feat(PLATFORM-1020): support custom volume mounts for certificate files

This opens up supporting the use case of reading certificate files from volumes created by the Secrets Store CSI driver for k8s.
gremlin · Nov 19, 2022 · cb70f27 · cb70f27
1 parent 0116f63
commit cb70f27
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 2 deletions.
diff --git a/gremlin/templates/chao-deployment.yaml b/gremlin/templates/chao-deployment.yaml
@@ -116,8 +116,12 @@ spec:
 {{- end }}
       volumes:
       - name: gremlin-cert
+        {{- if .Values.gremlin.secret.certVolume }}
+{{ .Values.gremlin.secret.certVolume | toYaml | indent 8 }}
+        {{- else }}
         secret:
-          secretName: {{ include "gremlin.secretName" . }}
+          secretName: gremlin-secret
+        {{- end }}
 {{- if .Values.ssl.certFile }}
       - name: ssl-cert-file
         secret:

diff --git a/gremlin/templates/chao-service-account.yaml b/gremlin/templates/chao-service-account.yaml
@@ -4,6 +4,10 @@ kind: ServiceAccount
 metadata:
   name: chao
   namespace: {{ .Release.Namespace }}
+  {{ if .Values.chao.serviceAccount.annotations -}}
+  annotations:
+    {{ .Values.chao.serviceAccount.annotations | toYaml }}
+  {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/gremlin/templates/daemonset.yaml b/gremlin/templates/daemonset.yaml
@@ -174,8 +174,12 @@ spec:
             path: /proc/sysrq-trigger
         {{- if (eq (include "gremlin.secretType" .) "certificate") }}
         - name: gremlin-cert
+        {{- if .Values.gremlin.secret.certVolume }}
+{{ .Values.gremlin.secret.certVolume | toYaml | indent 10}}
+          {{- else }}
           secret:
-            secretName: {{ include "gremlin.secretName" . }}
+            secretName: gremlin-secret
+          {{- end }}
         {{- end }}
         {{- if and .Values.gremlin.podSecurity.seccomp.enabled (eq "localhost/gremlin" .Values.gremlin.podSecurity.seccomp.profile) }}
         - name: seccomp-root

diff --git a/gremlin/templates/gremlin-service-account.yaml b/gremlin/templates/gremlin-service-account.yaml
@@ -5,6 +5,10 @@ kind: ServiceAccount
 metadata:
   name: gremlin
   namespace: {{ .Release.Namespace }}
+  {{ if .Values.gremlin.serviceAccount.annotations -}}
+  annotations:
+    {{ .Values.gremlin.serviceAccount.annotations | toYaml }}
+  {{- end }}
 {{ if .Values.gremlin.podSecurity.podSecurityPolicy.create }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/gremlin/values.yaml b/gremlin/values.yaml
@@ -110,6 +110,7 @@ gremlin:
     #   Gremlin's requirements (see gremlin.podSecurity.podSecurityPolicy and
     #   gremlin.podSecurity.securityContextConstraints)
     create: true
+    annotations: {}
 
   podSecurity:
 
@@ -237,6 +238,7 @@ gremlin:
   secret:
     # Gremlin supports both `certificate` and `secret` types
     # To manage secrets with helm, set `managed=true` and fill in either the certificate auth or secret auth sections
+    name: gremlin-secret
     type: certificate
     managed: false
     # team identifier (e.g. 11111111-1111-1111-1111-111111111111)
@@ -250,6 +252,14 @@ gremlin:
     # team private key (e.g. -----BEGIN EC PRIVATE KEY-----...-----END EC PRIVATE KEY-----)
     key:
 
+    # Used to define the value of the gremlin-cert volume except the name
+    # This volume should always contain two files named
+    # - gremlin.cert
+    # - gremlin.key
+    # containing the team certificate and private key used to auth the agents
+    # to the gremlin API
+    certVolume: {}
+
     ## Secret auth requires: `teamSecret`
     # team secret (e.g. 00000000-0000-0000-0000-000000000000)
     teamSecret:
@@ -276,6 +286,9 @@ chao:
 
   affinity: {}
 
+  serviceAccount:
+    annotations: {}
+
 ssl:
   # ssl.certFile -
   # Add a certificate file to Gremlin's set of certificate authorities. This argument expects a file containing the