Initial commit

.github/workflows/build.yaml

@@ -0,0 +1,74 @@
+name: Build Artifacts
+on:
+  release:
+    types: [created]
+  push:
+    branches:
+      - '**'
+  workflow_dispatch:
+    inputs:
+      publish_docker:
+        description: "Publish image to ghcr.io/netcracker/qubership-credential-manager"
+        type: boolean
+        default: false
+        required: false
+
+env:
+  TAG_NAME: ${{ github.event.release.tag_name || github.ref }}
+  PUSH: ${{ github.event_name != 'workflow_dispatch' || inputs.publish_docker }}
+
+jobs:
+  multiplatform_build:
+    strategy:
+      fail-fast: false
+      matrix:
+        component:
+          - name: qubership-credential-manager
+            file: build/Dockerfile
+            context: ""
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Validate
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ github.ref }}" == refs/tags* ]]; then
+            echo -e "\033[91mManual workflow run on tags is not allowed!\033[0m"
+            exit 1
+          fi
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${GITHUB_ACTOR}
+          password: ${{secrets.GITHUB_TOKEN}}
+      - name: Prepare Tag
+        run: echo "TAG_NAME=$(echo ${TAG_NAME} | sed 's@refs/tags/@@;s@refs/heads/@@;s@/@_@g')" >> $GITHUB_ENV
+      - name: Get package IDs for delete 
+        id: get-ids-for-delete
+        uses: Netcracker/[email protected]
+        with:
+          component-name: ${{ matrix.component.name }}
+          component-tag: ${{ env.TAG_NAME }}
+          access-token: ${{secrets.GITHUB_TOKEN}}
+        if: ${{ env.PUSH }}
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          no-cache: true
+          context: ${{ matrix.component.context }}
+          file: ${{ matrix.component.file }}
+          platforms: linux/amd64 #,linux/arm64
+          push: ${{ env.PUSH }}
+          tags: ghcr.io/netcracker/${{ matrix.component.name }}:${{ env.TAG_NAME }}
+          provenance: false
+      - uses: actions/delete-package-versions@v5
+        with: 
+          package-name: ${{ matrix.component.name }}
+          package-type: 'container'
+          package-version-ids: ${{ steps.get-ids-for-delete.outputs.ids-for-delete }}
+        if: ${{ steps.get-ids-for-delete.outputs.ids-for-delete != '' }}

.github/workflows/clean.yaml

@@ -0,0 +1,33 @@
+name: Branch Deleted
+on: delete
+
+env:
+  COMPONENT_NAME: qubership-credential-manager
+  TAG_NAME: ${{ github.event.ref }}
+
+jobs:
+  delete:
+    if: github.event.ref_type == 'branch'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Prepare Tag
+        run: echo "TAG_NAME=$(echo ${TAG_NAME} | sed 's@refs/heads/@@;s@/@_@g')" >> $GITHUB_ENV
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${GITHUB_ACTOR}
+          password: ${{secrets.GITHUB_TOKEN}}
+      - name: Get package IDs for delete 
+        id: get-ids-for-delete
+        uses: Netcracker/[email protected]
+        with:
+          component-name: ${{ env.COMPONENT_NAME }}
+          component-tag: ${{ env.TAG_NAME }}
+          access-token: ${{secrets.GITHUB_TOKEN}}
+      - uses: actions/delete-package-versions@v5
+        with: 
+          package-name: ${{ env.COMPONENT_NAME }}
+          package-type: 'container'
+          package-version-ids: ${{ steps.get-ids-for-delete.outputs.ids-for-delete }}
+        if: ${{ steps.get-ids-for-delete.outputs.ids-for-delete != '' }}

.github/workflows/license.yaml

@@ -0,0 +1,24 @@
+name: Add License Header
+on:
+  push:
+    branches:
+      - 'main'
+env:
+   COPYRIGHT_COMPANY: 'NetCracker Technology Corporation'
+   COPYRIGHT_YEAR: '2024-2025'
+jobs:
+  license:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GH_ACCESS_TOKEN }}
+      - run: docker run -v "${PWD}:/src" -i ghcr.io/google/addlicense -v -c "${{ env.COPYRIGHT_COMPANY }}" -y "${{ env.COPYRIGHT_YEAR }}" $(find . -type f -name "*.go" -o -type f -name "*.py" | xargs echo)
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: Auto-update license header
+          branch: license-update
+          title: Add License Header
+          body: Automated license header update
+          delete-branch: true

