Merge pull request #70 from itscontained/cleanup-readme

Update docs and chart metadata

.github/workflows/e2e.yaml

@@ -36,4 +36,4 @@ jobs:
         run: |
           export PATH=$PATH:$(go env GOPATH)/bin
           go get github.com/onsi/ginkgo/ginkgo
-          make e2e
+          make e2e-test

.github/workflows/helm.yaml

@@ -25,7 +25,7 @@ jobs:
       - name: Fix appversion for tests
         run: |
           LASTTAG=$(git describe --abbrev=0 --tags)
-          sed -i "s/0.0.0/${LASTTAG#v}/" deploy/charts/secret-manager/Chart.yaml
+          sed -i "s/%%APP_VERSION%%/${LASTTAG#v}/" deploy/charts/secret-manager/Chart.yaml
       - name: lint
         id: lint
         uses: helm/[email protected]
@@ -78,7 +78,7 @@ jobs:
           make crds-to-chart
           LASTTAG=$(git describe --abbrev=0 --tags)
           echo "Using ${LASTTAG#v} for appVersion"
-          sed -i "s/0.0.0/${LASTTAG#v}/" deploy/charts/secret-manager/Chart.yaml
+          sed -i "s/%%APP_VERSION%%/${LASTTAG#v}/" deploy/charts/secret-manager/Chart.yaml
       - name: Generate Helm README
         run: cd secret-manager && make helm-docs
       - name: Release Chart

CHANGELOG.md

@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix Vault API path for v1 secret engine ([#42](https://github.com/itscontained/secret-manager/pull/42) [@c35sys](https://github.com/c35sys))
 - Add E2E testing structure and tests for AWS Secret Manager ([#39](https://github.com/itscontained/secret-manager/pull/39) [@moolen](https://github.com/moolen))
 - Fix logging flag registration ([#46](https://github.com/itscontained/secret-manager/pull/46) [@mcavoyk](https://github.com/mcavoyk))
+- Update helm chart to install CRD's by default ([#68](https://github.com/itscontained/secret-manager/pull/68) [@mcavoyk](https://github.com/mcavoyk))
 - Change base docker image from `gcr.io/distroless/static` to `alpine:3.12` ([#67](https://github.com/itscontained/secret-manager/pull/67) [@mcavoyk](https://github.com/mcavoyk))
 
 ## [0.2.0](https://github.com/itscontained/secret-manager/compare/v0.1.0...v0.2.0) - 2020-09-17

Makefile

@@ -21,8 +21,8 @@ LDFLAGS += -X github.com/itscontained/secret-manager/pkg/util.version=${BINARY_V
 LDFLAGS += -X github.com/itscontained/secret-manager/pkg/util.gitCommit=${GIT_COMMIT}
 LDFLAGS += -X github.com/itscontained/secret-manager/pkg/util.gitState=${GIT_DIRTY}
 
-IMG_TAG ?= ${GIT_TAG}
-IMG ?= itscontained/secret-manager:${IMG_TAG}
+IMG_TAG  ?= ${GIT_TAG}
+IMG      ?= itscontained/secret-manager:${IMG_TAG}
 HELM_DIR ?= deploy/charts/secret-manager
 
 DOCKER_BUILD_FLAGS ?=
@@ -41,7 +41,7 @@ else ifneq (,$(wildcard $(GOBIN)/golangci-lint))
 GOLANGCI_LINT=$(GOBIN)/golangci-lint
 endif
 
-lint-install: ## installs golangci-lint to the go bin dir
+lint-install: # installs golangci-lint to the go bin dir
 	@if ! golangci-lint --version > /dev/null 2>&1; then \
 		echo "Installing golangci-lint"; \
 		curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOBIN) v1.31.0; \
@@ -62,7 +62,7 @@ test: ## Run tests
 build: generate ## Build manager binary
 	CGO_ENABLED=0 go build -a -ldflags '$(LDFLAGS)' -o bin/manager ./cmd/controller/main.go
 
