Merge branch 'main'

Author: merll

.github/workflows/coverage.yml

@@ -0,0 +1,34 @@
+name: 'coverage'
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  coverage:
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout PR branch
+        uses: actions/checkout@v4
+
+      - name: Install Node
+        run: |
+          export NVM_DIR="$HOME/.nvm"
+          [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
+          nvm install
+          nvm use
+          node -v
+          npm install
+
+      - name: Install gucci
+        run: |
+          GUCCI_VERSION="1.6.13"
+          curl -L -o gucci https://github.com/noqcks/gucci/releases/download/v${GUCCI_VERSION}/gucci-v${GUCCI_VERSION}-linux-amd64
+          chmod +x gucci
+          sudo mv gucci /usr/local/bin/
+
+      - name: Compare Coverage
+        uses: ArtiomTr/jest-coverage-report-action@v2
+        with:
+          test-script: npm run test:ts

.husky/post-checkout

@@ -23,4 +23,9 @@ source_nvm
 # automatically change node version to the one indicated in .nvmrc
 nvm use
 
-npm run run-if-changed
+# Prevent errors on shallow clones
+if git rev-parse --verify HEAD@{1} >/dev/null 2>&1; then
+  npm run run-if-changed
+else
+  echo "Skipping run-if-changed: Not enough Git history"
+fi

chart/chart-index/Chart.yaml

@@ -38,10 +38,10 @@ dependencies:
     version: 7.10.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: promtail
-    version: 6.11.2
+    version: 6.16.6
     repository: https://grafana.github.io/helm-charts
   - name: sealed-secrets
-    version: 2.14.1
+    version: 2.17.1
     repository: https://bitnami-labs.github.io/sealed-secrets/
   - name: tekton-pipeline
     version: 1.0.2
@@ -51,7 +51,7 @@ dependencies:
     repository: https://vmware-tanzu.github.io/helm-charts/
   - name: trivy-operator
     version: 0.25.0
-    repository: https://github.com/aquasecurity/trivy-operator/
+    repository: https://aquasecurity.github.io/helm-charts/
   - name: falco
     version: 3.8.5
     repository: https://falcosecurity.github.io/charts

charts/promtail/Chart.yaml

@@ -1,16 +1,17 @@
 apiVersion: v2
-name: promtail
-description: Promtail is an agent which ships the contents of local logs to a Loki instance
-type: application
 appVersion: 3.0.0
-version: 6.16.6
+description: Promtail is an agent which ships the contents of local logs to a Loki
+  instance
 home: https://grafana.com/loki
-sources:
-  - https://github.com/grafana/loki
-  - https://grafana.com/oss/loki/
-  - https://grafana.com/docs/loki/latest/
 icon: https://raw.githubusercontent.com/grafana/loki/master/docs/sources/logo.png
 maintainers:
-  - name: Loki Maintainers
-    email: [email protected]
-  - name: unguiculus
+- email: [email protected]
+  name: Loki Maintainers
+- name: unguiculus
+name: promtail
+sources:
+- https://github.com/grafana/loki
+- https://grafana.com/oss/loki/
+- https://grafana.com/docs/loki/latest/
+type: application
+version: 6.16.6

charts/sealed-secrets/Chart.yaml

@@ -1,7 +1,7 @@
 annotations:
   category: DeveloperTools
 apiVersion: v2
-appVersion: v0.24.5
+appVersion: 0.28.0
 description: Helm chart for the sealed-secrets controller.
 home: https://github.com/bitnami-labs/sealed-secrets
 icon: https://bitnami.com/assets/stacks/sealed-secrets/img/sealed-secrets-stack-220x234.png
@@ -16,4 +16,4 @@ name: sealed-secrets
 sources:
 - https://github.com/bitnami-labs/sealed-secrets
 type: application
-version: 2.14.1
+version: 2.17.1

