corev1.PodList | ||||
| 		listOpts := []client.ListOption{ | ||||
| 			client.InNamespace(p.config.Namespace), | ||||
| 			client.MatchingLabels(p.selector), | ||||
| 		} | ||||
| 		g.Expect(p.client.List(attemptCtx, &pods, listOpts...)).To(Succeed()) | ||||
| 		g.Expect(pods.Items).NotTo(BeEmpty(), "no pods found with selector %q", labels.Set(p.selector).String()) | ||||
|  | ||||
| 		// Find a running pod to verify webhook injection | ||||
| 		var pod *corev1.Pod | ||||
| 		for i := range pods.Items { | ||||
| 			if pods.Items[i].Status.Phase == corev1.PodRunning { | ||||
| 				pod = &pods.Items[i] | ||||
| 				break | ||||
| 			} | ||||
| 		} | ||||
| 		g.Expect(pod).NotTo(BeNil(), "no running pod found with selector %q", labels.Set(p.selector).String()) | ||||
|  | ||||
| 		// Check injection status annotation | ||||
| 		g.Expect(pod.Annotations).To(HaveKey("operator.1password.io/status")) | ||||
| 		g.Expect(pod.Annotations["operator.1password.io/status"]).To(Equal("injected")) | ||||
|  | ||||
| 		// Check command was modified to use op run | ||||
| 		if len(pod.Spec.Containers) > 0 { | ||||
| 			container := pod.Spec.Containers[0] | ||||
| 			g.Expect(container.Command).To(HaveLen(4)) | ||||
| 			g.Expect(container.Command[0]).To(Equal("/op/bin/op")) | ||||
| 			g.Expect(container.Command[1]).To(Equal("run")) | ||||
| 			g.Expect(container.Command[2]).To(Equal("--")) | ||||
| 		} | ||||
|  | ||||
| 		// Check init container was added | ||||
| 		g.Expect(pod.Spec.InitContainers).To(HaveLen(1)) | ||||
| 		g.Expect(pod.Spec.InitContainers[0].Name).To(Equal("copy-op-bin")) | ||||
|  | ||||
| 		// Check volume mount was added | ||||
| 		g.Expect(pod.Spec.Containers[0].VolumeMounts).To(ContainElement(HaveField("Name", "op-bin"))) | ||||
| 	}, p.config.TestConfig.Timeout, p.config.TestConfig.Interval).Should(Succeed()) | ||||
| } | ||||
|  | ||||
| func (p *Pod) VerifySecretsInjected(ctx context.Context) { | ||||
| 	By("Verifying secrets are injected and concealed in pod with selector " + labels.Set(p.selector).String()) | ||||
|  | ||||
| 	Eventually(func(g Gomega) { | ||||
| 		// short per-attempt timeout to avoid hanging calls while Eventually polls | ||||
| 		attemptCtx, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 		defer cancel() | ||||
|  | ||||
| 		logs := p.GetPodLogs(attemptCtx) | ||||
| 		// Check that secrets are concealed in the application logs | ||||
| 		g.Expect(logs).To(ContainSubstring("SECRET: '<concealed by 1Password>'")) | ||||
| 	}, p.config.TestConfig.Timeout, p.config.TestConfig.Interval).Should(Succeed()) | ||||
| } | ||||
							
								
								
									
										141
									
								
								pkg/testhelper/kube/secret.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										141
									
