refactor: factor out common package (#347)

* refactor: factor out annotations to common package Signed-off-by: Bence Csati <[email protected]> * refactor: annotations Signed-off-by: Bence Csati <[email protected]> * refactor: pkg/common Signed-off-by: Bence Csati <[email protected]> --------- Signed-off-by: Bence Csati <[email protected]>
bank-vaults · Feb 23, 2024 · 183629e · 183629e
1 parent 935255e
commit 183629e
Show file tree

Hide file tree

Showing 8 changed files with 126 additions and 107 deletions.
diff --git a/deploy/charts/vault-secrets-webhook/README.md b/deploy/charts/vault-secrets-webhook/README.md
@@ -143,6 +143,11 @@ The following table lists the configurable parameters of the Helm chart.
 | `affinity` | object | `{}` | Node affinity settings for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
 | `topologySpreadConstraints` | object | `{}` | TopologySpreadConstraints to add for the pods. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ |
 | `priorityClassName` | string | `""` | Assign a PriorityClassName to pods if set. Check: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ |
+| `livenessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":30,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}` | Liveness and readiness probes for the webhook container |
+| `readinessProbe.failureThreshold` | int | `3` |  |
+| `readinessProbe.periodSeconds` | int | `10` |  |
+| `readinessProbe.successThreshold` | int | `1` |  |
+| `readinessProbe.timeoutSeconds` | int | `1` |  |
 | `rbac.psp.enabled` | bool | `false` | Use pod security policy |
 | `rbac.authDelegatorRole.enabled` | bool | `false` | Bind `system:auth-delegator` ClusterRoleBinding to given `serviceAccount` |
 | `serviceAccount.create` | bool | `true` | Specifies whether a service account should be created |

diff --git a/pkg/webhook/common.go → pkg/common/common.go b/pkg/webhook/common.go → pkg/common/common.go
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package webhook
+package common
 
 import (
 	"strings"
@@ -21,34 +21,52 @@ import (
 const (
 	// Webhook annotations
 	// ref: https://bank-vaults.dev/docs/mutating-webhook/annotations/
-	MutateAnnotation                        = "vault.security.banzaicloud.io/mutate"
-	MutateProbesAnnotation                  = "vault.security.banzaicloud.io/mutate-probes"
+	PSPAllowPrivilegeEscalationAnnotation = "vault.security.banzaicloud.io/psp-allow-privilege-escalation"
+	RunAsNonRootAnnotation                = "vault.security.banzaicloud.io/run-as-non-root"
+	RunAsUserAnnotation                   = "vault.security.banzaicloud.io/run-as-user"
+	RunAsGroupAnnotation                  = "vault.security.banzaicloud.io/run-as-group"
+	ReadOnlyRootFsAnnotation              = "vault.security.banzaicloud.io/readonly-root-fs"
+	RegistrySkipVerifyAnnotation          = "vault.security.banzaicloud.io/registry-skip-verify"
+	MutateAnnotation                      = "vault.security.banzaicloud.io/mutate"
+	MutateProbesAnnotation                = "vault.security.banzaicloud.io/mutate-probes"
+
+	// Vault-env/Secret-init annotations
+	// NOTE: Change these once vault-env has been replaced with secret-init
+	VaultEnvDaemonAnnotation = "vault.security.banzaicloud.io/vault-env-daemon"
+	// SecretInitDaemonAnnotation = "vault.security.banzaicloud.io/secret-init-daemon"
+	VaultEnvDelayAnnotation = "vault.security.banzaicloud.io/vault-env-delay"
+	// SecretInitDelayAnnotation = "vault.security.banzaicloud.io/secret-init-delay"
+	EnableJSONLogAnnotation = "vault.security.banzaicloud.io/enable-json-log"
+	// SecretInitJSONLogAnnotation = "vault.security.banzaicloud.io/secret-init-json-log"
+	VaultEnvImageAnnotation = "vault.security.banzaicloud.io/vault-env-image"
+	// SecretInitImageAnnotation = "vault.security.banzaicloud.io/secret-init-image"
+	VaultEnvImagePullPolicyAnnotation = "vault.security.banzaicloud.io/vault-env-image-pull-policy"
+	// SecretInitImagePullPolicyAnnotation = "vault.security.banzaicloud.io/secret-init-image-pull-policy"
+
+	// Vault annotations
+	VaultAddrAnnotation                     = "vault.security.banzaicloud.io/vault-addr"
+	VaultImageAnnotation                    = "vault.security.banzaicloud.io/vault-image"
+	VaultImagePullPolicyAnnotation          = "vault.security.banzaicloud.io/vault-image-pull-policy"
+	VaultRoleAnnotation                     = "vault.security.banzaicloud.io/vault-role"
+	VaultPathAnnotation                     = "vault.security.banzaicloud.io/vault-path"
+	VaultSkipVerifyAnnotation               = "vault.security.banzaicloud.io/vault-skip-verify"
+	VaultTLSSecretAnnotation                = "vault.security.banzaicloud.io/vault-tls-secret"
+	VaultIgnoreMissingSecretsAnnotation     = "vault.security.banzaicloud.io/vault-ignore-missing-secrets"
+	VaultClientTimeoutAnnotation            = "vault.security.banzaicloud.io/vault-client-timeout"
+	TransitKeyIDAnnotation                  = "vault.security.banzaicloud.io/transit-key-id"
+	TransitPathAnnotation                   = "vault.security.banzaicloud.io/transit-path"
+	VaultAuthMethodAnnotation               = "vault.security.banzaicloud.io/vault-auth-method"
+	TransitBatchSizeAnnotation              = "vault.security.banzaicloud.io/transit-batch-size"
 	TokenAuthMountAnnotation                = "vault.security.banzaicloud.io/token-auth-mount"
 	VaultServiceaccountAnnotation           = "vault.security.banzaicloud.io/vault-serviceaccount"
 	VaultNamespaceAnnotation                = "vault.security.banzaicloud.io/vault-namespace"
-	RunAsNonRootAnnotation                  = "vault.security.banzaicloud.io/run-as-non-root"
-	RunAsUserAnnotation                     = "vault.security.banzaicloud.io/run-as-user"
-	RunAsGroupAnnotation                    = "vault.security.banzaicloud.io/run-as-group"
-	ReadOnlyRootFsAnnotation                = "vault.security.banzaicloud.io/readonly-root-fs"
 	ServiceAccountTokenVolumeNameAnnotation = "vault.security.banzaicloud.io/service-account-token-volume-name"
-	PSPAllowPrivilegeEscalationAnnotation   = "vault.security.banzaicloud.io/psp-allow-privilege-escalation"
-	RegistrySkipVerifyAnnotation            = "vault.security.banzaicloud.io/registry-skip-verify"
 	LogLevelAnnotation                      = "vault.security.banzaicloud.io/log-level"
-
-	// Vault annotations
-	VaultAddrAnnotation                 = "vault.security.banzaicloud.io/vault-addr"
-	VaultImageAnnotation                = "vault.security.banzaicloud.io/vault-image"
-	VaultImagePullPolicyAnnotation      = "vault.security.banzaicloud.io/vault-image-pull-policy"
-	VaultRoleAnnotation                 = "vault.security.banzaicloud.io/vault-role"
-	VaultPathAnnotation                 = "vault.security.banzaicloud.io/vault-path"
-	VaultSkipVerifyAnnotation           = "vault.security.banzaicloud.io/vault-skip-verify"
-	VaultTLSSecretAnnotation            = "vault.security.banzaicloud.io/vault-tls-secret"
-	VaultIgnoreMissingSecretsAnnotation = "vault.security.banzaicloud.io/vault-ignore-missing-secrets"
-	VaultClientTimeoutAnnotation        = "vault.security.banzaicloud.io/vault-client-timeout"
-	TransitKeyIDAnnotation              = "vault.security.banzaicloud.io/transit-key-id"
-	TransitPathAnnotation               = "vault.security.banzaicloud.io/transit-path"
-	VaultAuthMethodAnnotation           = "vault.security.banzaicloud.io/vault-auth-method"
-	TransitBatchSizeAnnotation          = "vault.security.banzaicloud.io/transit-batch-size"
+	// NOTE: Change these once vault-env has been replaced with secret-init
+	VaultEnvPassthroughAnnotation = "vault.security.banzaicloud.io/vault-env-passthrough"
+	// VaultPasstroughAnnotation = "vault.security.banzaicloud.io/vault-passthrough"
+	VaultEnvFromPathAnnotation = "vault.security.banzaicloud.io/vault-env-from-path"
+	// VaultFromPathAnnotation = "vault.security.banzaicloud.io/vault-from-path"
 
