Go hooks (#46)

- Migrated from python to go hooks
- Fixed documentation

---------

Co-authored-by: Suleyman Farrakhov <[email protected]>

Author: farr-slmn

.werf/defines/image-build.tmpl

@@ -0,0 +1,20 @@
+{{- define "image-build.build" }}
+{{-   if ne $.SVACE_ENABLED "false" }}
+svace build --init --clear-build-dir {{ .BuildCommand }}
+attempt=0
+retries=5
+success=0
+set +e
+while [[ $attempt -lt $retries ]]; do
+  ssh -o ConnectTimeout=10 -o ServerAliveInterval=10 -o ServerAliveCountMax=12 {{ $.SVACE_ANALYZE_SSH_USER }}@{{ $.SVACE_ANALYZE_HOST }} mkdir -p /svace-analyze/{{ $.Commit.Hash }}/{{ $.ProjectName }}/.svace-dir
+  rsync -zr --timeout=10 --compress-choice=zstd --partial --append-verify .svace-dir {{ $.SVACE_ANALYZE_SSH_USER }}@{{ $.SVACE_ANALYZE_HOST }}:/svace-analyze/{{ $.Commit.Hash }}/{{ $.ProjectName }}/ && success=1 && break
+  sleep 10
+  attempt=$((attempt + 1))
+done
+set -e
+[[ $success == 1 ]] && rm -rf .svace-dir || exit 1
+{{ .BuildCommand }}
+{{-   else }}
+{{ .BuildCommand }}
+{{-   end }}
+{{- end }}

.werf/stages/bundle.yaml

@@ -12,21 +12,25 @@ import:
   - version.json
   after: setup
 # Rendering .werf/stages/python-deps.yaml is required! Comment out if not needed.
-- image: python-dependencies
-  add: /lib/python/dist
-  to: /lib/python/dist
-  after: setup
+# - image: python-dependencies
+#   add: /lib/python/dist
+#   to: /lib/python/dist
+#   after: setup
 # Uncomment if you use batch hooks built with batch-go.yaml werf job
 # - image: batch-hooks
 #   add: /usr/local/bin/batchhooks
 #   to: /hooks/batchhooks
 #   after: setup
+- image: go-hooks-artifact
+  add: /go-hooks
+  to: /hooks/go-hooks
+  after: setup
 git:
 - add: /
   to: /
   # Uncomment if you use batch-go.yaml werf job
-  # excludePaths:
-  # - hooks/batch # exclude sources
+  excludePaths:
+  - hooks/batch # exclude sources
   includePaths:
   - .helmignore
   - docs

.werf/stages/images.yaml

@@ -1,12 +1,22 @@
 {{- $ImagesBuildFiles := .Files.Glob "images/*/{Dockerfile,werf.inc.yaml}" }}
+{{- $Root := . }}
 
 {{- range $path, $content := $ImagesBuildFiles  }}
   {{- $ctx := dict }}
   {{- $_ := set $ctx "ImageName" ($path | split "/")._1 }}
   {{- $_ := set $ctx "ImagePath" (printf "/images/%s" $ctx.ImageName) }}
   {{- $_ := set $ctx "ModuleNamePrefix" "" }}
-  {{- $_ := set $ctx "GOPROXY" "https://proxy.golang.org,direct" }}
-  {{- $_ := set $ctx "SOURCE_REPO" "false" }}
+  {{- $_ := set $ctx "ModuleDir" "/" }}
+  {{- $_ := set $ctx "GOPROXY" $Root.GOPROXY }}
+  {{- $_ := set $ctx "SOURCE_REPO" $Root.SOURCE_REPO }}
+  {{- $_ := set $ctx "DistroPackagesProxy" $Root.DistroPackagesProxy }}
+  {{- $_ := set $ctx "Commit" $Root.Commit }}
+  {{- $_ := set $ctx "ProjectName" (printf "%s/%s" $Root.MODULES_MODULE_NAME $ctx.ImageName ) }}
+  {{- $_ := set $ctx "SVACE_IMAGE_SUFFIX" $Root.SVACE_IMAGE_SUFFIX }}
+  {{- $_ := set $ctx "SVACE_ENABLED" $Root.SVACE_ENABLED }}
+  {{- $_ := set $ctx "SVACE_ANALYZE_SSH_USER" $Root.SVACE_ANALYZE_SSH_USER }}
+  {{- $_ := set $ctx "SVACE_ANALYZE_HOST" $Root.SVACE_ANALYZE_HOST }}
+  {{- $_ := set $ctx "STRONGHOLD_EDITION" $Root.STRONGHOLD_EDITION }}
   {{- $_ := set $ctx "Files" $.Files }}
 ---
   {{- /* For Dockerfile just render it from the folder. */ -}}

