Adding Dependentbot action and reworking the CA creation logic (#16)

* Update supported Linkerd version

Signed-off-by: Denis Arslanbekov <[email protected]>

* Added CODEOWNERS

Signed-off-by: Denis Arslanbekov <[email protected]>

* Added dependabot

Signed-off-by: Denis Arslanbekov <[email protected]>

* Added stale action

Signed-off-by: Denis Arslanbekov <[email protected]>

* Update github-action (added build for arm64 arch)

Signed-off-by: Denis Arslanbekov <[email protected]>

* Update helm-chart

Signed-off-by: Denis Arslanbekov <[email protected]>

---------

Signed-off-by: Denis Arslanbekov <[email protected]>

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @aatarasoff

.github/dependabot.yaml

@@ -0,0 +1,25 @@
+---
+version: 2
+updates:
+  - package-ecosystem: gomod
+    directory: "/"
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - go
+  - package-ecosystem: github-actions
+    directory: "/"
+    rebase-strategy: disabled
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - github_actions
+  - package-ecosystem: docker
+    directory: "/injector"
+    schedule:
+      interval: weekly
+    labels:
+      - dependencies
+      - docker

.github/stale.yaml

@@ -0,0 +1,19 @@
+---
+daysUntilStale: 21
+daysUntilClose: 7
+exemptLabels:
+  - on-hold
+
+staleLabel: stale
+
+issues:
+  markComment: >
+    This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
+  closeComment: >
+    Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
+pulls:
+  markComment: >
+    This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.
+  closeComment: >
+    Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Pull Request. Do not hesitate to reopen it later if necessary.
+limitPerRun: 30

.github/workflows/publish-webhook.yaml

@@ -3,7 +3,7 @@ name: Publish Docker image
 on:
   push:
     tags:
-      - '[0-9]+.[0-9]+.[0-9]+'
+      - "[0-9]+.[0-9]+.[0-9]+"
 
 jobs:
   push_to_registries:
@@ -28,10 +28,19 @@ jobs:
           images: |
             aatarasoff/linkerd-easyauth-webhook
 
-      - name: Build and push Docker images
-        uses: docker/build-push-action@v3
+      - name: Set up docker buildx
+        uses: docker/setup-buildx-action@v3
         with:
-          file: ./injector/Dockerfile
+          version: latest
+
+      - name: Build docker image
+        uses: docker/build-push-action@v5
+        with:
+          file: injector/Dockerfile
+          context: injector
+          platforms: linux/amd64, linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/release-charts.yaml

@@ -31,4 +31,4 @@ jobs:
         with:
           charts_dir: charts
         env:
-          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/release-cli.yaml

@@ -3,7 +3,7 @@ name: Release EasyAuthCLI
 on:
   push:
     tags:
-      - '[0-9]+.[0-9]+.[0-9]+'
+      - "[0-9]+.[0-9]+.[0-9]+"
 
 jobs:
   release-cli:
@@ -17,7 +17,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: '^1.18.3'
+          go-version: "^1.18.3"
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
@@ -27,4 +27,4 @@ jobs:
           args: release --rm-dist
           workdir: .
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -1,36 +1,45 @@
 # Linkerd EasyAuth Extension
 
 ## Motivation
+
 Simplify the Linkerd Authorization Policies management according to [the article](https://itnext.io/a-practical-guide-for-linkerd-authorization-policies-6cfdb50392e9) by giving a bunch of predefined policies and opinionated structures.
 
 Special checkers to find obsolete resources and misconfigurations, plus ultra-fast `authz` command implementation (up to 10x faster than original one).
 
 ## Supported versions
+
 | Linkerd Version | EasyAuth Version |
-|-----------------|------------------|
+| --------------- | ---------------- |
 | 2.11.x          | 0.1.0 - 0.4.0    |
 | 2.12.x          | \>= 0.5.0        |
+| 2.13.x          | \>= 0.5.0        |
+| 2.14.x          | \>= 0.5.0        |
 
-New `AuthorizationPolicy` is supported since `0.6.0`.  New `HTTPRoute` is supported since `0.8.0`
+New `AuthorizationPolicy` is supported since `0.6.0`. New `HTTPRoute` is supported since `0.8.0`
 
 ## How to use it
 
 ## CLI
+
 Grab latest binaries from the releases page: https://github.com/aatarasoff/linkerd-easyauth/releases.
 
 ### Usage
-```
+
+```bash
 linkerd easyauth [COMMAND] -n <namespace> [FLAGS]
 ```
 
 ### Supported commands
+
 - `authcheck`: checks for obsolete `Server` and policies resources like `ServerAuthorization`, `AuthorizationPolicy`, `MeshTLSAuthentication`, `NetworkAuthentication`, and `HTTPRoute`, checks that PODs ports have `Server` resource
 - `list`: list of Pods that were injected by `linkerd.io/easyauth-enabled: true` annotation (more information below)
 - `authz`: fast implementation for fetch the list authorization policies for a resource (use caching)
 
 ## Helm chart
+
 Install the helm chart with injector and policies:
-```
+
+```bash
 > kubectl create ns linkerd-easyauth
 
 # Edit namespace and add standard linkerd annotations
@@ -40,14 +49,17 @@ Install the helm chart with injector and policies:
 ```
 
