Proposal/add pre commit (#88)

* Added Role / RoleBinding / Documentation * updated 1.17+ api versions to rbac.authorization.k8s.io/v1 * proposal to introduce pre-commit to kapitan-reference Co-authored-by: danny.heinrich <[email protected]>
kapicorp · May 17, 2021 · f415e6e · f415e6e
1 parent d9a10f6
commit f415e6e
Show file tree

Hide file tree

Showing 30 changed files with 451 additions and 282 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,27 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.4.0
+    hooks:
+    -   id: trailing-whitespace
+    # -   id: end-of-file-fixer
+    -   id: check-docstring-first
+    -   id: check-json
+    -   id: check-yaml
+        exclude:  |
+            (?x)(
+                ^compiled/|
+            )
+    -   id: debug-statements
+    -   id: name-tests-test
+    -   id: requirements-txt-fixer
+    -   id: double-quote-string-fixer
+    -   id: check-merge-conflict
+# -   repo: https://github.com/gruntwork-io/pre-commit
+#     rev: v0.1.12
+#     hooks:
+#     -   id: shellcheck
+#         exclude:  |
+#             (?x)(
+#                 ^kapitan|
+#                 ^templates/scripts/import_kubernetes_clusters
+#             )
diff --git a/README.md b/README.md
@@ -75,11 +75,11 @@ Compiled global (0.76s)
 Compiled examples (2.60s)
 Compiled pritunl (2.03s)
 Compiled sock-shop (4.36s)
-``` 
+```
 
 ## Generators
 
-As explained in the blog post [Keep your ship together with Kapitan](https://medium.com/kapitan-blog/keep-your-ship-together-with-kapitan-d82d441cc3e7). generators are a 
+As explained in the blog post [Keep your ship together with Kapitan](https://medium.com/kapitan-blog/keep-your-ship-together-with-kapitan-d82d441cc3e7). generators are a
 powerful idea to simplify the management your setup.
 
 We will release initially generators for kubernetes manifests, terraform and spinnaker pipelines.
@@ -129,6 +129,3 @@ We have used this generator extensively, and we know it covers the majority of t
 If you want a specific example, please let us know (or submit your PR)
 
 By adding more example we will be able to stress test the library to make sure we really satisfy all the most common use cases.
-
-
-
diff --git a/compiled/dev-sockshop/docs/README.md b/compiled/dev-sockshop/docs/README.md
@@ -1,4 +1,4 @@
-# dev-sockshop 
+# dev-sockshop
 
 |||
 | --- | --- |

diff --git a/compiled/echo-server/docs/README.md b/compiled/echo-server/docs/README.md
@@ -1,4 +1,4 @@
-# echo-server 
+# echo-server
 
 |||
 | --- | --- |

diff --git a/compiled/examples/docs/README.md b/compiled/examples/docs/README.md
@@ -1,4 +1,4 @@
-# examples 
+# examples
 
 |||
 | --- | --- |

diff --git a/compiled/gke-pvm-killer/docs/README.md b/compiled/gke-pvm-killer/docs/README.md
@@ -1,4 +1,4 @@
-# gke-pvm-killer 
+# gke-pvm-killer
 
 |||
 | --- | --- |

diff --git a/compiled/global/README.md b/compiled/global/README.md
@@ -1,5 +1,5 @@
 | *Target* |
-| -------- | 
+| -------- |
 |[dev-sockshop](../dev-sockshop/docs/README.md)|
 |[echo-server](../echo-server/docs/README.md)|
 |[examples](../examples/docs/README.md)|

diff --git a/compiled/global/docs/README.md b/compiled/global/docs/README.md
@@ -1,4 +1,4 @@
-# global 
+# global
 
 |||
 | --- | --- |

diff --git a/compiled/mysql/docs/README.md b/compiled/mysql/docs/README.md
@@ -1,4 +1,4 @@
-# mysql 
+# mysql
 
 |||
 | --- | --- |

diff --git a/compiled/postgres-proxy/docs/README.md b/compiled/postgres-proxy/docs/README.md
@@ -1,4 +1,4 @@
-# postgres-proxy 
+# postgres-proxy
 
 |||
 | --- | --- |

diff --git a/compiled/pritunl/docs/README.md b/compiled/pritunl/docs/README.md
@@ -1,4 +1,4 @@
-# pritunl 
+# pritunl
 
 |||
 | --- | --- |

diff --git a/compiled/prod-sockshop/docs/README.md b/compiled/prod-sockshop/docs/README.md
@@ -1,4 +1,4 @@
-# prod-sockshop 
+# prod-sockshop
 
 |||
 | --- | --- |

diff --git a/compiled/sock-shop/docs/README.md b/compiled/sock-shop/docs/README.md
@@ -1,4 +1,4 @@
-# sock-shop 
+# sock-shop
 
 |||
 | --- | --- |

diff --git a/compiled/tesoro/docs/README.md b/compiled/tesoro/docs/README.md
@@ -1,4 +1,4 @@
-# tesoro 
+# tesoro
 