.gitignore

@@ -0,0 +1 @@
+/build/_output/*

CODE-OF-CONDUCT.md

@@ -0,0 +1,73 @@
+# Code of Conduct
+
+This repository is governed by following code of conduct guidelines.
+
+We put collaboration, trust, respect and transparency as core values for our community.
+Our community welcomes participants from all over the world with different experience,
+opinion and ideas to share.
+
+We have adopted this code of conduct and require all contributors to agree with that to build a healthy,
+safe and productive community for all.
+
+The guideline is aimed to support a community where all people should feel safe to participate,
+introduce new ideas and inspire others, regardless of:
+
+* Age
+* Gender
+* Gender identity or expression
+* Family status
+* Marital status
+* Ability
+* Ethnicity
+* Race
+* Sex characteristics
+* Sexual identity and orientation
+* Education
+* Native language
+* Background
+* Caste
+* Religion
+* Geographic location
+* Socioeconomic status
+* Personal appearance
+* Any other dimension of diversity
+
+## Our Standards
+
+We are welcoming the following behavior:
+
+* Be respectful for different ideas, opinions and points of view
+* Be constructive and professional
+* Use inclusive language
+* Be collaborative and show the empathy
+* Focus on the best results for the community
+
+The following behavior is unacceptable:
+
+* Violence, threats of violence, or inciting others to commit self-harm
+* Personal attacks, trolling, intentionally spreading misinformation, insulting/derogatory comments
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic address, without explicit permission
+* Derogatory language
+* Encouraging unacceptable behavior
+* Other conduct which could reasonably be considered inappropriate in a professional community
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of the Code of Conduct
+and are expected to take appropriate actions in response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments,
+commits, code, wiki edits, issues, and other contributions that are not aligned
+to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors
+that they deem inappropriate, threatening, offensive, or harmful.
+
+## Reporting
+
+If you believe you’re experiencing unacceptable behavior that will not be tolerated as outlined above,
+please report to `[email protected]`. All complaints will be reviewed and investigated and will result in a response
+that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality
+with regard to the reporter of an incident.
+
+Please also report if you observe a potentially dangerous situation, someone in distress, or violations of these guidelines,
+even if the situation is not happening to you.

CONTRIBUTING.md

@@ -0,0 +1,12 @@
+# Contribution Guide
+
+We'd love to accept patches and contributions to this project.
+Please, follow these guidelines to make the contribution process easy and effective for everyone involved.
+
+## Contributor License Agreement
+
+You must sign the [Contributor License Agreement](https://pages.netcracker.com/cla-main.html) in order to contribute.
+
+## Code of Conduct
+
+Please make sure to read and follow the [Code of Conduct](CODE-OF-CONDUCT.md).

Makefile

@@ -0,0 +1,42 @@
+DOCKER_FILE := build/Dockerfile
+
+ifndef TAG_ENV
+override TAG_ENV = local
+endif
+
+ifndef DOCKER_NAMES
+override DOCKER_NAMES = "ghcr.io/netcracker/qubership-credential-manager:${TAG_ENV}"
+endif
+
+sandbox-build: deps docker-build
+
+all: sandbox-build docker-push
+
+local: fmt deps docker-build
+
+deps:
+	go mod tidy
+	GO111MODULE=on
+
+update:
+	go get -u ./...
+
+fmt:
+	gofmt -l -s -w .
+
+compile:
+	CGO_ENABLED=0 go build -o ./build/_output/bin/qubership-credential-manager \
+				-gcflags all=-trimpath=${GOPATH} -asmflags all=-trimpath=${GOPATH} ./cmd/qubership-credential-manager
+
+
+docker-build:
+	$(foreach docker_tag,$(DOCKER_NAMES),docker build --file="${DOCKER_FILE}" --pull -t $(docker_tag) ./;)
+
+docker-push:
+	$(foreach docker_tag,$(DOCKER_NAMES),docker push $(docker_tag);)
+
+clean:
+	rm -rf build/_output
+
+test:
+	go test -v ./...