.werf/stages/python-deps.yaml

@@ -48,6 +48,7 @@ spec:
        WoR9b11eYfyrnKCYoSqBoi2dwkCkV1a0GN9vStwiBnKnAmV3B8B5yMnSjmp+42gt
        o2SYzqM=
        -----END CERTIFICATE-----
+   connectionConfiguration: Manual
 ```
 
 **Крайне рекомендуется задавать переменную `caCert`. Если она не задана, будет использовано содержимое системного ca-certificates.**

docs/USAGE_RU.md

@@ -0,0 +1,32 @@
+// Copyright (c) Flant JSC
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type SecretStoreImportSpec struct {
+	AuthPath      string `json:"authPath,omitempty"`
+	Namespace     string `json:"namespace,omitempty"`
+	Address       string `json:"address,omitempty"`
+	CACert        string `json:"caCert,omitempty"`
+	Audience      string `json:"audience,omitempty"`
+	SkipTLSVerify bool   `json:"skipTLSVerify,omitempty"`
+	Files         []*struct {
+		Name   string `json:"name,omitempty"`
+		Source struct {
+			Key  string `json:"key,omitempty"`
+			Path string `json:"path,omitempty"`
+		} `json:"source,omitempty"`
+	} `json:"files,omitempty"`
+	Role string `json:"role,omitempty"`
+	Type string `json:"type,omitempty"`
+}
+
+type SecretStoreImport struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              SecretStoreImportSpec `json:"spec,omitempty"`
+}

hooks/batch/api/secrets-store-import.go

@@ -0,0 +1,11 @@
+// Copyright (c) Flant JSC
+// SPDX-License-Identifier: Apache-2.0
+
+package common
+
+import (
+	ensure_crds "github.com/deckhouse/module-sdk/common-hooks/ensure_crds"
+)
+
+var _ = ensure_crds.RegisterEnsureCRDsHookEM("../crds/*.yaml")
+var _ = ensure_crds.RegisterEnsureCRDsHookEM("../crds/*/*.yaml")

hooks/batch/common/ensure_crds.go

@@ -0,0 +1,22 @@
+// Copyright (c) Flant JSC
+// SPDX-License-Identifier: Apache-2.0
+
+package common
+
+import (
+	"fmt"
+	"secrets-store-integration-hook/consts"
+
+	tlscertificate "github.com/deckhouse/module-sdk/common-hooks/tls-certificate"
+)
+
+var _ = tlscertificate.RegisterInternalTLSHookEM(tlscertificate.GenSelfSignedTLSHookConf{
+	CN:                    consts.WebhookName,
+	TLSSecretName:         fmt.Sprintf("%s-tls", consts.WebhookName),
+	Namespace:             consts.ModuleNamespace,
+	CommonCACanonicalName: "Deckhouse",
+	SANs: tlscertificate.DefaultSANs([]string{
+		fmt.Sprintf("%s.%s.svc", consts.WebhookName, consts.ModuleNamespace),
+	}),
+	FullValuesPathPrefix: fmt.Sprintf("%s.internal.webhookCert", consts.DotValuesModuleName),
+})

hooks/batch/common/webhook_certificate.go

@@ -0,0 +1,15 @@
+// Copyright (c) Flant JSC
+// SPDX-License-Identifier: Apache-2.0
+
+package consts
+
+const (
+	ModuleName          string = "secrets-store-integration"
+	ModuleNamespace     string = "d8-secrets-store-integration"
+	DotValuesModuleName string = "secretsStoreIntegration"
+	WebhookName         string = "vault-secrets-webhook"
+	SSIKind             string = "SecretsStoreImport"
+	SSIapiVersion       string = "deckhouse.io/v1alpha1"
+	SPCKind             string = "SecretProviderClass"
+	SPCapiVersion       string = "secrets-store.csi.x-k8s.io/v1"
+)

hooks/batch/consts/consts.go

@@ -0,0 +1,102 @@
+module secrets-store-integration-hook
+
+go 1.23.10
+
+toolchain go1.24.6
+
+require (
+	github.com/deckhouse/module-sdk v0.3.6
+	k8s.io/apimachinery v0.30.11
+	sigs.k8s.io/secrets-store-csi-driver v1.5.3
+)
+
+require (
+	github.com/DataDog/gostackparse v0.7.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/caarlos0/env/v11 v11.3.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cloudflare/cfssl v1.6.5 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/deckhouse/deckhouse/pkg/log v0.0.0-20250424095005-9ab587d01d7a // indirect
+	github.com/docker/cli v24.0.0+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/docker v25.0.6+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/ettle/strcase v0.2.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/gojuno/minimock/v3 v3.4.5 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/certificate-transparency-go v1.1.7 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-containerregistry v0.17.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jmoiron/sqlx v1.3.5 // indirect
+	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.16.5 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
+	github.com/pelletier/go-toml v1.9.3 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/sylabs/oci-tools v0.7.0 // indirect
+	github.com/tidwall/gjson v1.18.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/vbatts/tar-split v0.11.3 // indirect
+	github.com/weppos/publicsuffix-go v0.30.0 // indirect
+	github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300 // indirect
+	github.com/zmap/zlint/v3 v3.5.0 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/time v0.8.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.30.11 // indirect
+	k8s.io/apiextensions-apiserver v0.30.11 // indirect
+	k8s.io/client-go v0.30.11 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
+	sigs.k8s.io/controller-runtime v0.18.7 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)