charts/sealed-secrets/README.md

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.12.0
+    controller-gen.kubebuilder.io/version: v0.15.0
   name: sealedsecrets.bitnami.com
 spec:
   group: bitnami.com
@@ -26,24 +26,30 @@ spec:
     name: v1alpha1
     schema:
       openAPIV3Schema:
-        description: SealedSecret is the K8s representation of a "sealed Secret" -
-          a regular k8s Secret that has been sealed (encrypted) using the controller's
-          key.
+        description: |-
+          SealedSecret is the K8s representation of a "sealed Secret" - a
+          regular k8s Secret that has been sealed (encrypted) using the
+          controller's key.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
           spec:
-            description: SealedSecretSpec is the specification of a SealedSecret
+            description: SealedSecretSpec is the specification of a SealedSecret.
             properties:
               data:
                 description: Data is deprecated and will be removed eventually. Use
@@ -56,17 +62,27 @@ spec:
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
               template:
-                description: Template defines the structure of the Secret that will
-                  be created from this sealed secret.
+                description: |-
+                  Template defines the structure of the Secret that will be
+                  created from this sealed secret.
                 properties:
                   data:
                     additionalProperties:
                       type: string
-                    description: Keys that should be templated using decrypted data
+                    description: Keys that should be templated using decrypted data.
                     nullable: true
                     type: object
+                  immutable:
+                    description: |-
+                      Immutable, if set to true, ensures that data stored in the Secret cannot
+                      be updated (only object metadata can be modified).
+                      If not set to true, the field can be modified at any time.
+                      Defaulted to nil.
+                    type: boolean
                   metadata:
-                    description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+                    description: |-
+                      Standard object's metadata.
+                      More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
                     nullable: true
                     properties:
                       annotations:
@@ -91,10 +107,6 @@ spec:
                     description: Used to facilitate programmatic handling of secret
                       data.
                     type: string
-                  immutable:
-                    description: 'Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified).
-                      If not set to true, the field can be modified at any time. Defaulted to nil.'
-                    type: boolean
                 type: object
             required:
             - encryptedData
@@ -127,12 +139,14 @@ spec:
                       description: The reason for the condition's last transition.
                       type: string
                     status:
-                      description: 'Status of the condition for a sealed secret. Valid
-                        values for "Synced": "True", "False", or "Unknown".'
+                      description: |-
+                        Status of the condition for a sealed secret.
+                        Valid values for "Synced": "True", "False", or "Unknown".
                       type: string
                     type:
-                      description: 'Type of condition for a sealed secret. Valid value:
-                        "Synced"'
+                      description: |-
+                        Type of condition for a sealed secret.
+                        Valid value: "Synced"
                       type: string
                   required:
                   - status

charts/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml

@@ -10,6 +10,10 @@ metadata:
     {{- if .Values.commonLabels }}
     {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
     {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "sealed-secrets.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

charts/sealed-secrets/templates/cluster-role-binding.yaml

@@ -10,6 +10,10 @@ metadata:
     {{- if .Values.commonLabels }}
     {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
     {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "sealed-secrets.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
 rules:
   - apiGroups:
       - bitnami.com

charts/sealed-secrets/templates/cluster-role.yaml

@@ -18,6 +18,9 @@ metadata:
     {{- if $.Values.metrics.dashboards.annotations }}
     {{- include "sealed-secrets.render" ( dict "value" $.Values.metrics.dashboards.annotations "context" $) | nindent 4 }}
     {{- end }}
+    {{- if $.Values.commonAnnotations }}
+    {{- include "sealed-secrets.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
 data:
   {{ base $path }}: |-
 {{ $.Files.Get $path | indent 4 }}