README.md

@@ -1 +1,53 @@
-# qubership-credential-manager
+# qubership-credential-manager
+
+This component is used to support credentials change functionality.
+
+Credential manager consists of several packages.
+
+# Coniguration
+
+## environment variables
+The next environment variables must be configured:
+
+`IS_HOOK` - Required for hook module `IsHook() bool` function.
+`SECRET_NAMES` - List of coma separated secret names to work with.
+
+# Modules
+
+## hook
+This module is used in pre-deploy hook for creation of secret old version.
+
+API:
+
+`PrepareOldCreds(secrets []string)` - The function accepts slice of secret names as an argument.
+New secrets with the same content and name with postfix `-old` will be created for all of the provided secrets.
+Secrets also will be locked with `locked-for-watcher=true` annotation on them.
+
+
+## informer
+This module allows you to create watcher for secret.
+
+API:
+
+`Watch(secretNames []string, reconcileFunc func())` - The function accepts slice of secret names for watching and function which triggers reconcile.
+After method execution whatchers will be created for selected secrets. One watcher per secret. On each secret change `reconcileFunc` function will be triggered. (Except the case when secret is "Locked"). If watcher is already present for a secret, new watcher won't be created.
+
+## manager
+This module provides functionality to define secret change, and perform credentials update. Functions for setting secret hash also included.
+
+API:
+
+`AreCredsChanged(secretNames []string) (bool, error)` - This function accepts slice of secret names. If at least one of the secrets was changed,
+this function returns `true`.
+
+`ActualizeCreds(secretName string, changeCredsFunc func(newSecret, oldSecret *corev1.Secret) error) error` - The function accepts secret name and the function for credentials change. If secret data has diff `changeCredsFunc` function will be executed. After `changeCredsFunc` function execution secret with postfix `-old` will be updated with new data from secret with `secretName` name. At the end `secretName` secret will be unlocked by setting `locked-for-watcher=false` annotation.
+
+`GetAnnotationName(id int) string` - This function provides annotation name for secret hash based on `id`.
+
+`CalculateSecretDataHash(secretName string) (string, error)` - This function provides sha256 hashsum for `secretName` secret data.
+
+`AddAnnotationsToPodTemplate(template *corev1.PodTemplateSpec, annotations map[string]string)` - This function merge `annotations` with Pod Template Spec existing annotations.
+
+`AddCredHashToPodTemplate(secretNames []string, template *corev1.PodTemplateSpec) error` - This function calculates secret hashes and sets them in  Pod Template Spec annotations.
+
+`SetOwnerRefForSecretCopies(secretNames []string, ownerRef []metav1.OwnerReference) error` - The function sets provided owner reference for secret copies with `-old` prefix, created by operator or pre-deploy hook.

SECURITY.md

@@ -0,0 +1,15 @@
+# Security Reporting Process
+
+Please, report any security issue to `[email protected]` where the issue will be triaged appropriately.
+
+If you know of a publicly disclosed security vulnerability please IMMEDIATELY email `[email protected]`
+to inform the team about the vulnerability, so we may start the patch, release, and communication process.
+
+# Security Release Process
+
+If the vulnerability is found in the latest stable release, then it would be fixed in patch version for that release.
+E.g., issue is found in 2.5.0 release, then 2.5.1 version with a fix will be released.
+By default, older versions will not have security releases.
+
+If the issue doesn't affect any existing public releases, the fix for medium and high issues is performed
+in a main branch before releasing a new version. For low priority issues the fix can be planned for future releases.

build.sh

@@ -0,0 +1,4 @@
+set -e -u
+set -x
+
+go test ./...

build/Dockerfile

@@ -0,0 +1,32 @@
+FROM --platform=$BUILDPLATFORM golang:1.22.5-alpine3.20 AS builder
+
+ENV GOSUMDB=off
+
+WORKDIR /workspace
+
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+RUN go mod download
+
+COPY pkg/ pkg/
+COPY cmd/ cmd/
+
+RUN go mod tidy
+
+# Build
+ARG TARGETOS TARGETARCH
+RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o ./build/_output/bin/qubership-credential-manager \
+    -gcflags all=-trimpath=${GOPATH} -asmflags all=-trimpath=${GOPATH} ./cmd/qubership-credential-manager
+
+FROM alpine:3.20.3
+
+ENV CONTROLLER=/usr/local/bin/qubership-credential-manager \
+    USER_UID=1001
+
+COPY --from=builder /workspace/build/_output/bin/qubership-credential-manager ${CONTROLLER}
+
+USER ${USER_UID}
+
+CMD ["sh", "-c", "${CONTROLLER}"]