From 8b818b903dce45d242b1ffd70968b176678fe9b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 20 Jan 2023 21:04:25 +0100
Subject: [PATCH] refactor: move helm image pull secrets in config folder (#6069)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
Signed-off-by: Charles-Edouard Brétéché
---
charts/kyverno/README.md | 4 +-
charts/kyverno/templates/_helpers.tpl | 4 --
charts/kyverno/templates/config/_helpers.tpl | 8 +++-
.../{ => config}/imagepullsecret.yaml | 4 +-
charts/kyverno/values.yaml | 39 ++++++++-----------
5 files changed, 26 insertions(+), 33 deletions(-)
rename charts/kyverno/templates/{ => config}/imagepullsecret.yaml (63%)
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index b5ff616988..9d6762bf65 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -151,6 +151,8 @@ The command removes all the Kubernetes components associated with the chart and
 | metricsConfig.namespaces.include | list | `[]` | List of namespaces to capture metrics for. |
 | metricsConfig.namespaces.exclude | list | `[]` | list of namespaces to NOT capture metrics for. |
 | metricsConfig.metricsRefreshInterval | string | `nil` | Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics |
+| imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
+| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
 | customLabels | object | `{}` | Additional labels |
 | rbac.create | bool | `true` | Create ClusterRoles, ClusterRoleBindings, and ServiceAccount |
 | rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount |
@@ -192,8 +194,6 @@ The command removes all the Kubernetes components associated with the chart and | extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the binary. | | extraInitContainers | list | `[]` | Array of extra init containers | | extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | -| imagePullSecrets | object | `{}` | Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. | -| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. | | resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | | resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | | initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl index 8e88329421..328455a7e6 100644 --- a/charts/kyverno/templates/_helpers.tpl +++ b/charts/kyverno/templates/_helpers.tpl @@ -142,10 +142,6 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} {{- end }} {{- end }} -{{- define "kyverno.imagePullSecret" }} -{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }} -{{- end }} - {{- define "kyverno.image" -}} {{- if .image.registry -}} {{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} diff --git a/charts/kyverno/templates/config/_helpers.tpl b/charts/kyverno/templates/config/_helpers.tpl index 19fe028db2..2d4ce400d9 100644 --- a/charts/kyverno/templates/config/_helpers.tpl +++ b/charts/kyverno/templates/config/_helpers.tpl 
@@ -39,7 +39,7 @@ app.kubernetes.io/part-of: {{ template "kyverno.name" . }} {{- end }} {{- end }} {{- tpl (join "" $resourceFilters) . }} -{{- end }} +{{- end -}} {{- define "kyverno.config.webhooks" -}} {{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} @@ -51,4 +51,8 @@ app.kubernetes.io/part-of: {{ template "kyverno.name" . }} {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }} {{- end }} {{- $newWebhook | toJson }} -{{- end }} +{{- end -}} + +{{- define "kyverno.config.imagePullSecret" -}} +{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }} +{{- end -}} diff --git a/charts/kyverno/templates/imagepullsecret.yaml b/charts/kyverno/templates/config/imagepullsecret.yaml similarity index 63% rename from charts/kyverno/templates/imagepullsecret.yaml rename to charts/kyverno/templates/config/imagepullsecret.yaml index f6e8c11ded..19ce98ce44 100644 --- a/charts/kyverno/templates/imagepullsecret.yaml +++ b/charts/kyverno/templates/config/imagepullsecret.yaml @@ -6,8 +6,8 @@ metadata: name: {{ $name }} namespace: {{ template "kyverno.namespace" $ }} labels: - {{- include "kyverno.labels" $ | nindent 4 }} + {{- include "kyverno.config.labels" $ | nindent 4 }} type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ template "kyverno.imagePullSecret" $secret }} + .dockerconfigjson: {{ template "kyverno.config.imagePullSecret" $secret }} {{ end }} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 96bb578ec8..2f6f399ce9 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
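Review bot: The `kyverno.config.imagePullSecret` helper added at the end of `charts/kyverno/templates/config/_helpers.tpl` (second hunk of that file) assembles the dockerconfigjson document with `printf`, so a `.registry` value containing `"` or `\` produces malformed JSON, and a missing `.username` or `.password` looks like it would be formatted into the credential instead of failing the render. Building the document from data and marking the fields as required closes both gaps: `{{- dict "auths" (dict (required "imagePullSecrets: registry is required" .registry) (dict "auth" (printf "%s:%s" (required "imagePullSecrets: username is required" .username) (required "imagePullSecrets: password is required" .password) | b64enc))) | toJson | b64enc }}`. The body is carried over unchanged from the helper this commit removes from `templates/_helpers.tpl`, so the refactor is a convenient place to tighten it.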
@@ -120,6 +120,22 @@ metricsConfig: metricsRefreshInterval: ~ # metricsRefreshInterval: 24h +# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument +imagePullSecrets: {} + # regcred: + # registry: foo.example.com + # username: foobar + # password: secret + # regcred2: + # registry: bar.example.com + # username: barbaz + # password: secret2 + +# -- Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument +existingImagePullSecrets: [] + # - test-registry + # - other-test-registry + # -- Additional labels customLabels: {} @@ -301,29 +317,6 @@ extraContainers: [] # image: busybox # command: ['sh', '-c', 'echo Hello && sleep 3600'] -# -- Image pull secrets for image verify and imageData policies. -# This will define the `--imagePullSecrets` Kyverno argument. -imagePullSecrets: {} - # Define two image pull secrets - # imagePullSecrets: - # regcred: - # registry: foo.example.com - # username: foobar - # password: secret - # regcred2: - # registry: bar.example.com - # username: barbaz - # password: secret2 - - -# -- Existing Image pull secrets for image verify and imageData policies. -# This will define the `--imagePullSecrets` Kyverno argument. -existingImagePullSecrets: [] - # Define an existing image pull secret - # existingImagePullSecrets: - # - test-registry - # - other-test-registry - resources: # -- Pod resource limits limits:
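Review bot: The doc comment on `imagePullSecrets` in the first values.yaml hunk shows registry usernames and passwords set directly in values, but does not say that anything set there is kept unencrypted in the values file and in the Helm release record stored in the cluster. Since that comment also feeds the README table, one extra line would steer users to the safer key, for example `# Prefer existingImagePullSecrets where possible: credentials set here are stored unencrypted in the chart values and the Helm release data.` The second hunk in this file only removes the old copy of the block and needs no change.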