feat: adding merge function to support templating (#1)

* feat: adding merge function to support templating

* feat: adding secret templating upon loading

* feat: adding support for k8s ConfigMap as type

Author: mxcd

.github/workflows/build.yml

@@ -12,14 +12,11 @@ jobs:
       fail-fast: false
       matrix:
         arch: [amd64, arm64]
-        os: [ubuntu-latest, ubuntu-18.04, windows-latest, macos-11]
+        os: [ubuntu-latest, windows-latest, macos-11]
         include:
           - os: ubuntu-latest
             os_name: ubuntu
             artifact_suffix: ""
-          - os: ubuntu-18.04
-            os_name: ubuntu-18.04
-            artifact_suffix: ""
           - os: windows-latest
             os_name: windows
             artifact_suffix: ".exe"

README.md

@@ -35,8 +35,8 @@ the secrets are stored in a Git repository and secured using SOPS.
 #### Secret storage
 
 Secrets are stored in any directory of your git repository. The GitOps CLI will pick
-up any file that ends with `*.gitops.secret.enc.yml` or `*.gitops.secret.enc.yaml`. The secret files
-must be encrypted using SOPS.
+up any file that ends with `*.gitops.secret.enc.y[a]ml` except for `values.gitops.secret.enc.y[a]ml` (see [Secrets Templating](#secrets-templating))
+The secret files must be encrypted using SOPS.
 
 **NOTE:** Secrets MUST NEVER be committed into version control unencrypted.
 Therefore, it is very much encouraged to add the following lines to your `.gitignore` file:
@@ -92,6 +92,12 @@ name: my-secret-name
 
 This implies, that the filename must be a valid K8s secret name.
 
+#### Secrets Templating
+
+It is possible to use Go templates in the secret files. The values will originate from sops-encrypted `values.gitops.secret.enc.y[a]ml` files.  
+Values files can be located anywhere in the repository. The GitOps CLI will pick up all files that are located on the direct path towards the respective secret file.  
+Values files closer to the secret file will have higher precedence. Any object structure is allowed to be used in a values file.
+
 ## Repository
 
 ### After the first clone

cmd/gitops/kubernetes.go

@@ -81,7 +81,7 @@ func createKubernetesPlan(c *cli.Context) (*plan.Plan, error) {
 		log.Error("Failed to connect to Kubernetes cluster")
 		return nil, err
 	}
-	localSecrets, err := secret.LoadLocalSecrets(c.String("root-dir"), secret.SecretTargetKubernetes)
+	localSecrets, err := secret.LoadLocalSecrets(secret.SecretTargetKubernetes)
 	if err != nil {
 		log.Error("Failed to load local secrets with target ", secret.SecretTargetKubernetes)
 		return nil, err
@@ -147,6 +147,7 @@ func createKubernetesPlan(c *cli.Context) (*plan.Plan, error) {
 		remoteSecret, err := k8s.GetSecret(&secret.Secret{
 			Name: stateSecret.Name,
 			Namespace: stateSecret.Namespace,
+			Type: stateSecret.Type,
 		})
 		if err != nil {
 			// only throw error if err is not "not found"

cmd/gitops/main.go

@@ -43,6 +43,7 @@ func main() {
 		Commands: []*cli.Command{
 			{
 				Name: "secrets",
+				Aliases: []string{"s"},
 				Usage: "GitOps managed secrets",
 				Subcommands: []*cli.Command{
 					{

cmd/gitops/templating.go

@@ -7,7 +7,7 @@ import (
 )
 
 func testTemplating(c *cli.Context) error {
-	secretFiles, err := util.GetSecretFiles(c.String("root-dir"))
+	secretFiles, err := util.GetSecretFiles()
 	if err != nil {
 		log.Fatal(err)
 	}

