Merge pull request #72 from projectsyn/feat/support-secrets
Support custom secrets
DebakelOrakel authored Aug 9, 2024
2 parents d5f42de + 4dee73f commit 6ea5f9e
Showing 19 changed files with 299 additions and 8 deletions.
4 changes: 2 additions & 2 deletions .cruft.json
Expand Up @@ -7,11 +7,11 @@
"name": "fluentbit",
"slug": "fluentbit",
"parameter_key": "fluentbit",
"test_cases": "defaults",
"test_cases": "defaults config",
"add_lib": "n",
"add_pp": "y",
"add_golden": "y",
"add_matrix": "n",
"add_matrix": "y",
"add_go_unit": "n",
"automerge_patch": "y",
"automerge_patch_v0": "n",
14 changes: 12 additions & 2 deletions .github/workflows/test.yaml
Expand Up @@ -29,6 +29,11 @@ jobs:
args: 'check'
test:
runs-on: ubuntu-latest
strategy:
matrix:
instance:
- defaults
- config
defaults:
run:
working-directory: ${{ env.COMPONENT_NAME }}
Expand All @@ -37,9 +42,14 @@ jobs:
with:
path: ${{ env.COMPONENT_NAME }}
- name: Compile component
run: make test
run: make test -e instance=${{ matrix.instance }}
golden:
runs-on: ubuntu-latest
strategy:
matrix:
instance:
- defaults
- config
defaults:
run:
working-directory: ${{ env.COMPONENT_NAME }}
Expand All @@ -48,4 +58,4 @@ jobs:
with:
path: ${{ env.COMPONENT_NAME }}
- name: Golden diff
run: make golden-diff
run: make golden-diff -e instance=${{ matrix.instance }}
16 changes: 16 additions & 0 deletions Makefile
Expand Up @@ -71,6 +71,22 @@ golden-diff: commodore_args += -f tests/$(instance).yml
golden-diff: clean .compile ## Diff compile output against the reference version. Review output and run `make gen-golden golden-diff` if this target fails.
@git diff --exit-code --minimal --no-index -- tests/golden/$(instance) compiled/

.PHONY: golden-diff-all
golden-diff-all: recursive_target=golden-diff
golden-diff-all: $(test_instances) ## Run golden-diff for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1).

.PHONY: gen-golden-all
gen-golden-all: recursive_target=gen-golden
gen-golden-all: $(test_instances) ## Run gen-golden for all instances. Note: this doesn't work when running make with multiple parallel jobs (-j != 1).

.PHONY: lint_kubent_all
lint_kubent_all: recursive_target=lint_kubent
lint_kubent_all: $(test_instances) ## Lint deprecated Kubernetes API versions for all golden test instances. Will exit on first error. Note: this doesn't work when running make with multiple parallel jobs (-j != 1).

.PHONY: $(test_instances)
$(test_instances):
$(MAKE) $(recursive_target) -e instance=$(basename $(@F))

.PHONY: clean
clean: ## Clean the project
rm -rf .cache compiled dependencies vendor helmcharts jsonnetfile*.json || true
1 change: 1 addition & 0 deletions Makefile.vars.mk
Expand Up @@ -57,3 +57,4 @@ KUBENT_IMAGE ?= ghcr.io/doitintl/kube-no-trouble:latest
KUBENT_DOCKER ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)

instance ?= defaults
test_instances = tests/defaults.yml tests/config.yml
4 changes: 4 additions & 0 deletions class/defaults.yml
Expand Up @@ -66,6 +66,10 @@ parameters:
K8S-Logging.Parser: "On"
K8S-Logging.Exclude: "On"

# Configure a custom secret to deploy
secretName: ${_instance}
secret: {}

# Add volumes to the pod spec
extraVolumes: []
extraVolumeMounts: []
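Review bot: The comment above `secret` does not tell users that the values are written unchanged into the generated Secret's `stringData`, which the `tests/config.yml` fixture and its golden output make visible, so a literal credential placed in the hierarchy would presumably be committed along with the compiled output. I would expand it to `# Configure a custom secret to deploy. Values are rendered verbatim into the Secret's stringData; use secret references (for example ?{vaultkv:...}) instead of literal credentials.` The same caveat belongs under `== secret` in `parameters.adoc`. The enclosing `parameters.fluentbit` mapping starts outside this hunk.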
17 changes: 17 additions & 0 deletions component/main.jsonnet
Expand Up @@ -162,8 +162,25 @@ local configmap = kube.ConfigMap(params.configMapName) {
},
};

local secret = kube.Secret(params.secretName) {
metadata+: {
labels+: {
'app.kubernetes.io/name': params.secretName,
'app.kubernetes.io/instance': instanceName,
'app.kubernetes.io/component': 'fluent-bit',
'app.kubernetes.io/managed-by': 'commodore',
},
},
stringData: {
[s]: params.secret[s]
for s in std.objectFields(params.secret)
},
data:: {},
};

{
[if params.createNamespace then '00_namespace']: kube.Namespace(params.namespace),
[if std.length(params.secret) > 0 then '10_custom_secret']: secret,
'10_custom_config': configmap,
[if params.monitoring.enabled then '20_service_monitor']:
kube._Object('monitoring.coreos.com/v1', 'ServiceMonitor', 'fluent-bit') {
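Review bot: The `stringData` comprehension copies `params.secret[s]` without checking its type, so a number, boolean or nested dict set in the hierarchy compiles cleanly and is only rejected when the manifest is applied, because `stringData` values must be strings. A compile-time guard ahead of `local secret` would surface this earlier, for example `assert std.all([std.isString(params.secret[s]) for s in std.objectFields(params.secret)]) : 'fluentbit.secret values must be strings';` (assuming the jsonnet version in use provides `std.all`). Separately, the Secret sets `'app.kubernetes.io/name': params.secretName`, which the golden output renders as `fluentbit` while the ConfigMap carries `fluent-bit`; using the same literal on both would keep label selectors consistent. The final object literal continues past the end of this hunk.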
16 changes: 16 additions & 0 deletions docs/modules/ROOT/pages/references/parameters.adoc
Expand Up @@ -180,6 +180,22 @@ capitalization of keys and values).
If the dict for a section doesn't have a key `Name`, the key for the section will be used as the plugin name for the section.
This allows avoiding repetition, when it's unnecessary, while still supporting having multiple outputs using the same plugin.

== `secretName`

[horizontal]
type:: string
default:: `${_instance}`

The name of the generated secret.

== `secret`

[horizontal]
type:: dict
default:: {}

Create a custom secret which containes the key-value pairs defined in this dict.

== `annotations`

[horizontal]
2 changes: 1 addition & 1 deletion renovate.json
Expand Up @@ -13,7 +13,7 @@
"separateMinorPatch": true,
"postUpgradeTasks": {
"commands": [
"make gen-golden"
"make gen-golden-all"
],
"fileFilters": [
"tests/golden/**"
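--- a/tests/config.yml
+++ b/tests/config.yml
@@ -0,0 +1,10 @@
+parameters:
+fluentbit:
+secret:
+AWS_ACCESS_KEY_ID: <SUPER_SECRET>
+AWS_SECRET_ACCESS_KEY: <EVEN_MORE_SUPERER>
+
+helm_values:
+envFrom:
+- secretRef:
+name: ${fluentbit:secretName}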
6 changes: 3 additions & 3 deletions tests/defaults.yml
@@ -1,3 +1,3 @@
---
parameters:
fluentbit: {}
# Overwrite parameters here

# parameters: {...}
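--- a/tests/golden/config/fluentbit/apps/fluentbit.yaml
+++ b/tests/golden/config/fluentbit/apps/fluentbit.yaml
@@ -0,0 +1,3 @@
+spec:
+source:
+path: manifests/fluentbit/fluentbit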
@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
annotations: {}
labels:
name: syn-fluentbit
name: syn-fluentbit
@@ -0,0 +1,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/version: 3.1.4
helm.sh/chart: fluent-bit-0.47.5
name: fluentbit
rules:
- apiGroups:
- ''
resources:
- namespaces
- pods
verbs:
- get
- list
- watch
@@ -0,0 +1,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/version: 3.1.4
helm.sh/chart: fluent-bit-0.47.5
name: fluentbit
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: fluentbit
subjects:
- kind: ServiceAccount
name: fluentbit
namespace: syn-fluentbit
@@ -0,0 +1,78 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/version: 3.1.4
helm.sh/chart: fluent-bit-0.47.5
name: fluentbit
namespace: syn-fluentbit
spec:
selector:
matchLabels:
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/name: fluent-bit
template:
metadata:
annotations:
checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
checksum/syn-config: 06e588437d65a5b9ef0171f6ac0a59e7
fluentbit.io/exclude: 'true'
labels:
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/name: fluent-bit
spec:
containers:
- args:
- --workdir=/fluent-bit/etc
- --config=/fluent-bit/etc/conf/fluent-bit.conf
command:
- /fluent-bit/bin/fluent-bit
envFrom:
- secretRef:
name: fluentbit
image: docker.io/fluent/fluent-bit:3.1.4
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /
port: http
name: fluent-bit
ports:
- containerPort: 2020
name: http
protocol: TCP
readinessProbe:
httpGet:
path: /api/v1/health
port: http
volumeMounts:
- mountPath: /fluent-bit/etc/conf
name: config
- mountPath: /var/log
name: varlog
- mountPath: /var/lib/docker/containers
name: varlibdockercontainers
readOnly: true
- mountPath: /etc/machine-id
name: etcmachineid
readOnly: true
dnsPolicy: ClusterFirst
hostNetwork: false
serviceAccountName: fluentbit
volumes:
- configMap:
name: fluentbit
name: config
- hostPath:
path: /var/log
name: varlog
- hostPath:
path: /var/lib/docker/containers
name: varlibdockercontainers
- hostPath:
path: /etc/machine-id
type: File
name: etcmachineid
@@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/version: 3.1.4
helm.sh/chart: fluent-bit-0.47.5
name: fluentbit
namespace: syn-fluentbit
spec:
ports:
- name: http
port: 2020
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/name: fluent-bit
type: ClusterIP
@@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/version: 3.1.4
helm.sh/chart: fluent-bit-0.47.5
name: fluentbit
namespace: syn-fluentbit
@@ -0,0 +1,44 @@
apiVersion: v1
data:
custom_parsers.conf: ''
fluent-bit.conf: |
[SERVICE]
Daemon Off
Flush 1
HTTP_Listen 0.0.0.0
HTTP_Port 2020
HTTP_Server On
Log_Level info
Parsers_File parsers.conf
Plugins_File plugins.conf
[FILTER]
Name kubernetes
K8S-Logging.Exclude On
K8S-Logging.Parser On
Keep_Log On
Match kube.*
Merge_Log On
[INPUT]
Name tail
Mem_Buf_Limit 5MB
Parser docker
Path /var/log/containers/*.log
Skip_Long_lines On
Tag kube.*
[INPUT]
Name systemd
Read_From_Tail On
Systemd_Filter _SYSTEMD_UNIT=kubelet.service
Tag host.*
kind: ConfigMap
metadata:
annotations: {}
labels:
app.kubernetes.io/component: fluent-bit
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/managed-by: commodore
app.kubernetes.io/name: fluent-bit
app.kubernetes.io/version: 3.1.4
name: fluentbit
name: fluentbit
namespace: syn-fluentbit
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Secret
metadata:
annotations: {}
labels:
app.kubernetes.io/component: fluent-bit
app.kubernetes.io/instance: fluentbit
app.kubernetes.io/managed-by: commodore
app.kubernetes.io/name: fluentbit
name: fluentbit
name: fluentbit
stringData:
AWS_ACCESS_KEY_ID: <SUPER_SECRET>
AWS_SECRET_ACCESS_KEY: <EVEN_MORE_SUPERER>
type: Opaque
