Thanks for your interest in the CyberArk Secrets Provider for Kubernetes. We welcome contributions!
- Contributing to the CyberArk Secrets Provider for Kubernetes
To work in this codebase, you will want to have Go version 1.25.3+ installed.
The full documentation for the Cyberark Secrets Provider for Kubernetes can be found here for Secrets Manager, Self-Hosted and here for Conjur Open Source.
Before you can start contributing to the CyberArk Secrets Provider for Kubernetes project, you must:
-
Setup your environment.
a. For detailed instructions on how to setup a Secrets Manager, Self-Hosted env, see Secrets Manager, Self-Hosted Setup.
b. For detailed instructions on how to setup a Conjur Open Source env, see Conjur Open Source Setup.
-
Setup the CyberArk Secrets Provider for Kubernetes
a. For detailed setup instructions for Secrets Manager, Self-Hosted, see CyberArk Secrets Provider for Kubernetes for Secrets Manager, Self-Hosted.
b. For detailed setup instructions for Conjur Open Source, see CyberArk Secrets Provider for Kubernetes for Conjur Open Source.
You can now deploy a local development environment for Kubernetes using Docker Desktop. Docker Desktop provides a convenient way to deploy and develop from your machine against a locally deployed cluster.
-
Docker Desktop installed
-
Kubernetes enabled in Docker Desktop
-
Navigate to Docker Preferences
-
Click on the Kubernetes tab and "Enable Kubernetes"
-
-
The Secrets Provider for K8s uses the Kubernetes Conjur deploy repository to deploy Secrets Manager, Self-Hosted / Conjur Open Source on Kubernetes. By default, 2.0 Gib of memory is allocated to Docker on your computer.
To successfully deploy a Secrets Manager, Self-Hosted cluster (Leader + Followers + Standbys), you will need to increase the memory limit to 6 Gib. To do so, perform the following:
-
Navigate to Docker preferences
-
Click on "Resources" and slide the "Memory" bar to 6
-
-
If you intend to deploy the Secrets Provider via Helm, you will need to install the Helm CLI. See here for instructions on how to do so.
To deploy a local development environment, perform the following:
-
Run
./bin/buildto build the Secrets Provider image locally -
Ensure you are in the proper local context. Otherwise, the deployment will not run successfully
Run kubectl config current-context to verify which context you are currently in so if needed, you can switch back to it easily
Run kubectl config use-context docker-desktop to switch to a local context. This is the context you will need to run the development environment
-
Navigate to
bootstrap.envand uncomment theLocal DEV Envsection, ensuring thatDEV=true. Additionally, you can deploy the Secrets Provider locally using HELM. To do so, also uncommentDEV_HELM -
Run
./bin/start --dev, appending--ossor--dapaccording to the environment that needs to be deployed -
To view the pod(s) that were deployed and the Secrets Provider logs, run
kubectl get podsandkubectl logs -l app=test-env -c cyberark-secrets-provider-for-k8s --tail=100respectively. You can also view Secrets Manager, Self-Hosted / Conjur Open Source pod logs by runningkubectl get pods -n local-conjurandkubectl logs -l app=conjur-oss -n local-conjur -c conjur --tail=100 -
If a cluster is already locally deployed run
./bin/start --dev --reloadto build your local changes and redeploy them to the local Secrets Provider K8s cluster
Assuming you have a running local cluster per the previous section and a valid kubeconfig, you can run the Golang-based integration tests by simply running go test -timeout 0 -v ./e2e --tags=e2e from the project root folder. This will execute the tests against the local cluster.
NOTE: This assumes that the cluster is running with the default values in bootstrap.env for local DEV clusters.
To remove K8s resources from your local environment perform the following:
-
Run
kubectl get all --all-namespacesto list all resources across all namespaces in your cluster -
Run
kubectl delete <resource-type> <name-of-resource> --namespace <namespace>
Note that for Deployments, you must first delete the Deployment and then the Pod. Otherwise the Pod will terminate and another will start it its place.
- Currently, deploying a local dev environment only works against a local K8s cluster and not an Openshift one
-
Search our open issues in GitHub to see what features are planned.
-
Select an existing issue or open a new issue to propose changes or fixes.
-
Add the
implementinglabel to the issue that you open or modify. -
Run existing tests locally and ensure they pass.
-
Create a branch and add your changes. Include appropriate tests and ensure that they pass.
-
Submit a pull request, linking the issue in the description (e.g. Connected to #123).
-
Add the
implementedlabel to the issue and request that a Cyberark engineer reviews and merges your code.
From here your pull request is reviewed. Once you have implemented all reviewer feedback, your code is merged into the project. Congratulations, you're a contributor!