								
								pkg/testhelper/kube/secret.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,141 @@ | ||||
| package kube | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	"encoding/base64" | ||||
| 	"os" | ||||
| 	"path/filepath" | ||||
| 	"time" | ||||
|  | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/gomega" | ||||
| 	corev1 "k8s.io/api/core/v1" | ||||
| 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||
|  | ||||
| 	"github.com/1Password/onepassword-operator/pkg/testhelper/system" | ||||
| ) | ||||
|  | ||||
| type Secret struct { | ||||
| 	client client.Client | ||||
| 	config *Config | ||||
| 	name   string | ||||
| } | ||||
|  | ||||
| // CreateFromEnvVar creates a kubernetes secret from an environment variable | ||||
| func (s *Secret) CreateFromEnvVar(ctx context.Context, envVar string) *corev1.Secret { | ||||
| 	By("Creating '" + s.name + "' secret from environment variable") | ||||
|  | ||||
| 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 	defer cancel() | ||||
|  | ||||
| 	value, ok := os.LookupEnv(envVar) | ||||
| 	Expect(ok).To(BeTrue()) | ||||
| 	Expect(value).NotTo(BeEmpty()) | ||||
|  | ||||
| 	secret := &corev1.Secret{ | ||||
| 		ObjectMeta: metav1.ObjectMeta{ | ||||
| 			Name:      s.name, | ||||
| 			Namespace: s.config.Namespace, | ||||
| 		}, | ||||
| 		StringData: map[string]string{ | ||||
| 			"token": value, | ||||
| 		}, | ||||
| 	} | ||||
|  | ||||
| 	err := s.client.Create(c, secret) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	return secret | ||||
| } | ||||
|  | ||||
| // CreateFromFile creates a kubernetes secret from a file | ||||
| func (s *Secret) CreateFromFile(ctx context.Context, fileName string, content []byte) *corev1.Secret { | ||||
| 	By("Creating '" + s.name + "' secret from file " + fileName) | ||||
|  | ||||
| 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 	defer cancel() | ||||
|  | ||||
| 	secret := &corev1.Secret{ | ||||
| 		ObjectMeta: metav1.ObjectMeta{ | ||||
| 			Name:      s.name, | ||||
| 			Namespace: s.config.Namespace, | ||||
| 		}, | ||||
| 		Data: map[string][]byte{ | ||||
| 			filepath.Base(fileName): content, | ||||
| 		}, | ||||
| 	} | ||||
|  | ||||
| 	err := s.client.Create(c, secret) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	return secret | ||||
| } | ||||
|  | ||||
| // CreateOpCredentials creates a kubernetes secret from 1password-credentials.json file in the project root | ||||
| // encodes it in base64 and saves it to op-session file | ||||
| func (s *Secret) CreateOpCredentials(ctx context.Context) *corev1.Secret { | ||||
| 	rootDir, err := system.GetProjectRoot() | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	credentialsFilePath := filepath.Join(rootDir, "1password-credentials.json") | ||||
| 	data, err := os.ReadFile(credentialsFilePath) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	encoded := base64.RawURLEncoding.EncodeToString(data) | ||||
|  | ||||
| 	return s.CreateFromFile(ctx, "op-session", []byte(encoded)) | ||||
| } | ||||
|  | ||||
| // Get retrieves a kubernetes secret | ||||
| func (s *Secret) Get(ctx context.Context) *corev1.Secret { | ||||
| 	By("Getting '" + s.name + "' secret") | ||||
|  | ||||
| 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 	defer cancel() | ||||
|  | ||||
| 	secret := &corev1.Secret{} | ||||
| 	err := s.client.Get(c, client.ObjectKey{Name: s.name, Namespace: s.config.Namespace}, secret) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 	return secret | ||||
| } | ||||
|  | ||||
| // Delete deletes a kubernetes secret | ||||
| func (s *Secret) Delete(ctx context.Context) { | ||||
| 	By("Deleting '" + s.name + "' secret") | ||||
|  | ||||
| 	// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 	c, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 	defer cancel() | ||||
|  | ||||
| 	secret := &corev1.Secret{ | ||||
| 		ObjectMeta: metav1.ObjectMeta{ | ||||
| 			Name:      s.name, | ||||
| 			Namespace: s.config.Namespace, | ||||
| 		}, | ||||
| 	} | ||||
| 	err := s.client.Delete(c, secret) | ||||
| 	Expect(err).NotTo(HaveOccurred()) | ||||
| } | ||||
|  | ||||
| // CheckIfExists repeatedly attempts to retrieve the given Secret | ||||
| // from the cluster until it is found or the test's timeout expires. | ||||
| func (s *Secret) CheckIfExists(ctx context.Context) { | ||||
| 	By("Checking '" + s.name + "' secret") | ||||
|  | ||||
| 	Eventually(func(g Gomega) { | ||||
| 		// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 		attemptCtx, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 		defer cancel() | ||||
|  | ||||
| 		secret := &corev1.Secret{} | ||||
| 		err := s.client.Get(attemptCtx, client.ObjectKey{Name: s.name, Namespace: s.config.Namespace}, secret) | ||||
| 		g.Expect(err).NotTo(HaveOccurred()) | ||||
| 	}, s.config.TestConfig.Timeout, s.config.TestConfig.Interval).Should(Succeed()) | ||||
| } | ||||
							