cmd/gitops/util.go

@@ -10,11 +10,8 @@ import (
 func initApplication(c *cli.Context) error  {
 	printLogo(c)
 	setLogLevel(c)
-	util.ComputeRootDir(c)
 	util.SetCliContext(c)
-	if c.String("root-dir") == "" {
-		log.Fatal("No root directory specified")
-	}
+	util.GetRootDir()
 	err := state.LoadState(c)
 	return err
 }

cmd/gitops/vault.go

@@ -0,0 +1,2 @@
+package main
+

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/hashicorp/vault-client-go v0.2.0 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -33,6 +34,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
@@ -78,7 +80,7 @@ require (
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.4.3 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.2 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.3 // indirect
@@ -118,10 +120,10 @@ require (
 	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
 	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
-	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
 	golang.org/x/term v0.5.0 // indirect
 	golang.org/x/text v0.7.0 // indirect
-	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
+	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/api v0.74.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220405205423-9d709892a2bf // indirect

go.sum

@@ -304,6 +304,8 @@ github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es
 github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-retryablehttp v0.7.0 h1:eu1EI/mbirUgP5C8hVsTNaGZreBDlYiwC1FZWkvQPQ4=
 github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
+github.com/hashicorp/go-retryablehttp v0.7.2 h1:AcYqCvkpalPnPF2pn0KamgwamS42TqUDDYFRKq/RAd0=
+github.com/hashicorp/go-retryablehttp v0.7.2/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
@@ -332,6 +334,8 @@ github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+l
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/vault-client-go v0.2.0 h1:Zzf5D2kj7QmBZE2ZTdril1aJlujMptPatxslTkdDF+U=
+github.com/hashicorp/vault-client-go v0.2.0/go.mod h1:C9rbJeHeI1Dy/MXXd5YLrzRfAH27n6mARnhpvaW/8gk=
 github.com/hashicorp/vault/api v1.5.0 h1:Bp6yc2bn7CWkOrVIzFT/Qurzx528bdavF3nz590eu28=
 github.com/hashicorp/vault/api v1.5.0/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM=
 github.com/hashicorp/vault/sdk v0.4.1 h1:3SaHOJY687jY1fnB61PtL0cOkKItphrbLmux7T92HBo=
@@ -545,6 +549,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -711,6 +717,8 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
@@ -733,6 +741,8 @@ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 h1:M73Iuj3xbbb9Uk1DYhzydthsj6oOd6l9bpuFcNoUvTs=
 golang.org/x/time v0.0.0-20220224211638-0e9765cccd65/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=

internal/k8s/kubernetes.go

@@ -59,7 +59,35 @@ func TestClusterConnection() (bool, error) {
 }
 
 func CreateSecret(s *secret.Secret) error {
-	log.Trace("Creating secret ", s.Name, " in namespace ", s.Namespace)
+	if s.Type == "ConfigMap" {
+		return CreateK8sConfigMap(s)
+	} else {
+		return CreateK8sSecret(s)
+	}
+}
+
+func CreateK8sConfigMap(s *secret.Secret) error {
+	log.Trace("Creating ConfigMap ", s.Name, " in namespace ", s.Namespace)
+	k8sConfigMap, err := clientset.CoreV1().ConfigMaps(s.Namespace).Create(context.Background(), &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: s.Name,
+			Namespace: s.Namespace,
+			Annotations: map[string]string{
+				"gitops.mxcd.de/secret-id": s.ID,
+			},
+		},
+		Data: s.Data,
+	}, metav1.CreateOptions{})
+	log.Trace(k8sConfigMap)
+	if err != nil {
+		return err
+	}
+	println(s.Namespace, "/", s.Name, color.InGreen(" created"))
+	return err
+}
+
+func CreateK8sSecret(s *secret.Secret) error {
+	log.Trace("Creating Secret ", s.Name, " in namespace ", s.Namespace)
 	k8sSecret, err := clientset.CoreV1().Secrets(s.Namespace).Create(context.Background(), &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: s.Name,
@@ -80,7 +108,15 @@ func CreateSecret(s *secret.Secret) error {
 }
 