-build-multiarch: ## Build multi-arch manager binary
+build-multiarch: # Build multi-arch manager binary
 	for arch in $(ARCHS); do \
 		CGO_ENABLED=0 GOOS=linux GOARCH=$${arch} go build -a -ldflags '$(LDFLAGS)' -o "bin/manager-linux-$${arch}" ./cmd/controller/main.go ;\
 	done ;\
@@ -77,16 +77,16 @@ generate: controller-gen ## Generate CRD code
 docker-build: manifests generate ## Build the docker image
 	docker build . -t $(IMG) $(DOCKER_BUILD_FLAGS)
 
-docker-buildx: manifests generate ## cross-compile
+docker-buildx: manifests generate # cross-compile
 	docker buildx build . -t $(IMG) $(DOCKER_BUILD_FLAGS)
 
-crds-to-chart: ## copy crds to helm chart directory
+crds-to-chart: ## Copy crds to helm chart directory
 	cp deploy/crds/*.yaml $(HELM_DIR)/templates/crds/; \
 	for i in deploy/charts/secret-manager/templates/crds/*.yaml; do \
 		sed -i '1s/.*/{{- if .Values.installCRDs }}/;$$a{{- end }}' $$i; \
 	done
 
-docker-build-kind-deploy: docker-build crds-to-chart ## copy
+docker-build-kind-deploy: docker-build crds-to-chart # Deploy to local kind cluster
 	kind load docker-image ${IMG} --name test
 	kind export kubeconfig --name test --kubeconfig $(HOME)/.kube/configs/kind-test.yaml
 	kubie ctx kind-test --namespace kube-system
@@ -101,9 +101,17 @@ helm-docs: ## Generate helm docs
 	cd $(HELM_DIR); \
 	docker run --rm -v $(shell pwd)/$(HELM_DIR):/helm-docs -u $(shell id -u) jnorwood/helm-docs:latest
 
-e2e: generate manifests
+e2e-start: ## Start local kind cluster
+	$(MAKE) -C e2e start-kind
+
+e2e-stop: ## Stop local kind cluster
+	$(MAKE) -C e2e stop-kind
+
+e2e-test: generate manifests ## Run e2e tests against current context
 	$(MAKE) -C e2e test
 
+e2e: e2e-start e2e-test e2e-stop ## Creates kind cluster and runs e2e tests
+
 # find or download controller-gen
 # download controller-gen if necessary
 controller-gen:

README.md

@@ -1,236 +1,45 @@
 # Secret Manager
-Secret Manager is a set of Kubernetes CRDs and controllers which define a common method of interacting with External
-SecretStores.
+Secret Manager is a Kubernetes add-on to automate the creation and renewal of
+secrets from various external secret sources.
 
-## SecretStore Backends
-### Supported
-* Hashicorp Vault
-* AWS SecretManager
-* GCP Secret Manager
+Secret Manager can also reformat the sourced secrets to fit the configuration
+expected by the workloads using the created secrets.
 
-### Planned
-* Azure Key Vault
-* Bitwarden
-
-## Inspiration
-Inspired by the great work done by the contributors over at [godaddy/kubernetes-external-secrets][1] and
-[jetstack/cert-manager][2], This project aims to take some of the best ideas from both projects for managing secrets.
+Based on the work from [godaddy/kubernetes-external-secrets](https://github.com/godaddy/kubernetes-external-secrets)
+and with borrowed wisdom from [jetstack/cert-manager](https://github.com/jetstack/cert-manager).
 