								
								
									
										33
									
								
								pkg/testhelper/kube/webhook.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										33
									
								
								pkg/testhelper/kube/webhook.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,33 @@ | ||||
| package kube | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	"time" | ||||
|  | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/gomega" | ||||
| 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1" | ||||
| 	"sigs.k8s.io/controller-runtime/pkg/client" | ||||
| ) | ||||
|  | ||||
| type Webhook struct { | ||||
| 	client client.Client | ||||
| 	config *Config | ||||
| 	name   string | ||||
| } | ||||
|  | ||||
| func (w *Webhook) WaitForWebhookToBeRegistered(ctx context.Context) { | ||||
| 	By("Waiting for webhook " + w.name + " to be registered") | ||||
|  | ||||
| 	Eventually(func(g Gomega) { | ||||
| 		// short per-attempt timeout to avoid hanging calls while Eventually polls | ||||
| 		attemptCtx, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 		defer cancel() | ||||
|  | ||||
| 		webhookConfig := &admissionregistrationv1.MutatingWebhookConfiguration{} | ||||
| 		err := w.client.Get(attemptCtx, client.ObjectKey{Name: w.name}, webhookConfig) | ||||
| 		g.Expect(err).ToNot(HaveOccurred()) | ||||
| 	}, w.config.TestConfig.Timeout, w.config.TestConfig.Interval).Should(Succeed()) | ||||
| } | ||||
							
								
								
									
										32
									
								
								pkg/testhelper/op/op.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										32
									
								
								pkg/testhelper/op/op.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,32 @@ | ||||
| package op | ||||
|  | ||||
| import ( | ||||
| 	"fmt" | ||||
|  | ||||
| 	"github.com/1Password/onepassword-operator/pkg/testhelper/system" | ||||
| ) | ||||
|  | ||||
| type Field string | ||||
|  | ||||
| const ( | ||||
| 	FieldUsername = "username" | ||||
| 	FieldPassword = "password" | ||||
| ) | ||||
|  | ||||
| // UpdateItemPassword updates the password of an item in 1Password | ||||
| func UpdateItemPassword(item string) error { | ||||
| 	_, err := system.Run("op", "item", "edit", item, "--generate-password=letters,digits,symbols,32") | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
|  | ||||
| // ReadItemField reads the password of an item in 1Password | ||||
| func ReadItemField(item, vault string, field Field) (string, error) { | ||||
| 	output, err := system.Run("op", "read", fmt.Sprintf("op://%s/%s/%s", vault, item, field)) | ||||
| 	if err != nil { | ||||
| 		return "", err | ||||
| 	} | ||||
| 	return output, nil | ||||
| } | ||||
							
								
								
									
										94
									
								
								pkg/testhelper/system/system.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										94
									
