Merge branch 'main' into feat/webhook-validation

samirtahir91 · Nov 14, 2024 · 615cf0c · 615cf0c
2 parents f2cf3a9 + c219192
commit 615cf0c
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.22.2 AS builder
+FROM golang:1.22.8 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 

diff --git a/README.md b/README.md
@@ -17,6 +17,9 @@ The `github-app-operator` is a Kubernetes operator that generates an access toke
 - Stores the access token in a secret specified by `accessTokenSecret`.
 
 ### Private Key Retrieval Options
+> [!TIP]
+> There is a sample constraint template and constraint for Gatekeeper to restrict the type of private key source in the `gatekeeper-policy` folder since we can't restrict it to be unique in the GithubApp CRD.
+
 
 #### 1. Using a Kubernetes Secret
 - **Configuration:**

diff --git a/gatekeeper-policy/constraint-template.yaml b/gatekeeper-policy/constraint-template.yaml
@@ -0,0 +1,22 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: githubappprivatekey
+spec:
+  crd:
+    spec:
+      names:
+        kind: GithubAppPrivateKey
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package githubappsecrets
+
+        violation[{"msg": msg}] {
+          target_keys := {"privateKeySecret", "googlePrivateKeySecret", "vaultPrivateKey"}
+          provided_keys := {key | _ = input.review.object.spec[key]}
+          intersection := target_keys & provided_keys
+          count(intersection) != 1
+          invalid := provided_keys - target_keys
+          msg := "Exactly one of privateKeySecret, googlePrivateKeySecret or vaultPrivateKey are allowed"
+        }
diff --git a/gatekeeper-policy/constraint.yaml b/gatekeeper-policy/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: GithubAppPrivateKey
+metadata:
+  name: githubapp-unique-key-constraint
+spec:
+  match:
+    kinds:
+      - apiGroups: ["githubapp.samir.io"]
+        kinds: ["GithubApp"]
diff --git a/go.mod b/go.mod
@@ -1,10 +1,10 @@
 module github-app-operator
 
-go 1.22.2
+go 1.22.8
 
 require (
 	cloud.google.com/go/secretmanager v1.13.4
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v4 v4.5.1
 	github.com/hashicorp/vault/api v1.13.0
 	github.com/hashicorp/vault/api/auth/kubernetes v0.6.0
 	github.com/onsi/ginkgo/v2 v2.17.1

diff --git a/go.sum b/go.sum
@@ -74,8 +74,8 @@ github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
 github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=