 |||
 | --- | --- |

diff --git a/compiled/tesoro/scripts/generate_tesoro_certs.sh b/compiled/tesoro/scripts/generate_tesoro_certs.sh
@@ -22,7 +22,7 @@ openssl req -x509 -new -nodes -key ${CACERT_KEY} -subj "/CN=CA-${CN}" -sha256 -d
 openssl genrsa -out ${CERT_KEY} 2048 > /dev/null
 openssl req -new -sha256 -key ${CERT_KEY} -subj "/CN=${CN}" -out csr.csr >/dev/null
 openssl x509 -req -in csr.csr -CA ${CACERT_PEM} -extfile <(printf "subjectAltName=DNS:${CN}")  -CAkey ${CACERT_KEY} -CAcreateserial -out ${CERT_PEM} -days 500 -sha256 > /dev/null
-openssl x509 -in ${CERT_PEM} -noout 
+openssl x509 -in ${CERT_PEM} -noout
 popd
 kapitan refs -t tesoro --write plain:targets/tesoro/kapicorp-tesoro-cert-pem --base64 -f ${SCRIPT_TMP_DIR}/${CERT_PEM}
 kapitan refs -t tesoro --write plain:targets/tesoro/kapicorp-tesoro-cert-key --base64 -f ${SCRIPT_TMP_DIR}/${CERT_KEY}

diff --git a/compiled/tutorial/docs/README.md b/compiled/tutorial/docs/README.md
@@ -1,4 +1,4 @@
-# tutorial 
+# tutorial
 
 |||
 | --- | --- |

diff --git a/components/generators/kubernetes/README.md b/components/generators/kubernetes/README.md
@@ -28,7 +28,7 @@ classes:
 
 ### EVERY CHANGE -> Compile your targets
 
-EVERY time you make a change, you will want to tell `kapitan` to compile your targets. 
+EVERY time you make a change, you will want to tell `kapitan` to compile your targets.
 `kapitan` will create a folder for each target under the `compiled` folder
 
 #### To compile only the `demo` target
@@ -85,8 +85,8 @@ parameters:
     echo-server:
       <other config>
       env:
-        KAPITAN_SECRET: 
-          secretKeyRef: 
+        KAPITAN_SECRET:
+          secretKeyRef:
             name: a_secret          *OPTIONAL*
             key: 'kapitan_secret'
 ```
@@ -247,7 +247,7 @@ Creating both `secrets` and `config maps` is very simple with Kapitan Generators
       config_maps:
         config:
           data:
-            echo-service.conf: 
+            echo-service.conf:
               value: |-
                 # A configuration file
                 example: true
@@ -279,7 +279,7 @@ Note that in the previous example the config map is not mounted, because the `mo
         config:
           mount: /opt/echo-service
           data:
-            echo-service.conf: 
+            echo-service.conf:
               value: |-
                 # A configuration file
                 example: true
@@ -471,7 +471,7 @@ The deployment uses all (applicable) configurations available to the `deployment
             accessModes: ["ReadWriteOnce"]
             storageClassName: "myStorageClass"
             resources:
-              requests: 
+              requests:
                 storage: 10Gi
 ```
 #### HostPath
@@ -512,7 +512,7 @@ The statefulset uses all (applicable) configurations available to the `deploymen
             accessModes: ["ReadWriteOnce"]
             storageClassName: "standard"
             resources:
-              requests: 
+              requests:
                 storage: 10Gi
 ```
 
@@ -591,7 +591,7 @@ parameters:
         nginx:
           image: nginx
           ports:
-            nginx: 
+            nginx:
               service_port: 80
 ```
 
@@ -609,7 +609,7 @@ parameters:
         nginx:
           image: nginx
           ports:
-            nginx: 
+            nginx:
               service_port: 80
           config_maps:
             config:
@@ -668,7 +668,7 @@ You can also generate Network Policies by simply adding them under the `network_
       # One or many network policies
       network_policies:
         default:
-          pod_selector: 
+          pod_selector:
             name: echo-server
           ingress:
             - from:
@@ -807,6 +807,104 @@ spec:
       name: tesoro
 ```
 
+### Role, Role-Bindings and Cluster-Role, Cluster-Role-Bindings
+
+```yaml
+parameters:
+  components:
+    filebeat:
+      # ServiceAccount
+      service_account:
+        enabled: true
+        create: true
+
+      # ROLE + Binding
+      role:
+        binding:
+          subjects:
+            - kind: ServiceAccount
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: Role
+        rules:
+          - apiGroups:
+            - ""
+            resources:
+            - secrets
+            verbs:
+            - create
+            - delete
+          - apiGroups:
+            - ""
+            resources:
+            - pods
+            - pods/log
+            verbs:
+            - get
+            - create
+            - delete
+            - list
+            - watch
+            - update
+```
+
+produces the following resource
+
+```yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    name: filebeat
+  name: filebeat
+  namespace: filebeat
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+      - pods/log
+    verbs:
+      - get
+      - create
+      - delete
+      - list
+      - watch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    name: filebeat
+  name: filebeat
+  namespace: filebeat
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: filebeat
+subjects:
+  - kind: ServiceAccount
+    name: filebeat
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    name: filebeat
+  name: filebeat
+  namespace: filebeat
+
+```
+
 ## Defining default values for multiple components
 
 Sometimes, when defining many components, you and up repeating many repeating configurations.
@@ -837,7 +935,7 @@ For instance, when we enable the [`features.tesoro`](../../../inventory/classes/
       default_config:
         globals:
           secrets:
-            labels: 
+            labels:
               tesoro.kapicorp.com: enabled
 ```
-Original file line number
+Diff line change
@@ -1,4 +1,4 @@
-    # mysql
+    # mysql
     |||
     | --- | --- |
@@ Expand Down @@