From 99a691f804c4a89cacc32223ebd3db67bf7f174e Mon Sep 17 00:00:00 2001
From: Moritz Johner <100202497+moritzjohner-form3@users.noreply.github.com>
Date: Tue, 2 May 2023 22:00:00 +0200
Subject: [PATCH] feat: add hostNetwork option for controller/certController in helm chart (#2269)
Signed-off-by: Moritz Johner
---
 deploy/charts/external-secrets/README.md | 2 +
 .../templates/cert-controller-deployment.yaml | 1 +
 .../templates/deployment.yaml | 1 +
 .../cert_controller_test.yaml.snap | 60 ++++++++++++++++
 .../__snapshot__/controller_test.yaml.snap | 1 +
 .../tests/__snapshot__/webhook_test.yaml.snap | 72 +++++++++++++++++++
 .../tests/cert_controller_test.yaml | 49 +++++++++++++
 .../tests/controller_test.yaml | 7 ++
 .../external-secrets/tests/webhook_test.yaml | 49 +++++++++++++
 deploy/charts/external-secrets/values.yaml | 6 ++
 hack/helm.generate.sh | 2 +-
 11 files changed, 249 insertions(+), 1 deletion(-)
 create mode 100644 deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap
 create mode 100644 deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap
 create mode 100644 deploy/charts/external-secrets/tests/cert_controller_test.yaml
 create mode 100644 deploy/charts/external-secrets/tests/webhook_test.yaml
diff --git a/deploy/charts/external-secrets/README.md b/deploy/charts/external-secrets/README.md
index b495dc9b4..8ad7f9d6b 100644
--- a/deploy/charts/external-secrets/README.md
+++ b/deploy/charts/external-secrets/README.md
@@ -43,6 +43,7 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.extraVolumeMounts | list | `[]` | |
 | certController.extraVolumes | list | `[]` | |
 | certController.fullnameOverride | string | `""` | |
+| certController.hostNetwork | bool | `false` | Run the certController on the host network |
 | certController.image.pullPolicy | string | `"IfNotPresent"` | |
 | certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
 | certController.image.tag | string | `""` | |
@@ -98,6 +99,7 @@ The command removes all the Kubernetes components associated with the chart and
 | extraVolumeMounts | list | `[]` | |
 | extraVolumes | list | `[]` | |
 | fullnameOverride | string | `""` | |
+| hostNetwork | bool | `false` | Run the controller on the host network |
 | image.pullPolicy | string | `"IfNotPresent"` | |
 | image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
 | image.tag | string | `""` | The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |
diff --git a/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml b/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
index 66282d5eb..a9a6dee8b 100644
--- a/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
+++ b/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
@@ -38,6 +38,7 @@ spec:
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ hostNetwork: {{ .Values.certController.hostNetwork }}
 containers:
 - name: cert-controller
 {{- with .Values.certController.securityContext }}
diff --git a/deploy/charts/external-secrets/templates/deployment.yaml b/deploy/charts/external-secrets/templates/deployment.yaml
index 7500f6e67..6db2fc403 100644
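Review bot: `hostNetwork: {{ .Values.certController.hostNetwork }}` moves the pod into the node's network namespace when enabled, but nothing else in the pod spec follows: the default `dnsPolicy` on a host-network pod resolves through the node's resolver rather than cluster DNS, so any in-cluster name the process relies on stops resolving, and the `containerPort: 8080` metrics listener now binds on the node's interfaces, where a second replica scheduled onto the same node collides with it. The same applies to the `.Values.hostNetwork` line in deployment.yaml. Note also that `hostNetwork: true` is rejected by the Pod Security Standards "baseline" profile, so users enabling it in an enforced namespace will see the deployment refused; that belongs in the value's documentation. A guarded `{{- if .Values.certController.hostNetwork }}` / `dnsPolicy: ClusterFirstWithHostNet` / `{{- end }}` directly under the new line (or an exposed `dnsPolicy` value) would keep cluster DNS working. The enclosing pod `spec:` continues outside the hunk.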
--- a/deploy/charts/external-secrets/templates/deployment.yaml
+++ b/deploy/charts/external-secrets/templates/deployment.yaml
@@ -38,6 +38,7 @@ spec:
 securityContext:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ hostNetwork: {{ .Values.hostNetwork }}
 containers:
 - name: {{ .Chart.Name }}
 {{- with .Values.securityContext }}
diff --git a/deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap b/deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap
new file mode 100644
index 000000000..477f5ee21
--- /dev/null
+++ b/deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap
@@ -0,0 +1,60 @@ +should match snapshot of default values: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: external-secrets-cert-controller + app.kubernetes.io/version: v0.8.1 + helm.sh/chart: external-secrets-0.8.1 + name: RELEASE-NAME-external-secrets-cert-controller + namespace: NAMESPACE + spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: external-secrets-cert-controller + template: + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: external-secrets-cert-controller + spec: + automountServiceAccountToken: true + containers: + - args: + - certcontroller + - --crd-requeue-interval=5m + - --service-name=RELEASE-NAME-external-secrets-webhook + - --service-namespace=NAMESPACE + - --secret-name=RELEASE-NAME-external-secrets-webhook + - --secret-namespace=NAMESPACE + image: ghcr.io/external-secrets/external-secrets:v0.8.1 + imagePullPolicy: IfNotPresent + name: cert-controller + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 20 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + hostNetwork: false + serviceAccountName: external-secrets-cert-controller
diff --git a/deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap b/deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap
index bbea3cff7..cd1f2b0eb 100644
--- a/deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap
+++ b/deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap
@@ -45,4 +45,5 @@ should match snapshot of default values: runAsUser: 1000 seccompProfile: type: RuntimeDefault + hostNetwork: false serviceAccountName: RELEASE-NAME-external-secrets
diff --git a/deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap b/deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap
new file mode 100644
index 000000000..df5a4b03b
--- /dev/null
+++ b/deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap
@@ -0,0 +1,72 @@ +should match snapshot of default values: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: external-secrets-webhook + app.kubernetes.io/version: v0.8.1 + helm.sh/chart: external-secrets-0.8.1 + name: RELEASE-NAME-external-secrets-webhook + namespace: NAMESPACE + spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: external-secrets-webhook + template: + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: external-secrets-webhook + spec: + automountServiceAccountToken: true + containers: + - args: + - webhook + - --port=10250 + - --dns-name=RELEASE-NAME-external-secrets-webhook.NAMESPACE.svc + - --cert-dir=/tmp/certs + - --check-interval=5m + - --metrics-addr=:8080 + - --healthz-addr=:8081 + image: ghcr.io/external-secrets/external-secrets:v0.8.1 + imagePullPolicy: IfNotPresent + name: webhook + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 10250 + name: webhook + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 20 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /tmp/certs + name: certs + readOnly: true + hostNetwork: false + serviceAccountName: external-secrets-webhook + volumes: + - name: certs + secret: + secretName: RELEASE-NAME-external-secrets-webhook
diff --git a/deploy/charts/external-secrets/tests/cert_controller_test.yaml b/deploy/charts/external-secrets/tests/cert_controller_test.yaml
new file mode 100644
index 000000000..5d66e32df
--- /dev/null
+++ b/deploy/charts/external-secrets/tests/cert_controller_test.yaml
@@ -0,0 +1,49 @@
+suite: test cert controller deployment
+templates:
+ - cert-controller-deployment.yaml
+tests:
+ - it: should match snapshot of default values
+ asserts:
+ - matchSnapshot: {}
+ - it: should set imagePullPolicy to Always
+ set:
+ certController.image.pullPolicy: Always
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: Always
+ - it: should imagePullPolicy to be default value IfNotPresent
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: IfNotPresent
+ - it: should override securityContext
+ set:
+ certController.podSecurityContext:
+ runAsUser: 2000
+ certController.securityContext:
+ runAsUser: 3000
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 2000
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 3000
+ seccompProfile:
+ type: RuntimeDefault
+ - it: should override hostNetwork
+ set:
+ certController.hostNetwork: true
+ asserts:
+ - equal:
+ path: spec.template.spec.hostNetwork
+ value: true
diff --git a/deploy/charts/external-secrets/tests/controller_test.yaml b/deploy/charts/external-secrets/tests/controller_test.yaml
index 2e81d1624..727e71cf6 100644
--- a/deploy/charts/external-secrets/tests/controller_test.yaml
+++ b/deploy/charts/external-secrets/tests/controller_test.yaml
@@ -40,3 +40,10 @@ tests:
 runAsUser: 3000
 seccompProfile:
 type: RuntimeDefault
+ - it: should override hostNetwork
+ set:
+ hostNetwork: true
+ asserts:
+ - equal:
+ path: spec.template.spec.hostNetwork
+ value: true
diff --git a/deploy/charts/external-secrets/tests/webhook_test.yaml b/deploy/charts/external-secrets/tests/webhook_test.yaml
new file mode 100644
index 000000000..9c6eb695e
--- /dev/null
+++ b/deploy/charts/external-secrets/tests/webhook_test.yaml
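Review bot: The new `should override hostNetwork` case only exercises the enabled path; the default-off posture is pinned by the snapshot alone, which is rewritten wholesale whenever snapshots are regenerated, so a flipped default would go unnoticed. An explicit case, `- it: should default hostNetwork to false` asserting `path: spec.template.spec.hostNetwork` with `value: false`, would guard the secure default; the same gap exists in the controller_test.yaml hunk and in webhook_test.yaml. As a style point, the case name `should imagePullPolicy to be default value IfNotPresent` reads oddly and `should default imagePullPolicy to IfNotPresent` is clearer (the same wording is copied into webhook_test.yaml).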
@@ -0,0 +1,49 @@
+suite: test webhook deployment
+templates:
+ - webhook-deployment.yaml
+tests:
+ - it: should match snapshot of default values
+ asserts:
+ - matchSnapshot: {}
+ - it: should set imagePullPolicy to Always
+ set:
+ webhook.image.pullPolicy: Always
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: Always
+ - it: should imagePullPolicy to be default value IfNotPresent
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: IfNotPresent
+ - it: should override securityContext
+ set:
+ webhook.podSecurityContext:
+ runAsUser: 2000
+ webhook.securityContext:
+ runAsUser: 3000
+ asserts:
+ - equal:
+ path: spec.template.spec.securityContext
+ value:
+ runAsUser: 2000
+ - equal:
+ path: spec.template.spec.containers[0].securityContext
+ value:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 3000
+ seccompProfile:
+ type: RuntimeDefault
+ - it: should override hostNetwork
+ set:
+ webhook.hostNetwork: true
+ asserts:
+ - equal:
+ path: spec.template.spec.hostNetwork
+ value: true
diff --git a/deploy/charts/external-secrets/values.yaml b/deploy/charts/external-secrets/values.yaml
index 4b501acc4..20dc6614a 100644
--- a/deploy/charts/external-secrets/values.yaml
+++ b/deploy/charts/external-secrets/values.yaml
@@ -194,6 +194,9 @@ podDisruptionBudget: minAvailable: 1 # maxUnavailable: 1 +# -- Run the controller on the host network +hostNetwork: false + webhook: # -- Specifies whether a webhook deployment be created. create: true
@@ -372,6 +375,9 @@ certController: affinity: {} + # -- Run the certController on the host network + hostNetwork: false + # -- Pod priority class name. priorityClassName: ""
diff --git a/hack/helm.generate.sh b/hack/helm.generate.sh
index e72760c78..098aba04b 100755
--- a/hack/helm.generate.sh
+++ b/hack/helm.generate.sh
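Review bot: The `should override hostNetwork` case sets `webhook.hostNetwork: true`, yet this commit declares `hostNetwork` only for the controller and certController in values.yaml and the README rows, and webhook-deployment.yaml is not in the diffstat. Presumably the webhook template already renders `.Values.webhook.hostNetwork` (the new webhook snapshot shows `hostNetwork: false`), but if the key is missing from values.yaml it should be added with a `# --` comment next to the two introduced here so it is documented and defaults explicitly to `false` rather than rendering from an absent value. Worth confirming before this test is taken as documentation of a supported option.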
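Review bot: The two new comments, `# -- Run the controller on the host network` here and `# -- Run the certController on the host network` in the second hunk, name the mechanism but not its consequences, which is what a chart user needs before enabling a privileged setting. Suggest `# -- Run the controller on the host network. Shares the node's network namespace (disallowed by the Pod Security "baseline" profile) and normally requires dnsPolicy ClusterFirstWithHostNet for cluster DNS to keep working.` and the equivalent for certController. The README table rows in this commit appear to be generated from these `# --` comments (helm-docs convention), so the fuller text would carry over there as well.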
@@ -33,7 +33,7 @@ for i in "${HELM_DIR}"/templates/crds/*.yml; do $SEDPRG -i 's/namespace: default/namespace: {{ .Release.Namespace | quote }}/g' "$i" $SEDPRG -i '0,/annotations/!b;//a\ {{- with .Values.crds.annotations }}\n {{- toYaml . | nindent 4}}\n {{- end }}' "$i" - sed -i '/ conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i" + $SEDPRG -i '/ conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i" echo "{{- end }}" >> "$i" mv "$i" "${i%.yml}.yaml" done \ No newline at end of file
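Review bot: The changed `$SEDPRG -i '/ conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"` only inserts the opening `if` when a ` conversion:` line matches, while the `echo "{{- end }}" >> "$i"` on the next line appends the closing `end` unconditionally, so a generated CRD without a conversion stanza would carry an unmatched `{{- end }}` and break chart rendering. If every CRD the generator emits is guaranteed to contain one, a comment stating that assumption above the pair (`# every generated CRD carries a conversion stanza; the if/end pair below relies on it`) would stop a later regression; otherwise the `echo` should be guarded on the same match. The `for` loop enclosing these lines begins before the hunk, and the pre-existing `\ No newline at end of file` on `done` could be fixed while the file is being touched.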