diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 3a1e0c3..13be3a1 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -731,6 +731,39 @@ Return puppetdb certificate name without extension
 {{- end -}}
 {{- end -}}
+{{/*
+Return unique list of volumes from puppetserver.extraSecrets
+*/}}
+{{- define "puppetserver.extraSecrets.volumes" -}}
+{{- $secretList := list -}}
+{{- range $secret := .Values.puppetserver.extraSecrets -}}
+{{- if not (has $secret.name $secretList) -}}
+{{- $secretList = append $secretList $secret.name -}}
+{{- end -}}
+{{- end -}}
+{{- range $secretName := $secretList }}
+- name: {{ $secretName }}-volume
+ secret:
+ secretName: {{ $secretName }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return volumeMounts from puppetserver.extraSecrets
+*/}}
+{{- define "puppetserver.extraSecrets.volumeMounts" -}}
+{{- range $secret := .Values.puppetserver.extraSecrets }}
+- name: {{ $secret.name }}-volume
+{{- range $k, $v := $secret }}
+{{- if not (eq $k "name") }}
+ {{ $k }}: {{ $v }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+
 {{/*
 *************************************************************************************
 The following definitions were more complex and necessary during part of this development.
 Now they are essentially just stubs but left here in case they might be needed again soon.
diff --git a/templates/puppet-preInstall.job.yaml b/templates/puppet-preInstall.job.yaml
index fab4688..30d5d3b 100644
--- a/templates/puppet-preInstall.job.yaml
+++ b/templates/puppet-preInstall.job.yaml
@@ -95,6 +95,7 @@ spec:
 {{- end }}
 - name: puppet-serverdata-storage
 mountPath: /opt/puppetlabs/server/data/puppetserver/
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 12 }}
 securityContext:
 runAsUser: 0
 runAsNonRoot: false
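Review bot: In `puppetserver.extraSecrets.volumeMounts` the inner `range $k, $v := $secret` emits every remaining key as `{{ $k }}: {{ $v }}`, so the value is rendered by Go's default formatting rather than as YAML: a map or list becomes `map[...]`/`[...]`, and an unquoted string such as a `mountPath` containing `: ` or ` #` produces a manifest that no longer parses. Replacing the `range`/`if`/two `end` lines after `- name:` with `{{- with omit $secret "name" }}`, `{{- toYaml . | nindent 2 }}`, `{{- end }}` renders the extra keys as proper YAML and still yields a valid item for an entry that has only `name`; the accepted keys (mountPath, subPath, readOnly) should also be spelled out in the values.yaml comment, since any other key, e.g. a volume-side `defaultMode`, is passed straight into the volumeMount and rejected by the API server. Both helpers also use `name` verbatim as the Secret reference and as the `<name>-volume` volume name, and volume names must be DNS-1123 labels, so the `myBigSecret` sample in the values.yaml hunk would be rejected and should be lowercase. A way to set `optional` or `defaultMode` on the generated Secret volume is missing as well; if that is intentional, a comment above the `volumes` define saying so would help.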
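Review bot: The `puppetserver.extraSecrets.volumeMounts` include is now added to every container that declares volumeMounts — here, in the later hunks of this file, and in puppet-r10k-deployment.yaml, puppetserver-deployment-compilers.yaml and puppetserver-deployment-masters.yaml — while the values.yaml hunk still describes `extraSecrets` as "Secrets to mount in puppetserver container". Judging by the adjacent `securityContext` and probe lines, that includes containers running as `runAsUser: 0` and the r10k and hiera containers, so an operator adding a secret for puppetserver exposes it to every init and sidecar container of three workloads, and a `mountPath` that collides with one of the chart's own mounts in any of them makes the whole pod invalid. Either limit the include to the puppetserver container or state the broadened scope in the values.yaml comment, e.g. `## Mounted into every container of the puppetserver, compiler, r10k and pre-install pods`. Each container definition starts outside its hunk, so which container a given include lands in is inferred from the surrounding lines.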
@@ -167,6 +168,7 @@ spec:
 mountPath: /crl
 {{- end }}
 {{- end }}
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 12 }}
 {{- if .Values.global.runAsNonRoot }}
 securityContext:
 runAsUser: {{ .Values.global.securityContext.runAsUser }}
@@ -225,6 +227,7 @@ spec:
 mountPath: /crl
 {{- end }}
 {{- end }}
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 12 }}
 {{- if .Values.global.runAsNonRoot }}
 securityContext:
 runAsUser: {{ .Values.global.securityContext.runAsUser }}
@@ -299,6 +302,7 @@ spec:
 mountPath: /docker-custom-entrypoint.d/{{ $key }}
 subPath: {{ $key }}
 {{- end }}
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 12 }}
 securityContext:
 runAsUser: 0
 runAsNonRoot: false
@@ -368,11 +372,7 @@ spec:
 secretName: {{ template "puppetserver.hiera.privateSecret" . }}
 {{- end }}
 {{- end }}
- {{- range $extraSecret := .Values.puppetserver.extraSecrets }}
- - name: {{ $extraSecret.name }}
- secret:
- secretName: {{ $extraSecret.name }}
- {{- end }}
+ {{- include "puppetserver.extraSecrets.volumes" . | nindent 8 }}
 {{- if or .Values.puppetserver.preGeneratedCertsJob.enabled .Values.singleCA.enabled }}
 - name: puppetserver-certs
 {{- if not .Values.singleCA.enabled }}
diff --git a/templates/puppet-r10k-deployment.yaml b/templates/puppet-r10k-deployment.yaml
index 3770b30..97d05a0 100644
--- a/templates/puppet-r10k-deployment.yaml
+++ b/templates/puppet-r10k-deployment.yaml
@@ -99,6 +99,7 @@ spec:
 - name: r10k-code-volume
 mountPath: /etc/puppetlabs/puppet/r10k_code.yaml
 subPath: r10k_code.yaml
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 10 }}
 readinessProbe:
 exec:
 command:
@@ -176,6 +177,7 @@ spec:
 mountPath: /etc/puppetlabs/puppet/eyaml/keys/private_key.pkcs7.pem
 subPath: private_key.pkcs7.pem
 {{- end }}
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 12 }}
 readinessProbe:
 exec:
 command: ["/bin/sh", "-ec", "test -f {{ .Values.r10k.hiera.cronJob.successFile }}"]
@@ -271,9 +273,5 @@ spec:
 name: {{ .Values.hiera.eyaml.existingMap }}
 {{- end }}
 {{- end }}
- {{- range $extraSecret := .Values.puppetserver.extraSecrets }}
- - name: {{ $extraSecret.name }}
- secret:
- secretName: {{ $extraSecret.name }}
- {{- end }}
+ {{- include "puppetserver.extraSecrets.volumes" . | nindent 8 }}
 {{- end }}
diff --git a/templates/puppetserver-deployment-compilers.yaml b/templates/puppetserver-deployment-compilers.yaml
index b5b1f5b..7d1f733 100644
--- a/templates/puppetserver-deployment-compilers.yaml
+++ b/templates/puppetserver-deployment-compilers.yaml
@@ -196,6 +196,7 @@ spec:
 {{- end }}
 - name: puppet-serverdata-storage
 mountPath: /opt/puppetlabs/server/data/puppetserver/
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 12 }}
 {{- end }}
 containers:
 - name: {{ template "puppetserver.fullname" . }}
@@ -305,6 +306,7 @@ spec:
 mountPath: /etc/puppetlabs/puppet/eyaml/keys
 {{- end }}
 {{- end }}
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 12 }}
 securityContext:
 {{- if .Values.global.runAsNonRoot }}
 runAsUser: {{ .Values.global.securityContext.runAsUser }}
@@ -380,7 +382,7 @@ spec:
 mountPath: /etc/puppetlabs/code/
 - name: puppet-puppet-storage
 mountPath: /etc/puppetlabs/puppet/
-
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 10 }}
 readinessProbe:
 exec:
 command:
@@ -440,6 +442,7 @@ spec:
 mountPath: /etc/puppetlabs/code/
 - name: puppet-puppet-storage
 mountPath: /etc/puppetlabs/puppet/
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 10 }}
 readinessProbe:
 exec:
 command: ["/bin/sh", "-ec", "test -f {{ .Values.r10k.hiera.cronJob.successFile }}"]
@@ -690,11 +693,7 @@ spec:
 persistentVolumeClaim:
 claimName: {{ template "puppetserver.persistence.confd.claimName" . }}
 {{- end }}
- {{- range $extraSecret := .Values.puppetserver.extraSecrets }}
- - name: {{ $extraSecret.name }}
- secret:
- secretName: {{ $extraSecret.name }}
- {{- end }}
+ {{- include "puppetserver.extraSecrets.volumes" . | nindent 8 }}
 {{- if .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.nodeSelector | nindent 10 }}
diff --git a/templates/puppetserver-deployment-masters.yaml b/templates/puppetserver-deployment-masters.yaml
index 636a625..1429af2 100644
--- a/templates/puppetserver-deployment-masters.yaml
+++ b/templates/puppetserver-deployment-masters.yaml
@@ -219,6 +219,7 @@ spec:
 subPath: site.pp
 - name: puppet-serverdata-storage
 mountPath: /opt/puppetlabs/server/data/puppetserver/
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 12 }}
 {{- end }}
 containers:
 - name: {{ template "puppetserver.fullname" . }}
@@ -328,6 +329,7 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 12 }}
 securityContext:
 {{- if .Values.global.runAsNonRoot }}
 runAsUser: {{ .Values.global.securityContext.runAsUser }}
@@ -412,6 +414,7 @@ spec:
 - name: r10k-code-volume
 mountPath: /etc/puppetlabs/puppet/r10k_code.yaml
 subPath: r10k_code.yaml
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 10 }}
 readinessProbe:
 exec:
 command:
@@ -471,6 +474,7 @@ spec:
 mountPath: /etc/puppetlabs/code/
 - name: puppet-puppet-storage
 mountPath: /etc/puppetlabs/puppet/
+ {{- include "puppetserver.extraSecrets.volumeMounts" . | nindent 10 }}
 readinessProbe:
 exec:
 command: ["/bin/sh", "-ec", "test -f {{ .Values.r10k.hiera.cronJob.successFile }}"]
@@ -733,11 +737,7 @@ spec:
 persistentVolumeClaim:
 claimName: {{ template "puppetserver.persistence.confd.claimName" . }}
 {{- end }}
- {{- range $extraSecret := .Values.puppetserver.extraSecrets }}
- - name: {{ $extraSecret.name }}
- secret:
- secretName: {{ $extraSecret.name }}
- {{- end }}
+ {{- include "puppetserver.extraSecrets.volumes" . | nindent 8 }}
 {{- if .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.nodeSelector | nindent 10 }}
diff --git a/values.yaml b/values.yaml
index f315c37..62264f0 100644
--- a/values.yaml
+++ b/values.yaml
@@ -567,7 +567,14 @@ puppetserver:
 # #!/bin/sh
 # echo hi
- ## Optional Secrets to mount in puppetserver container
+ ## Optional Secrets to mount in puppetserver container. Each secret is defined by its desired
+ ## volumeMounts properties
+ ##
+ ## Sample:
+ ## extraSecrets:
+ ## - name: myBigSecret
+ ## mountPath: /custom/path/secret
+ ## readOnly: true ## extraSecrets: []