charts/sealed-secrets/templates/configmap-dashboards.yaml

@@ -8,9 +8,10 @@ metadata:
     {{- if .Values.commonLabels }}
     {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
     {{- end }}
-  {{- if .Values.commonAnnotations }}
-  annotations: {{- toYaml .Values.commonAnnotations | nindent 4 }}
-  {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "sealed-secrets.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
 spec:
   replicas: 1
   {{- if .Values.revisionHistoryLimit }}
@@ -81,6 +82,14 @@ spec:
             - --key-renew-period
             - {{ .Values.keyrenewperiod | quote }}
             {{- end }}
+            {{- if .Values.keyttl }}
+            - --key-ttl
+            - {{ .Values.keyttl | quote }}
+            {{- end }}
+            {{- if .Values.keycutofftime }}
+            - --key-cutoff-time
+            - {{ .Values.keycutofftime | quote }}
+            {{- end }}
             {{- if .Values.rateLimit }}
             - --rate-limit
             - {{ .Values.rateLimit | quote }}
@@ -105,7 +114,7 @@ spec:
             {{- end }}
             - --privatekey-annotations
             - {{ trimSuffix "," $privatekeyAnnotations | quote }}
-            {{- end }}            
+            {{- end }}
             {{- if $.Values.privateKeyLabels }}
             {{- $privateKeyLabels := ""}}
             {{- range $k, $v := $.Values.privateKeyLabels }}
@@ -120,14 +129,59 @@ spec:
             {{- if .Values.logInfoStdout }}
             - --log-info-stdout
             {{- end }}
+            {{- if .Values.logLevel }}
+            - --log-level
+            - {{ .Values.logLevel }}
+            {{- end }}
+            {{- if .Values.logFormat }}
+            - --log-format
+            - {{ .Values.logFormat }}
+            {{- end }}
+            {{- if .Values.containerPorts.http }}
+            - --listen-addr
+            - {{ printf ":%s" (.Values.containerPorts.http | toString ) }}
+            {{- end }}
+            {{- if .Values.containerPorts.metrics }}
+            - --listen-metrics-addr
+            - {{ printf ":%s" (.Values.containerPorts.metrics | toString) }}
+            {{- end }}
+            {{- if .Values.maxRetries }}
+            - --max-unseal-retries
+            - {{ .Values.maxRetries | quote }}
+            {{- end }}
           {{- end }}
           image: {{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            {{- if (.Values.resources.limits).cpu }}
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+                  divisor: "1"
+            {{- end }}
+            {{- if (.Values.resources.limits).memory }}
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+                  divisor: "1"
+            {{- end }}
           ports:
-            - containerPort: 8080
-              name: http
-            - containerPort: 8081
-              name: metrics
+            - name: http
+              containerPort: {{ .Values.containerPorts.http | default "8080" }}
+              {{- if .Values.hostNetwork }}
+              hostPort: {{ .Values.containerPorts.http }}
+              {{- else if .Values.hostPorts.http }}
+              hostPort: {{ .Values.hostPorts.http }}
+              {{- end }}
+            - name: metrics
+              containerPort: {{ .Values.containerPorts.metrics | default "8081" }}
+              {{- if .Values.hostNetwork }}
+              hostPort: {{ .Values.containerPorts.metrics }}
+              {{- else if .Values.hostPorts.metrics }}
+              hostPort: {{ .Values.hostPorts.metrics }}
+              {{- end }}
           {{- if .Values.startupProbe.enabled }}
           startupProbe: {{- include "sealed-secrets.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
             tcpSocket:
@@ -159,13 +213,13 @@ spec:
           {{- end }}
           volumeMounts:
             {{- if .Values.additionalVolumeMounts }}
-              {{- toYaml .Values.additionalVolumeMounts | nindent 12 }} 
+              {{- toYaml .Values.additionalVolumeMounts | nindent 12 }}
             {{- end }}
             - mountPath: /tmp
               name: tmp
-      volumes: 
+      volumes:
       {{- if .Values.additionalVolumes }}
-        {{- toYaml .Values.additionalVolumes | nindent 8 }} 
+        {{- toYaml .Values.additionalVolumes | nindent 8 }}
       {{- end }}
         - name: tmp
           emptyDir: {}

charts/sealed-secrets/templates/deployment.yaml

@@ -8,12 +8,13 @@ metadata:
     {{- if .Values.commonLabels }}
     {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
     {{- end }}
-  {{- if .Values.ingress.annotations }}
   annotations:
     {{- if .Values.ingress.annotations }}
     {{- include "sealed-secrets.render" ( dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
     {{- end }}
-  {{- end }}
+    {{- if .Values.commonAnnotations }}
+    {{- include "sealed-secrets.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
 spec:
   {{- if and .Values.ingress.ingressClassName (eq "true" (include "sealed-secrets.supportsIngressClassname" .)) }}
   ingressClassName: {{ .Values.ingress.ingressClassName | quote }}