From 652b6b36315cbe24f0e5b82a0701e4c9753cd0af Mon Sep 17 00:00:00 2001 From: Theron Voran Date: Thu, 15 Jun 2023 11:05:48 -0700 Subject: [PATCH] update go, actions, k8s and vault versions (#488) Updates all github actions to latest trusted versions and use the common jira-sync. Testing with k8s 1.23-1.27 (now that 1.22 has been dropped from major cloud providers). Building with go 1.20.5. Defaults to Vault 1.13.3. --- .github/workflows/build.yml | 2 +- .github/workflows/jira.yaml | 71 ++++--------------------------- .github/workflows/tests.yaml | 20 +++------ .go-version | 2 +- CHANGELOG.md | 9 +++- Dockerfile | 4 +- agent-inject/agent/agent.go | 2 +- deploy/injector-deployment.yaml | 2 +- subcommand/injector/flags_test.go | 2 +- 9 files changed, 27 insertions(+), 87 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a3ef6ff8..6e434173 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -62,7 +62,7 @@ jobs: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Setup go - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: .go-version diff --git a/.github/workflows/jira.yaml b/.github/workflows/jira.yaml index f2ba64e7..0f73ec38 100644 --- a/.github/workflows/jira.yaml +++ b/.github/workflows/jira.yaml @@ -1,3 +1,4 @@ +name: Jira Sync on: issues: types: [opened, closed, deleted, reopened] 
@@ -5,68 +6,12 @@ on: types: [opened, closed, reopened] issue_comment: # Also triggers when commenting on a PR from the conversation view types: [created] - -name: Jira Sync - jobs: sync: - runs-on: ubuntu-latest - name: Jira sync - steps: - - name: Login - uses: atlassian/gajira-login@45fd029b9f1d6d8926c6f04175aa80c0e42c9026 # v3.0.1 - env: - JIRA_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} - JIRA_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} - JIRA_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} - - - name: Preprocess - if: github.event.action == 'opened' || github.event.action == 'created' - id: preprocess - run: | - if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then - echo "type=PR" >> $GITHUB_OUTPUT - else - echo "type=ISS" >> $GITHUB_OUTPUT - fi - - - name: Create ticket - if: github.event.action == 'opened' - uses: tomhjp/gh-action-jira-create@3ed1789cad3521292e591a7cfa703215ec1348bf # v0.2.1 - with: - project: VAULT - issuetype: "GH Issue" - summary: "${{ github.event.repository.name }} [${{ steps.preprocess.outputs.type }} #${{ github.event.issue.number || github.event.pull_request.number }}]: ${{ github.event.issue.title || github.event.pull_request.title }}" - description: "${{ github.event.issue.body || github.event.pull_request.body }}\n\n_Created from GitHub Action for ${{ github.event.issue.html_url || github.event.pull_request.html_url }} from ${{ github.actor }}_" - # customfield_10089 is Issue Link custom field - # customfield_10091 is team custom field - extraFields: '{"fixVersions": [{"name": "TBD"}], "customfield_10091": ["ecosystem", "foundations"], "customfield_10089": "${{ github.event.issue.html_url || github.event.pull_request.html_url }}"}' - - - name: Search - if: github.event.action != 'opened' - id: search - uses: tomhjp/gh-action-jira-search@04700b457f317c3e341ce90da5a3ff4ce058f2fa # v0.2.2 - with: - # cf[10089] is Issue Link custom field - jql: 'project = "VAULT" and cf[10089]="${{ github.event.issue.html_url || 
github.event.pull_request.html_url }}"' - - - name: Sync comment - if: github.event.action == 'created' && steps.search.outputs.issue - uses: tomhjp/gh-action-jira-comment@6eb6b9ead70221916b6badd118c24535ed220bd9 # v0.2.0 - with: - issue: ${{ steps.search.outputs.issue }} - comment: "${{ github.actor }} ${{ github.event.review.state || 'commented' }}:\n\n${{ github.event.comment.body || github.event.review.body }}\n\n${{ github.event.comment.html_url || github.event.review.html_url }}" - - - name: Close ticket - if: (github.event.action == 'closed' || github.event.action == 'deleted') && steps.search.outputs.issue - uses: atlassian/gajira-transition@38fc9cd61b03d6a53dd35fcccda172fe04b36de3 # v3.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: Closed - - - name: Reopen ticket - if: github.event.action == 'reopened' && steps.search.outputs.issue - uses: atlassian/gajira-transition@38fc9cd61b03d6a53dd35fcccda172fe04b36de3 # v3.0.1 - with: - issue: ${{ steps.search.outputs.issue }} - transition: "Pending Triage" + uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main + secrets: + JIRA_SYNC_BASE_URL: ${{ secrets.JIRA_SYNC_BASE_URL }} + JIRA_SYNC_USER_EMAIL: ${{ secrets.JIRA_SYNC_USER_EMAIL }} + JIRA_SYNC_API_TOKEN: ${{ secrets.JIRA_SYNC_API_TOKEN }} + with: + teams-array: '["ecosystem", "foundations-eco"]' diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index d037f6c5..c5a12aeb 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
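Review bot: The added `uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@main` line references the reusable workflow by a mutable branch, while every other action touched in this commit is pinned to a full commit SHA with a version comment. Whatever is on `main` of that repository at run time receives `JIRA_SYNC_BASE_URL`, `JIRA_SYNC_USER_EMAIL` and `JIRA_SYNC_API_TOKEN`, so a change there takes effect here without any review in this repository. I would pin it like the others, `uses: hashicorp/vault-workflows-common/.github/workflows/jira.yaml@<full-commit-sha> # <tag-or-date>` (placeholders, since the page gives no SHA for that repository). The removed Preprocess step tested for `pull_request_target`, which suggests the workflow also fires on fork pull requests; the `on:` block starts outside this hunk, so that is worth confirming when deciding how strictly to pin.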
@@ -11,17 +11,7 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - # cache/restore go mod - - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 - with: - path: | - ~/.cache/go-build - ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 + - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version-file: .go-version @@ -44,7 +34,7 @@ jobs: strategy: fail-fast: false matrix: - kind-k8s-version: [1.21.14, 1.22.15, 1.23.13, 1.24.7, 1.25.3, 1.26.0] + kind-k8s-version: [1.23.17, 1.24.13, 1.25.9, 1.26.4, 1.27.2] runs-on: ubuntu-latest steps: # Setup test tools from https://github.com/hashicorp/vault-helm/blob/main/.github/workflows/setup-test-tools/action.yaml @@ -55,7 +45,7 @@ jobs: BATS_VERSION: '1.8.2' - run: bats -v shell: bash - - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b # v4.6.0 + - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1 with: python-version: '3.10' - run: pip install yq @@ -65,7 +55,7 @@ jobs: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: repository: "hashicorp/vault-helm" - ref: "v0.23.0" + ref: "v0.24.1" path: "vault-helm" - name: Create K8s Kind Cluster @@ -74,7 +64,7 @@ jobs: cluster_name: kind config: vault-helm/test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} - version: v0.17.0 + version: v0.19.0 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: diff --git a/.go-version b/.go-version index f5b00dc2..7bf9455f 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.20.3 +1.20.5 diff --git a/CHANGELOG.md b/CHANGELOG.md index ff14abd8..973115d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
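Review bot: With the explicit `actions/cache` step removed in the first tests.yaml hunk, Go build and module caching depends entirely on `actions/setup-go`, and nothing in the step says so. setup-go v4 enables caching by default and keys it on `go.sum`, so behaviour should be equivalent, but the dependency is implicit and would disappear silently if the action were downgraded or `cache` were switched off. Adding `cache: true` under the step's `with:` next to `go-version-file: .go-version`, or a comment such as `# Go module/build cache is handled by setup-go (default in v4)`, would document the intent.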
@@ -4,10 +4,15 @@ Improvements: * Add `NAMESPACE`, `HOST_IP`, and `POD_IP` environment variables to Agent container using downward API [GH-486](https://github.com/hashicorp/vault-k8s/pull/486) Changes: +* Default to Vault 1.13.3 +* Building with Go 1.20.5 +* Testing with K8s versions 1.23-1.27 * Dependency updates: * `github.com/cenkalti/backoff/v4` v4.2.0 -> v4.2.1 - * `github.com/hashicorp/vault/sdk` v0.8.1 -> v0.9.0 - * Docker alpine version 3.17.3 -> 3.18.0 + * `github.com/hashicorp/vault/sdk` v0.8.1 -> v0.9.1 + * `github.com/stretchr/testify` v1.8.2 -> v1.8.3 + * `github.com/prometheus/client_golang` v1.14.0 -> v1.15.1 + * Docker alpine version 3.17.3 -> 3.18.2 * Docker UBI image `ubi8/ubi-minimal` 8.7-1107 -> 8.8-860 Bugs: diff --git a/Dockerfile b/Dockerfile index 590509a3..7a76d9e3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,7 +12,7 @@ # `default` is the production docker image which cannot be built locally. # For local dev and testing purposes, please build and use the `dev` docker image. -FROM docker.mirror.hashicorp.services/alpine:3.18.0 as dev +FROM docker.mirror.hashicorp.services/alpine:3.18.2 as dev RUN addgroup vault && \ adduser -S -G vault vault @@ -24,7 +24,7 @@ USER vault ENTRYPOINT ["/vault-k8s"] # This target creates a production release image for the project. -FROM docker.mirror.hashicorp.services/alpine:3.18.0 as default +FROM docker.mirror.hashicorp.services/alpine:3.18.2 as default # PRODUCT_VERSION is the tag built, e.g. v0.1.0 # PRODUCT_REVISION is the git hash built diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go index 62e28a19..99ffb04a 100644 --- a/agent-inject/agent/agent.go +++ b/agent-inject/agent/agent.go @@ -17,7 +17,7 @@ import ( ) const ( - DefaultVaultImage = "hashicorp/vault:1.13.1" + DefaultVaultImage = "hashicorp/vault:1.13.3" DefaultVaultAuthType = "kubernetes" DefaultVaultAuthPath = "auth/kubernetes" DefaultAgentRunAsUser = 100 
diff --git a/deploy/injector-deployment.yaml b/deploy/injector-deployment.yaml
index cfcfa90e..2fb05691 100644
--- a/deploy/injector-deployment.yaml
+++ b/deploy/injector-deployment.yaml
@@ -44,7 +44,7 @@ spec:
 - name: AGENT_INJECT_VAULT_ADDR
 value: "https://vault.$(NAMESPACE).svc:8200"
 - name: AGENT_INJECT_VAULT_IMAGE
- value: "hashicorp/vault:1.13.1"
+ value: "hashicorp/vault:1.13.3"
 - name: AGENT_INJECT_TLS_AUTO
 value: vault-agent-injector-cfg
 - name: AGENT_INJECT_TLS_AUTO_HOSTS
diff --git a/subcommand/injector/flags_test.go b/subcommand/injector/flags_test.go
index 8442ebb8..e5d155b1 100644
--- a/subcommand/injector/flags_test.go
+++ b/subcommand/injector/flags_test.go
@@ -118,7 +118,7 @@ func TestCommandEnvs(t *testing.T) {
 {env: "AGENT_INJECT_VAULT_ADDR", value: "http://vault:8200", cmdPtr: &cmd.flagVaultService},
 {env: "AGENT_INJECT_PROXY_ADDR", value: "http://proxy:3128", cmdPtr: &cmd.flagProxyAddress},
 {env: "AGENT_INJECT_VAULT_AUTH_PATH", value: "auth-path-test", cmdPtr: &cmd.flagVaultAuthPath},
- {env: "AGENT_INJECT_VAULT_IMAGE", value: "hashicorp/vault:1.13.1", cmdPtr: &cmd.flagVaultImage},
+ {env: "AGENT_INJECT_VAULT_IMAGE", value: "hashicorp/vault:1.13.3", cmdPtr: &cmd.flagVaultImage},
 {env: "AGENT_INJECT_VAULT_NAMESPACE", value: "test-namespace", cmdPtr: &cmd.flagVaultNamespace},
 {env: "AGENT_INJECT_TLS_KEY_FILE", value: "server.key", cmdPtr: &cmd.flagKeyFile},
 {env: "AGENT_INJECT_TLS_CERT_FILE", value: "server.crt", cmdPtr: &cmd.flagCertFile},