
Commit ff5654d

Merge pull request #722 from jetstack/cyberark-disco-agent-release-process
[VC-45029] Upgrade all the Go dependencies in preparation for a release
2 parents 026a85d + 13ec7f0 commit ff5654d


7 files changed

+795
-184
lines changed


LICENSES

Lines changed: 3 additions & 3 deletions
@@ -65,7 +65,6 @@ github.com/google/btree,Apache-2.0
6565
github.com/google/cel-go,Apache-2.0
6666
github.com/google/cel-go,BSD-3-Clause
6767
github.com/google/gnostic-models,Apache-2.0
68-
github.com/google/go-cmp/cmp,BSD-3-Clause
6968
github.com/google/uuid,BSD-3-Clause
7069
github.com/gorilla/css/scanner,BSD-3-Clause
7170
github.com/gorilla/websocket,BSD-2-Clause
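Review bot: the removal of `github.com/google/go-cmp/cmp,BSD-3-Clause` should correspond to go-cmp dropping out of the module graph, but go.mod and go.sum are not part of this view; confirm LICENSES was regenerated from the resolved module list rather than edited by hand, so the license inventory stays consistent with what actually ships in the release.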
@@ -100,6 +99,8 @@ go.opentelemetry.io/otel,Apache-2.0
10099
go.opentelemetry.io/otel/trace,Apache-2.0
101100
go.uber.org/multierr,MIT
102101
go.uber.org/zap,MIT
102+
go.yaml.in/yaml/v2,Apache-2.0
103+
go.yaml.in/yaml/v3,MIT
103104
golang.org/x/crypto,BSD-3-Clause
104105
golang.org/x/exp,BSD-3-Clause
105106
golang.org/x/net,BSD-3-Clause
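Review bot: the two new entries `go.yaml.in/yaml/v2,Apache-2.0` and `go.yaml.in/yaml/v3,MIT` introduce a module path (go.yaml.in) that the inventory did not previously contain; confirm which direct dependency pulls them in after the upgrade and that the attributions (Apache-2.0 for v2, MIT for v3) match the LICENSE files of the resolved module versions, since the two majors carry different licenses.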
@@ -139,8 +140,7 @@ sigs.k8s.io/controller-runtime/pkg,Apache-2.0
139140
sigs.k8s.io/json,Apache-2.0
140141
sigs.k8s.io/json,BSD-3-Clause
141142
sigs.k8s.io/randfill,Apache-2.0
142-
sigs.k8s.io/structured-merge-diff/v4,Apache-2.0
143+
sigs.k8s.io/structured-merge-diff/v6,Apache-2.0
143144
sigs.k8s.io/yaml,MIT
144145
sigs.k8s.io/yaml,Apache-2.0
145146
sigs.k8s.io/yaml,BSD-3-Clause
146-
sigs.k8s.io/yaml/goyaml.v2,Apache-2.0
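Review bot: `sigs.k8s.io/structured-merge-diff` jumps two major versions (v4 to v6) and `sigs.k8s.io/yaml/goyaml.v2` disappears in this hunk; a multi-major bump of a module on the apply path is worth a line in the PR description and in the release notes, and the dropped goyaml.v2 attribution should be cross-checked against the new go.yaml.in entries so that no YAML implementation in the binary is left unattributed.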

RELEASE.md

Lines changed: 26 additions & 10 deletions
@@ -15,38 +15,54 @@ The release process is semi-automated.
1515
> - Create a draft GitHub release,
1616
> - Upload the Helm chart tarball to the GitHub release.
1717
18-
1. Open the [tests GitHub Actions workflow][tests-workflow]
18+
1. Upgrade the Go dependencies.
19+
20+
You will need to install `go-mod-upgrade`:
21+
22+
```bash
23+
go install github.com/oligot/go-mod-upgrade@latest
24+
```
25+
26+
Then, run the following:
27+
28+
```bash
29+
go-mod-upgrade
30+
make generate
31+
```
32+
33+
Finally, create a PR with the changes and merge it.
34+
35+
2. Open the [tests GitHub Actions workflow][tests-workflow]
1936
and verify that it succeeds on the master branch.
2037

21-
2. Run govulncheck:
38+
3. Run govulncheck:
2239
```bash
23-
go install golang.org/x/vuln/cmd/govulncheck@latest
24-
govulncheck -v ./...
40+
make verify-govulncheck
2541
```
2642

27-
3. Create a tag for the new release:
43+
4. Create a tag for the new release:
2844
```sh
2945
export VERSION=v1.1.0
3046
git tag --annotate --message="Release ${VERSION}" "${VERSION}"
3147
git push origin "${VERSION}"
3248
```
3349

34-
4. Wait until the GitHub Actions finishes.
50+
5. Wait until the GitHub Actions finishes.
3551

36-
5. Navigate to the GitHub Releases page and select the draft release to edit.
52+
6. Navigate to the GitHub Releases page and select the draft release to edit.
3753
1. Click on “Generate release notes” to automatically compile the changelog.
3854
2. Review and refine the generated notes to ensure they’re clear and useful
3955
for end users.
4056
3. Remove any irrelevant entries, such as “update deps,” “update CI,” “update
4157
docs,” or similar internal changes that do not impact user functionality.
4258

43-
6. Publish the release.
59+
7. Publish the release.
4460

45-
7. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been
61+
8. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been
4662
released. Make sure to share any breaking change that may affect `venctl connect`
4763
or `venctl generate`.
4864

49-
8. Inform Michael McLoughlin of the new release so he can update the
65+
9. Inform Michael McLoughlin of the new release so he can update the
5066
documentation at <https://docs.venafi.cloud/>.
5167

5268
[tests-workflow]: https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml?query=branch%3Amaster
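Review bot: `go install github.com/oligot/go-mod-upgrade@latest` in the new step 1 installs an unpinned third-party tool that rewrites go.mod; pin it to a specific version (`@vX.Y.Z`) so the release procedure is reproducible and a broken or compromised newer release of the tool cannot silently change what the dependency upgrade does. Also, step 1 ends with "create a PR with the changes and merge it" before step 3 runs `make verify-govulncheck`; run the govulncheck target on the upgrade PR itself, so a bump that pulls in a known-vulnerable module version is caught before it reaches master rather than after.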

deploy/charts/venafi-kubernetes-agent/crd_bases/jetstack.io_venaficonnections.yaml

Lines changed: 206 additions & 2 deletions
@@ -4,7 +4,7 @@ apiVersion: apiextensions.k8s.io/v1
44
kind: CustomResourceDefinition
55
metadata:
66
annotations:
7-
controller-gen.kubebuilder.io/version: v0.17.3
7+
controller-gen.kubebuilder.io/version: v0.18.0
88
name: venaficonnections.jetstack.io
99
spec:
1010
group: jetstack.io
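Review bot: the `controller-gen.kubebuilder.io/version` annotation moves from v0.17.3 to v0.18.0; confirm the controller-gen version used by `make generate` is pinned to v0.18.0 in the build tooling rather than resolved at `@latest`, so that rerunning step 1 of RELEASE.md regenerates this CRD identically and the annotation does not drift between releases.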
@@ -94,6 +94,210 @@ spec:
9494
type: object
9595
type: object
9696
x-kubernetes-map-type: atomic
97+
firefly:
98+
properties:
99+
accessToken:
100+
description: |-
101+
The list of steps to retrieve the Access Token that will be used to connect
102+
to Firefly.
103+
items:
104+
properties:
105+
hashicorpVaultLDAP:
106+
description: |-
107+
HashicorpVaultLDAP is a SecretSource step that requires a Vault token in
108+
the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It
109+
then fetches the requested secrets from Vault for use in the next step.
110+
properties:
111+
ldapPath:
112+
description: |-
113+
The full HTTP path to the secret in Vault. Example:
114+
/v1/ldap/static-cred/:role_name
115+
or
116+
/v1/ldap/creds/:role_name
117+
type: string
118+
url:
119+
description: The URL to connect to your HashiCorp Vault
120+
instance.
121+
type: string
122+
required:
123+
- ldapPath
124+
type: object
125+
hashicorpVaultOAuth:
126+
description: |-
127+
HashicorpVaultOAuth is a SecretSource that relies on a prior SecretSource
128+
step to provide an OAuth token, which this step uses to authenticate to
129+
Vault. The output of this step is a Vault token. This step allows you to use
130+
the step `HashicorpVaultSecret` afterwards.
131+
properties:
132+
authInputType:
133+
description: |-
134+
AuthInputType is the authentication method to be used to authenticate
135+
with HashiCorp Vault. The only supported value is "OIDC".
136+
enum:
137+
- OIDC
138+
type: string
139+
authPath:
140+
description: |-
141+
The login URL used for obtaining the Vault token. Example:
142+
/v1/auth/oidc/login
143+
type: string
144+
clientId:
145+
description: 'Deprecated: This field does nothing and
146+
will be removed in the future.'
147+
type: string
148+
role:
149+
description: |-
150+
The role defined in Vault that we want to use when authenticating to
151+
Vault.
152+
type: string
153+
url:
154+
description: The URL to connect to your HashiCorp Vault
155+
instance.
156+
type: string
157+
required:
158+
- authInputType
159+
- authPath
160+
- role
161+
type: object
162+
hashicorpVaultSecret:
163+
description: |-
164+
HashicorpVaultSecret is a SecretSource step that requires a Vault token in
165+
the previous step, either using a step `HashicorpVaultOAuth` or `Secret`. It
166+
then fetches the requested secrets from Vault for use in the next step.
167+
properties:
168+
fields:
169+
description: |-
170+
The fields are Vault keys pointing to the secrets passed to the next
171+
SecretSource step.
172+
173+
Example 1 (TPP, username and password): imagining that you have stored
174+
the username and password for TPP under the keys "username" and
175+
"password", you will want to set this field to `["username",
176+
"password"]`. The username is expected to be given first, the password
177+
second.
178+
items:
179+
type: string
180+
type: array
181+
secretPath:
182+
description: |-
183+
The full HTTP path to the secret in Vault. Example:
184+
/v1/secret/data/application-team-a/tpp-username-password
185+
type: string
186+
url:
187+
description: The URL to connect to your HashiCorp Vault
188+
instance.
189+
type: string
190+
required:
191+
- fields
192+
- secretPath
193+
type: object
194+
secret:
195+
description: |-
196+
Secret is a SecretSource step meant to be the first step. It retrieves secret
197+
values from a Kubernetes Secret, and passes them to the next step.
198+
properties:
199+
fields:
200+
description: |-
201+
The names of the fields we want to extract from the Kubernetes secret.
202+
These fields are passed to the next step in the chain.
203+
items:
204+
type: string
205+
type: array
206+
name:
207+
description: The name of the Kubernetes secret.
208+
type: string
209+
required:
210+
- fields
211+
- name
212+
type: object
213+
serviceAccountToken:
214+
description: |-
215+
ServiceAccountToken is a SecretSource step meant to be the first step. It
216+
uses the Kubernetes TokenRequest API to retrieve a token for a given service
217+
account, and passes it to the next step.
218+
properties:
219+
audiences:
220+
description: |-
221+
Audiences are the intendend audiences of the token. A recipient of a
222+
token must identify themself with an identifier in the list of
223+
audiences of the token, and otherwise should reject the token. A
224+
token issued for multiple audiences may be used to authenticate
225+
against any of the audiences listed but implies a high degree of
226+
trust between the target audiences.
227+
items:
228+
type: string
229+
type: array
230+
expirationSeconds:
231+
description: |-
232+
ExpirationSeconds is the requested duration of validity of the request. The
233+
token issuer may return a token with a different validity duration so a
234+
client needs to check the 'expiration' field in a response.
235+
format: int64
236+
type: integer
237+
name:
238+
description: The name of the Kubernetes service account.
239+
type: string
240+
required:
241+
- audiences
242+
- name
243+
type: object
244+
tppOAuth:
245+
description: |-
246+
TPPOAuth is a SecretSource step that authenticates to a TPP server. This
247+
step is meant to be the last step and requires a prior step that depends
248+
on the `authInputType`.
249+
properties:
250+
authInputType:
251+
description: |-
252+
AuthInputType is the authentication method to be used to authenticate
253+
with TPP. The supported values are "UsernamePassword" and "JWT".
254+
enum:
255+
- UsernamePassword
256+
- JWT
257+
type: string
258+
clientId:
259+
description: ClientID is the clientId used to authenticate
260+
with TPP.
261+
type: string
262+
url:
263+
description: |-
264+
The URL to connect to the Venafi TPP instance. The two URLs
265+
https://tpp.example.com and https://tpp.example.com/vedsdk are
266+
equivalent. The ending `/vedsdk` is optional and is stripped out
267+
by our client.
268+
If not set, defaults to the URL defined at the top-level of the
269+
TPP configuration.
270+
type: string
271+
required:
272+
- authInputType
273+
type: object
274+
vcpOAuth:
275+
description: |-
276+
VCPOAuth is a SecretSource step that authenticates to the Venafi Control
277+
Plane. This step is meant to be the last step and requires a prior step
278+
that outputs a JWT token.
279+
properties:
280+
tenantID:
281+
description: TenantID is the tenant ID used to authenticate
282+
with VCP.
283+
type: string
284+
type: object
285+
type: object
286+
x-kubernetes-validations:
287+
- message: must have exactly one field set
288+
rule: '((has(self.secret) ? 1 : 0) + (has(self.serviceAccountToken)
289+
? 1 : 0) + (has(self.hashicorpVaultOAuth) ? 1 : 0) + (has(self.hashicorpVaultSecret)
290+
? 1 : 0) + (has(self.hashicorpVaultLDAP) ? 1 : 0) + (has(self.tppOAuth)
291+
? 1 : 0) + (has(self.vcpOAuth) ? 1 : 0)) == 1'
292+
maxItems: 50
293+
type: array
294+
x-kubernetes-list-type: atomic
295+
url:
296+
description: The URL to connect to the Venafi Firefly instance.
297+
type: string
298+
required:
299+
- url
300+
type: object
97301
tpp:
98302
properties:
99303
accessToken:
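Review bot: a new `firefly` connection type with its own `accessToken` step chain (Vault OAuth/secret/LDAP, Kubernetes Secret, TokenRequest, TPP and VCP OAuth) is a user-visible API addition, not a pure dependency bump, so the commit message and the release notes should call it out explicitly (RELEASE.md step 6 asks to drop "update deps" entries, which would otherwise hide this change). Two smaller points in the generated text: the `audiences` description carries the typos "intendend" and "themself", and the `hashicorpVaultLDAP` description is word for word the `hashicorpVaultSecret` one ("fetches the requested secrets") rather than describing the LDAP credential path; both should be fixed in the Go doc comments this file is generated from, not here. Finally, the three Vault `url` fields and the Firefly `url` are unconstrained strings; a `format: uri` or a pattern requiring an `https://` scheme would reject a plaintext endpoint at admission time instead of at connection time.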
@@ -1117,7 +1321,7 @@ spec:
11171321
- message: 'must have exactly ONE of the following fields set: tpp or
11181322
vcp'
11191323
rule: '(has(self.tpp) ? 1 : 0) + (has(self.vaas) ? 1 : 0) + (has(self.vcp)
1120-
? 1 : 0) == 1'
1324+
? 1 : 0) + (has(self.firefly) ? 1 : 0) == 1'
11211325
status:
11221326
properties:
11231327
conditions:
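Review bot: the rule now counts `has(self.firefly)`, but the accompanying message still reads "must have exactly ONE of the following fields set: tpp or vcp", so a user who sets none or several of the fields gets an error that never mentions `firefly` (nor `vaas`, which the rule already counted); update the message to list every field the rule checks, e.g. "must have exactly ONE of the following fields set: tpp, vcp or firefly".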