								
								pkg/testhelper/system/system.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,94 @@ | ||||
| package system | ||||
|  | ||||
| import ( | ||||
| 	"errors" | ||||
| 	"fmt" | ||||
| 	"io" | ||||
| 	"os" | ||||
| 	"os/exec" | ||||
| 	"path/filepath" | ||||
| 	"strings" | ||||
| ) | ||||
|  | ||||
| // Run executes the provided command within this context | ||||
| func Run(name string, args ...string) (string, error) { | ||||
| 	cmd := exec.Command(name, args...) | ||||
|  | ||||
| 	rootDir, err := GetProjectRoot() | ||||
| 	if err != nil { | ||||
| 		return "", err | ||||
| 	} | ||||
|  | ||||
| 	// Command will run from project root | ||||
| 	cmd.Dir = rootDir | ||||
|  | ||||
| 	command := strings.Join(cmd.Args, " ") | ||||
| 	output, err := cmd.CombinedOutput() | ||||
| 	if err != nil { | ||||
| 		return string(output), fmt.Errorf("%s failed with error: (%v) %s", command, err, string(output)) | ||||
| 	} | ||||
|  | ||||
| 	return string(output), nil | ||||
| } | ||||
|  | ||||
| func GetProjectRoot() (string, error) { | ||||
| 	dir, err := os.Getwd() | ||||
| 	if err != nil { | ||||
| 		return "", err | ||||
| 	} | ||||
|  | ||||
| 	for { | ||||
| 		// check if go.mod exists in current dir | ||||
| 		modFile := filepath.Join(dir, "go.mod") | ||||
| 		if _, err := os.Stat(modFile); err == nil { | ||||
| 			return dir, nil | ||||
| 		} | ||||
|  | ||||
| 		// move one level up | ||||
| 		parent := filepath.Dir(dir) | ||||
| 		if parent == dir { | ||||
| 			// reached filesystem root | ||||
| 			return "", fmt.Errorf("project root not found (no go.mod)") | ||||
| 		} | ||||
| 		dir = parent | ||||
| 	} | ||||
| } | ||||
|  | ||||
| func ReplaceFile(src, dst string) error { | ||||
| 	rootDir, err := GetProjectRoot() | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| 	} | ||||
|  | ||||
| 	// Open the source file | ||||
| 	sourceFile, err := os.Open(filepath.Join(rootDir, src)) | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	defer func(sourceFile *os.File) { | ||||
| 		cerr := sourceFile.Close() | ||||
| 		if err != nil { | ||||
| 			err = errors.Join(err, cerr) | ||||
| 		} | ||||
| 	}(sourceFile) | ||||
|  | ||||
| 	// Create (or overwrite) the destination file | ||||
| 	destFile, err := os.Create(filepath.Join(rootDir, dst)) | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	defer func(destFile *os.File) { | ||||
| 		cerr := destFile.Close() | ||||
| 		if err != nil { | ||||
| 			err = errors.Join(err, cerr) | ||||
| 		} | ||||
| 	}(destFile) | ||||
|  | ||||
| 	// Copy contents | ||||
| 	if _, err = io.Copy(destFile, sourceFile); err != nil { | ||||
| 		return err | ||||
| 	} | ||||
|  | ||||
| 	// Ensure data is written to disk | ||||
| 	return destFile.Sync() | ||||
| } | ||||
							
								
								
									
										14
									
								
								test/e2e/e2e_suite_test.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										14
									
								
								test/e2e/e2e_suite_test.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,14 @@ | ||||
| package e2e | ||||
|  | ||||
| import ( | ||||
| 	"testing" | ||||
|  | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	. "github.com/onsi/gomega" | ||||
| ) | ||||
|  | ||||
| // Run e2e tests using the Ginkgo runner. | ||||
| func TestE2E(t *testing.T) { | ||||
| 	RegisterFailHandler(Fail) | ||||
| 	RunSpecs(t, "onepassword-operator e2e suite") | ||||
| } | ||||
							
								
								
									
										233
									
								
								test/e2e/e2e_test.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										233
									
