helm
btungut committed Nov 25, 2021
1 parent 6d648c6 commit 1bd5c32
Showing 13 changed files with 320 additions and 32 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -2,6 +2,7 @@
*.7z
*.tar
*.tar.gz
.local/
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
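--- a/helm/.helmignore
+++ b/helm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/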
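--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: azure-keyvault-secret-operator
+description: Azure KeyVault Secret Operator
+type: application
+version: 0.0.1
+appVersion: "0.0.1"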
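Review bot: The chart declares no `kubeVersion` constraint even though `helm/templates/crd.yaml` in this commit uses `apiextensions.k8s.io/v1`, which only exists on Kubernetes 1.16 and later; on an older cluster the install fails with an unhelpful API error instead of a clear version check. Adding `kubeVersion: ">=1.16.0-0"` lets Helm reject the install up front. Also, `version` is unquoted while `appVersion` is quoted; quoting both (`version: "0.0.1"`) keeps a future two-component value like `1.0` from being parsed as a float.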
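--- a/helm/templates/_helpers.tpl
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,48 @@
+
+{{- define "azure-keyvault-secret-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+
+{{- define "azure-keyvault-secret-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{- define "azure-keyvault-secret-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+
+{{- define "azure-keyvault-secret-operator.labels" -}}
+helm.sh/chart: {{ include "azure-keyvault-secret-operator.chart" . }}
+{{ include "azure-keyvault-secret-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+
+{{- define "azure-keyvault-secret-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "azure-keyvault-secret-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
+{{- define "azure-keyvault-secret-operator.serviceAccountName" -}}
+{{ include "azure-keyvault-secret-operator.fullname" . }}
+{{- end }}
+
+{{- define "azure-keyvault-secret-operator.clusterRoleName" -}}
+{{ include "azure-keyvault-secret-operator.fullname" . }}
+{{- end }}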
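--- a/helm/templates/crd.yaml
+++ b/helm/templates/crd.yaml
@@ -0,0 +1,103 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+name: "azurekeyvaults.btungut.io"
+labels:
+{{- include "azure-keyvault-secret-operator.labels" . | nindent 4 }}
+spec:
+group: "btungut.io"
+scope: Cluster
+names:
+plural: "azurekeyvaults"
+singular: "azurekeyvault"
+kind: "AzureKeyVault"
+shortNames:
+- "akv"
+- "azurekv"
+versions:
+- name: v1
+served: true
+storage: true
+schema:
+openAPIV3Schema:
+type: object
+description: "An Azure KeyVault reference which is responsible to sync its contents"
+properties:
+spec:
+type: object
+required: ["name", "resourceGroup", "servicePrincipal", "objects"]
+properties:
+name:
+type: string
+description: "Azure KeyVault resource name"
+resourceGroup:
+type: string
+description: "Resource group which includes Azure KeyVault"
+syncVersion:
+type: integer
+description: "Optional version value which is being tracked by operator to identify that whether secrets need to be updated or not"
+minimum: 1
+default: 1
+servicePrincipal:
+type: object
+description: "Authorized service principal which is used against Azure APIs"
+required: ["secretName", "secretNamespace","tenantIdField", "clientIdField", "clientSecretField"]
+properties:
+secretName:
+type: string
+description: "Secret name which includes service principal credentials"
+secretNamespace:
+type: string
+description: "Secret namespace which includes service principal credentials."
+tenantIdField:
+type: string
+description: "The data/field name that correspond to Tenant Id of Azure"
+clientIdField:
+type: string
+description: "The data/field name that correspond to Client Id (app id) of service principal"
+clientSecretField:
+type: string
+description: "The data/field name that correspond to Client Secret (password) of service principal"
+objects:
+type: array
+description: "List of Azure KeyVault contents and Kubernetes secrets which needs to be synced"
+items:
+type: object
+required: ["name", "type", "copyTo"]
+properties:
+name:
+type: string
+description: "Name of Azure KeyVault content"
+type:
+type: string
+description: "Type of Azure KeyVault content (secret,certificate or key)"
+pattern: "(^secret$)|(^certificate$)|(^key$)"
+copyTo:
+type: array
+description: "List of kubernetes secrets which is created with referenced Azure KeyVault contents"
+items:
+type: object
+required: ["namespace", "secretName"]
+properties:
+namespace:
+type: string
+description: "Namespace of to be created secret"
+secretName:
+type: string
+description: "Name of to be created secret"
+secretType:
+type: string
+description: "Type of to be created secret (default : Opaque)"
+pattern: "(^[Oo]paque$)|(^kubernetes.io/(service-account-token|dockercfg|dockerconfigjson|basic-auth|ssh-auth|tls)$)|(^bootstrap.kubernetes.io/token$)"
+default: "Opaque"
+additionalPrinterColumns:
+- name: "syncVersion"
+jsonPath: .spec.syncVersion
+type: integer
+- name: "serviceprincipal-secret-namespace"
+jsonPath: .spec.servicePrincipal.secretNamespace
+type: string
+- name: "serviceprincipal-secret-name"
+jsonPath: .spec.servicePrincipal.secretName
+type: string
+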
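Review bot: The `required` lists in this schema only check that a key is present, so `name: ""`, `secretNamespace: ""` or `namespace: ""` pass admission and are only discovered when the operator tries to use them; adding `minLength: 1` to `spec.name`, `spec.resourceGroup`, the `servicePrincipal` secret fields and the `copyTo[].namespace`/`secretName` fields rejects them at the API server. The `secretType` pattern has unescaped dots (`kubernetes.io`, `bootstrap.kubernetes.io`), so `kubernetesXio/tls` is accepted; write them as `kubernetes\\.io` inside the double-quoted string, and the `type` field would read more clearly as `enum: ["secret", "certificate", "key"]` than as an anchored alternation. Since the CRD is cluster-scoped and `copyTo[].namespace` is free-form, whoever is allowed to create `AzureKeyVault` objects can presumably have the operator write Secrets into any namespace; the top-level `description` should state that trust boundary so cluster admins scope RBAC on this resource accordingly.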
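--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: {{ include "azure-keyvault-secret-operator.fullname" . }}
+labels:
+{{- include "azure-keyvault-secret-operator.labels" . | nindent 4 }}
+spec:
+replicas: 1
+selector:
+matchLabels:
+{{- include "azure-keyvault-secret-operator.selectorLabels" . | nindent 6 }}
+strategy:
+type: Recreate
+template:
+metadata:
+labels:
+{{- include "azure-keyvault-secret-operator.selectorLabels" . | nindent 8 }}
+spec:
+{{- with .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- if .Values.rbac.enabled }}
+serviceAccountName: {{ include "azure-keyvault-secret-operator.serviceAccountName" . }}
+{{- end }}
+containers:
+- name: operator
+image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+imagePullPolicy: IfNotPresent
+env:
+- name: LogLevel
+value: {{ .Values.configs.LogLevel | quote }}
+- name: EnableJsonLogging
+value: {{ .Values.configs.EnableJsonLogging | quote }}
+- name: ReconciliationFrequency
+value: {{ .Values.configs.ReconciliationFrequency | quote }}
+resources:
+{{- toYaml .Values.resources | nindent 12 }}
+{{- with .Values.nodeSelector }}
+nodeSelector:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.affinity }}
+affinity:
+{{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.tolerations }}
+tolerations:
+{{- toYaml . | nindent 8 }}
+{{- end }}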
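Review bot: The `operator` container carries no `securityContext`, so a pod that holds a service-principal credential and a cluster-wide secrets-writing token runs with privilege escalation allowed and the default capability set; the container block should drop capabilities, forbid escalation and ask for the runtime seccomp profile, with `runAsNonRoot` only if the image is built to run as a non-root user (that cannot be confirmed from this chart). When `rbac.enabled` is false the `serviceAccountName` line is omitted and the pod runs under the namespace's `default` ServiceAccount, which has none of the permissions in `clusterrole.yaml`; a comment in `values.yaml` or here should say that disabling RBAC presumes the admin binds equivalent permissions to that account. Also consider `image.tag | default .Chart.AppVersion` so an empty tag does not render `repository:`.
```yaml
      containers:
        - name: operator
          # … unchanged: image, imagePullPolicy, env …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
            # runAsNonRoot: true  -- enable once the image is verified to run unprivileged
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
```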
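--- a/helm/templates/rbac/clusterrole.yaml
+++ b/helm/templates/rbac/clusterrole.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ include "azure-keyvault-secret-operator.clusterRoleName" . }}
+labels:
+{{- include "azure-keyvault-secret-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["*"]
+
+- apiGroups: [""]
+resources: ["namespaces", "namespaces/status"]
+verbs: ["list", "get", "watch"]
+
+- apiGroups: [btungut.io]
+resources: [azurekeyvaults]
+verbs: [list, watch, patch, get, update]
+
+- apiGroups: [apiextensions.k8s.io]
+resources: [customresourcedefinitions]
+verbs: [list, get]
+
+- apiGroups: [events.k8s.io]
+resources: [events]
+verbs: [create]
+- apiGroups: [""]
+resources: [events]
+verbs: [create]
+{{- end }}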
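Review bot: The first rule grants `verbs: ["*"]` on every Secret in the cluster, which includes `delete` and `deletecollection` and any verb added in future, far more than an operator that reads one credential Secret and creates or updates target Secrets needs; a compromised operator pod could then wipe every Secret in the cluster. Enumerate what the reconciler actually uses, `verbs: ["get", "list", "watch", "create", "update", "patch"]`, and add `delete` only if the operator removes Secrets when an `AzureKeyVault` object or one of its `copyTo` entries is deleted (that behaviour is not visible in this commit). The remaining rules are already enumerated, so the wildcard also stands out stylistically; quoting style is mixed between the first two rules and the rest and should be made consistent.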
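--- a/helm/templates/rbac/clusterrolebinding.yaml
+++ b/helm/templates/rbac/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: {{ include "azure-keyvault-secret-operator.clusterRoleName" . }}
+labels:
+{{- include "azure-keyvault-secret-operator.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+name: {{ include "azure-keyvault-secret-operator.serviceAccountName" . }}
+namespace: {{ .Release.Namespace }}
+roleRef:
+kind: ClusterRole
+name: {{ include "azure-keyvault-secret-operator.clusterRoleName" . }}
+apiGroup: rbac.authorization.k8s.io
+{{- end }}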
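--- a/helm/templates/rbac/serviceaccount.yaml
+++ b/helm/templates/rbac/serviceaccount.yaml
@@ -0,0 +1,8 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ include "azure-keyvault-secret-operator.serviceAccountName" . }}
+labels:
+{{- include "azure-keyvault-secret-operator.labels" . | nindent 4 }}
+{{- end }}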
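--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -0,0 +1,27 @@
+nameOverride: ""
+fullnameOverride: ""
+
+image:
+repository: btungut/azure-keyvault-secret-operator
+tag: 0.0.1
+
+configs:
+LogLevel: "Information" # valid values: Verbose, Debug, Information, Warning, Error, Fatal (default : Information)
+EnableJsonLogging: "false" # valid values: true, false as string
+ReconciliationFrequency: "00:00:30" # timespan hh:mm:ss
+
+rbac:
+enabled: true
+
+resources:
+limits:
+cpu: 500m
+memory: 128Mi
+requests:
+cpu: 100m
+memory: 64Mi
+
+imagePullSecrets: []
+nodeSelector: {}
+tolerations: []
+affinity: {}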
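Review bot: `image.tag` is left as an unquoted `0.0.1`; that happens to parse as a string, but a user overriding it with `1.0` or `1.10` gets a float and the rendered image reference becomes `repository:1` or `repository:1.1`. Quote it, `tag: "0.0.1"`, matching how `appVersion` is written in `Chart.yaml`. The `configs` values are already quoted, which correctly keeps `"false"` and `"00:00:30"` as strings; the `rbac.enabled` key deserves a one-line comment saying what the deployment falls back to when it is `false`, since the template then omits `serviceAccountName`.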
4 changes: 3 additions & 1 deletion manifests/03-deployment.yaml
Expand Up @@ -8,6 +8,8 @@ spec:
selector:
matchLabels:
app: azure-keyvault-secret-operator
strategy:
type: Recreate
template:
metadata:
labels:
Expand All @@ -17,7 +19,7 @@ spec:
restartPolicy: Always
containers:
- name: operator
image: k3s-nonprod-01:5000/operator:5
image: btungut/azure-keyvault-secret-operator:0.0.1
env:
- name: LogLevel
value: "Debug" # valid values: Verbose, Debug, Information, Warning, Error, Fatal (default : Information)
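Review bot: The operator image in the second hunk is referenced by a mutable tag, `btungut/azure-keyvault-secret-operator:0.0.1`, for a workload that holds cloud credentials and cluster-wide Secret permissions, so the deployed bits can change without any change to this manifest; pinning by digest (`image: btungut/azure-keyvault-secret-operator:0.0.1@sha256:<digest-placeholder>`) makes the supply chain auditable. The `LogLevel` env value in this raw manifest is `"Debug"` while the Helm chart added in the same commit defaults to `"Information"`; if the two manifests are meant to be equivalent, the raw one should presumably align, since debug-level logs from a secret-syncing operator are more likely to leak identifying details. The `Deployment` spec continues outside both hunks.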
31 changes: 0 additions & 31 deletions manifests/example.yaml

This file was deleted.

4 changes: 4 additions & 0 deletions src/Program.cs
Expand Up @@ -71,6 +71,10 @@ private static void Bootstrap()
{
AppConfiguration.LogLevel = Serilog.Events.LogEventLevel.Verbose;
}

//Validation
if (AppConfiguration.ReconciliationFrequency < TimeSpan.FromSeconds(10))
throw new ArgumentOutOfRangeException(nameof(AppConfiguration.ReconciliationFrequency), "ReconciliationFrequency couldn't be less than 10 seconds.");
}

private static void ConfigureLogging()
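Review bot: The new lower-bound check in `Bootstrap` is a brace-less `if` directly below a braced `if`, and the message reads as conversational ("couldn't be less than"); for consistency with the surrounding style and a clearer operator-facing error, write it as `if (AppConfiguration.ReconciliationFrequency < TimeSpan.FromSeconds(10)) { throw new ArgumentOutOfRangeException(nameof(AppConfiguration.ReconciliationFrequency), "ReconciliationFrequency must be at least 10 seconds."); }`. The `//Validation` comment would be more useful as `// Validation: guard against a reconciliation loop that hammers the Azure and Kubernetes APIs`, since the reason for the floor is not otherwise stated. `Bootstrap` begins before this hunk, so whether `ReconciliationFrequency` is guaranteed to be parsed before this point cannot be confirmed from here.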
