Maintenance

- Test Docker Build in Continuous Integration GitHub Action
- Change triggers for Continuous Integration GitHub Action
- Adjust Helm install command
- Format YAML files
- Add linting

Author: ricoberger

.github/FUNDING.yml

@@ -1,2 +1,3 @@
+---
 github: [ricoberger]
 custom: ["https://www.paypal.me/ricoberger"]

.github/release.yaml

@@ -1,3 +1,4 @@
+---
 name-template: "$RESOLVED_VERSION"
 tag-template: "$RESOLVED_VERSION"
 version-template: "v$MAJOR.$MINOR.$PATCH"

.github/workflows/continuous-delivery.yaml

@@ -39,12 +39,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to DockerHub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:

.github/workflows/continuous-integration.yaml

@@ -1,6 +1,13 @@
+---
 name: Continuous Integration
 
-on: pull_request
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
 
 jobs:
   kubernetes:
@@ -65,9 +72,8 @@ jobs:
           cache: true
           cache-dependency-path: go.sum
 
-      - name: Download Dependencies
-        run: |
-          go mod download
+      - name: Lint
+        uses: golangci/golangci-lint-action@v7
 
       - name: Test
         run: |
@@ -76,3 +82,27 @@ jobs:
       - name: Build
         run: |
           make build
+
+  docker:
+    name: Docker
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker Image
+        id: docker_build
+        uses: docker/build-push-action@v6
+        with:
+          push: false
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64

.github/workflows/release.yaml

@@ -1,3 +1,4 @@
+---
 name: Release
 
 on:

.golangci.yaml

@@ -0,0 +1,38 @@
+---
+version: "2"
+linters:
+  default: none
+  enable:
+    - bodyclose
+    - gosec
+    - govet
+    - ineffassign
+    - noctx
+    - staticcheck
+    - unused
+    - whitespace
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/ricoberger/script_exporter
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

README.md

@@ -28,7 +28,7 @@ running at `http://vault:8200`, but can be overidden by specifying
 `--set vault.address=https://vault.example.com`
 
 ```sh
-helm upgrade --install vault-secrets-operator oci://ghcr.io/ricoberger/charts/vault-secrets-operator --version 3.0.0
+helm upgrade --install vault-secrets-operator oci://ghcr.io/ricoberger/charts/vault-secrets-operator --version <VERSION>
 ```
 
 ### Prepare Vault

controllers/vaultsecret_controller.go

@@ -150,15 +150,17 @@ func (r *VaultSecretReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, nil
 	}
 
-	if instance.Spec.SecretEngine == "" || instance.Spec.SecretEngine == kvEngine {
+	switch instance.Spec.SecretEngine {
+	case "", kvEngine:
 		data, err = vaultClient.GetSecret(instance.Spec.SecretEngine, instance.Spec.Path, instance.Spec.Keys, instance.Spec.Version, instance.Spec.IsBinary, instance.Spec.VaultNamespace)
 		if err != nil {
 			// Error while getting the secret from Vault - requeue the request.
 			log.Error(err, "Could not get secret from vault")
 			r.updateConditions(ctx, instance, conditionReasonFetchFailed, err.Error(), metav1.ConditionFalse)
 			return ctrl.Result{}, err
 		}
-	} else if instance.Spec.SecretEngine == pkiEngine {
+
+	case pkiEngine:
 		if err := ValidatePKI(instance); err != nil {
 			log.Error(err, "Resource validation failed")
 			r.updateConditions(ctx, instance, conditionReasonInvalidResource, err.Error(), metav1.ConditionFalse)
@@ -408,8 +410,8 @@ func newSecretForCR(cr *ricobergerdev1alpha1.VaultSecret, data map[string][]byte
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        cr.Name,
 			Namespace:   cr.Namespace,
-			Labels:      cr.ObjectMeta.Labels,
-			Annotations: cr.ObjectMeta.Annotations,
+			Labels:      cr.Labels,
+			Annotations: cr.Annotations,
 		},
 		Data: data,
 		Type: cr.Spec.Type,

vault/client.go

@@ -65,7 +65,7 @@ func (c *Client) RenewToken() {
 
 		// Request a new token if the actual token lifetime more than the specified maximum
 		// lifetime.
-		elapsed := time.Now().Sub(started).Seconds()
+		elapsed := time.Since(started).Seconds()
 		if c.tokenMaxTTL > 0 && elapsed >= float64(c.tokenMaxTTL) && c.requestToken != nil {
 			log.Info("Request new Vault token")
 			err := c.requestToken(c)
@@ -97,7 +97,7 @@ func (c *Client) RenewToken() {
 // GetHealth checks if the failedRenewTokenAttempts hits the given thresholds. If this is the case an error is returned.
 func (c *Client) GetHealth(threshold int) error {
 	if c.failedRenewTokenAttempts >= threshold {
-		return fmt.Errorf("Renew Vault token failed %d times", c.failedRenewTokenAttempts)
+		return fmt.Errorf("renew Vault token failed %d times", c.failedRenewTokenAttempts)
 	}
 
 	return nil
@@ -214,7 +214,7 @@ func convertData(secretData map[string]interface{}, keys []string, isBinary bool
 			continue
 		}
 		if len(keys) == 0 || contains(key, keys) {
-			switch value.(type) {
+			switch value := value.(type) {
 			case map[string]interface{}:
 				jsonString, err := json.Marshal(value)
 				if err != nil {
@@ -223,17 +223,17 @@ func convertData(secretData map[string]interface{}, keys []string, isBinary bool
 				data[key] = []byte(jsonString)
 			case string:
 				if isBinary {
-					data[key], err = b64.StdEncoding.DecodeString(value.(string))
+					data[key], err = b64.StdEncoding.DecodeString(value)
 					if err != nil {
 						return nil, err
 					}
 				} else {
-					data[key] = []byte(value.(string))
+					data[key] = []byte(value)
 				}
 			case json.Number:
-				data[key] = []byte(value.(json.Number))
+				data[key] = []byte(value)
 			case bool:
-				data[key] = []byte(fmt.Sprintf("%t", value.(bool)))
+				data[key] = []byte(fmt.Sprintf("%t", value))
 			default:
 				return nil, fmt.Errorf("could not parse secret value")
 			}
@@ -257,8 +257,7 @@ func (c *Client) kvPreflightVersionRequest(path string) (string, int, error) {
 	c.client.SetOutputCurlString(false)
 	defer c.client.SetOutputCurlString(currentOutputCurlString)
 