								
								test/e2e/e2e_test.go
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,233 @@ | ||||
| package e2e | ||||
|  | ||||
| import ( | ||||
| 	"context" | ||||
| 	"path/filepath" | ||||
| 	"strconv" | ||||
| 	"time" | ||||
|  | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/ginkgo/v2" | ||||
| 	//nolint:staticcheck // ST1001 | ||||
| 	. "github.com/onsi/gomega" | ||||
| 	corev1 "k8s.io/api/core/v1" | ||||
|  | ||||
| 	"github.com/1Password/onepassword-operator/pkg/testhelper/defaults" | ||||
| 	"github.com/1Password/onepassword-operator/pkg/testhelper/kind" | ||||
| 	"github.com/1Password/onepassword-operator/pkg/testhelper/kube" | ||||
| 	"github.com/1Password/onepassword-operator/pkg/testhelper/op" | ||||
| 	"github.com/1Password/onepassword-operator/pkg/testhelper/system" | ||||
| ) | ||||
|  | ||||
| const ( | ||||
| 	operatorImageName = "1password/onepassword-operator:latest" | ||||
| 	vaultName         = "operator-acceptance-tests" | ||||
| ) | ||||
|  | ||||
| var kubeClient *kube.Kube | ||||
|  | ||||
| var _ = Describe("Onepassword Operator e2e", Ordered, func() { | ||||
| 	ctx := context.Background() | ||||
|  | ||||
| 	BeforeAll(func() { | ||||
| 		rootDir, err := system.GetProjectRoot() | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		kubeClient = kube.NewKubeClient(&kube.Config{ | ||||
| 			Namespace:    "default", | ||||
| 			ManifestsDir: filepath.Join("manifests"), | ||||
| 			TestConfig: &kube.TestConfig{ | ||||
| 				Timeout:  defaults.E2ETimeout, | ||||
| 				Interval: defaults.E2EInterval, | ||||
| 			}, | ||||
| 			CRDs: []string{ | ||||
| 				filepath.Join(rootDir, "config", "crd", "bases", "onepassword.com_onepassworditems.yaml"), | ||||
| 			}, | ||||
| 		}) | ||||
|  | ||||
| 		By("Building the Operator image") | ||||
| 		_, err = system.Run("make", "docker-build") | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		kind.LoadImageToKind(operatorImageName) | ||||
|  | ||||
| 		kubeClient.Secret("op-credentials").CreateOpCredentials(ctx) | ||||
| 		kubeClient.Secret("op-credentials").CheckIfExists(ctx) | ||||
|  | ||||
| 		kubeClient.Secret("onepassword-token").CreateFromEnvVar(ctx, "OP_CONNECT_TOKEN") | ||||
| 		kubeClient.Secret("onepassword-token").CheckIfExists(ctx) | ||||
|  | ||||
| 		kubeClient.Secret("onepassword-service-account-token").CreateFromEnvVar(ctx, "OP_SERVICE_ACCOUNT_TOKEN") | ||||
| 		kubeClient.Secret("onepassword-service-account-token").CheckIfExists(ctx) | ||||
|  | ||||
| 		By("Replace manager.yaml") | ||||
| 		err = system.ReplaceFile("test/e2e/manifests/manager.yaml", "config/manager/manager.yaml") | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		_, err = system.Run("make", "deploy") | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
| 		kubeClient.Pod(map[string]string{"name": "onepassword-connect-operator"}).WaitingForRunningPod(ctx) | ||||
| 	}) | ||||
|  | ||||
| 	Context("Use the operator with Service Account", func() { | ||||
| 		runCommonTestCases(ctx) | ||||
| 	}) | ||||
|  | ||||
| 	Context("Use the operator with Connect", func() { | ||||
| 		BeforeAll(func() { | ||||
| 			kubeClient.Deployment("onepassword-connect-operator").PatchEnvVars(ctx, []corev1.EnvVar{ | ||||
| 				{Name: "MANAGE_CONNECT", Value: "true"}, | ||||
| 				{Name: "OP_CONNECT_HOST", Value: "http://onepassword-connect:8080"}, | ||||
| 				{ | ||||
