fix: add a step to generate secrets.yaml from a template

[jstrachan]

It is common for the secrets you need to inject into a variety of charts to share common values. So the new jx step create install secrets lets you define a template file template-secrets.yaml which you can safely check into git which is then used to create your secrets.yaml file using a more concise secrets-parameters.yaml file which you do not check into git.

You can then use the .gitignore rule of secrets*.yaml to avoid ever checking in the secrets-parameters.yaml or the generated secrets.yaml files

e.g. you may inject your pipeline user name and token from your git provider into various charts like Tekton and Prow using the same values. Or you may want to use template functions to extract values for secrets from specific locations in the parameters file or from Vault locations etc.

So this templating mechanism lets us compose secret values from input parameters or arbitrary functions/locations in a very similar way to the use of go templates inside YAML files in helm charts themselves.

Example

• here's the template-secrets.yaml that can be checked into git
• then here are the secrets-parameters.yaml which is either fetched from Vault directory or stored in some secret place (or on the local file system)
• running jx step create install secrets then generates this secrets.yaml

Signed-off-by: James Strachan [email protected]

[jenkins-x-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: jstrachan

If they are not already assigned, you can assign the PR to them by writing /assign @jstrachan in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

Merging #4323 into master will decrease coverage by 36.69%.
The diff coverage is 24.59%.

@@            Coverage Diff            @@
##           master   #4323      +/-   ##
=========================================
- Coverage   43.33%   6.64%   -36.7%     
=========================================
  Files         803     684     -119     
  Lines      100760   90516   -10244     
=========================================
- Hits        43668    6013   -37655     
- Misses      53470   84085   +30615     
+ Partials     3622     418    -3204

Flag	Coverage Δ
#e2e	6.64% <24.59%> (-24.54%)	⬇️
#integration	?

Impacted Files	Coverage Δ
pkg/cmd/step/create/step_create.go	65.21% <100%> (+1.58%)	⬆️
pkg/cmd/step/create/step_create_install_secrets.go	22.8% <22.8%> (ø)
pkg/cmd/step/create/step_create_install_values.go	15.78% <33.33%> (-28.95%)	⬇️
pkg/util/jenkinsfile_writer.go	0% <0%> (-100%)	⬇️
pkg/util/date.go	0% <0%> (-100%)	⬇️
pkg/auth/user_auth.go	0% <0%> (-100%)	⬇️
...i/k8s_io_apimachinery_meta_v1/openapi_generated.go	0% <0%> (-100%)	⬇️
...kins.io/v1/fake/fake_pipelineactivity_expansion.go	0% <0%> (-100%)	⬇️
...t/openapi/k8s_io_api_batch_v1/openapi_generated.go	0% <0%> (-100%)	⬇️
pkg/client/openapi/core/openapi_generated.go	0% <0%> (-100%)	⬇️
... and 412 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 75e688d...fe15c38. Read the comment docs.

[codecov]

Codecov Report

Merging #4323 into master will decrease coverage by 12.37%.
The diff coverage is 24.59%.

@@             Coverage Diff             @@
##           master    #4323       +/-   ##
===========================================
- Coverage   43.33%   30.96%   -12.38%     
===========================================
  Files         803      684      -119     
  Lines      100760    90516    -10244     
===========================================
- Hits        43668    28031    -15637     
- Misses      53470    61119     +7649     
+ Partials     3622     1366     -2256

Flag	Coverage Δ
#e2e	30.96% <24.59%> (-0.22%)	⬇️
#integration	100% <ø> (+58.32%)	⬆️

Impacted Files	Coverage Δ
pkg/cmd/step/create/step_create.go	65.21% <100%> (+1.58%)	⬆️
pkg/cmd/step/create/step_create_install_secrets.go	22.8% <22.8%> (ø)
pkg/cmd/step/create/step_create_install_values.go	15.78% <33.33%> (-28.95%)	⬇️
pkg/util/jenkinsfile_writer.go	0% <0%> (-100%)	⬇️
pkg/util/date.go	0% <0%> (-100%)	⬇️
...kins.io/v1/fake/fake_pipelineactivity_expansion.go	0% <0%> (-100%)	⬇️
pkg/kube/envrolebindings.go	0% <0%> (-100%)	⬇️
pkg/vault/rule.go	0% <0%> (-100%)	⬇️
...o/v1/fake/fake_environmentrolebinding_expansion.go	0% <0%> (-100%)	⬇️
pkg/apps/utils.go	0% <0%> (-100%)	⬇️
... and 384 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 75e688d...fe15c38. Read the comment docs.

[ccojocar]

Can we use in this file the vault's URI based secrets lookup? The purpose of URI based secrets lookup was exactly to avoid committing secrets in git and have a dynamic mechanism to resolve thme. The secrets are resolved and interpolated before applying the charts.

https://github.com/jenkins-x/environment-tekton-mole-dev/blob/783a8f6178c050c0b96c61016d1581bd0bc7a3a0/env/values.yaml#L92

I think the existing vault URI based lookup can be extended for k8s secrets and local secrets as follows:

Vault:

vault:gitOps/jenkins-x/environment-tekton-mole-dev/feature-flag-api-key:token-passthrough

k8s secrets:

 k8s:<namespace>/<secret-name>:<secret-value>

Local:

 local:<yaml-file-path>/<secret-secret-path-in-yaml>:<secret-value>

[jstrachan]

yeah - I did wonder about using a function in the template for this kinda thing - so {{ .Vault.gitOps/jenkins-x/environment-tekton-mole-dev/feature-flag-api-key:token-passthrough }} or something like that?

[pmuir]

Agree with @ccojocar.

