From 19c4701511e49875ace40257289ebc25304d1ce8 Mon Sep 17 00:00:00 2001
From: David Collom
Date: Thu, 23 Jan 2025 17:07:33 +0000
Subject: [PATCH] Fix issue 314 - Helm chart does not support CA cert configuration (#316)

---
 .gitignore | 1 +
 deploy/charts/version-checker/README.md | 2 +
 .../templates/_pod_helpers.tpl | 185 ++++++++++++++++++
 .../version-checker/templates/deployment.yaml | 155 ++-------------
 .../version-checker/templates/secret.yaml | 22 ++-
 .../tests/deployment_test.yaml | 95 ++++++++-
 deploy/charts/version-checker/values.yaml | 16 +-
 7 files changed, 321 insertions(+), 155 deletions(-)
 create mode 100644 deploy/charts/version-checker/templates/_pod_helpers.tpl

diff --git a/.gitignore b/.gitignore
index 3733fa19..5931a6c0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /bin
 coverage.out
+.debug
diff --git a/deploy/charts/version-checker/README.md b/deploy/charts/version-checker/README.md
index 7362d307..66252eea 100644
--- a/deploy/charts/version-checker/README.md
+++ b/deploy/charts/version-checker/README.md
@@ -31,6 +31,8 @@ A Helm chart for version-checker
 | ecr.sessionToken | string | `nil` | ECR session token for read access to private registries |
 | env | object | `{}` | Can be used to provide custom environment variables e.g. proxy settings |
 | existingSecret | string | `""` | Provide an existing Secret within the cluster to use for authentication and configuration of version-checker |
+| extraVolumeMounts | list | `[]` | Allow for extra Volume Mounts to version-checkers container |
+| extraVolumes | list | `[]` | Allow for extra Volumes to be associated to the pod |
 | gcr.token | string | `nil` | Access token for read access to private GCR registries |
 | ghcr.token | string | `nil` | Personal Access token for read access to GHCR releases |
 | image.imagePullSecret | string | `nil` | Pull secrects - name of existing secret |
diff --git a/deploy/charts/version-checker/templates/_pod_helpers.tpl b/deploy/charts/version-checker/templates/_pod_helpers.tpl
new file mode 100644
index 00000000..adfd4402
--- /dev/null
+++ b/deploy/charts/version-checker/templates/_pod_helpers.tpl
@@ -0,0 +1,185 @@ +{{- define "version-checker.pod.args" -}} +- "--image-cache-timeout={{.Values.versionChecker.imageCacheTimeout}}" +- "--log-level={{.Values.versionChecker.logLevel}}" +- "--metrics-serving-address={{.Values.versionChecker.metricsServingAddress}}" +- "--test-all-containers={{.Values.versionChecker.testAllContainers}}" +{{- end -}} + +{{- define "version-checker.pod.envs.selfhosted" -}} + {{- $chartname := include "version-checker.name" . -}} + {{range $index, $element := .Values.selfhosted }} + # Selfhosted + {{- if $element.host }} + - name: VERSION_CHECKER_SELFHOSTED_HOST_{{ $element.name }} + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: selfhosted.{{ $element.name }}.host + {{- end -}} + {{- if $element.username }} + - name: VERSION_CHECKER_SELFHOSTED_USERNAME_{{ $element.name }} + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: selfhosted.{{ $element.name }}.username + {{- end -}} + {{- if $element.password }} + - name: VERSION_CHECKER_SELFHOSTED_PASSWORD_{{ $element.name }} + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: selfhosted.{{ $element.name }}.password + {{- end -}} + {{- if and (hasKey $element "token") $element.token }} + - name: VERSION_CHECKER_SELFHOSTED_TOKEN_{{ $element.name }} + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: selfhosted.{{ $element.name }}.token + {{- end -}} + {{- if and (hasKey $element "ca_path") $element.ca_path }} + - name: VERSION_CHECKER_SELFHOSTED_CA_PATH_{{ $element.name }} + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: selfhosted.{{ $element.name }}.ca_path + {{- end -}} + {{- if and (hasKey $element "insecure") $element.insecure }} + - name: VERSION_CHECKER_SELFHOSTED_INSECURE_{{ $element.name }} + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: selfhosted.{{ $element.name }}.insecure + {{- end -}} + {{- end }} +{{- end -}} + +{{- define "version-checker.pod.envs.docker" -}} + {{- $chartname := include "version-checker.name" . 
-}} + {{- if .Values.docker.token }} + - name: VERSION_CHECKER_DOCKER_TOKEN + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: docker.token + {{- end }} + {{- if .Values.docker.username }} + - name: VERSION_CHECKER_DOCKER_USERNAME + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: docker.username + {{- end }} + {{- if .Values.docker.password }} + - name: VERSION_CHECKER_DOCKER_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: docker.password + {{- end -}} +{{- end -}} + +{{- define "version-checker.pod.envs.acr" -}} + {{- $chartname := include "version-checker.name" . -}} + {{- if .Values.acr.refreshToken }} + - name: VERSION_CHECKER_ACR_REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: acr.refreshToken + {{- end }} + {{- if .Values.acr.username }} + - name: VERSION_CHECKER_ACR_USERNAME + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: acr.username + {{- end }} + {{- if .Values.acr.password }} + - name: VERSION_CHECKER_ACR_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: acr.password + {{- end }} +{{- end -}} + +{{- define "version-checker.pod.envs.ecr" -}} + {{- $chartname := include "version-checker.name" . -}} + {{- if .Values.ecr.iamRoleArn }} + - name: VERSION_CHECKER_ECR_IAM_ROLE_ARN + value: {{ .Values.ecr.iamRoleArn }} + {{- end }} + {{- if .Values.ecr.accessKeyID }} + - name: VERSION_CHECKER_ECR_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: ecr.accessKeyID + {{- end -}} + {{- if .Values.ecr.secretAccessKey }} + - name: VERSION_CHECKER_ECR_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: ecr.secretAccessKey + {{- end }} + {{- if .Values.ecr.sessionToken }} + - name: VERSION_CHECKER_ECR_SESSION_TOKEN + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: ecr.sessionToken + {{- end }} +{{- end -}} + +{{- define "version-checker.pod.envs.quay" -}} + {{- $chartname := include "version-checker.name" . 
-}} + {{- if .Values.quay.token }} + - name: VERSION_CHECKER_QUAY_TOKEN + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: quay.token + {{- end -}} +{{- end -}} + +{{- define "version-checker.pod.envs.ghcr" -}} + {{- $chartname := include "version-checker.name" . -}} + {{- if .Values.ghcr.token }} + # GHCR + - name: VERSION_CHECKER_GHCR_TOKEN + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: ghcr.token + {{- end -}} +{{- end -}} + +{{- define "version-checker.pod.envs.gcr" -}} + {{- $chartname := include "version-checker.name" . -}} + {{- if .Values.gcr.token }} + # GCR + - name: VERSION_CHECKER_GCR_TOKEN + valueFrom: + secretKeyRef: + name: {{ $chartname }} + key: gcr.token + {{- end -}} +{{- end -}} + + +{{- define "version-checker.pod.volumes" -}} +{{- $secretEnabled := false -}} +{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.docker.username .Values.docker.password .Values.ecr.accessKeyID .Values.ecr.secretAccessKey .Values.ecr.sessionToken .Values.gcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) -}} +{{- $secretEnabled = true -}} +{{- end -}} +{{- if $secretEnabled -}} +- name: {{ include "version-checker.name" . }} + secret: + secretName: {{ include "version-checker.name" . }} +{{- end }} +{{- if and .Values.extraVolumes (gt (len .Values.extraVolumes) 0) }} +{{ toYaml .Values.extraVolumes -}} +{{- end -}} +{{- end -}} diff --git a/deploy/charts/version-checker/templates/deployment.yaml b/deploy/charts/version-checker/templates/deployment.yaml index 23e68ed4..66360507 100644 --- a/deploy/charts/version-checker/templates/deployment.yaml +++ b/deploy/charts/version-checker/templates/deployment.yaml 
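Review bot: The define bodies in this new file are indented inconsistently — `version-checker.pod.args` and `version-checker.pod.volumes` are flush-left, the `version-checker.pod.envs.*` bodies sit two spaces in, and `envs.docker` / `envs.selfhosted` nest further — which is why the callers in the deployment.yaml hunk (`@@ -72,145 +65,27 @@`) have to alternate between `nindent 6` and `nindent 8` and between `{{ include` and `{{- include` to land on the same column. Writing every define body flush-left and calling each one as `{{- include "version-checker.pod.envs.<name>" . | nindent 8 }}` makes the rendered indentation depend only on the call site, which is what `nindent` is for. The moved ECR entry still emits `value: {{ .Values.ecr.iamRoleArn }}` as a plain scalar; `value: {{ .Values.ecr.iamRoleArn | quote }}` matches the chart's other string values and avoids YAML re-typing. The `$secretEnabled` condition in `version-checker.pod.volumes` lists every registry credential except `.Values.ghcr.token`, even though `envs.ghcr` references the same Secret; if that omission is not deliberate, this move is the moment to add it.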
@@ -1,7 +1,3 @@ -{{- $secretEnabled := false }} -{{- if or .Values.acr.refreshToken .Values.acr.username .Values.acr.password .Values.docker.token .Values.docker.username .Values.docker.password .Values.ecr.accessKeyID .Values.ecr.secretAccessKey .Values.ecr.sessionToken .Values.gcr.token .Values.quay.token (not (eq (len .Values.selfhosted) 0)) }} -{{- $secretEnabled = true }} -{{- end }} {{ $chartname := include "version-checker.name" . }} apiVersion: apps/v1 kind: Deployment @@ -48,10 +44,7 @@ spec: containerPort: 8080 command: ["version-checker"] args: - - "--image-cache-timeout={{.Values.versionChecker.imageCacheTimeout}}" - - "--log-level={{.Values.versionChecker.logLevel}}" - - "--metrics-serving-address={{.Values.versionChecker.metricsServingAddress}}" - - "--test-all-containers={{.Values.versionChecker.testAllContainers}}" + {{- include "version-checker.pod.args" . | nindent 8 }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.securityContext }} 
@@ -72,145 +65,27 @@ spec: name: {{.Values.existingSecret}} {{- end }} env: - {{- if .Values.acr.refreshToken }} - # ACR - - name: VERSION_CHECKER_ACR_REFRESH_TOKEN - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: acr.refreshToken - {{- end }} - {{- if .Values.acr.username }} - - name: VERSION_CHECKER_ACR_USERNAME - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: acr.username - {{- end }} - {{- if .Values.acr.password }} - - name: VERSION_CHECKER_ACR_PASSWORD - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: acr.password - {{- end -}} - - {{- if .Values.ecr.iamRoleArn }} - # ECR - - name: VERSION_CHECKER_ECR_IAM_ROLE_ARN - value: {{ .Values.ecr.iamRoleArn }} - {{- end }} - {{- if .Values.ecr.accessKeyID }} - - name: VERSION_CHECKER_ECR_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: ecr.accessKeyID - {{- end -}} - {{- if .Values.ecr.secretAccessKey }} - - name: VERSION_CHECKER_ECR_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: ecr.secretAccessKey - {{- end }} - {{- if .Values.ecr.sessionToken }} - - name: VERSION_CHECKER_ECR_SESSION_TOKEN - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: ecr.sessionToken - {{- end -}} - {{- if .Values.docker.token }} - # Docker - - name: VERSION_CHECKER_DOCKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: docker.token - {{- end }} - {{- if .Values.docker.username }} - - name: VERSION_CHECKER_DOCKER_USERNAME - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: docker.username - {{- end }} - {{- if .Values.docker.password }} - - name: VERSION_CHECKER_DOCKER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: docker.password - {{- end -}} - {{- if .Values.gcr.token }} - # GCR - - name: VERSION_CHECKER_GCR_TOKEN - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: gcr.token - {{- end -}} - {{- if .Values.ghcr.token }} - # GHCR - - name: VERSION_CHECKER_GHCR_TOKEN - valueFrom: - 
secretKeyRef: - name: {{ $chartname }} - key: ghcr.token - {{- end -}} - {{- if .Values.quay.token }} - # Quay - - name: VERSION_CHECKER_QUAY_TOKEN - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: quay.token - {{- end -}} - {{range $index, $element := .Values.selfhosted }} - # Selfhosted - {{- if $element.host }} - - name: VERSION_CHECKER_SELFHOSTED_HOST_{{ $element.name }} - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: selfhosted.{{ $element.name }}.host - {{- end -}} - {{- if $element.username }} - - name: VERSION_CHECKER_SELFHOSTED_USERNAME_{{ $element.name }} - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: selfhosted.{{ $element.name }}.username - {{- end -}} - {{- if $element.password }} - - name: VERSION_CHECKER_SELFHOSTED_PASSWORD_{{ $element.name }} - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: selfhosted.{{ $element.name }}.password - {{- end -}} - {{- if $element.token }} - - name: VERSION_CHECKER_SELFHOSTED_TOKEN_{{ $element.name }} - valueFrom: - secretKeyRef: - name: {{ $chartname }} - key: selfhosted.{{ $element.name }}.token - {{- end -}} - {{- end -}} + {{ include "version-checker.pod.envs.acr" . | nindent 8 }} + {{ include "version-checker.pod.envs.ecr" . | nindent 8 }} + {{ include "version-checker.pod.envs.docker" . | nindent 6 }} + {{- include "version-checker.pod.envs.gcr" . | nindent 8 }} + {{- include "version-checker.pod.envs.ghcr" . | nindent 8 }} + {{- include "version-checker.pod.envs.quay" . | nindent 8 }} + {{- include "version-checker.pod.envs.selfhosted" . | nindent 6 }} + # Extra Envs {{- if .Values.env }} {{- toYaml .Values.env | nindent 8 }} - {{- end -}} + {{- end }} + volumeMounts: + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} {{- with .Values.podSecurityContext }} securityContext: {{- toYaml . | nindent 8 }} {{- end }} volumes: - {{- if $secretEnabled }} - - name: {{ include "version-checker.name" . 
}} - secret: - secretName: {{ include "version-checker.name" . }} - {{ end }} + {{- include "version-checker.pod.volumes" . | nindent 8 }} {{- with .Values.affinity }} affinity: {{- toYaml . | nindent 8 }} diff --git a/deploy/charts/version-checker/templates/secret.yaml b/deploy/charts/version-checker/templates/secret.yaml index 948af622..6d80ed35 100644 --- a/deploy/charts/version-checker/templates/secret.yaml +++ b/deploy/charts/version-checker/templates/secret.yaml @@ -51,18 +51,24 @@ data: # Selfhosted {{range $index, $element := .Values.selfhosted }} - {{- if $element.host }} + {{- if $element.host }} selfhosted.{{ $element.name }}.host: {{ $element.host | b64enc }} - {{- end }} - {{- if $element.username }} + {{- end }} + {{- if $element.username }} selfhosted.{{ $element.name }}.username: {{ $element.username | b64enc }} - {{- end }} - {{- if $element.password }} + {{- end }} + {{- if $element.password }} selfhosted.{{ $element.name }}.password: {{ $element.password | b64enc }} - {{- end }} - {{- if $element.token }} + {{- end }} + {{- if $element.token }} selfhosted.{{ $element.name }}.token: {{ $element.token | b64enc }} - {{- end }} + {{- end }} + {{- if and (hasKey $element "insecure") $element.insecure }} + selfhosted.{{ $element.name }}.token: {{ $element.insecure | b64enc }} + {{- end }} + {{- if and (hasKey $element "ca_path") $element.ca_path }} + selfhosted.{{ $element.name }}.token: {{ $element.ca_path | b64enc }} + {{- end }} {{- end }} kind: Secret diff --git a/deploy/charts/version-checker/tests/deployment_test.yaml b/deploy/charts/version-checker/tests/deployment_test.yaml index 0a538f71..c084fc8b 100644 --- a/deploy/charts/version-checker/tests/deployment_test.yaml +++ b/deploy/charts/version-checker/tests/deployment_test.yaml @@ -263,7 +263,7 @@ tests: name: version-checker # Self Hosted - - it: Self hosted should work + - it: "Self hosted: should work" set: selfhosted: - name: bob 
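Review bot: `volumeMounts:` on the new side is emitted unconditionally, so with the default `extraVolumeMounts: []` the container spec renders a bare `volumeMounts:` (a YAML null) while the neighbouring `podSecurityContext` block is properly wrapped in `with`. Moving the `volumeMounts:` key inside the existing `{{- with .Values.extraVolumeMounts }}` … `{{- end }}` block, above the `{{- toYaml . | nindent 10 }}` line, keeps the rendered manifest minimal and consistent with the surrounding template. The enclosing container spec begins before this hunk.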
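Review bot: Both new data entries in secret.yaml write to the wrong key — the `insecure` branch and the `ca_path` branch each emit `selfhosted.{{ $element.name }}.token:` instead of `.insecure` / `.ca_path` — so the Secret gains a duplicate `token` key carrying the path or flag (last-wins or a parse error depending on the loader) while the `secretKeyRef`s added in `_pod_helpers.tpl` point at keys that are never created, which should surface as a container-config error at pod start. The lines should read `selfhosted.{{ $element.name }}.insecure: {{ $element.insecure | toString | b64enc }}` and `selfhosted.{{ $element.name }}.ca_path: {{ $element.ca_path | b64enc }}`. `toString` matters because `b64enc` expects a string and the bare `# insecure:` example in values.yaml invites a boolean `insecure: true`; the new unit tests only pass because they set `insecure: "true"`. deployment_test.yaml asserts only the Deployment's env wiring, so a secret-side assertion on `data["selfhosted.bob.ca_path"]` would have caught this.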
@@ -307,8 +307,46 @@ tests: key: selfhosted.bob.password name: version-checker + - it: "Self hosted: With Insecure" + set: + selfhosted: + - name: bob + host: http://example.com + username: asgasasf + password: hunter1 + insecure: "true" + asserts: + - contains: + path: spec.template.spec.containers[0].env + count: 1 + content: + name: VERSION_CHECKER_SELFHOSTED_INSECURE_bob + valueFrom: + secretKeyRef: + key: selfhosted.bob.insecure + name: version-checker + + - it: "Self hosted: With CA_PATH Set" + set: + selfhosted: + - name: bob + host: http://example.com + username: asgasasf + password: hunter1 + ca_path: "/mnt/ca.pam" + asserts: + - contains: + path: spec.template.spec.containers[0].env + count: 1 + content: + name: VERSION_CHECKER_SELFHOSTED_CA_PATH_bob + valueFrom: + secretKeyRef: + key: selfhosted.bob.ca_path + name: version-checker + # Multiple Self Hosted - - it: Multiple Self hosted should work + - it: "Self hosted: Multiple Self hosted should work" set: selfhosted: - name: bob @@ -383,7 +421,7 @@ tests: secretRef: name: preexistingsecret - - it: SecretEnabled + - it: "Volumes: SecretEnabled" set: acr.refreshToken: asgasga asserts: 
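Review bot: The two new selfhosted cases exercise only the Deployment's env wiring, and the insecure case sets `insecure: "true"` as a string, so neither the Secret rendering of the new keys nor the boolean form `insecure: true` that the values.yaml example invites is covered. A companion test against `templates/secret.yaml` with the same values, asserting that `data["selfhosted.bob.ca_path"]` and `data["selfhosted.bob.insecure"]` exist, would pin the contract between the two templates, and a boolean `insecure: true` case would show whether the template tolerates a non-string value.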
@@ -394,6 +432,57 @@ tests: secret: secretName: version-checker + - it: "Volumes: extra Volumes exist" + set: + extraVolumes: + - name: empty-dir + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: empty-dir + emptyDir: {} + + - it: "Volumes: Secrets Enabled" + set: + acr.refreshToken: abc + extraVolumes: + - name: empty-dir + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: empty-dir + emptyDir: {} + - contains: + path: spec.template.spec.volumes + content: + name: version-checker + secret: + secretName: version-checker + + - it: "VolumeMounts: extra VolumeMounts exist" + set: + extraVolumeMounts: + - name: empty-dir + mountPath: /test/mount/path + extraVolumes: + - name: empty-dir + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: empty-dir + mountPath: /test/mount/path + - contains: + path: spec.template.spec.volumes + content: + name: empty-dir + emptyDir: {} + - it: Resources are reflected set: resources: diff --git a/deploy/charts/version-checker/values.yaml b/deploy/charts/version-checker/values.yaml index 2f8b3105..6bc6ab51 100644 --- a/deploy/charts/version-checker/values.yaml +++ b/deploy/charts/version-checker/values.yaml @@ -110,6 +110,8 @@ selfhosted: # username: foo # password: bar # token: + # insecure: + # ca_path: # -- Provide an existing Secret within the cluster to use for authentication and configuration of version-checker existingSecret: "" @@ -147,7 +149,8 @@ securityContext: podSecurityContext: {} # -- Set affinity -affinity: {} +affinity: + {} # podAntiAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # - labelSelector: 
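Review bot: The two new example keys `# insecure:` and `# ca_path:` under `selfhosted` carry no description, although every other option in this file has a `# --` doc line. Judging by the env names the chart wires them to, `insecure` presumably disables TLS verification for that registry host and `ca_path` is a path inside the version-checker container, so the CA bundle has to be mounted there via the new `extraVolumes` / `extraVolumeMounts` values for it to have any effect; neither follows from the key name alone. Suggested comments: `# insecure: # presumably disables TLS verification for this host; prefer ca_path where a CA can be supplied` and `# ca_path: # path inside the container to a CA bundle, e.g. mounted via extraVolumes/extraVolumeMounts`.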
@@ -156,9 +159,9 @@ affinity: {} # app.kubernetes.io/instance: release-name # topologyKey: kubernetes.io/hostname - # -- Set topologySpreadConstraints -topologySpreadConstraints: [] +topologySpreadConstraints: + [] # - labelSelector: # matchLabels: # app.kubernetes.io/name: version-checker @@ -167,7 +170,6 @@ topologySpreadConstraints: [] # topologyKey: topology.kubernetes.io/zone # whenUnsatisfiable: ScheduleAnyway - # Configure the readiness probe for version-checker readinessProbe: # -- Enable/Disable the setting of a readinessProbe @@ -211,3 +213,9 @@ serviceMonitor: enabled: false # -- Additional labels to add to the ServiceMonitor additionalLabels: {} + +# -- Allow for extra Volume Mounts to version-checkers container +extraVolumeMounts: [] + +# -- Allow for extra Volumes to be associated to the pod +extraVolumes: []