Add support of external-secret
sbrunner committed Aug 9, 2024
1 parent 2cd8155 commit 5255e47
Showing 9 changed files with 199 additions and 10 deletions.
6 changes: 6 additions & 0 deletions .github/spell-ignore-words.txt
Expand Up @@ -16,3 +16,9 @@ YAML
secret.secretName
configMap.name
Lifecycle
SecretStore
ExternalSecret
secretKey
1h
1m
1s
4 changes: 4 additions & 0 deletions .github/workflows/main.yaml
Expand Up @@ -82,6 +82,10 @@ jobs:
run: |
curl https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/jsonnet/prometheus-operator/podmonitors-crd.json --output /tmp/podmonitors-crd.json
kubectl apply -f /tmp/podmonitors-crd.json
- name: Install external-secret CRD
run: |
curl https://raw.githubusercontent.com/external-secrets/external-secrets/main/deploy/crds/bundle.yaml --output /tmp/external-secrets-crd.yaml
kubectl apply -f /tmp/external-secrets-crd.yaml
- name: Apply
run: kubectl apply -f tests/expected.yaml
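Review bot: The new "Install external-secret CRD" step downloads `deploy/crds/bundle.yaml` from the `main` branch of external-secrets, so the CRDs this CI applies change whenever upstream moves, and a future incompatible bundle breaks or silently alters the test run without any change in this repository; pinning to a release tag, `curl --fail https://raw.githubusercontent.com/external-secrets/external-secrets/<release-tag>/deploy/crds/bundle.yaml --output /tmp/external-secrets-crd.yaml`, makes the run reproducible. Without `--fail`, a 404 or error page is written to /tmp and the following `kubectl apply` fails on a confusing parse error instead of on the download. The prometheus-operator step just above has the same two weaknesses, which this hunk copies.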
16 changes: 11 additions & 5 deletions templates/_helpers.tpl
Expand Up @@ -17,12 +17,16 @@ Create the name of the service account to use
- name: {{ .name | quote }}
valueFrom:
{{ .value.type }}KeyRef:
{{ if and (hasKey .value "name" ) ( eq .value.name "self" ) -}}
{{ if and ( hasKey .value "name" ) ( eq .value.name "self" ) -}}
{{ if .value.type | eq "configMap" -}}
name: {{ include "common.fullname" ( dict "root" .root "service" .root.Values.configMaps ) }}
{{ else -}}
name: {{ include "common.fullname" ( dict "root" .root "service" .root.Values.secrets ) }}
{{ end -}}
{{ else if hasPrefix "self-external-secret-" .value.name -}}
{{- $name := substr 21 -1 .value.name }}
{{- $definition := get .root.Values.externalSecret $name }}
name: {{ include "common.fullname" ( dict "root" .root "service" $definition "serviceName" $name ) }}
{{ else if and (hasKey .value "name" ) ( eq .value.name "self-metadata" ) -}}
name: {{ include "common.fullname" ( dict "root" .root "service" .root.Values "serviceName" "metadata" ) }}
{{ else -}}
Expand Down Expand Up @@ -182,13 +186,13 @@ volumes:
secret:
{{- if eq ( default "self" $value.secret.secretName ) "self" }}
secretName: {{ include "common.fullname" ( dict "root" $root "service" $root.Values.secrets ) }}
{{- else }}
{{- if eq ( default "self" $value.secret.secretName ) "self-metadata" }}
secretName: {{ include "common.fullname" ( dict "root" $root "service" $root.Values "serviceName" "metadata" ) }}
{{- else if hasPrefix "self-external-secret-" $value.secret.secretName }}
{{- $name := substr 21 -1 $value.secret.secretName }}
{{- $definition := get $root.Values.externalSecret $name }}
secretName: {{ include "common.fullname" ( dict "root" $root "service" $definition "serviceName" $name ) }}
{{- else }}
secretName: {{ $value.secret.secretName }}
{{- end }}
{{- end }}
{{- with $value.secret.items }}
items: {{- . | toYaml | nindent 6 }}
{{- end }}
Expand All @@ -197,6 +201,8 @@ volumes:
configMap:
{{- if eq ( default "self" $value.configMap.name ) "self" }}
name: {{ include "common.fullname" ( dict "root" $root "service" $root.Values.configMaps ) }}
{{- else if eq ( default "self" $value.configMap.name ) "self-metadata" }}
name: {{ include "common.fullname" ( dict "root" $root "service" $root.Values "serviceName" "metadata" ) }}
{{- else }}
name: {{ $value.configMap.name }}
{{- end }}
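Review bot: The new `else if hasPrefix "self-external-secret-" .value.name` branch in the env helper reads `.value.name` without the `hasKey .value "name"` guard that the branches before and after it use, so an entry without `name` is likely to fail at render time inside hasPrefix instead of reaching the final else; `{{ else if and ( hasKey .value "name" ) ( hasPrefix "self-external-secret-" .value.name ) -}}` keeps the guard. When the suffix names no entry in `.Values.externalSecret`, `get` yields nothing and `common.fullname` is called with an empty service, which (depending on what that helper does with it, not shown here) gives either an error that does not mention the bad key or a Secret name that nothing creates; adding `{{- if not $definition }}{{ fail ( printf "externalSecret %q is not defined" $name ) }}{{- end }}` after the `$definition` assignment, here and in the volumes hunk of this file, turns that into a clear render error. tests/expected.yaml also shows a blank line between `secretKeyRef:` and `name:` for SELF_VAULT, which looks like the un-trimmed newline left after the two assignment lines of this branch; the whitespace control around them is worth checking. Both hunks cut through the enclosing defines, whose start and end are outside this diff.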
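--- /dev/null
+++ b/templates/external-secret.yaml
@@ -0,0 +1,32 @@
+{{- range $name, $definition := .Values.services }}
+{{- if eq $definition.enabled true }}
+{{- if ( or $definition.data $definition.dataFrom ) }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: {{ include "common.fullname" ( dict "root" $ "service" $definition "serviceName" $name ) }}
+{{- include "common.metadata" ( dict "root" $ "service" $definition "serviceName" $name ) | nindent 2 }}
+spec:
+{{- with $definition.refreshInterval }}
+refreshInterval: {{ . }}
+{{- end }}
+{{- with $definition.secretStoreRef }}
+secretStoreRef: {{- toYaml . | nindent 4 }}
+{{- end }}
+target:
+{{- if not ( hasKey ( default ( dict ) .target ) "name" ) }}
+name: {{ include "common.fullname" ( dict "root" $ "service" $definition "serviceName" "external-secret" ) }}
+{{- end }}
+{{- with $definition.target }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $definition.dataFrom }}
+dataFrom: {{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with $definition.data }}
+data: {{- include "common.dictToList" ( dict "keyName" "secretKey" "contents" . ) | nindent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}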
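Review bot: The template ranges over `.Values.services` on its first line but reads `data`, `dataFrom`, `refreshInterval`, `secretStoreRef` and `target` from each entry, which are the fields this commit adds to the `externalSecret` values object in values.schema.json; unless service entries also carry those keys (their schema is not in this diff), no ExternalSecret is ever rendered, which matches tests/expected.yaml gaining only volume and env lines although tests/values.yaml defines two externalSecret entries with `data`. The range should be `{{- range $name, $definition := .Values.externalSecret }}`. Separately, the default target name uses `"serviceName" "external-secret"` while the `self-external-secret-<name>` resolution in templates/_helpers.tpl uses `"serviceName" $name`, so a pod referencing `self-external-secret-app` expects `custom-custom-pod-app` but the ExternalSecret would write a Secret with the `external-secret` suffix unless `target.name` is set; using `"serviceName" $name` in the default target name keeps the two sides aligned.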
4 changes: 4 additions & 0 deletions templates/secret.yaml
@@ -1,4 +1,6 @@
{{- with .Values.secrets }}
{{- if .enabled }}
{{- if .content }}
---
apiVersion: v1
kind: Secret
Expand All @@ -17,3 +19,5 @@ data:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
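Review bot: `{{- if .enabled }}` now suppresses the Secret whenever `secrets.enabled` is absent, so unless the chart's default values.yaml (not in this diff) sets it, existing deployments that never set the key lose their Secret on upgrade, while values.md states the default is `true`; `{{- if or ( not ( hasKey . "enabled" ) ) .enabled }}` keeps the documented default. The tests only pass because tests/values.yaml adds `enabled: true` explicitly in this same commit. The `eq $definition.enabled true` test in templates/external-secret.yaml has the same dependency on an explicit value.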
18 changes: 18 additions & 0 deletions tests/expected.yaml
Expand Up @@ -658,6 +658,18 @@ spec:
items:
- key: testYaml
path: test.yaml
- name: self-configmap-metadata
configMap:
name: custom-custom-pod-metadata
items:
- key: testYaml
path: test.yaml
- name: self-external-secret
secret:
secretName: custom-custom-pod-app
items:
- key: hostname
path: hostname.txt
- name: self-secret
secret:
secretName: custom-custom-pod
Expand Down Expand Up @@ -1032,6 +1044,12 @@ spec:
secretKeyRef:
name: custom-custom-pod
key: "test"
- name: "SELF_VAULT"
valueFrom:
secretKeyRef:

name: custom-custom-pod-app
key: "hostname"
terminationMessagePolicy: FallbackToLogsOnError
---
# Source: custom-pod/templates/statefulset.yaml
39 changes: 39 additions & 0 deletions tests/values.yaml
Expand Up @@ -41,6 +41,7 @@ dockerregistry:
password: '1234'

secrets:
enabled: true
annotations:
testAnnotation: annotation value for secrets
content:
Expand All @@ -53,6 +54,28 @@ secrets:
user: toto
password: toto

externalSecret:
app:
enabled: true
refreshInterval: 1h
secretStoreRef:
name: my-secret-store
kind: SecretStore
data:
hostname:
remoteRef:
key: hostname
global:
enabled: true
refreshInterval: 1h
secretStoreRef:
name: my-global-secret-store
kind: SecretStore
data:
pass:
remoteRef:
key: pass

configMaps:
annotations:
testAnnotation: annotation value for configmaps
Expand Down Expand Up @@ -198,6 +221,18 @@ services:
path: test.yaml
self-secret:
secret: {}
self-configmap-metadata:
configMap:
name: self-metadata
items:
- key: testYaml
path: test.yaml
self-external-secret:
secret:
secretName: self-external-secret-app
items:
- key: hostname
path: hostname.txt

service: &servicedefinition
type: ClusterIP
Expand Down Expand Up @@ -508,3 +543,7 @@ services:
type: configMap
name: self-metadata
key: CHART_NAME
SELF_VAULT:
type: secret
name: self-external-secret-app
key: hostname
21 changes: 19 additions & 2 deletions values.md
Expand Up @@ -54,14 +54,15 @@
- **`password`** _(string, required)_: Password.
- **`email`** _(string)_: Email.
- **`secrets`** _(object)_: Cannot contain additional properties.
- **`enabled`** _(boolean)_: Enable the Secret. Default: `true`.
- **`nameOverride`**: Refer to _[#/definitions/nameOverride](#definitions/nameOverride)_.
- **`fullnameOverride`**: Refer to _[#/definitions/fullnameOverride](#definitions/fullnameOverride)_.
- **`serviceName`**: Refer to _[#/definitions/serviceName](#definitions/serviceName)_.
- **`releaseTrunc`**: Refer to _[#/definitions/releaseTrunc](#definitions/releaseTrunc)_.
- **`prefixTrunc`**: Refer to _[#/definitions/prefixTrunc](#definitions/prefixTrunc)_.
- **`labels`**: Refer to _[#/definitions/labels](#definitions/labels)_.
- **`annotations`**: Refer to _[#/definitions/annotations](#definitions/annotations)_.
- **`content`** _(object, required)_: Secrets configuration. Can contain additional properties.
- **`content`** _(object)_: Secrets configuration. Can contain additional properties.
- **Additional properties**
- **One of**
- _object_: Secret from a direct value. Cannot contain additional properties.
Expand All @@ -71,6 +72,22 @@
- **`type`** _(string)_: Type of the secret. Must be one of: `["basicAuth"]`.
- **`user`** _(string)_: Username.
- **`password`** _(string)_: Password.
- **`externalSecret`** _(object)_: Can contain additional properties.
- **Additional properties** _(object)_: Cannot contain additional properties.
- **`enabled`** _(boolean)_: Enable the ExternalSecret. Default: `true`.
- **`nameOverride`**: Refer to _[#/definitions/nameOverride](#definitions/nameOverride)_.
- **`fullnameOverride`**: Refer to _[#/definitions/fullnameOverride](#definitions/fullnameOverride)_.
- **`serviceName`**: Refer to _[#/definitions/serviceName](#definitions/serviceName)_.
- **`releaseTrunc`**: Refer to _[#/definitions/releaseTrunc](#definitions/releaseTrunc)_.
- **`prefixTrunc`**: Refer to _[#/definitions/prefixTrunc](#definitions/prefixTrunc)_.
- **`labels`**: Refer to _[#/definitions/labels](#definitions/labels)_.
- **`annotations`**: Refer to _[#/definitions/annotations](#definitions/annotations)_.
- **`refreshInterval`** _(string)_: The refresh interval like 1h, 1m, 1s.
- **`secretStoreRef`** _(object)_: defines which SecretStore to fetch the ExternalSecret data.
- **`target`** _(object)_: defines the Kubernetes Secret to be created.
- **`dataFrom`** _(array)_: used to fetch all properties from a specific Provider data.
- **`data`** _(object)_: Data defines the connection between the Kubernetes Secret keys and the Provider data. Can contain additional properties.
- **Additional properties** _(object)_: defines the connection between the Kubernetes Secret key and the Provider data. The map key became the secretKey.
- **`configMaps`** _(object)_: Cannot contain additional properties.
- **`nameOverride`**: Refer to _[#/definitions/nameOverride](#definitions/nameOverride)_.
- **`fullnameOverride`**: Refer to _[#/definitions/fullnameOverride](#definitions/fullnameOverride)_.
Expand Down Expand Up @@ -137,7 +154,7 @@
- **`failedJobsHistoryLimit`** _(integer)_: CronJob - failedJobsHistoryLimit.
- **`concurrencyPolicy`** _(string)_: CronJob - concurrencyPolicy. Must be one of: `["Allow", "Forbid", "Replace"]`.
- **`volumeClaimTemplates`** _(array)_: The volume claim templates, the key is the name of the volume claim template.
- **`volumes`** _(object)_: The volumes configuration, the key is the name of the volume, if `secret.secretName` or `configMap.name` is not defined, or defined to 'self' the internal one will be used, use 'self-metadata' for the metadata ConfigMap.
- **`volumes`** _(object)_: The volumes configuration, the key is the name of the volume, if `secret.secretName` or `configMap.name` is not defined, or defined to 'self' the internal one will be used, use 'self-metadata' for the metadata ConfigMap, 'self-external-secret' for the external secret.
- **`pdb`** _(object)_: The Pod disruption budget configuration. Cannot contain additional properties. Default: `{"enabled": true, "maxUnavailable": 1}`.
- **`enabled`** _(boolean)_: Enable the Pod disruption budget. Default: `true`.
- **`minAvailable`** _(integer)_: The minimum number of Pods available.
69 changes: 66 additions & 3 deletions values.schema.json
Expand Up @@ -468,6 +468,11 @@
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"type": "boolean",
"description": "Enable the Secret",
"default": true
},
"nameOverride": {
"$ref": "#/definitions/nameOverride"
},
Expand Down Expand Up @@ -534,8 +539,66 @@
]
}
}
},
"required": ["content"]
}
},
"externalSecret": {
"type": "object",
"additionalProperties": {
"type": "object",
"additionalProperties": false,
"properties": {
"enabled": {
"type": "boolean",
"description": "Enable the ExternalSecret",
"default": true
},
"nameOverride": {
"$ref": "#/definitions/nameOverride"
},
"fullnameOverride": {
"$ref": "#/definitions/fullnameOverride"
},
"serviceName": {
"$ref": "#/definitions/serviceName"
},
"releaseTrunc": {
"$ref": "#/definitions/releaseTrunc"
},
"prefixTrunc": {
"$ref": "#/definitions/prefixTrunc"
},
"labels": {
"$ref": "#/definitions/labels"
},
"annotations": {
"$ref": "#/definitions/annotations"
},
"refreshInterval": {
"type": "string",
"description": "The refresh interval like 1h, 1m, 1s"
},
"secretStoreRef": {
"type": "object",
"description": "defines which SecretStore to fetch the ExternalSecret data."
},
"target": {
"type": "object",
"description": "defines the Kubernetes Secret to be created."
},
"dataFrom": {
"type": "array",
"description": "used to fetch all properties from a specific Provider data."
},
"data": {
"type": "object",
"description": "Data defines the connection between the Kubernetes Secret keys and the Provider data.",
"additionalProperties": {
"type": "object",
"description": "defines the connection between the Kubernetes Secret key and the Provider data. The map key became the secretKey"
}
}
}
}
},
"configMaps": {
"type": "object",
Expand Down Expand Up @@ -803,7 +866,7 @@
},
"volumes": {
"type": "object",
"description": "The volumes configuration, the key is the name of the volume, if `secret.secretName` or `configMap.name` is not defined, or defined to 'self' the internal one will be used, use 'self-metadata' for the metadata ConfigMap"
"description": "The volumes configuration, the key is the name of the volume, if `secret.secretName` or `configMap.name` is not defined, or defined to 'self' the internal one will be used, use 'self-metadata' for the metadata ConfigMap, 'self-external-secret' for the external secret"
},
"pdb": {
"type": "object",