 ### What the helm chart provides
+
 - Injector that adds `linkerd.io/easyauth-enabled: true` label for all meshed pods (you can limit namespaces via helmchart)
 - `Server` in terms of Linkerd authorization policies for `linkerd-admin-port`
 - `AuthorizationPolicy` resources that provides basic allow policies for ingress, Linkerd itself, and monitoring
 
 ### What the helm chart does not provide
+
 Because the `Server` should be one per service per port, we can define the server for the linkerd proxy admin port only.
 For each port that should be used by other pods, or Linkerd you should add the server definition manually:
-```
+
+```yaml
 ---
 apiVersion: policy.linkerd.io/v1beta1
 kind: Server
@@ -61,11 +73,14 @@ spec:
     matchLabels:
       <app-label>: <app-unique-value>
   port: <my-port-name>
-``` 
+```
 
 ### Important Values
+
 #### Meshed Apps Namespaces
+
 Because all `AuthorizationPolicy` policies are Namespaced scope then we should add common policies to each namespace with our apps:
+
 ```
 meshedApps:
   namespaces:
@@ -74,7 +89,9 @@ meshedApps:
 ```
 
 #### Cluster Network Common Policy
+
 In case of using route-based policy you should authorize requests for passing probes by adding app-specific `HTTPRoute` and policies for it for each app:
+
 ```yaml
 apiVersion: policy.linkerd.io/v1alpha1
 kind: AuthorizationPolicy
@@ -97,28 +114,31 @@ The Helm chart generates NetworkAuthentication with name `cluster-network-authn`
 You should explicitly provide cluster network or authorize kubelet only. It depends on the K8s implementation you are using and could be setup via `clusterNetwork` section in the values.
 
 #### Kubelet CIDR
-> **⚠ WARNING: 2.11.x only**  
+
+> **⚠ WARNING: 2.11.x only**
 
 Because of [the issue](https://github.com/linkerd/linkerd2/issues/7050), in 2.11.x version of Linkerd you should explicitly provide CIDR for kubelet.
 It depends on the K8s implementation you are using.
 
 There are two possibility. If you can define CIDR precisely then you can use it
-```
-  kubelet:
-    cidr:
-      - cidr: 10.164.0.0/20
+
+```yaml
+kubelet:
+  cidr:
+    - cidr: 10.164.0.0/20
 ```
 
 If you cannot do it, but you have GKE-like pattern then you can define octets and ranges for generation the bunch of `/32` CIDR:
-```
-  kubelet:
-    cidr: []
-    # generate by pattern octet0:{low1-high1}:{low2-high2}:octet3 (10.169.150.1)
-    generator:
-      octet0: 10
-      low1: 168
-      high1: 172
-      low2: 0
-      high2: 256
-      octet3: 1
+
+```yaml
+kubelet:
+  cidr: []
+  # generate by pattern octet0:{low1-high1}:{low2-high2}:octet3 (10.169.150.1)
+  generator:
+    octet0: 10
+    low1: 168
+    high1: 172
+    low2: 0
+    high2: 256
+    octet3: 1
 ```

charts/linkerd-easyauth/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "0.9.0"
 description: A Helm chart for Linkerd easyauth extension.
 name: linkerd-easyauth
-version: "0.9.0"
+version: "0.9.0"

charts/linkerd-easyauth/templates/auth-policies.yml

@@ -106,4 +106,4 @@ spec:
     {{- end }}
     {{- end }}
     {{- end }}
-{{ end }}
+{{ end }}

charts/linkerd-easyauth/templates/rbac.yml

@@ -1,4 +1,5 @@
 {{- $host := printf "easyauth-injector.%s.svc" .Values.namespace }}
+{{- if not (lookup "v1" "Secret" .Release.Namespace "easyauth-injector-k8s-tls") }}
 {{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
 ---
 kind: Secret
@@ -10,6 +11,7 @@ type: kubernetes.io/tls
 data:
   tls.crt: {{ (b64enc (trim $ca.Cert)) }}
   tls.key: {{ (b64enc (trim $ca.Key)) }}
+{{- end }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -74,4 +76,4 @@ webhooks:
         apiGroups: [""]
         apiVersions: ["v1"]
         resources: ["pods"]
-    sideEffects: None
+    sideEffects: None