From cb70f27128716361411dda6fe3c0f37fa36b12b1 Mon Sep 17 00:00:00 2001
From: Danny Seymour
Date: Fri, 18 Nov 2022 16:40:22 -0800
Subject: [PATCH] feat(PLATFORM-1020): support custom volume mounts for certificate files

This opens up supporting the use case of reading certificate files from volumes created by the Secrets Store CSI driver for k8s.
---
 gremlin/templates/chao-deployment.yaml         | 6 +++++-
 gremlin/templates/chao-service-account.yaml    | 4 ++++
 gremlin/templates/daemonset.yaml               | 6 +++++-
 gremlin/templates/gremlin-service-account.yaml | 4 ++++
 gremlin/values.yaml                            | 13 +++++++++++++
 5 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/gremlin/templates/chao-deployment.yaml b/gremlin/templates/chao-deployment.yaml
index 5a51258..c0856e9 100644
--- a/gremlin/templates/chao-deployment.yaml
+++ b/gremlin/templates/chao-deployment.yaml
@@ -116,8 +116,12 @@ spec:
         {{- end }}
       volumes:
       - name: gremlin-cert
+        {{- if .Values.gremlin.secret.certVolume }}
+{{ .Values.gremlin.secret.certVolume | toYaml | indent 8 }}
+        {{- else }}
         secret:
-          secretName: {{ include "gremlin.secretName" . }}
+          secretName: gremlin-secret
+        {{- end }}
       {{- if .Values.ssl.certFile }}
       - name: ssl-cert-file
         secret:
diff --git a/gremlin/templates/chao-service-account.yaml b/gremlin/templates/chao-service-account.yaml
index 56ca195..cc76f7c 100644
--- a/gremlin/templates/chao-service-account.yaml
+++ b/gremlin/templates/chao-service-account.yaml
@@ -4,6 +4,10 @@ kind: ServiceAccount
 metadata:
   name: chao
   namespace: {{ .Release.Namespace }}
+  {{ if .Values.chao.serviceAccount.annotations -}}
+  annotations:
+    {{ .Values.chao.serviceAccount.annotations | toYaml }}
+  {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/gremlin/templates/daemonset.yaml b/gremlin/templates/daemonset.yaml
index 57c1b74..ed97b16 100644
--- a/gremlin/templates/daemonset.yaml
+++ b/gremlin/templates/daemonset.yaml
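Review bot: The `else` branch replaces `{{ include "gremlin.secretName" . }}` with the literal `gremlin-secret`, so the Secret name is no longer resolved through the helper even though this same patch adds `gremlin.secret.name: gremlin-secret` to values.yaml, which nothing in the template reads. A user whose helper input pointed at a differently named Secret would now get a pod that cannot mount its volume, or would silently mount whatever Secret happens to be called `gremlin-secret` in the namespace. Keep the helper, or at least read the new value, `secretName: {{ .Values.gremlin.secret.name }}`; the helper's definition is outside the hunk, so which of the two is intended should be confirmed. The `certVolume` branch also deserves a render check with a non-empty value, since it is emitted with `indent 8` here and `indent 10` in daemonset.yaml while the surrounding sequence indentation is not visible in the hunk.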
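Review bot: `{{ .Values.chao.serviceAccount.annotations | toYaml }}` is indented only by the template's own leading spaces, so the first annotation lands under `annotations:` and every further key is emitted at column 0, which breaks the rendered ServiceAccount as soon as two annotations are set. ServiceAccount annotations are typically how a cloud IAM role is bound to the pod (IRSA, Workload Identity, and the Secrets Store CSI setups this commit targets), so a render failure here blocks exactly the use case being added. Use the indent-aware form inside the existing `if`, `annotations: {{- toYaml .Values.chao.serviceAccount.annotations | nindent 4 }}`, and apply the same fix to the identical block in gremlin-service-account.yaml.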
@@ -174,8 +174,12 @@ spec:
             path: /proc/sysrq-trigger
         {{- if (eq (include "gremlin.secretType" .) "certificate") }}
         - name: gremlin-cert
+          {{- if .Values.gremlin.secret.certVolume }}
+{{ .Values.gremlin.secret.certVolume | toYaml | indent 10}}
+          {{- else }}
           secret:
-            secretName: {{ include "gremlin.secretName" . }}
+            secretName: gremlin-secret
+          {{- end }}
         {{- end }}
         {{- if and .Values.gremlin.podSecurity.seccomp.enabled (eq "localhost/gremlin" .Values.gremlin.podSecurity.seccomp.profile) }}
         - name: seccomp-root
diff --git a/gremlin/templates/gremlin-service-account.yaml b/gremlin/templates/gremlin-service-account.yaml
index facc326..63b3646 100644
--- a/gremlin/templates/gremlin-service-account.yaml
+++ b/gremlin/templates/gremlin-service-account.yaml
@@ -5,6 +5,10 @@ kind: ServiceAccount
 metadata:
   name: gremlin
   namespace: {{ .Release.Namespace }}
+  {{ if .Values.gremlin.serviceAccount.annotations -}}
+  annotations:
+    {{ .Values.gremlin.serviceAccount.annotations | toYaml }}
+  {{- end }}
 {{ if .Values.gremlin.podSecurity.podSecurityPolicy.create }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/gremlin/values.yaml b/gremlin/values.yaml
index 4102db6..f25c0ee 100644
--- a/gremlin/values.yaml
+++ b/gremlin/values.yaml
@@ -110,6 +110,7 @@ gremlin:
     # Gremlin's requirements (see gremlin.podSecurity.podSecurityPolicy and
     # gremlin.podSecurity.securityContextConstraints)
     create: true
+    annotations: {}
   podSecurity:
@@ -237,6 +238,7 @@ gremlin:
   secret:
     # Gremlin supports both `certificate` and `secret` types
     # To manage secrets with helm, set `managed=true` and fill in either the certificate auth or secret auth sections
+    name: gremlin-secret
     type: certificate
     managed: false
     # team identifier (e.g. 11111111-1111-1111-1111-111111111111)
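Review bot: This hunk repeats the certVolume/secret `if`/`else` block from chao-deployment.yaml verbatim apart from the indent value, including the same hard-coded `secretName: gremlin-secret` standing in for the `gremlin.secretName` helper removed on the `-` line. Two copies of the volume source will drift: the indent values already differ (10 here, 8 in the Deployment) and each can only be validated by rendering that template with a non-empty `certVolume`. Consider moving the source into a named template, `{{- define "gremlin.certVolumeSource" -}}`, presumably next to where `gremlin.secretName` is defined, and calling it from both templates with `nindent`, so the override path and the fallback Secret name are fixed in one place.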
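Review bot: The new `name: gremlin-secret` under `gremlin.secret` is not consumed by anything in this patch; both volume templates hard-code `secretName: gremlin-secret` instead, so changing this value has no effect. Either wire it in, `secretName: {{ .Values.gremlin.secret.name }}`, or drop the key, and document what it controls with a comment such as `# Name of the Secret holding the team credentials (created by the chart when managed=true, otherwise expected to pre-exist)`. The Secret template is not in this patch, so whether the name applies to the chart-created Secret, to a pre-existing one, or both should be confirmed before the comment is written.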
@@ -250,6 +252,14 @@ gremlin:
     # team private key (e.g. -----BEGIN EC PRIVATE KEY-----...-----END EC PRIVATE KEY-----)
     key:
+    # Used to define the value of the gremlin-cert volume except the name
+    # This volume should always contain two files named
+    # - gremlin.cert
+    # - gremlin.key
+    # containing the team certificate and private key used to auth the agents
+    # to the gremlin API
+    certVolume: {}
     ## Secret auth requires: `teamSecret`
     # team secret (e.g. 00000000-0000-0000-0000-000000000000)
     teamSecret:
@@ -276,6 +286,9 @@ chao:
   affinity: {}
+  serviceAccount:
+    annotations: {}
 ssl:
   # ssl.certFile -
   # Add a certificate file to Gremlin's set of certificate authorities. This argument expects a file containing the
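Review bot: The `certVolume` comment names the two files that must be present but does not say that the value is spliced into the pod spec verbatim as the volume source, so any `volumes[]` source (including `hostPath`) is accepted and nothing checks that `gremlin.cert` and `gremlin.key` will actually exist, nor does it show the Secrets Store CSI form the commit message is about. Because this volume carries the team private key, the example should be the read-only CSI shape: a commented block under `certVolume: {}` with `csi.driver: secrets-store.csi.k8s.io`, `readOnly: true`, and `volumeAttributes.secretProviderClass` naming a SecretProviderClass whose objects are aliased to `gremlin.cert` and `gremlin.key`. It is also worth stating that a non-empty `certVolume` replaces the `secret:` source entirely, so combined with `managed: true` the chart's own Secret is presumably rendered but never mounted.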