
feat: add hostNetwork option for controller/certController in helm chart (#2269)

Signed-off-by: Moritz Johner <Moritz.Johner@form3.tech>
This commit is contained in:
Moritz Johner 2023-05-02 22:00:00 +02:00 committed by GitHub
parent 6130c8f43b
commit 99a691f804
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 249 additions and 1 deletions


@ -43,6 +43,7 @@ The command removes all the Kubernetes components associated with the chart and
| certController.extraVolumeMounts | list | `[]` | |
| certController.extraVolumes | list | `[]` | |
| certController.fullnameOverride | string | `""` | |
| certController.hostNetwork | bool | `false` | Run the certController on the host network |
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
| certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| certController.image.tag | string | `""` | |
@ -98,6 +99,7 @@ The command removes all the Kubernetes components associated with the chart and
| extraVolumeMounts | list | `[]` | |
| extraVolumes | list | `[]` | |
| fullnameOverride | string | `""` | |
| hostNetwork | bool | `false` | Run the controller on the host network |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | |
| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |


@ -38,6 +38,7 @@ spec:
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.certController.hostNetwork }}
containers:
- name: cert-controller
{{- with .Values.certController.securityContext }}
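Review bot: The new `hostNetwork: {{ .Values.certController.hostNetwork }}` line is emitted without a matching `dnsPolicy`, so a pod rendered with `hostNetwork: true` falls back to Kubernetes' default of resolving through the node's resolv.conf, and cluster-internal service names (for example the webhook service named by `--service-name`) will not resolve unless the operator also sets the policy. If that is unintended, guard it next to the new line: `{{- if .Values.certController.hostNetwork }}`, `dnsPolicy: ClusterFirstWithHostNet`, `{{- end }}`. The same applies to the controller template hunk that adds `hostNetwork: {{ .Values.hostNetwork }}`. The enclosing pod `spec:` starts and ends outside this hunk, so an existing `dnsPolicy` elsewhere in the template would make this moot — worth confirming.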


@ -38,6 +38,7 @@ spec:
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.hostNetwork }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}


@ -0,0 +1,60 @@
should match snapshot of default values:
1: |
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/version: v0.8.1
helm.sh/chart: external-secrets-0.8.1
name: RELEASE-NAME-external-secrets-cert-controller
namespace: NAMESPACE
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: external-secrets-cert-controller
template:
metadata:
labels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: external-secrets-cert-controller
spec:
automountServiceAccountToken: true
containers:
- args:
- certcontroller
- --crd-requeue-interval=5m
- --service-name=RELEASE-NAME-external-secrets-webhook
- --service-namespace=NAMESPACE
- --secret-name=RELEASE-NAME-external-secrets-webhook
- --secret-namespace=NAMESPACE
image: ghcr.io/external-secrets/external-secrets:v0.8.1
imagePullPolicy: IfNotPresent
name: cert-controller
ports:
- containerPort: 8080
name: metrics
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 20
periodSeconds: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
hostNetwork: false
serviceAccountName: external-secrets-cert-controller


@ -45,4 +45,5 @@ should match snapshot of default values:
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
hostNetwork: false
serviceAccountName: RELEASE-NAME-external-secrets


@ -0,0 +1,72 @@
should match snapshot of default values:
1: |
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/version: v0.8.1
helm.sh/chart: external-secrets-0.8.1
name: RELEASE-NAME-external-secrets-webhook
namespace: NAMESPACE
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: external-secrets-webhook
template:
metadata:
labels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: external-secrets-webhook
spec:
automountServiceAccountToken: true
containers:
- args:
- webhook
- --port=10250
- --dns-name=RELEASE-NAME-external-secrets-webhook.NAMESPACE.svc
- --cert-dir=/tmp/certs
- --check-interval=5m
- --metrics-addr=:8080
- --healthz-addr=:8081
image: ghcr.io/external-secrets/external-secrets:v0.8.1
imagePullPolicy: IfNotPresent
name: webhook
ports:
- containerPort: 8080
name: metrics
protocol: TCP
- containerPort: 10250
name: webhook
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: 8081
initialDelaySeconds: 20
periodSeconds: 5
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /tmp/certs
name: certs
readOnly: true
hostNetwork: false
serviceAccountName: external-secrets-webhook
volumes:
- name: certs
secret:
secretName: RELEASE-NAME-external-secrets-webhook


@ -0,0 +1,49 @@
suite: test cert controller deployment
templates:
- cert-controller-deployment.yaml
tests:
- it: should match snapshot of default values
asserts:
- matchSnapshot: {}
- it: should set imagePullPolicy to Always
set:
certController.image.pullPolicy: Always
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should imagePullPolicy to be default value IfNotPresent
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: IfNotPresent
- it: should override securityContext
set:
certController.podSecurityContext:
runAsUser: 2000
certController.securityContext:
runAsUser: 3000
asserts:
- equal:
path: spec.template.spec.securityContext
value:
runAsUser: 2000
- equal:
path: spec.template.spec.containers[0].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 3000
seccompProfile:
type: RuntimeDefault
- it: should override hostNetwork
set:
certController.hostNetwork: true
asserts:
- equal:
path: spec.template.spec.hostNetwork
value: true
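Review bot: The test name `should imagePullPolicy to be default value IfNotPresent` is ungrammatical; since this file is new it is the moment to fix the copied wording, e.g. `- it: should default imagePullPolicy to IfNotPresent`. The same name appears in the new webhook test suite. The `should override hostNetwork` case only asserts the `true` override; the default `false` is pinned by the snapshot, which is adequate, but a direct `equal` assert on `spec.template.spec.hostNetwork` being `false` would survive a snapshot regeneration.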


@ -40,3 +40,10 @@ tests:
runAsUser: 3000
seccompProfile:
type: RuntimeDefault
- it: should override hostNetwork
set:
hostNetwork: true
asserts:
- equal:
path: spec.template.spec.hostNetwork
value: true


@ -0,0 +1,49 @@
suite: test webhook deployment
templates:
- webhook-deployment.yaml
tests:
- it: should match snapshot of default values
asserts:
- matchSnapshot: {}
- it: should set imagePullPolicy to Always
set:
webhook.image.pullPolicy: Always
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: Always
- it: should imagePullPolicy to be default value IfNotPresent
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: IfNotPresent
- it: should override securityContext
set:
webhook.podSecurityContext:
runAsUser: 2000
webhook.securityContext:
runAsUser: 3000
asserts:
- equal:
path: spec.template.spec.securityContext
value:
runAsUser: 2000
- equal:
path: spec.template.spec.containers[0].securityContext
value:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 3000
seccompProfile:
type: RuntimeDefault
- it: should override hostNetwork
set:
webhook.hostNetwork: true
asserts:
- equal:
path: spec.template.spec.hostNetwork
value: true


@ -194,6 +194,9 @@ podDisruptionBudget:
minAvailable: 1
# maxUnavailable: 1
# -- Run the controller on the host network
hostNetwork: false
webhook:
# -- Specifies whether a webhook deployment be created.
create: true
@ -372,6 +375,9 @@ certController:
affinity: {}
# -- Run the certController on the host network
hostNetwork: false
# -- Pod priority class name.
priorityClassName: ""
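Review bot: The helm-docs comment `# -- Run the controller on the host network` (and its certController twin in the second hunk) says what the flag does but not what it costs, which is the part an operator deciding to flip it needs. Enabling it places the pod in the node's network namespace, so the container's listeners bind directly on the node and can collide with other host-network pods, and the Pod Security Standards `baseline` profile rejects such pods, so namespaces enforcing it will refuse the deployment. Suggested wording: `# -- Run the controller on the host network. The pod then shares the node's network namespace (its listeners bind on the node) and is rejected by the PodSecurity "baseline" profile.` Mirror it on the certController entry.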


@ -33,7 +33,7 @@ for i in "${HELM_DIR}"/templates/crds/*.yml; do
$SEDPRG -i 's/namespace: default/namespace: {{ .Release.Namespace | quote }}/g' "$i"
$SEDPRG -i '0,/annotations/!b;//a\ {{- with .Values.crds.annotations }}\n {{- toYaml . | nindent 4}}\n {{- end }}' "$i"
sed -i '/ conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"
$SEDPRG -i '/ conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"
echo "{{- end }}" >> "$i"
mv "$i" "${i%.yml}.yaml"
done
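Review bot: The swap from `sed -i` to `$SEDPRG -i` for the conversion-block insertion (the replaced line appears to be the bare `sed -i` one, judging from the surrounding `$SEDPRG` calls, though this rendering does not mark old/new) is unrelated to the hostNetwork feature and is not mentioned in the commit description. A one-line mention such as `Also use $SEDPRG for the conversion guard so the CRD script works with the same sed binary as the other edits.` would keep the description accurate. The `for` loop this hunk belongs to starts outside the hunk.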