 	// Vault agent annotations
 	// ref: https://bank-vaults.dev/docs/mutating-webhook/vault-agent-templating/
@@ -76,24 +94,8 @@ const (
 	VaultConsulTemplateMemoryAnnotation                  = "vault.security.banzaicloud.io/vault-ct-memory"
 	VaultConsuleTemplateSecretsMountPathAnnotation       = "vault.security.banzaicloud.io/vault-ct-secrets-mount-path"
 	VaultConsuleTemplateInjectInInitcontainersAnnotation = "vault.security.banzaicloud.io/vault-ct-inject-in-initcontainers"
-
-	// Vault-env/Secret-init annotations
-	EnableJSONLogAnnotation = "vault.security.banzaicloud.io/enable-json-log"
-	// NOTE: Change these once vault-env has been replaced with secret-init
-	// SecretInitPasstroughAnnotation = "vault.security.banzaicloud.io/secret-init-passthrough"
-	VaultEnvPassthroughAnnotation = "vault.security.banzaicloud.io/vault-env-passthrough"
-	// SecretInitDaemonAnnotation = "vault.security.banzaicloud.io/secret-init-daemon"
-	VaultEnvDaemonAnnotation = "vault.security.banzaicloud.io/vault-env-daemon"
-	// SecretInitImageAnnotation = "vault.security.banzaicloud.io/secret-init-image"
-	VaultEnvImageAnnotation = "vault.security.banzaicloud.io/vault-env-image"
-	// SecretInitImagePullPolicyAnnotation = "vault.security.banzaicloud.io/secret-init-image-pull-policy"
-	VaultEnvImagePullPolicyAnnotation = "vault.security.banzaicloud.io/vault-env-image-pull-policy"
-	// VaultFromPathAnnotation = "vault.security.banzaicloud.io/vault-from-path"
-	VaultEnvFromPathAnnotation = "vault.security.banzaicloud.io/vault-env-from-path"
-	// SecretInitDelayAnnotation = "vault.security.banzaicloud.io/secret-init-delay"
-	VaultEnvDelayAnnotation = "vault.security.banzaicloud.io/vault-env-delay"
 )
 
-func hasVaultPrefix(value string) bool {
+func HasVaultPrefix(value string) bool {
 	return strings.HasPrefix(value, "vault:") || strings.HasPrefix(value, ">>vault:")
 }