| 					Name: "OP_CONNECT_TOKEN", | ||||
| 					ValueFrom: &corev1.EnvVarSource{ | ||||
| 						SecretKeyRef: &corev1.SecretKeySelector{ | ||||
| 							LocalObjectReference: corev1.LocalObjectReference{ | ||||
| 								Name: "onepassword-token", | ||||
| 							}, | ||||
| 							Key: "token", | ||||
| 						}, | ||||
| 					}, | ||||
| 				}, | ||||
| 			}, []string{"OP_SERVICE_ACCOUNT_TOKEN"}) | ||||
|  | ||||
| 			kubeClient.Secret("login").Delete(ctx)             // remove secret crated in previous test | ||||
| 			kubeClient.Secret("secret-ignored").Delete(ctx)    // remove secret crated in previous test | ||||
| 			kubeClient.Secret("secret-for-update").Delete(ctx) // remove secret crated in previous test | ||||
|  | ||||
| 			kubeClient.Pod(map[string]string{"app": "onepassword-connect"}).WaitingForRunningPod(ctx) | ||||
| 		}) | ||||
|  | ||||
| 		runCommonTestCases(ctx) | ||||
| 	}) | ||||
| }) | ||||
|  | ||||
| // runCommonTestCases contains test cases that are common to both Connect and Service Account authentication methods. | ||||
| func runCommonTestCases(ctx context.Context) { | ||||
| 	It("Should create kubernetes secret from manifest file", func() { | ||||
| 		By("Creating secret `login` from 1Password item") | ||||
| 		kubeClient.Apply(ctx, "secret.yaml") | ||||
| 		kubeClient.Secret("login").CheckIfExists(ctx) | ||||
| 	}) | ||||
|  | ||||
| 	It("Kubernetes secret is updated after POOLING_INTERVAL, when updating item in 1Password", func() { | ||||
| 		itemName := "secret-for-update" | ||||
| 		secretName := itemName | ||||
|  | ||||
| 		By("Creating secret `" + secretName + "` from 1Password item") | ||||
| 		kubeClient.Apply(ctx, secretName+".yaml") | ||||
| 		kubeClient.Secret(secretName).CheckIfExists(ctx) | ||||
|  | ||||
| 		By("Reading old password") | ||||
| 		secret := kubeClient.Secret(secretName).Get(ctx) | ||||
| 		oldPassword, ok := secret.Data["password"] | ||||
| 		Expect(ok).To(BeTrue()) | ||||
|  | ||||
| 		By("Updating `" + secretName + "` 1Password item") | ||||
| 		err := op.UpdateItemPassword(itemName) | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		// checking that password was updated | ||||
| 		Eventually(func(g Gomega) { | ||||
| 			// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 			attemptCtx, cancel := context.WithTimeout(ctx, 10*time.Second) | ||||
| 			defer cancel() | ||||
|  | ||||
| 			secret = kubeClient.Secret(secretName).Get(attemptCtx) | ||||
| 			g.Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 			newPassword, ok := secret.Data["password"] | ||||
| 			g.Expect(ok).To(BeTrue()) | ||||
| 			g.Expect(newPassword).NotTo(Equal(oldPassword)) | ||||
| 		}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed()) | ||||
| 	}) | ||||
|  | ||||
| 	It("1Password item with `ignore-secret` tag doesn't pull updates to kubernetes secret", func() { | ||||
| 		itemName := "secret-ignored" | ||||
| 		secretName := itemName | ||||
|  | ||||
| 		By("Creating secret `" + secretName + "` from 1Password item") | ||||
| 		kubeClient.Apply(ctx, secretName+".yaml") | ||||
| 		kubeClient.Secret(secretName).CheckIfExists(ctx) | ||||
|  | ||||
| 		By("Reading old password") | ||||
| 		secret := kubeClient.Secret(secretName).Get(ctx) | ||||
| 		oldPassword, ok := secret.Data["password"] | ||||
| 		Expect(ok).To(BeTrue()) | ||||
|  | ||||
| 		By("Updating `" + secretName + "` 1Password item") | ||||