-	r := c.client.NewRequest("GET", "/v1/sys/internal/ui/mounts/"+path)
-	resp, err := c.client.RawRequest(r)
+	resp, err := c.client.Logical().ReadRaw("/v1/sys/internal/ui/mounts/" + path)
 	if resp != nil {
 		defer resp.Body.Close()
 	}

vault/vault.go

@@ -6,13 +6,14 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"strconv"
 	"time"
 
 	gcpmetadata "cloud.google.com/go/compute/metadata"
 	gcpcredentials "cloud.google.com/go/iam/credentials/apiv1"
+	gcpcredentialspb "cloud.google.com/go/iam/credentials/apiv1/credentialspb"
 	"github.com/aws/aws-sdk-go/aws"
 	awscredentials "github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
@@ -26,7 +27,6 @@ import (
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/iam/v1"
-	gcpcredentialspb "google.golang.org/genproto/googleapis/iam/credentials/v1"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
@@ -143,7 +143,7 @@ func CreateClient(vaultKubernetesRole string) (*Client, error) {
 				return nil, fmt.Errorf("missing vault token")
 			}
 
-			t, err := ioutil.ReadFile(vaultTokenPath)
+			t, err := os.ReadFile(vaultTokenPath)
 			if err != nil {
 				return nil, err
 			}
@@ -199,6 +199,7 @@ func CreateClient(vaultKubernetesRole string) (*Client, error) {
 			return nil, nil
 		}
 
+		// #nosec G101
 		serviceAccountTokenPath := "/var/run/secrets/kubernetes.io/serviceaccount/token"
 
 		if vaultTokenPath != "" {
@@ -207,7 +208,7 @@ func CreateClient(vaultKubernetesRole string) (*Client, error) {
 
 		// Read the service account token value and create a map for the
 		// authentication against Vault.
-		kubeToken, err := ioutil.ReadFile(serviceAccountTokenPath)
+		kubeToken, err := os.ReadFile(serviceAccountTokenPath)
 		if err != nil {
 			return nil, err
 		}
@@ -478,7 +479,6 @@ func CreateClient(vaultKubernetesRole string) (*Client, error) {
 			restrictNamespace:         vaultRestrictNamespace,
 			pkiRenew:                  pkiRenew,
 		}, nil
-
 	}
 
 	if vaultAuthMethod == "aws" {
@@ -508,7 +508,7 @@ func CreateClient(vaultKubernetesRole string) (*Client, error) {
 					return nil, fmt.Errorf("error requesting signature: %w", err)
 				}
 
-				kubeToken, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
+				kubeToken, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
 				if err != nil {
 					return nil, err
 				}
@@ -539,7 +539,7 @@ func CreateClient(vaultKubernetesRole string) (*Client, error) {
 					if err != nil {
 						return nil, errors.Wrap(err, "error creating a new session to create a WebIdentityRoleProvider")
 					}
-					webIdentityProvider := stscreds.NewWebIdentityRoleProvider(sts.New(sess), roleARN, roleSessionName, tokenPath)
+					webIdentityProvider := stscreds.NewWebIdentityRoleProviderWithOptions(sts.New(sess), roleARN, roleSessionName, stscreds.FetchTokenPath(tokenPath))
 
 					// Add the web identity role credential provider
 					providers = append(providers, webIdentityProvider)
@@ -582,7 +582,7 @@ func CreateClient(vaultKubernetesRole string) (*Client, error) {
 				if err != nil {
 					return nil, err
 				}
-				requestBody, err := ioutil.ReadAll(stsRequest.HTTPRequest.Body)
+				requestBody, err := io.ReadAll(stsRequest.HTTPRequest.Body)
 				if err != nil {
 					return nil, err
 				}
@@ -672,7 +672,6 @@ func CreateClient(vaultKubernetesRole string) (*Client, error) {
 	}
 
 	if vaultAuthMethod == "gcp" {
-
 		// Check the required mount path and role for the GCP Auth
 		// Method. If one of the env variable is missing we return an error.
 		if vaultGcpPath == "" {
@@ -711,7 +710,7 @@ func CreateClient(vaultKubernetesRole string) (*Client, error) {
 
 				if vaultGcpServiceAccountEmail == "" {
 					metadataClient := gcpmetadata.NewClient(nil)
-					vaultGcpServiceAccountEmail, err = metadataClient.Email("default")
+					vaultGcpServiceAccountEmail, err = metadataClient.EmailWithContext(context.Background(), "default")
 					if err != nil {
 						return nil, fmt.Errorf("could not obtain service account from credentials; a service account to authenticate as must be provided")
 					}
@@ -842,7 +841,7 @@ func setVaultIDs(idType string) string {
 		idPath = os.Getenv("VAULT_SECRET_ID_PATH")
 	}
 
-	id, err := ioutil.ReadFile(idPath)
+	id, err := os.ReadFile(idPath)
 	if err != nil {
 		log.WithValues("VaultFilePath", idPath).Error(err, "missing secret vault-secrets-operator or bad path in volume")
 		return string(id)