Add support of external-secret #215

Merged: 1 commit, Aug 13, 2024
6 changes: 6 additions & 0 deletions .github/spell-ignore-words.txt
Expand Up @@ -16,3 +16,9 @@ YAML
secret.secretName
configMap.name
Lifecycle
SecretStore
ExternalSecret
secretKey
1h
1m
1s
4 changes: 4 additions & 0 deletions .github/workflows/main.yaml
Expand Up @@ -82,6 +82,10 @@ jobs:
run: |
curl https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/main/jsonnet/prometheus-operator/podmonitors-crd.json --output /tmp/podmonitors-crd.json
kubectl apply -f /tmp/podmonitors-crd.json
- name: Install external-secret CRD
run: |
curl https://raw.githubusercontent.com/external-secrets/external-secrets/main/deploy/crds/bundle.yaml --output /tmp/external-secrets-crd.yaml
kubectl apply -f /tmp/external-secrets-crd.yaml

- name: Apply
run: kubectl apply -f tests/expected.yaml
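Review bot: the CRD bundle is pulled from the upstream `main` branch with no pin and no `--fail`, so this job will drift with external-secrets development (the chart renders `external-secrets.io/v1beta1`, which upstream can drop from `main` at any time) and a 404 would silently write an HTML error page to `/tmp/external-secrets-crd.yaml`, only to fail later in `kubectl apply` with an unrelated parse error. Pin the URL to a release tag (`.../external-secrets/<tag>/deploy/crds/bundle.yaml`, tag to be chosen) and use `curl --fail --silent --show-error`; the podmonitors step just above has the same weakness and could be fixed in the same commit. Naming nit: the step says "external-secret CRD" but the bundle contains several CRDs for the external-secrets project.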
16 changes: 11 additions & 5 deletions templates/_helpers.tpl
Expand Up @@ -17,12 +17,16 @@ Create the name of the service account to use
- name: {{ .name | quote }}
valueFrom:
{{ .value.type }}KeyRef:
{{ if and (hasKey .value "name" ) ( eq .value.name "self" ) -}}
{{ if and ( hasKey .value "name" ) ( eq .value.name "self" ) -}}
{{ if .value.type | eq "configMap" -}}
name: {{ include "common.fullname" ( dict "root" .root "service" .root.Values.configMaps ) }}
{{ else -}}
name: {{ include "common.fullname" ( dict "root" .root "service" .root.Values.secrets ) }}
{{ end -}}
{{ else if hasPrefix "self-external-secret-" .value.name -}}
{{- $name := substr 21 -1 .value.name }}
{{- $definition := get .root.Values.externalSecrets $name }}
name: {{ include "common.fullname" ( dict "root" .root "service" $definition "serviceName" $name ) }}
{{ else if and (hasKey .value "name" ) ( eq .value.name "self-metadata" ) -}}
name: {{ include "common.fullname" ( dict "root" .root "service" .root.Values "serviceName" "metadata" ) }}
{{ else -}}
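Review bot: the new `else if hasPrefix "self-external-secret-" .value.name` branch drops the `hasKey .value "name"` guard that both neighbouring branches keep, so an env entry whose `name` is omitted (the final `else` implies that is a supported input) now hands a nil to `hasPrefix` instead of reaching the default branch; write it as `{{ else if and ( hasKey .value "name" ) ( hasPrefix "self-external-secret-" .value.name ) -}}`. Two smaller points in the same branch: `get .root.Values.externalSecrets $name` returns an empty value for a mistyped suffix and the template then happily renders a name for a Secret nobody creates, where `required` (or an explicit `fail`) would stop the render with a useful message; and the `{{- $definition := ... }}` line has no trailing `-}}`, which is why tests/expected.yaml shows a whitespace-only line between `secretKeyRef:` and `name: custom-custom-pod-app` for `SELF_VAULT`. `trimPrefix "self-external-secret-" .value.name` would also read better than `substr 21 -1`, whose magic 21 has to be kept in sync with the prefix by hand.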
Expand Down Expand Up @@ -182,13 +186,13 @@ volumes:
secret:
{{- if eq ( default "self" $value.secret.secretName ) "self" }}
secretName: {{ include "common.fullname" ( dict "root" $root "service" $root.Values.secrets ) }}
{{- else }}
{{- if eq ( default "self" $value.secret.secretName ) "self-metadata" }}
secretName: {{ include "common.fullname" ( dict "root" $root "service" $root.Values "serviceName" "metadata" ) }}
{{- else if hasPrefix "self-external-secret-" $value.secret.secretName }}
{{- $name := substr 21 -1 $value.secret.secretName }}
{{- $definition := get $root.Values.externalSecrets $name }}
secretName: {{ include "common.fullname" ( dict "root" $root "service" $definition "serviceName" $name ) }}
{{- else }}
secretName: {{ $value.secret.secretName }}
{{- end }}
{{- end }}
{{- with $value.secret.items }}
items: {{- . | toYaml | nindent 6 }}
{{- end }}
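Review bot: the name rendered in the `self-external-secret-` branch is the ExternalSecret's own `metadata.name` (`common.fullname` with `serviceName $name`), but the Secret a Pod can actually mount is the one ESO writes to `spec.target.name`, which templates/external-secret.yaml defaults to `serviceName "external-secret"` and also lets the user override through `target.name`. tests/expected.yaml shows the consequence: the volume mounts `secretName: custom-custom-pod-app` while the matching ExternalSecret's target is `custom-custom-pod-external-secret`, so the Pod would sit in ContainerCreating waiting for a Secret that never appears. Either resolve the name here through the same rule as the ExternalSecret target (honour `$definition.target.name`, else the default) via one shared helper used by both templates, or change the ExternalSecret to default its target to the same `$name`-based fullname used here. The `get` without `required` has the same silent-failure problem as in the env-var branch above.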
Expand All @@ -197,6 +201,8 @@ volumes:
configMap:
{{- if eq ( default "self" $value.configMap.name ) "self" }}
name: {{ include "common.fullname" ( dict "root" $root "service" $root.Values.configMaps ) }}
{{- else if eq ( default "self" $value.configMap.name ) "self-metadata" }}
name: {{ include "common.fullname" ( dict "root" $root "service" $root.Values "serviceName" "metadata" ) }}
{{- else }}
name: {{ $value.configMap.name }}
{{- end }}
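Review bot: the `self-metadata` support for `configMap.name` in volumes is a separate feature from external secrets (it mirrors what the env-var helper already did) and would be easier to review and to bisect later as its own commit; if it stays in this PR, the PR title and the values.md change should mention it.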
32 changes: 32 additions & 0 deletions templates/external-secret.yaml
@@ -0,0 +1,32 @@
{{- range $name, $definition := .Values.externalSecrets }}
{{- if eq $definition.enabled true }}
{{- if ( or $definition.data $definition.dataFrom ) }}
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ include "common.fullname" ( dict "root" $ "service" $definition "serviceName" $name ) }}
{{- include "common.metadata" ( dict "root" $ "service" $definition "serviceName" $name ) | nindent 2 }}
spec:
{{- with $definition.refreshInterval }}
refreshInterval: {{ . }}
{{- end }}
{{- with $definition.secretStoreRef }}
secretStoreRef: {{- toYaml . | nindent 4 }}
{{- end }}
target:
{{- if not ( hasKey ( default ( dict ) .target ) "name" ) }}
name: {{ include "common.fullname" ( dict "root" $ "service" $definition "serviceName" "external-secret" ) }}
{{- end }}
{{- with $definition.target }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $definition.dataFrom }}
dataFrom: {{- toYaml . | nindent 4 }}
{{- end }}
{{- with $definition.data }}
data: {{- include "common.dictToList" ( dict "keyName" "secretKey" "contents" . ) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
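Review bot: `eq $definition.enabled true` does not evaluate to true when `enabled` is omitted (on older template engines it is a render error), so an entry that does not spell out `enabled: true` silently renders nothing, contradicting the documented default of `true` in values.md; Sprig's `default` treats `false` as empty, so `default true $definition.enabled` would not help either. `{{- if or ( not ( hasKey $definition "enabled" ) ) $definition.enabled }}` gives the documented behaviour on any version. The target default is also a per-release constant: `serviceName "external-secret"` yields the same Secret name for every key under `externalSecrets`, which is what tests/expected.yaml shows (both `custom-custom-pod-app` and `custom-custom-pod-global` target `custom-custom-pod-external-secret`), and it is not the name the `self-external-secret-<name>` branch in _helpers.tpl tells the Pod to mount. Defaulting the target to `serviceName $name` fixes both the collision and the mismatch. Minor: `.target` in the `hasKey` check and `$definition.target` two lines later are the same value inside this `range`; use one form.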
4 changes: 4 additions & 0 deletions templates/secret.yaml
@@ -1,4 +1,6 @@
{{- with .Values.secrets }}
{{- if .enabled }}
{{- if .content }}
---
apiVersion: v1
kind: Secret
Expand All @@ -17,3 +19,5 @@ data:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
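Review bot: `{{- if .enabled }}` gates a resource that already exists on a key that tests/values.yaml had to gain in this same PR (`secrets: enabled: true`), which suggests the chart's default values.yaml does not set it; if that is the case, every current user who only configures `secrets.content` stops getting a Secret after upgrading, and their `self` volume and env references break with it. Either add `enabled: true` under `secrets` in the chart's values.yaml (not in this diff) or test `or ( not ( hasKey . "enabled" ) ) .enabled` so the documented default holds. The two templates should also agree on how an absent `enabled` is treated; here it is truthiness, in external-secret.yaml it is `eq ... true`.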
66 changes: 66 additions & 0 deletions tests/expected.yaml
Expand Up @@ -658,6 +658,18 @@ spec:
items:
- key: testYaml
path: test.yaml
- name: self-configmap-metadata
configMap:
name: custom-custom-pod-metadata
items:
- key: testYaml
path: test.yaml
- name: self-external-secret
secret:
secretName: custom-custom-pod-app
items:
- key: hostname
path: hostname.txt
- name: self-secret
secret:
secretName: custom-custom-pod
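Review bot: the `self-external-secret` volume rendered here is the visible symptom of the naming problem in _helpers.tpl: `secretName: custom-custom-pod-app` is the ExternalSecret's name, while the Secret ESO will create for it (its `target.name` further down in this file) is `custom-custom-pod-external-secret`. The CI job only installs the CRDs and applies the manifest, so the API server accepts this Pod and the test stays green even though the Pod could never start; the expected output should be corrected together with the helper rather than committed as-is.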
Expand Down Expand Up @@ -1032,6 +1044,12 @@ spec:
secretKeyRef:
name: custom-custom-pod
key: "test"
- name: "SELF_VAULT"
valueFrom:
secretKeyRef:

name: custom-custom-pod-app
key: "hostname"
terminationMessagePolicy: FallbackToLogsOnError
---
# Source: custom-pod/templates/statefulset.yaml
Expand Down Expand Up @@ -1398,6 +1416,54 @@ spec:
port:
number: 8080
---
# Source: custom-pod/templates/external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: custom-custom-pod-app
labels:
helm.sh/chart: custom-pod
app.kubernetes.io/version: "1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: custom-pod
app.kubernetes.io/instance: custom
app.kubernetes.io/component: app
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: my-secret-store
target:
name: custom-custom-pod-external-secret
data:
- secretKey: hostname
remoteRef:
key: hostname
---
# Source: custom-pod/templates/external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: custom-custom-pod-global
labels:
helm.sh/chart: custom-pod
app.kubernetes.io/version: "1.0"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: custom-pod
app.kubernetes.io/instance: custom
app.kubernetes.io/component: global
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: my-global-secret-store
target:
name: custom-custom-pod-external-secret
data:
- secretKey: pass
remoteRef:
key: pass
---
# Source: custom-pod/templates/podmonitor.yaml
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
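Review bot: the two ExternalSecrets `custom-custom-pod-app` and `custom-custom-pod-global` both declare `target.name: custom-custom-pod-external-secret`, so in one namespace they compete for a single Secret; with ESO's default `creationPolicy: Owner` the second controller loop cannot take ownership of a Secret already owned by the first, and the `pass` and `hostname` keys would never coexist. Neither ExternalSecret produces a Secret named `custom-custom-pod-app` or `custom-custom-pod-global`, which is what the Pod spec earlier in this file references. This is the rendered evidence that the default target name in templates/external-secret.yaml needs the per-entry `$name`.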
39 changes: 39 additions & 0 deletions tests/values.yaml
Expand Up @@ -41,6 +41,7 @@ dockerregistry:
password: '1234'

secrets:
enabled: true
annotations:
testAnnotation: annotation value for secrets
content:
Expand All @@ -53,6 +54,28 @@ secrets:
user: toto
password: toto

externalSecrets:
app:
enabled: true
refreshInterval: 1h
secretStoreRef:
name: my-secret-store
kind: SecretStore
data:
hostname:
remoteRef:
key: hostname
global:
enabled: true
refreshInterval: 1h
secretStoreRef:
name: my-global-secret-store
kind: SecretStore
data:
pass:
remoteRef:
key: pass

configMaps:
annotations:
testAnnotation: annotation value for configmaps
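Review bot: both test entries leave `target` unset and use `data` only, so neither the `target.name` override nor the `dataFrom` branch of templates/external-secret.yaml is ever rendered, and the shared default target name goes unnoticed in tests/expected.yaml. Add one entry with an explicit `target.name` and one that uses `dataFrom`, and add an entry that omits `enabled` to pin down whether the documented default of `true` actually applies.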
Expand Down Expand Up @@ -198,6 +221,18 @@ services:
path: test.yaml
self-secret:
secret: {}
self-configmap-metadata:
configMap:
name: self-metadata
items:
- key: testYaml
path: test.yaml
self-external-secret:
secret:
secretName: self-external-secret-app
items:
- key: hostname
path: hostname.txt

service: &servicedefinition
type: ClusterIP
Expand Down Expand Up @@ -508,3 +543,7 @@ services:
type: configMap
name: self-metadata
key: CHART_NAME
SELF_VAULT:
type: secret
name: self-external-secret-app
key: hostname
21 changes: 19 additions & 2 deletions values.md
Expand Up @@ -54,14 +54,15 @@
- **`password`** _(string, required)_: Password.
- **`email`** _(string)_: Email.
- **`secrets`** _(object)_: Cannot contain additional properties.
- **`enabled`** _(boolean)_: Enable the Secret. Default: `true`.
- **`nameOverride`**: Refer to _[#/definitions/nameOverride](#definitions/nameOverride)_.
- **`fullnameOverride`**: Refer to _[#/definitions/fullnameOverride](#definitions/fullnameOverride)_.
- **`serviceName`**: Refer to _[#/definitions/serviceName](#definitions/serviceName)_.
- **`releaseTrunc`**: Refer to _[#/definitions/releaseTrunc](#definitions/releaseTrunc)_.
- **`prefixTrunc`**: Refer to _[#/definitions/prefixTrunc](#definitions/prefixTrunc)_.
- **`labels`**: Refer to _[#/definitions/labels](#definitions/labels)_.
- **`annotations`**: Refer to _[#/definitions/annotations](#definitions/annotations)_.
- **`content`** _(object, required)_: Secrets configuration. Can contain additional properties.
- **`content`** _(object)_: Secrets configuration. Can contain additional properties.
- **Additional properties**
- **One of**
- _object_: Secret from a direct value. Cannot contain additional properties.
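Review bot: with `content` no longer required, the description should say what happens when it is absent: templates/secret.yaml renders no Secret at all in that case, so a `self` reference from a volume or env var then points at a Secret that does not exist. One clause here ("no Secret is rendered when `content` is empty") saves a confusing debugging session. The `enabled` default of `true` only holds if the chart's values.yaml sets it, which this PR does not show.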
Expand All @@ -71,6 +72,22 @@
- **`type`** _(string)_: Type of the secret. Must be one of: `["basicAuth"]`.
- **`user`** _(string)_: Username.
- **`password`** _(string)_: Password.
- **`externalSecrets`** _(object)_: Can contain additional properties.
- **Additional properties** _(object)_: Cannot contain additional properties.
- **`enabled`** _(boolean)_: Enable the ExternalSecret. Default: `true`.
- **`nameOverride`**: Refer to _[#/definitions/nameOverride](#definitions/nameOverride)_.
- **`fullnameOverride`**: Refer to _[#/definitions/fullnameOverride](#definitions/fullnameOverride)_.
- **`serviceName`**: Refer to _[#/definitions/serviceName](#definitions/serviceName)_.
- **`releaseTrunc`**: Refer to _[#/definitions/releaseTrunc](#definitions/releaseTrunc)_.
- **`prefixTrunc`**: Refer to _[#/definitions/prefixTrunc](#definitions/prefixTrunc)_.
- **`labels`**: Refer to _[#/definitions/labels](#definitions/labels)_.
- **`annotations`**: Refer to _[#/definitions/annotations](#definitions/annotations)_.
- **`refreshInterval`** _(string)_: The refresh interval like 1h, 1m, 1s.
- **`secretStoreRef`** _(object)_: defines which SecretStore to fetch the ExternalSecret data.
- **`target`** _(object)_: defines the Kubernetes Secret to be created.
- **`dataFrom`** _(array)_: used to fetch all properties from a specific Provider data.
- **`data`** _(object)_: Data defines the connection between the Kubernetes Secret keys and the Provider data. Can contain additional properties.
- **Additional properties** _(object)_: defines the connection between the Kubernetes Secret key and the Provider data. The map key became the secretKey.
- **`configMaps`** _(object)_: Cannot contain additional properties.
- **`nameOverride`**: Refer to _[#/definitions/nameOverride](#definitions/nameOverride)_.
- **`fullnameOverride`**: Refer to _[#/definitions/fullnameOverride](#definitions/fullnameOverride)_.
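Review bot: the `externalSecrets` section never tells the reader how to consume the Secret it produces, which is the point of the feature; the `self-external-secret-<name>` token accepted by `volumes.*.secret.secretName` and by an env var's `name` belongs here as a sentence with an example. Wording: "The map key became the secretKey" should read "becomes"; the `secretStoreRef`, `target` and `dataFrom` descriptions are lower-cased fragments lifted from the CRD ("defines which SecretStore to fetch the ExternalSecret data" is missing "from"); `refreshInterval` should say it is a Go duration string rather than listing `1h, 1m, 1s`, which would also remove the need to add those tokens to .github/spell-ignore-words.txt. If values.md is generated from the values schema, these fixes belong in the schema descriptions.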
Expand Down Expand Up @@ -137,7 +154,7 @@
- **`failedJobsHistoryLimit`** _(integer)_: CronJob - failedJobsHistoryLimit.
- **`concurrencyPolicy`** _(string)_: CronJob - concurrencyPolicy. Must be one of: `["Allow", "Forbid", "Replace"]`.
- **`volumeClaimTemplates`** _(array)_: The volume claim templates, the key is the name of the volume claim template.
- **`volumes`** _(object)_: The volumes configuration, the key is the name of the volume, if `secret.secretName` or `configMap.name` is not defined, or defined to 'self' the internal one will be used, use 'self-metadata' for the metadata ConfigMap.
- **`volumes`** _(object)_: The volumes configuration, the key is the name of the volume, if `secret.secretName` or `configMap.name` is not defined, or defined to 'self' the internal one will be used, use 'self-metadata' for the metadata ConfigMap, 'self-external-secret' for the external secret.
- **`pdb`** _(object)_: The Pod disruption budget configuration. Cannot contain additional properties. Default: `{"enabled": true, "maxUnavailable": 1}`.
- **`enabled`** _(boolean)_: Enable the Pod disruption budget. Default: `true`.
- **`minAvailable`** _(integer)_: The minimum number of Pods available.
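Review bot: `'self-external-secret'` on its own is not a value the helper accepts: _helpers.tpl matches the prefix `self-external-secret-` and takes the remainder as the key under `externalSecrets`, so the documented form should be `self-external-secret-<name>` (for example `self-external-secret-app` for `externalSecrets.app`, as tests/values.yaml uses). The env-var `name` description, not in this diff, accepts the same token and needs the same wording.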