| 		err := op.UpdateItemPassword(itemName) | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		newPassword, err := op.ReadItemField(itemName, vaultName, op.FieldPassword) | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
| 		Expect(newPassword).NotTo(BeEquivalentTo(oldPassword)) | ||||
|  | ||||
| 		// checking that password was NOT updated | ||||
| 		Eventually(func(g Gomega) { | ||||
| 			// Derive a short-lived context so this API call won't hang indefinitely. | ||||
| 			attemptCtx, cancel := context.WithTimeout(ctx, 30*time.Second) | ||||
| 			defer cancel() | ||||
|  | ||||
| 			intervalStr := kubeClient.Deployment("onepassword-connect-operator").ReadEnvVar(attemptCtx, "POLLING_INTERVAL") | ||||
| 			Expect(intervalStr).NotTo(BeEmpty()) | ||||
|  | ||||
| 			i, err := strconv.Atoi(intervalStr) | ||||
| 			Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 			// convert to duration in seconds | ||||
| 			interval := time.Duration(i) * time.Second | ||||
| 			// wait for one polling interval + 2 seconds to make sure updated secret is pulled | ||||
| 			time.Sleep(interval + 2*time.Second) | ||||
|  | ||||
| 			secret = kubeClient.Secret(secretName).Get(attemptCtx) | ||||
| 			g.Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 			currentPassword, ok := secret.Data["password"] | ||||
| 			Expect(ok).To(BeTrue()) | ||||
| 			Expect(currentPassword).To(BeEquivalentTo(oldPassword)) | ||||
| 			Expect(currentPassword).NotTo(BeEquivalentTo(newPassword)) | ||||
| 		}, defaults.E2ETimeout, defaults.E2EInterval).Should(Succeed()) | ||||
| 	}) | ||||
|  | ||||
| 	It("AUTO_RESTART restarts deployments using 1Password secrets after item update", func() { | ||||
| 		By("Enabling AUTO_RESTART") | ||||
| 		kubeClient.Deployment("onepassword-connect-operator").PatchEnvVars(ctx, []corev1.EnvVar{ | ||||
| 			{Name: "AUTO_RESTART", Value: "true"}, | ||||
| 		}, nil) | ||||
|  | ||||
| 		DeferCleanup(func() { | ||||
| 			By("Disabling AUTO_RESTART") | ||||
| 			// disable AUTO_RESTART after test | ||||
| 			kubeClient.Deployment("onepassword-connect-operator").PatchEnvVars(ctx, []corev1.EnvVar{ | ||||
| 				{Name: "AUTO_RESTART", Value: "false"}, | ||||
| 			}, nil) | ||||
| 		}) | ||||
|  | ||||
| 		// Ensure the secret exists (created in earlier test), but apply again safely just in case | ||||
| 		kubeClient.Apply(ctx, "secret-for-update.yaml") | ||||
| 		kubeClient.Secret("secret-for-update").CheckIfExists(ctx) | ||||
|  | ||||
| 		// add custom secret to the operator | ||||
| 		kubeClient.Deployment("onepassword-connect-operator").PatchEnvVars(ctx, []corev1.EnvVar{ | ||||
| 			{ | ||||
| 				Name: "CUSTOM_SECRET", | ||||
| 				ValueFrom: &corev1.EnvVarSource{ | ||||
| 					SecretKeyRef: &corev1.SecretKeySelector{ | ||||
| 						LocalObjectReference: corev1.LocalObjectReference{ | ||||
| 							Name: "secret-for-update", | ||||
| 						}, | ||||
| 						Key: "password", | ||||
| 					}, | ||||
| 				}, | ||||
| 			}, | ||||
| 		}, nil) | ||||
|  | ||||
| 		By("Updating `secret-for-update` 1Password item") | ||||
| 		err := op.UpdateItemPassword("secret-for-update") | ||||
| 		Expect(err).NotTo(HaveOccurred()) | ||||
|  | ||||
| 		By("Checking the operator is restarted") | ||||
| 		kubeClient.Deployment("onepassword-connect-operator").WaitDeploymentRolledOut(ctx) | ||||
| 	}) | ||||
| } | ||||
							