• anything where there is a risk you might commit the actual secrets, we should avoid like the plauge
• the secrets plugin is odd and confusing, I think we should try to not use it at all

The URL approach is much better in my opinion and I think we can use the scheme Cosmin proposes to generalise it.

I'm not sure why we would need to use a function - is this when you are using non tillerless helm?

[ccojocar]

It would be great if we could be consistent with notation and with the secrets sources.

[pmuir]

I'm 👎 on merging this PR. Instead we should extend the URLs and work out how to make them work with tillered helm

[jstrachan]

@pmuir I initially thought of going all in on URLs - but then I hit things like maven settings.xml

jx/pkg/cmd/step/create/test_data/step_create_install_secrets/template-secrets.yaml

Lines 26 to 112 in 3997419

	MavenSettingsXML: |-
	<settings>
	<localRepository>/home/jenkins/.mvnrepository</localRepository>
	<!--This sends everything else to /public -->
	<mirrors>
	<mirror>
	<id>nexus</id>
	<mirrorOf>external:*</mirrorOf>
	<url>http://nexus/repository/maven-group/</url>
	</mirror>
	</mirrors>
	<!-- lets disable the download progress indicator that fills up logs -->
	<interactiveMode>false</interactiveMode>
	<servers>
	<server>
	<id>local-nexus</id>
	<username>{{ .Values.adminUser.username }}</username>
	<password>{{ .Values.adminUser.password }}</password>
	</server>
	<server>
	<id>nexus</id>
	<username>{{ .Values.adminUser.username }}</username>
	<password>{{ .Values.adminUser.password }}</password>
	</server>
	<server>
	<id>docker.io</id>
	</server>
	</servers>
	<profiles>
	<profile>
	<id>nexus</id>
	<properties>
	<altDeploymentRepository>local-nexus::default::http://nexus/repository/maven-snapshots/</altDeploymentRepository>
	<altReleaseDeploymentRepository>local-nexus::default::http://nexus/repository/maven-releases/</altReleaseDeploymentRepository>
	<altSnapshotDeploymentRepository>local-nexus::default::http://nexus/repository/maven-snapshots/</altSnapshotDeploymentRepository>
	</properties>
	<repositories>
	<repository>
	<id>central</id>
	<url>http://central</url>
	<releases><enabled>true</enabled></releases>
	<snapshots><enabled>true</enabled></snapshots>
	</repository>
	</repositories>
	<pluginRepositories>
	<pluginRepository>
	<id>central</id>
	<url>http://central</url>
	<releases><enabled>true</enabled></releases>
	<snapshots><enabled>true</enabled></snapshots>
	</pluginRepository>
	</pluginRepositories>
	</profile>
	<profile>
	<id>repo.jenkins-ci.org</id>
	<properties>
	<altDeploymentRepository>repo.jenkins-ci.org::default::https://repo.jenkins-ci.org/releases/</altDeploymentRepository>
	<altReleaseDeploymentRepository>repo.jenkins-ci.org::default::https://repo.jenkins-ci.org/releases/</altReleaseDeploymentRepository>
	<altSnapshotDeploymentRepository>repo.jenkins-ci.org::default::https://repo.jenkins-ci.org/snapshots/</altSnapshotDeploymentRepository>
	</properties>
	</profile>
	<profile>
	<id>maven.jenkins-ci.org</id>
	<properties>
	<altDeploymentRepository>maven.jenkins-ci.org::default::https://maven.jenkins-ci.org/releases/</altDeploymentRepository>
	<altReleaseDeploymentRepository>maven.jenkins-ci.org::default::https://maven.jenkins-ci.org/releases/</altReleaseDeploymentRepository>
	<altSnapshotDeploymentRepository>maven.jenkins-ci.org::default::https://maven.jenkins-ci.org/snapshots/</altSnapshotDeploymentRepository>
	</properties>
	</profile>
	<profile>
	<id>release</id>
	<properties>
	<gpg.executable>gpg</gpg.executable>
	<gpg.passphrase>{{ .Values.gpg.passphrase }}</gpg.passphrase>
	</properties>
	</profile>
	</profiles>
	<activeProfiles>
	<!--<activeProfile>nexus</activeProfile>-->
	</activeProfiles>

and docker config.json

jx/pkg/cmd/step/create/test_data/step_create_install_secrets/template-secrets.yaml

Lines 14 to 23 in 3997419

	DockerConfig: |-
	{
	"credHelpers": {
	"gcr.io": "gcr",
	"us.gcr.io": "gcr",
	"eu.gcr.io": "gcr",
	"asia.gcr.io": "gcr",
	"staging-k8s.gcr.io": "gcr"
	}
	}

and even the secret for basic auth:

jx/pkg/cmd/step/create/test_data/step_create_install_secrets/template-secrets.yaml

Line 2 in 3997419

JXBasicAuth: {{ .Values.adminUser.username }}:{SHA}{{ .Values.adminUser.password | hashPassword }}

and figured templating was way more flexible as we are often including secret values (user/pwds) inside large amounts of text values in the generated secrets.yaml.

e.g. compare the input for a specific user/install needs to provide: secrets-parameters.yaml to the current secrets.yaml thats generated by the generic template - so much simpler for the user to configure + the template hides the duplication inside Jenkins X / Apps and the composition of user/passwords into larger chunks of secret text like ingress passwords, maven settings.xml and docker config.json files.

The aim of the templating is to reduce the amount of user configuration required for secrets really - URLs don't help with templating

[jstrachan]

@pmuir btw this is a stand alone step used for the alternative GitOps installer pipeline to bootstrap the secrets: #4326 - we don't need to necessarily include this into the general jx step helm apply logic - so folks can avoid using this approach if they don't want

[jstrachan]

/hold

[jstrachan]

gonna try solve this in a different way...#4328