To run existing unit tests, run ./bin/test_unit
When contributing to the CyberArk Secrets Provider for Kubernetes project, be sure to add the appropriate unit tests to either already existing test files or create new ones.
To follow Go testing conventions when creating a new test file, perform the following:
-
Create a new test file that matches the file naming pattern "*_test.go" in the proper
pkgfolder, close to the source code. -
Add the following to the import statement at the beginning of the file
import ( "testing" )
-
Create tests.
-
Run test suite,
./bin/test_unit
Our integration tests can be run against either a GKE / Openshift remote cluster. To do so, run ./bin/start and add the proper flags.
To deploy Secrets Manager, Self-Hosted / Conjur Open Source, add the --oss / --dap flags to the above command. By default, the integration tests run Secrets Manager, Self-Hosted, so no flag is required.
To deploy on GKE, add --gke. For Openshift, use --oldest / --current / --next. By default, the integration tests run on a GKE cluster,
so no flag is required.
For example:
- Deploy Conjur Open Source on GKE, run
./bin/start --oss --gke - Deploy Secrets Manager, Self-Hosted on Openshift, run
./bin/start --dap --current
To view tracing output from Secrets Provider, you can enable Jaeger tracing.
-
Create a local Jaeger instance.
kubectl create namespace jaeger kubectl config set-context --current --namespace=jaeger helm repo add jaegertracing https://jaegertracing.github.io/helm-charts helm install jaeger jaegertracing/jaeger
Wait about 5 minutes for the Jaeger instance to be ready (you can check the status with
kubectl get pods -n jaeger). Then run the following commands to expose the Jaeger UI on localhost:8080:pod_name=$(kubectl get pods --namespace jaeger -l "app.kubernetes.io/instance=jaeger,app.kubernetes.io/component=query" -o jsonpath="{.items[0].metadata.name}") kubectl port-forward --namespace jaeger $pod_name 8080:16686
-
Uncomment the following line in the template for the environment you are using in
bootstrap.env, for example, if usingSECRETS_MODE="p2f-rotation"then you'll need to update deploy/dev/config/k8s/secrets-provider-p2f-rotation.sh.yml:conjur.org/jaeger-collector-url: http://jaeger-collector.jaeger.svc.cluster.local:14268/api/traces
Now reload the dev environment with
./bin/start --dev --reloadand optionally run the e2e tests withgo test -timeout 0 -v ./e2e --tags=e2e.
Releases should be created by maintainers only. To create a tag and release, follow the instructions in this section.
- Review the git log and ensure the changelog contains all relevant recent changes with references to GitHub issues or PRs, if possible.
- Ensure that all documentation that needs to be written has been written by TW, approved by PO/Engineer, and pushed to the forward-facing documentation.
- Scan the project for vulnerabilities
-
Update the
CHANGELOG.mdfile with the new version and the changes that are included in the release. -
Update the version in the Chart version file.
-
Update
NOTICES.txtgo install github.com/google/go-licenses@latest # Verify that dependencies fit into supported licenses types. # If there is new dependency having unsupported license, that license should be # included to notices.tpl file in order to get generated in NOTICES.txt. $(go env GOPATH)/bin/go-licenses check ./... \ --allowed_licenses="MIT,ISC,Apache-2.0,BSD-3-Clause,BSD-2-Clause" \ --ignore $(go list std | awk 'NR > 1 { printf(",") } { printf("%s",$0) } END { print "" }') # If no errors occur, proceed to generate updated NOTICES.txt $(go env GOPATH)/bin/go-licenses report ./... \ --template notices.tpl \ --ignore github.com/cyberark/secrets-provider-for-k8s \ --ignore $(go list std | awk 'NR > 1 { printf(",") } { printf("%s",$0) } END { print "" }') \ > NOTICES.txt
-
Commit these changes -
Bump version to x.y.zis an acceptable commit message - and open a PR for review.
- Every build packages the Secrets Provider Helm chart for us. The package can be found under the 'Artifacts' tab of the Jenkins build and will resemble
secrets-provider-<version>.tgz. Navigate to the 'Artifacts' tab of the tagged version build and save this file. You will need it for the next step. - Clone the repo helm-charts and do the following:
- Move the Helm package file created in the previous step to the docs folder in the
helm-chartsrepo. - Go to the
helm-chartsrepo root folder and execute thereindex.shscript file located there. - Create a PR with those changes.
- Move the Helm package file created in the previous step to the docs folder in the
- Merging into main/master branches will automatically trigger a release. If successful, this release can be promoted at a later time.
- Jenkins build parameters can be utilized to promote a successful release or manually trigger aditional releases as needed.
- Reference the internal automated release doc for releasing and promoting.
- Visit the Red Hat project page once the images have been pushed and manually choose to publish the latest release.