 ## Installation
 
 Helm installation steps can be found on the chart readme at [artifacthub.io](https://artifacthub.io/packages/helm/itscontained/secret-manager)
 
-## Examples
-### Basic Example
-To use an ExternalSecret first define a SecretStore for use.
-```yaml
-apiVersion: secret-manager.itscontained.io/v1alpha1
-kind: SecretStore
-metadata:
-  name: vault
-  namespace: example-ns
-spec:
-  vault:
-    server: "https://vault.example.com"
-    path: secret/data
-    auth:
-      kubernetes:
-        mountPath: kubernetes
-        role: example-role
-        secretRef:
-          name: vault-secret
-```
-
-The SecretStore defines how ExternalSecrets for the Store should interact with the backend, and the permission boundary
-that the ExternalSecrets have within the namespace or cluster when accessing the SecretStore.
-
-Once a SecretStore is defined an ExternalSecret can be created which references the Store.
-
-In this example, the Vault KV Secrets Engine has a secret at the name `teamA/hello-service`:
-```json
-{
-  "data": {
-      "serviceBapiKey": "foo-123",
-      "serviceCapiKey": "bar-456",
-      "private-images": "{ \"auths\": {\"registry.example.com\":{\"username\":\"foo\",\"password\":\"bar\",\"email\":\"[email protected]\"}}}"
-  }
-}
-```
-
-The ExternalSecret referencing this secret would look like:
-```yaml
-apiVersion: secret-manager.itscontained.io/v1alpha1
-kind: ExternalSecret
-metadata:
-  name: hello-service
-  namespace: example-ns
-spec:
-  storeRef:
-    name: vault
-  data:
-  - secretKey: password
-    remoteRef:
-      name: teamA/hello-service
-      property: serviceBapiKey
-```
-
-This ExternalSecret generates the secret:
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: hello-service
-  namespace: example-ns
-type: Opaque
-data:
-  # base64 decoded: foo-123
-  password: Zm9vLTEyMw==
-```
-
-### Advanced Examples
-#### Renewing Secrets
-The ExternalSecret can also optionally define the secret polling time. The ExternalSecret is refreshed when this
-period passes.
-```yaml
-apiVersion: secret-manager.itscontained.io/v1alpha1
-kind: ExternalSecret
-metadata:
-  name: hello-service
-  namespace: example-ns
-spec:
-  storeRef:
-    name: vault
-  renewAfter: "7d"
-  data:
-  - secretKey: password
-    remoteRef:
-      name: teamA/hello-service
-      property: serviceBapiKey
-```
-
-#### Templating Secrets
-The ExternalSecret can optionally define the format of the created Kubernetes secrets. The `template` specification
-field deeply merges with the generated ExternalSecret and ran through a go template parser. This can allow secrets
-with `type` other than `Opaque`, custom labels/annotations on the secret, or a secret data field configured differently
-than the data available in the ExternalSecret Store.
-
-An example imagePullSecret with an ExternalSecret:
-```yaml
-apiVersion: secret-manager.itscontained.io/v1alpha1
-kind: ExternalSecret
-metadata:
-  name: hello-service-images
-  namespace: example-ns
-spec:
-  storeRef:
-    name: vault
-  data:
-  - secretKey: .dockerconfigjson
-    remoteRef:
-      name: teamA/hello-service
-      property: private-images
-  template:
-    metadata:
-      annotations:
-        example: annotation-value
-    type: kubernetes.io/dockerconfigjson
-```
-
-Generates:
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: hello-service-images
-  namespace: example-ns
-  annotations:
-    example: annotation-value
-type: kubernetes.io/dockerconfigjson
-data:
-  # base64 decoded: {"auths":{"registry.example.com":{"username":"foo","password":"bar","email":"[email protected]"}}}
-  .dockerconfigjson: eyJhdXRocyI6eyJyZWdpc3RyeS5leGFtcGxlLmNvbSI6eyJ1c2VybmFtZSI6ImZvbyIsInBhc3N3b3JkIjoiYmFyIiwiZW1haWwiOiJmb29AZXhhbXBsZS5jb20ifX19
