Support syncing

README.md

@@ -20,6 +20,8 @@ An example values file that fetches from HashiCorp Vault and GitLab CI:
 inventory:
   # Run every 15 minutes
   schedule: '*/15 * * * *'
+  # Set to `true` to enable syncing secrets from GitGuardian into your vaults
+  sync: false
   config:
     sources:
       vault-secrets:

charts/nhi-scout/templates/cronjob.yaml → charts/nhi-scout/templates/_cronjob.tpl

@@ -1,8 +1,8 @@
----
+{{- define "nhi-scout.cronjob" -}}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  name: {{ include "nhi-scout.fullname" . }}
+  name: {{ .cronjob_name }}-{{ include "nhi-scout.fullname" . }}
   labels:
     {{- include "nhi-scout.labels" . | nindent 4 }}
 spec:
@@ -26,11 +26,7 @@ spec:
               image: "{{ .Values.image.repository }}:{{ .Values.inventory.version }}"
               imagePullPolicy: {{ .Values.image.pullPolicy }}
               args:
-                {{- if ne .Values.inventory.config.gitguardian nil }}
-                - fetch-and-send
-                {{- else }}
-                - fetch
-                {{- end }}
+                - {{ .command }}
                 {{- if .Values.inventory.log_level }}
                 - --verbose={{ .Values.inventory.log_level }}
                 {{- end}}
@@ -70,3 +66,4 @@ spec:
             {{- range .Values.volumes }}
             - {{ toJson . }}
             {{- end }}
+{{- end -}}

charts/nhi-scout/templates/cronjob_inventory.yaml

@@ -0,0 +1,6 @@
+{{ $command := "fetch" -}}
+{{- if ne .Values.inventory.config.gitguardian nil }}
+{{ $command = "fetch-and-send" -}}
+{{- end }}
+
+{{ include "nhi-scout.cronjob" (merge . (dict "cronjob_name" "inventory" "command" $command) ) }}

charts/nhi-scout/templates/cronjob_sync.yaml

@@ -0,0 +1,3 @@
+{{ if .Values.inventory.config.gitguardian }}
+{{ include "nhi-scout.cronjob" (merge . (dict "cronjob_name" "sync" "command" "sync-secrets") ) }}
+{{ end }}

charts/nhi-scout/tests/cronjob_test.yaml → charts/nhi-scout/tests/base_cronjob_test.yaml

@@ -1,20 +1,21 @@
 ---
 # Test docs: https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md
-suite: test cronjob
+suite: test base cronjob
 values:
 - ../test_values.yaml
 templates:
-- cronjob.yaml
+- cronjob_inventory.yaml
+- cronjob_sync.yaml
+set:
+  inventory.config.gitguardian.api_token: "foobar"
+  inventory.config.gitguardian.endpoint: "https://some-url.com"
 tests:
 - it: should work
   set:
     inventory.version: latest
   asserts:
   - isKind:
       of: CronJob
-  - matchRegex:
-      path: metadata.name
-      pattern: -nhi-scout$
   - equal:
       path: spec.jobTemplate.spec.template.spec.containers[0].image
       value: ghcr.io/gitguardian/gitguardian-nhi-scout/chainguard:latest
@@ -97,23 +98,6 @@ tests:
         name: foo
         value: bar
 
-- it: should use the gitguardian command if set
-  set:
-    inventory.config.gitguardian.api_token: "foobar"
-    inventory.config.gitguardian.endpoint: "https://some-url.com"
-  asserts:
-  - equal:
-      path: spec.jobTemplate.spec.template.spec.containers[0].args[0]
-      value: "fetch-and-send"
-
-- it: should use the fetch command if no upload is set
-  set:
-    inventory.config.gitguardian: null
-  asserts:
-  - equal:
-      path: spec.jobTemplate.spec.template.spec.containers[0].args[0]
-      value: "fetch"
-
 - it: should use the right log level
   set:
     inventory.config.log_level: info

charts/nhi-scout/tests/inventory_cronjob_test.yaml

@@ -0,0 +1,34 @@
+---
+# Test docs: https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md
+suite: test inventory cronjob
+values:
+- ../test_values.yaml
+templates:
+- cronjob_inventory.yaml
+tests:
+- it: should work
+  set:
+    inventory.version: latest
+  asserts:
+  - isKind:
+      of: CronJob
+  - matchRegex:
+      path: metadata.name
+      pattern: inventory-.*-nhi-scout$
+
+- it: should use the gitguardian command if set
+  set:
+    inventory.config.gitguardian.api_token: "foobar"
+    inventory.config.gitguardian.endpoint: "https://some-url.com"
+  asserts:
+  - equal:
+      path: spec.jobTemplate.spec.template.spec.containers[0].args[0]
+      value: "fetch-and-send"
+
+- it: should use the fetch command if no upload is set
+  set:
+    inventory.config.gitguardian: null
+  asserts:
+  - equal:
+      path: spec.jobTemplate.spec.template.spec.containers[0].args[0]
+      value: "fetch"

charts/nhi-scout/tests/sync_cronjob_test.yaml

@@ -0,0 +1,34 @@
+---
+# Test docs: https://github.com/helm-unittest/helm-unittest/blob/main/DOCUMENT.md
+suite: test sync cronjob
+values:
+- ../test_values.yaml
+templates:
+- cronjob_sync.yaml
+set:
+  inventory.config.gitguardian.api_token: "foobar"
+  inventory.config.gitguardian.endpoint: "https://some-url.com"
+tests:
+- it: should work
+  set:
+    inventory.version: latest
+  asserts:
+  - isKind:
+      of: CronJob
+  - matchRegex:
+      path: metadata.name
+      pattern: sync-.*-nhi-scout$
+
+- it: should use the gitguardian command if set
+  asserts:
+  - equal:
+      path: spec.jobTemplate.spec.template.spec.containers[0].args[0]
+      value: "sync-secrets"
+
+- it: should use the fetch command if no upload is set
+  set:
+    inventory.config.gitguardian: null
+  asserts:
+  - containsDocument:
+      kind: CronJob
+    not: true

charts/nhi-scout/values-base-schema.schema.json

@@ -8,6 +8,7 @@
       "properties": {
         "version": {"type": "string"},
         "schedule": {"type": "string"},
+        "sync": {"type": "boolean"},
         "log_level": {
           "$ref": "inventory-log-level.schema.json"
         },

charts/nhi-scout/values.schema.json

@@ -23,6 +23,12 @@
           "type": "string",
           "minLength": 0
         },
+        "sync": {
+          "enum": [
+            false,
+            true
+          ]
+        },
         "version": {
           "type": "string",
           "minLength": 0

charts/nhi-scout/values.yaml

@@ -9,6 +9,8 @@ inventory:
   # Schedule to run the collection on
   schedule: "*/15 * * * *"
   log_level: info
+  # Enable syncing secrets to vaults
+  sync: false
   # Need to add this explicitly
   config: null