 func UpdateSecret(s *secret.Secret) error {
-	log.Trace("Updating secret ", s.Name, " in namespace ", s.Namespace)
+	if s.Type == "ConfigMap" {
+		return UpdateK8sConfigMap(s)
+	} else {
+		return UpdateK8sSecret(s)
+	}
+}
+
+func UpdateK8sSecret(s *secret.Secret) error {
+	log.Trace("Updating Secret ", s.Name, " in namespace ", s.Namespace)
 
 	k8sSecret, err := clientset.CoreV1().Secrets(s.Namespace).Update(context.Background(), &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -101,8 +137,47 @@ func UpdateSecret(s *secret.Secret) error {
 	return err
 }
 
+func UpdateK8sConfigMap(s *secret.Secret) error {
+	log.Trace("Updating ConfigMap ", s.Name, " in namespace ", s.Namespace)
+
+	k8sConfigMap, err := clientset.CoreV1().ConfigMaps(s.Namespace).Update(context.Background(), &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: s.Name,
+			Namespace: s.Namespace,
+			Annotations: map[string]string{
+				"gitops.mxcd.de/secret-id": s.ID,
+			},
+		},
+		Data: s.Data,
+	}, metav1.UpdateOptions{})
+	log.Trace(k8sConfigMap)
+	if err != nil {
+		return err
+	}
+	println(s.Namespace, "/", s.Name, color.InYellow(" updated"))
+	return err
+}
+
 func DeleteSecret(s *secret.Secret) error {
-	log.Trace("Deleting secret ", s.Name, " in namespace ", s.Namespace)
+	if s.Type == "ConfigMap" {
+		return DeleteK8sConfigMap(s)
+	} else {
+		return DeleteK8sSecret(s)
+	}
+}
+
+func DeleteK8sConfigMap(s *secret.Secret) error {
+	log.Trace("Deleting ConfigMap ", s.Name, " in namespace ", s.Namespace)
+	err := clientset.CoreV1().ConfigMaps(s.Namespace).Delete(context.Background(), s.Name, metav1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+	println(s.Namespace, "/", s.Name, color.InRed(" deleted"))
+	return err
+}
+
+func DeleteK8sSecret(s *secret.Secret) error {
+	log.Trace("Deleting Secret ", s.Name, " in namespace ", s.Namespace)
 	err := clientset.CoreV1().Secrets(s.Namespace).Delete(context.Background(), s.Name, metav1.DeleteOptions{})
 	if err != nil {
 		return err
@@ -112,6 +187,30 @@ func DeleteSecret(s *secret.Secret) error {
 }
 
 func GetSecret(s *secret.Secret) (*secret.Secret, error) {
+	if s.Type == "ConfigMap" {
+		return GetK8sConfigMap(s)
+	} else {
+		return GetK8sSecret(s)
+	}
+}
+
+func GetK8sConfigMap(s *secret.Secret) (*secret.Secret, error) {
+	k8sConfigMap, err := clientset.CoreV1().ConfigMaps(s.Namespace).Get(context.Background(), s.Name, metav1.GetOptions{})
+	
+	if err != nil {
+		return nil, err
+	}
+
+	return &secret.Secret{
+		Name: k8sConfigMap.Name,
+		Target: secret.SecretTargetKubernetes,
+		Namespace: k8sConfigMap.Namespace,
+		Data: k8sConfigMap.Data,
+		Type: "ConfigMap",
+	}, nil
+}
+
+func GetK8sSecret(s *secret.Secret) (*secret.Secret, error) {
 	k8sSecret, err := clientset.CoreV1().Secrets(s.Namespace).Get(context.Background(), s.Name, metav1.GetOptions{})
 
 	if err != nil {
@@ -127,8 +226,6 @@ func GetSecret(s *secret.Secret) (*secret.Secret, error) {
 	}, nil
 }
 
-
-
 func getStringData(s *v1.Secret) map[string]string {
 	stringData := make(map[string]string)
 	for key, value := range s.Data {