								
								
									
										99
									
								
								test/e2e/manifests/manager.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										99
									
								
								test/e2e/manifests/manager.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,99 @@ | ||||
| # This manager file is used for e2e tests. | ||||
| # It will be copied to `config/manager` and be used when deploying the operator in e2e tests | ||||
| # The purpose of it is to increase e2e tests speed and do not introduce additional changes in original `manager.yaml` | ||||
|  | ||||
| apiVersion: v1 | ||||
| kind: Namespace | ||||
| metadata: | ||||
|   labels: | ||||
|     control-plane: onepassword-connect-operator | ||||
|     app.kubernetes.io/name: namespace | ||||
|     app.kubernetes.io/instance: system | ||||
|     app.kubernetes.io/component: manager | ||||
|     app.kubernetes.io/created-by: onepassword-connect-operator | ||||
|     app.kubernetes.io/part-of: onepassword-connect-operator | ||||
|     app.kubernetes.io/managed-by: kustomize | ||||
|   name: system | ||||
| --- | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: onepassword-connect-operator | ||||
|   namespace: system | ||||
|   labels: | ||||
|     control-plane: controller-manager | ||||
|     app.kubernetes.io/name: deployment | ||||
|     app.kubernetes.io/instance: controller-manager | ||||
|     app.kubernetes.io/component: manager | ||||
|     app.kubernetes.io/created-by: onepassword-connect-operator | ||||
|     app.kubernetes.io/part-of: onepassword-connect-operator | ||||
|     app.kubernetes.io/managed-by: kustomize | ||||
| spec: | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       name: onepassword-connect-operator | ||||
|       control-plane: onepassword-connect-operator | ||||
|   replicas: 1 | ||||
|   template: | ||||
|     metadata: | ||||
|       annotations: | ||||
|         kubectl.kubernetes.io/default-container: manager | ||||
|       labels: | ||||
|         name: onepassword-connect-operator | ||||
|         control-plane: onepassword-connect-operator | ||||
|     spec: | ||||
|       securityContext: | ||||
|         runAsNonRoot: true | ||||
|       containers: | ||||
|       - command: | ||||
|         - /manager | ||||
|         args: | ||||
|         - --leader-elect | ||||
|         - --health-probe-bind-address=:8081 | ||||
|         image: 1password/onepassword-operator:latest | ||||
|         imagePullPolicy: Never | ||||
|         name: manager | ||||
|         env: | ||||
|           - name: OPERATOR_NAME | ||||
|             value: "onepassword-connect-operator" | ||||
|           - name: POD_NAME | ||||
|             valueFrom: | ||||
|               fieldRef: | ||||
|                 fieldPath: metadata.name | ||||
|           - name: WATCH_NAMESPACE | ||||
|             value: "default" | ||||
|           - name: POLLING_INTERVAL | ||||
|             value: "10" | ||||
|           - name: AUTO_RESTART | ||||
|             value: "false" | ||||
|           - name: OP_SERVICE_ACCOUNT_TOKEN | ||||
|             valueFrom: | ||||
|               secretKeyRef: | ||||
|                 name: onepassword-service-account-token | ||||
|                 key: token | ||||
|         securityContext: | ||||
|           allowPrivilegeEscalation: false | ||||
|           capabilities: | ||||
|             drop: | ||||
|             - "ALL" | ||||
|         livenessProbe: | ||||
|           httpGet: | ||||
|             path: /healthz | ||||
|             port: 8081 | ||||
|           initialDelaySeconds: 15 | ||||
|           periodSeconds: 20 | ||||
|         readinessProbe: | ||||
|           httpGet: | ||||
|             path: /readyz | ||||
|             port: 8081 | ||||
|           initialDelaySeconds: 5 | ||||
|           periodSeconds: 10 | ||||
|         resources: | ||||
|           limits: | ||||
|             cpu: 500m | ||||
|             memory: 512Mi | ||||
|           requests: | ||||
|             cpu: 100m | ||||
|             memory: 128Mi | ||||
|       serviceAccountName: onepassword-connect-operator | ||||
|       terminationGracePeriodSeconds: 10 | ||||
							
								
								
									
										6
									
								
								test/e2e/manifests/secret-for-update.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								test/e2e/manifests/secret-for-update.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,6 @@ | ||||
| apiVersion: onepassword.com/v1 | ||||
| kind: OnePasswordItem | ||||
| metadata: | ||||
|   name: secret-for-update | ||||
| spec: | ||||
|   itemPath: "vaults/operator-acceptance-tests/items/secret-for-update" | ||||
							
								
								
									
										6
									
								
								test/e2e/manifests/secret-ignored.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								test/e2e/manifests/secret-ignored.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,6 @@ | ||||
| apiVersion: onepassword.com/v1 | ||||
| kind: OnePasswordItem | ||||
| metadata: | ||||
|   name: secret-ignored | ||||
| spec: | ||||
|   itemPath: "vaults/operator-acceptance-tests/items/secret-ignored" | ||||
							
								
								
									
										6
									
								
								test/e2e/manifests/secret.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										6
									
								
								test/e2e/manifests/secret.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,6 @@ | ||||
| apiVersion: onepassword.com/v1 | ||||
| kind: OnePasswordItem | ||||
| metadata: | ||||
|   name: login | ||||
| spec: | ||||
|   itemPath: "vaults/operator-acceptance-tests/items/test-login" | ||||
| @@ -2,5 +2,5 @@ package version | ||||
|  | ||||
| var ( | ||||
| 	OperatorVersion    = "1.9.1" | ||||
| 	OperatorSDKVersion = "1.34.1" | ||||
| 	OperatorSDKVersion = "1.41.1" | ||||
| ) | ||||
|   | ||||
		Reference in New Issue
	
	Block a user