feat: add hostNetwork option for controller/certController in helm chart (#2269)
Signed-off-by: Moritz Johner <Moritz.Johner@form3.tech>
This commit is contained in:
parent
6130c8f43b
commit
99a691f804
11 changed files with 249 additions and 1 deletions
|
@ -43,6 +43,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| certController.extraVolumeMounts | list | `[]` | |
|
| certController.extraVolumeMounts | list | `[]` | |
|
||||||
| certController.extraVolumes | list | `[]` | |
|
| certController.extraVolumes | list | `[]` | |
|
||||||
| certController.fullnameOverride | string | `""` | |
|
| certController.fullnameOverride | string | `""` | |
|
||||||
|
| certController.hostNetwork | bool | `false` | Run the certController on the host network |
|
||||||
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
|
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
|
||||||
| certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
|
| certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
|
||||||
| certController.image.tag | string | `""` | |
|
| certController.image.tag | string | `""` | |
|
||||||
|
@ -98,6 +99,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| extraVolumeMounts | list | `[]` | |
|
| extraVolumeMounts | list | `[]` | |
|
||||||
| extraVolumes | list | `[]` | |
|
| extraVolumes | list | `[]` | |
|
||||||
| fullnameOverride | string | `""` | |
|
| fullnameOverride | string | `""` | |
|
||||||
|
| hostNetwork | bool | `false` | Run the controller on the host network |
|
||||||
| image.pullPolicy | string | `"IfNotPresent"` | |
|
| image.pullPolicy | string | `"IfNotPresent"` | |
|
||||||
| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
|
| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
|
||||||
| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |
|
| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |
|
||||||
|
|
|
@ -38,6 +38,7 @@ spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
hostNetwork: {{ .Values.certController.hostNetwork }}
|
||||||
containers:
|
containers:
|
||||||
- name: cert-controller
|
- name: cert-controller
|
||||||
{{- with .Values.certController.securityContext }}
|
{{- with .Values.certController.securityContext }}
|
||||||
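Review bot: `hostNetwork: {{ .Values.certController.hostNetwork }}` is added without a matching `dnsPolicy`, so a pod rendered with the value set to true keeps the default `ClusterFirst` policy, which for host-network pods falls back to the node's resolver (per the Kubernetes DNS-policy documentation) and in-cluster service names such as an in-cluster secret provider stop resolving. Guard a policy on the same flag next to the new line: `{{- if .Values.certController.hostNetwork }}` / `dnsPolicy: ClusterFirstWithHostNet` / `{{- end }}`. The same applies to `hostNetwork: {{ .Values.hostNetwork }}` in the deployment.yaml hunk at L131-L167. The enclosing pod spec starts and ends outside the hunk, so a `dnsPolicy` may already be rendered elsewhere in the template; if so, only the interaction needs a comment.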
|
|
|
@ -38,6 +38,7 @@ spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
{{- toYaml . | nindent 8 }}
|
{{- toYaml . | nindent 8 }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
hostNetwork: {{ .Values.hostNetwork }}
|
||||||
containers:
|
containers:
|
||||||
- name: {{ .Chart.Name }}
|
- name: {{ .Chart.Name }}
|
||||||
{{- with .Values.securityContext }}
|
{{- with .Values.securityContext }}
|
||||||
|
|
|
@ -0,0 +1,60 @@
|
||||||
|
should match snapshot of default values:
|
||||||
|
1: |
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/instance: RELEASE-NAME
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/name: external-secrets-cert-controller
|
||||||
|
app.kubernetes.io/version: v0.8.1
|
||||||
|
helm.sh/chart: external-secrets-0.8.1
|
||||||
|
name: RELEASE-NAME-external-secrets-cert-controller
|
||||||
|
namespace: NAMESPACE
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
revisionHistoryLimit: 10
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/instance: RELEASE-NAME
|
||||||
|
app.kubernetes.io/name: external-secrets-cert-controller
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/instance: RELEASE-NAME
|
||||||
|
app.kubernetes.io/name: external-secrets-cert-controller
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
containers:
|
||||||
|
- args:
|
||||||
|
- certcontroller
|
||||||
|
- --crd-requeue-interval=5m
|
||||||
|
- --service-name=RELEASE-NAME-external-secrets-webhook
|
||||||
|
- --service-namespace=NAMESPACE
|
||||||
|
- --secret-name=RELEASE-NAME-external-secrets-webhook
|
||||||
|
- --secret-namespace=NAMESPACE
|
||||||
|
image: ghcr.io/external-secrets/external-secrets:v0.8.1
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
name: cert-controller
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
||||||
|
name: metrics
|
||||||
|
protocol: TCP
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /readyz
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 20
|
||||||
|
periodSeconds: 5
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
hostNetwork: false
|
||||||
|
serviceAccountName: external-secrets-cert-controller
|
|
@ -45,4 +45,5 @@ should match snapshot of default values:
|
||||||
runAsUser: 1000
|
runAsUser: 1000
|
||||||
seccompProfile:
|
seccompProfile:
|
||||||
type: RuntimeDefault
|
type: RuntimeDefault
|
||||||
|
hostNetwork: false
|
||||||
serviceAccountName: RELEASE-NAME-external-secrets
|
serviceAccountName: RELEASE-NAME-external-secrets
|
||||||
|
|
|
@ -0,0 +1,72 @@
|
||||||
|
should match snapshot of default values:
|
||||||
|
1: |
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/instance: RELEASE-NAME
|
||||||
|
app.kubernetes.io/managed-by: Helm
|
||||||
|
app.kubernetes.io/name: external-secrets-webhook
|
||||||
|
app.kubernetes.io/version: v0.8.1
|
||||||
|
helm.sh/chart: external-secrets-0.8.1
|
||||||
|
name: RELEASE-NAME-external-secrets-webhook
|
||||||
|
namespace: NAMESPACE
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
revisionHistoryLimit: 10
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/instance: RELEASE-NAME
|
||||||
|
app.kubernetes.io/name: external-secrets-webhook
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/instance: RELEASE-NAME
|
||||||
|
app.kubernetes.io/name: external-secrets-webhook
|
||||||
|
spec:
|
||||||
|
automountServiceAccountToken: true
|
||||||
|
containers:
|
||||||
|
- args:
|
||||||
|
- webhook
|
||||||
|
- --port=10250
|
||||||
|
- --dns-name=RELEASE-NAME-external-secrets-webhook.NAMESPACE.svc
|
||||||
|
- --cert-dir=/tmp/certs
|
||||||
|
- --check-interval=5m
|
||||||
|
- --metrics-addr=:8080
|
||||||
|
- --healthz-addr=:8081
|
||||||
|
image: ghcr.io/external-secrets/external-secrets:v0.8.1
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
name: webhook
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
||||||
|
name: metrics
|
||||||
|
protocol: TCP
|
||||||
|
- containerPort: 10250
|
||||||
|
name: webhook
|
||||||
|
protocol: TCP
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /readyz
|
||||||
|
port: 8081
|
||||||
|
initialDelaySeconds: 20
|
||||||
|
periodSeconds: 5
|
||||||
|
securityContext:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /tmp/certs
|
||||||
|
name: certs
|
||||||
|
readOnly: true
|
||||||
|
hostNetwork: false
|
||||||
|
serviceAccountName: external-secrets-webhook
|
||||||
|
volumes:
|
||||||
|
- name: certs
|
||||||
|
secret:
|
||||||
|
secretName: RELEASE-NAME-external-secrets-webhook
|
|
@ -0,0 +1,49 @@
|
||||||
|
suite: test cert controller deployment
|
||||||
|
templates:
|
||||||
|
- cert-controller-deployment.yaml
|
||||||
|
tests:
|
||||||
|
- it: should match snapshot of default values
|
||||||
|
asserts:
|
||||||
|
- matchSnapshot: {}
|
||||||
|
- it: should set imagePullPolicy to Always
|
||||||
|
set:
|
||||||
|
certController.image.pullPolicy: Always
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.containers[0].imagePullPolicy
|
||||||
|
value: Always
|
||||||
|
- it: should imagePullPolicy to be default value IfNotPresent
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.containers[0].imagePullPolicy
|
||||||
|
value: IfNotPresent
|
||||||
|
- it: should override securityContext
|
||||||
|
set:
|
||||||
|
certController.podSecurityContext:
|
||||||
|
runAsUser: 2000
|
||||||
|
certController.securityContext:
|
||||||
|
runAsUser: 3000
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.securityContext
|
||||||
|
value:
|
||||||
|
runAsUser: 2000
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.containers[0].securityContext
|
||||||
|
value:
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 3000
|
||||||
|
seccompProfile:
|
||||||
|
type: RuntimeDefault
|
||||||
|
- it: should override hostNetwork
|
||||||
|
set:
|
||||||
|
certController.hostNetwork: true
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.hostNetwork
|
||||||
|
value: true
|
|
@ -40,3 +40,10 @@ tests:
|
||||||
runAsUser: 3000
|
runAsUser: 3000
|
||||||
seccompProfile:
|
seccompProfile:
|
||||||
type: RuntimeDefault
|
type: RuntimeDefault
|
||||||
|
- it: should override hostNetwork
|
||||||
|
set:
|
||||||
|
hostNetwork: true
|
||||||
|
asserts:
|
||||||
|
- equal:
|
||||||
|
path: spec.template.spec.hostNetwork
|
||||||
|
value: true
|
||||||
|
|
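--- /dev/null
+++ b/deploy/charts/external-secrets/tests/webhook_test.yaml
@@ -0,0 +1,49 @@
+suite: test webhook deployment
+templates:
+  - webhook-deployment.yaml
+tests:
+  - it: should match snapshot of default values
+    asserts:
+      - matchSnapshot: {}
+  - it: should set imagePullPolicy to Always
+    set:
+      webhook.image.pullPolicy: Always
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: Always
+  - it: should imagePullPolicy to be default value IfNotPresent
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: IfNotPresent
+  - it: should override securityContext
+    set:
+      webhook.podSecurityContext:
+        runAsUser: 2000
+      webhook.securityContext:
+        runAsUser: 3000
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            runAsUser: 2000
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 3000
+            seccompProfile:
+              type: RuntimeDefault
+  - it: should override hostNetwork
+    set:
+      webhook.hostNetwork: true
+    asserts:
+      - equal:
+          path: spec.template.spec.hostNetwork
+          value: true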
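Review bot: The `should override hostNetwork` case only checks that `webhook.hostNetwork: true` is passed through to `spec.template.spec.hostNetwork`; it does not cover what a host-network webhook actually needs to be usable. The webhook snapshot in this commit (L444-L733) shows the container listening on `--port=10250` / `containerPort: 10250`, and on the host network that port is shared with the kubelet's default listener on the same node, so a host-network webhook presumably has to be deployed with a non-default `webhook.port` (the webhook template itself is not in this diff, so this is inferred). A second assertion that sets both `webhook.hostNetwork: true` and a non-default port, or at least a comment on this case naming the port conflict, would document that constraint where the next person looks. The name `should imagePullPolicy to be default value IfNotPresent` also reads awkwardly; `should keep imagePullPolicy at its default IfNotPresent` says the same thing.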
@ -194,6 +194,9 @@ podDisruptionBudget:
|
||||||
minAvailable: 1
|
minAvailable: 1
|
||||||
# maxUnavailable: 1
|
# maxUnavailable: 1
|
||||||
|
|
||||||
|
# -- Run the controller on the host network
|
||||||
|
hostNetwork: false
|
||||||
|
|
||||||
webhook:
|
webhook:
|
||||||
# -- Specifies whether a webhook deployment be created.
|
# -- Specifies whether a webhook deployment be created.
|
||||||
create: true
|
create: true
|
||||||
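Review bot: The new `# -- Run the controller on the host network` comment at L1205 says what the flag does but not what it costs, and this chart's README is generated from these comments, so the README row at L70 inherits the gap. `hostNetwork: true` gives the pod the node's network namespace: every container port binds on the node itself (the cert-controller snapshot in this commit shows 8080 metrics and 8081 readiness), and the pod is rejected by the Pod Security Standards `baseline` profile, so clusters enforcing it via Pod Security Admission will refuse the deployment. A comment along the lines of `# -- Run the controller on the host network. The pod then shares the node's network namespace: container ports bind on the node and the pod is not allowed by the Pod Security Standards baseline profile.` carries that into the README. The same wording, with certController in place of controller, belongs on the `certController.hostNetwork` comment in the second values.yaml hunk at L1231-L1269.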
|
@ -372,6 +375,9 @@ certController:
|
||||||
|
|
||||||
affinity: {}
|
affinity: {}
|
||||||
|
|
||||||
|
# -- Run the certController on the host network
|
||||||
|
hostNetwork: false
|
||||||
|
|
||||||
# -- Pod priority class name.
|
# -- Pod priority class name.
|
||||||
priorityClassName: ""
|
priorityClassName: ""
|
||||||
|
|
||||||
|
|
|
@ -33,7 +33,7 @@ for i in "${HELM_DIR}"/templates/crds/*.yml; do
|
||||||
$SEDPRG -i 's/namespace: default/namespace: {{ .Release.Namespace | quote }}/g' "$i"
|
$SEDPRG -i 's/namespace: default/namespace: {{ .Release.Namespace | quote }}/g' "$i"
|
||||||
$SEDPRG -i '0,/annotations/!b;//a\ {{- with .Values.crds.annotations }}\n {{- toYaml . | nindent 4}}\n {{- end }}' "$i"
|
$SEDPRG -i '0,/annotations/!b;//a\ {{- with .Values.crds.annotations }}\n {{- toYaml . | nindent 4}}\n {{- end }}' "$i"
|
||||||
|
|
||||||
sed -i '/ conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"
|
$SEDPRG -i '/ conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"
|
||||||
echo "{{- end }}" >> "$i"
|
echo "{{- end }}" >> "$i"
|
||||||
mv "$i" "${i%.yml}.yaml"
|
mv "$i" "${i%.yml}.yaml"
|
||||||
done
|
done
|
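Review bot: The change from `sed -i` to `$SEDPRG -i` on the `conversion:` line is the commit's only deletion and is unrelated to the hostNetwork feature in the title; it is easier to find later as its own commit, or at least named in the description. `$SEDPRG` is expanded unquoted and unguarded on every invocation in this hunk, so if the variable is unset the line becomes `-i '...' "$i"` and, unless the script runs with `set -e` (its head is outside the hunk), the loop continues and renames an unpatched CRD into the chart. Using `"${SEDPRG:?SEDPRG is not set}"` at the first invocation fails fast instead.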