-```
-
-An example secret with a templated configuration:
-
-```yaml
-apiVersion: secret-manager.itscontained.io/v1alpha1
-kind: ExternalSecret
-metadata:
-  name: hello-service-config
-  namespace: example-ns
-spec:
-  storeRef:
-    name: vault
-  data:
-  - secretKey: password
-    remoteRef:
-      name: teamA/hello-service
-      property: serviceBapiKey
-  template:
-    data:
-      config.yaml: |
-      {
-        "apiUrl": "http://localhost:12345",
-        "apiKey": {{ .data.password | quote }}
-      }
-```
-
-Generates:
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: hello-service-config
-  namespace: example-ns
-type: Opaque
-data:
-  config.yaml: ewogICJhcGlVcmwiOiAiaHR0cDovL2xvY2FsaG9zdDoxMjM0NSIsCiAgImFwaUtleSI6ICJmb28tMTIzIgp9
-# config.yaml: |
-# {
-#   "apiUrl": "http://localhost:12345"
-#   "apiKey": "foo-123"
-# }
-```
-
-
-### Embedding Secrets
-
-If the SecretStore returns a map of secret values, then these secrets can be individually referenced via the `property`
-field as already demonstrated. When all secret fields should be in the generated secret, the `dataFrom` field can be
-specified to fetch all ExternalSecret properties into the generated secret.
-
-
-```yaml
-apiVersion: secret-manager.itscontained.io/v1alpha1
-kind: ExternalSecret
-metadata:
-  name: hello-service-config
-  namespace: example-ns
-spec:
-  storeRef:
-    name: vault
-  dataFrom:
-  - name: teamA/hello-service
-```
-
-Generates:
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: hello-service-config
-  namespace: example-ns
-type: Opaque
-data:
-  serviceBapiKey: ewogICJjb25maWciOiAiZm9vLTEyMyIKfQ==
-  serviceCapiKey: YmFyLTQ1Ng==
-  private-images: eyJhdXRocyI6eyJyZWdpc3RyeS5leGFtcGxlLmNvbSI6eyJ1c2VybmFtZSI6ImZvbyIsInBhc3N3b3JkIjoiYmFyIiwiZW1haWwiOiJmb29AZXhhbXBsZS5jb20ifX19
-# "serviceBapiKey": "foo-123",
-# "serviceCapiKey": "bar-456",
-# "private-images": "{ \"auths\": {\"registry.example.com\":{\"username\":\"foo\",\"password\":\"bar\",\"email\":\"[email protected]\"}}}"
-```
-
-[1]: https://github.com/godaddy/kubernetes-external-secrets
-[2]: https://github.com/jetstack/cert-manager
+## Documentation
+
+Documentation and examples for supported external secret sources can be found in
+the [docs directory](docs/) of this project.
+
+## Support
+
+If you encounter any issues whilst using secret-manager, we have a number of places you
+can use to try and get help.
+
+First of all we recommend looking at the [troubleshooting guide](docs/troubleshooting.md) of our documentation.
+
+The quickest way to ask a question is to first post on [#external-secrets](https://kubernetes.slack.com/archives/C017BF84G2Y)
+channel on the Kubernetes Slack. There are some community members in this channel, and
+you can often get an answer to your question straight away!
+
+You can also try [searching for an existing issue](https://github.com/itscontained/secret-manager/issues). Properly searching
+for an existing issue will help reduce the number of duplicates, and help you find the answer you are looking for quicker.
+
+If you believe you have encountered a bug, and cannot find an existing issue similar to your own,
+you may open a new issue. Please be sure to include as much information as possible about your environment.
+
+## Contributing
+
+We welcome pull requests with open arms! There's a lot of work to do here, and we're especially concerned with
+ensuring the longevity and reliability of the project.
+
+Please take a look at our [issue tracker](https://github.com/itscontained/secret-manager/issues) if you are
+unsure where to start with getting involved!
+
+Developer documentation is available in the [official documentation](docs/contributing/README.md).