vals-operator: "make charts"

pull/264/head
Sergio Rua 2021-11-25 10:53:46 +00:00
parent 871f2a4095
commit 7d14c3354c
No known key found for this signature in database
GPG Key ID: AD5C658B2DA15D37
15 changed files with 585 additions and 0 deletions



@ -0,0 +1,50 @@
# These are some examples of commonly ignored file patterns.
# You should customize this list as applicable to your project.
# Learn more about .gitignore:
# https://www.atlassian.com/git/tutorials/saving-changes/gitignore
# Node artifact files
node_modules/
dist/
# Compiled Java class files
*.class
# Compiled Python bytecode
*.py[cod]
# Log files
*.log
# Package files
*.jar
# Maven
target/
dist/
# JetBrains IDE
.idea/
# Unit test reports
TEST*.xml
# Generated by MacOS
.DS_Store
# Generated by Windows
Thumbs.db
# Applications
*.app
*.exe
*.war
# Large media files
*.mp4
*.tiff
*.avi
*.flv
*.mov
*.wmv


@ -0,0 +1,16 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Vals-Operator
catalog.cattle.io/release-name: vals-operator
apiVersion: v2
appVersion: v0.3.0
description: This helm chart installs the Digitalis Vals Operator to manage sync secrets
from supported backends into Kubernetes
icon: https://digitalis.io/wp-content/uploads/2020/06/cropped-Digitalis-512x512-Blue_Digitalis-512x512-Blue-32x32.png
kubeVersion: '>= 1.19'
maintainers:
- email: info@digitalis.io
name: Digitalis.IO
name: vals-operator
type: application
version: 0.2.1
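Review bot: `version: 0.2.1` here disagrees with the README added in this same commit, which says `Current chart version is \`0.1.0\``, and the Rancher questions file pins `image.tag` to a literal `v0.3.0` instead of falling back to `appVersion` as the deployment template does. Keep Chart.yaml the single source of truth: regenerate the README values table from it (the table also lacks `environmentSecret` and `metricsPort`, both of which values.yaml defines) and make the questions default an empty tag. The `description` could also state up front that the operator is installed with a ClusterRole over all Secrets, since that is the main thing an installer is consenting to.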


@ -0,0 +1,38 @@
vals-operator
=============
This helm chart installs the Digitalis Vals Operator to manage sync secrets from supported backends into Kubernetes
Current chart version is `0.1.0`
## Chart Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| args | list | `[]` | |
| env | list | `[]` | |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"digitalisdocker/vals-operator"` | |
| image.tag | string | `""` | |
| imagePullSecrets | list | `[]` | |
| manageCrds | bool | `true` | |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| podSecurityContext | object | `{}` | |
| replicaCount | int | `1` | |
| resources | object | `{}` | |
| secretEnv | list | `[]` | |
| securityContext | object | `{}` | |
| serviceAccount.annotations | object | `{}` | |
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
| serviceMonitor.enabled | bool | `false` | |
| serviceMonitor.labels | object | `{}` | |
| tolerations | list | `[]` | |
| volumeMounts | list | `[]` | |
| volumes | list | `[]` | |


@ -0,0 +1,9 @@
# Vals-Operator
Here at [Digitalis](https://digitalis.io) we love [vals](https://github.com/variantdev/vals), it's a tool we use daily to keep secrets stored securely. We also use [secrets-manager](https://github.com/tuenti/secrets-manager) on the Kubernetes deployment we manage. Inspired by these two wonderful tools we have created this operator.
*vals-operator* syncs secrets from any secrets store supported by [vals](https://github.com/variantdev/vals) into Kubernetes. It works very similarly to [secrets-manager](https://github.com/tuenti/secrets-manager) and the code is actually based on it. Where they differ is that it not just supports HashiCorp Vault but many other secrets stores.
## Mirroring secrets
We have also added the ability to copy secrets between namespaces. It uses the format `ref+k8s://namespace/secret#key`. This way you can keep secrets generated in one namespace in sync with any other namespace in the cluster.


@ -0,0 +1,79 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
"helm.sh/hook": crd-install
"helm.sh/hook-delete-policy": "before-hook-creation"
creationTimestamp: null
name: valssecrets.digitalis.io
spec:
group: digitalis.io
names:
kind: ValsSecret
listKind: ValsSecretList
plural: valssecrets
singular: valssecret
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: ValsSecret is the Schema for the valssecrets API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ValsSecretSpec defines the desired state of ValsSecret
properties:
data:
additionalProperties:
properties:
encoding:
description: Encoding type for the secret. Only base64 supported.
Optional
type: string
ref:
description: Ref value to the secret in the format ref+backend://path
https://github.com/variantdev/vals
type: string
required:
- ref
type: object
type: object
name:
type: string
ttl:
format: int64
type: integer
type:
type: string
required:
- data
type: object
status:
description: ValsSecretStatus defines the observed state of ValsSecret
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
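Review bot: The `helm.sh/hook: crd-install` and `helm.sh/hook-delete-policy: before-hook-creation` annotations on this CRD are Helm 2 semantics; under those semantics the delete policy removes the CRD before re-creating it on upgrade, which deletes every ValsSecret object in the cluster along with it, and Helm 3 (which `apiVersion: v2` in Chart.yaml implies) does not recognise `crd-install` at all. Drop both annotations and let the `crds/` directory or a plain template carry the CRD. The schema could also reject bad input at admission rather than at reconcile time: `encoding` is documented as base64-only, so give it `enum: [base64]`; `ref` is documented as `ref+backend://path`, so `pattern: '^ref\+[a-z0-9]+://'` would catch typos before the operator tries to resolve them; `ttl` should carry `minimum: 0`.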


@ -0,0 +1,26 @@
questions:
#image configurations
- variable: image.repository
default: "digitalisdocker/vals-operator"
description: image registry
type: string
label: Image Registry
group: "Container Images"
- variable: image.tag
default: "v0.3.0"
description: Image tag
type: string
label: Image Tag
group: "Container Images"
- variable: imagePullSecrets
default: ""
description: secret name to pull image
type: string
label: Image Pull Secrets
group: "Container Images"
- variable: environmentSecret
default: ""
description: "The secret containing env variables to access the backend secrets store."
label: Config Secret
type: string
group: "Settings"
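Review bot: The `imagePullSecrets` question is `type: string` with default `""`, but values.yaml declares it as a list and deployment.yaml renders it with `toYaml` under `imagePullSecrets:`, which the API expects to be a list of `{name: …}` objects; a name typed into the Rancher UI renders as `imagePullSecrets: my-secret` and the Deployment is rejected. Either make the question emit a list entry or teach the template to wrap a scalar, e.g. `{{- if kindIs "string" .Values.imagePullSecrets }}` / `  - name: {{ .Values.imagePullSecrets }}`. The `environmentSecret` question should also mention that the referenced Secret's keys are injected wholesale via `envFrom`, so it must contain only backend credentials the operator is meant to see.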


@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "vals-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "vals-operator.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vals-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "vals-operator.labels" -}}
helm.sh/chart: {{ include "vals-operator.chart" . }}
{{ include "vals-operator.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "vals-operator.selectorLabels" -}}
app.kubernetes.io/name: {{ include "vals-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "vals-operator.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "vals-operator.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@ -0,0 +1,6 @@
{{- if .Values.manageCrds -}}
{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }}
{{ $.Files.Get $path }}
---
{{- end }}
{{- end }}
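Review bot: Re-emitting `crds/*.yaml` through a template duplicates what Helm 3 already does for the `crds/` directory on install, and the file being emitted carries `helm.sh/hook: crd-install`, which Helm 3 does not know — as far as I recall it logs "skipping unknown hook" and drops the manifest, so `manageCrds: true` probably installs nothing and never upgrades the CRD. Pick one mechanism: keep the CRD under `crds/` (install-only, Helm-native) or render it from `templates/` without hook annotations so upgrades apply schema changes. Whichever is kept, the `manageCrds` comment in values.yaml should say which behaviour it actually controls.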


@ -0,0 +1,73 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "vals-operator.fullname" . }}
labels:
{{- include "vals-operator.labels" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
{{- include "vals-operator.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "vals-operator.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "vals-operator.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.args }}
args:
{{- toYaml .Values.args | nindent 12 }}
{{- end }}
{{- if .Values.environmentSecret }}
envFrom:
- secretRef:
name: "{{ .Values.environmentSecret }}"
{{- else }}
envFrom:
{{- toYaml .Values.secretEnv | nindent 12 }}
{{- end }}
{{- if .Values.env }}
env:
{{- toYaml .Values.env | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.volumeMounts }}
volumeMounts:
{{- toYaml .Values.volumeMounts | nindent 12 }}
{{- end }}
ports:
- containerPort: {{ .Values.metricsPort | default 8080 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.volumes }}
volumes:
{{- toYaml .Values.volumes | nindent 8 }}
{{- end }}
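Review bot: The pod declares no liveness or readiness probe even though the operator exposes a probe endpoint (`-health-probe-bind-address`, default `:8081`, per the values.yaml comments), so a wedged controller keeps running and the rollout never waits for readiness; the path names below assume the usual controller-runtime `/healthz` and `/readyz` handlers and should be confirmed against the operator. The container port is unnamed, yet the ServiceMonitor in this commit refers to `targetPort: "metrics"`, so give it `name: metrics`. `replicas: 1` is hard-coded while values.yaml exposes `replicaCount`; either honour the value (with `-leader-elect` enabled) or remove it.
```yaml
          ports:
            - name: metrics
              containerPort: {{ .Values.metricsPort | default 8080 }}
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8081
          readinessProbe:
            httpGet:
              path: /readyz
              port: 8081
          # … unchanged: nodeSelector/affinity/tolerations/volumes …
```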


@ -0,0 +1,64 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: vals-operator
labels:
{{- include "vals-operator.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "get"
- "list"
- "watch"
- "update"
- "delete"
- "create"
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
- apiGroups:
- "digitalis.io"
resources:
- "valssecrets"
verbs:
- "get"
- "list"
- "watch"
- "update"
- "delete"
- "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: vals-operator
labels:
{{- include "vals-operator.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vals-operator
subjects:
- kind: ServiceAccount
name: {{ include "vals-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "vals-operator.serviceAccountName" . }}
labels:
{{- include "vals-operator.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
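Review bot: This ClusterRole grants get/list/watch/update/delete on every Secret in the cluster, and the README in this commit advertises `ref+k8s://namespace/secret#key` for copying Secrets across namespaces, so anyone allowed to create a ValsSecret in one namespace can have the operator copy any Secret from any other namespace (kube-system included) into their own — a confused-deputy path that should be documented prominently and, where possible, narrowed with `-watch-namespaces`/`-exclude-namespaces` or by issuing namespaced Role/RoleBindings instead of a ClusterRole. The CRD declares a `status` subresource but no rule covers it, so status writes will be forbidden unless granted elsewhere; add `- apiGroups: ["digitalis.io"]` / `resources: ["valssecrets/status"]` / `verbs: ["get", "update", "patch"]`. The ClusterRole and ClusterRoleBinding names are the literal `vals-operator` rather than the release fullname, so two releases in one cluster collide, and gating RBAC on `serviceAccount.create` means a user-supplied service account gets no binding at all — a separate `rbac.create` flag is the usual split.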


@ -0,0 +1,37 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "vals-operator.fullname" . }}
labels:
{{- if .Values.serviceMonitor.labels }}
{{ toYaml .Values.serviceMonitor.labels | nindent 4 }}
{{- else }}
app: {{ template "vals-operator.name" . }}
chart: {{ template "vals-operator.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- end }}
{{- if .Values.serviceMonitor.namespace }}
namespace: {{ .Values.serviceMonitor.namespace }}
{{- end }}
spec:
endpoints:
- targetPort: "metrics"
{{- if .Values.serviceMonitor.interval }}
interval: {{ .Values.serviceMonitor.interval }}
{{- end }}
{{- if .Values.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
{{- end }}
path: /metrics
port: {{ .Values.metricsPort | default 8080 }}
tlsConfig:
insecureSkipVerify: true
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
{{- include "vals-operator.selectorLabels" . | nindent 6 }}
{{- end }}
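Review bot: A ServiceMonitor selects Services by label, and this chart creates no Service, so with `serviceMonitor.enabled: true` Prometheus will scrape nothing; add a Service exposing a port named `metrics` on `.Values.metricsPort` with the chart's selector labels. The endpoint mixes `targetPort: "metrics"` with `port: 8080`, but `port` in a ServiceMonitor endpoint is the Service port *name*, not a number, and `"metrics"` matches no port because the container port in deployment.yaml is unnamed — replace both lines with `- port: metrics`. `tlsConfig.insecureSkipVerify: true` is set without `scheme: https`, so it has no effect on a plain-HTTP endpoint and merely normalises skipping verification; drop it, or make it an opt-in value.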


@ -0,0 +1,104 @@
replicaCount: 1
image:
repository: digitalisdocker/vals-operator
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
manageCrds: true
# additional arguments to operator
args: []
# -exclude-namespaces string
# Comma separated list of namespaces to ignore.
# -health-probe-bind-address string
# The address the probe endpoint binds to. (default ":8081")
# -kubeconfig string
# Paths to a kubeconfig. Only required if out-of-cluster.
# -leader-elect
# Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
# -metrics-bind-address string
# The address the metric endpoint binds to. (default ":8080")
# -reconcile-period duration
# How often the controller will re-queue secretdefinition events (default 5s)
# -record-changes
# Records every time a secret has been updated. You can view them with kubectl describe. It may also be disabled globally and enabled per secret via the annotation 'vals-operator.digitalis.io/record: "true"' (default true)
# -watch-namespaces string
# Comma separated list of namespaces that vals-operator will watch.
# -zap-devel
# Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default true)
# -zap-encoder value
# Zap log encoding (one of 'json' or 'console')
# -zap-log-level value
# Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity
# -zap-stacktrace-level value
# Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').
environmentSecret: ""
# See https://github.com/variantdev/vals
# for information on setting up your backend environment.
env: []
# - name: VAULT_SKIP_VERIFY
# value: "true"
secretEnv: []
# - secretRef:
# name: aws-creds
volumes: []
# - name: creds
# secret:
# secretName: gcs-credentials
volumeMounts: []
# - name: creds
# mountPath: /secret
# readOnly: true
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
metricsPort: 8080
serviceMonitor:
# When set to true then use a ServiceMonitor to collect metrics
enabled: false
# Custom labels to use in the ServiceMonitor to be matched with a specific Prometheus
labels: {}
# Set the namespace the ServiceMonitor should be deployed to
# namespace: default
# Set how frequently Prometheus should scrape
# interval: 30s
# Set timeout for scrape
# scrapeTimeout: 10s
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
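Review bot: `podSecurityContext` and `securityContext` default to `{}`, so a component that holds credentials for every backend secret store and can read every Secret in the cluster runs with whatever privileges the image happens to use; the hardened settings are already written out as comments and should be the defaults, with `runAsUser` left to the image if it declares a numeric USER and `readOnlyRootFilesystem` kept only if vals needs no scratch space. The `env` example `VAULT_SKIP_VERIFY: "true"` teaches operators to disable TLS verification towards Vault; replace it with a neutral variable or a `VAULT_CACERT` example. `replicaCount` is not read by deployment.yaml (which hard-codes `replicas: 1`), so either wire it up or remove it.
```yaml
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
```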


@ -2421,4 +2421,25 @@ entries:
urls:
- assets/universal-crossplane/universal-crossplane-1.2.200100.tgz
version: 1.2.200100
vals-operator:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Vals-Operator
catalog.cattle.io/release-name: vals-operator
apiVersion: v2
appVersion: v0.3.0
created: "2021-11-25T10:52:50.167122Z"
description: This helm chart installs the Digitalis Vals Operator to manage sync
secrets from supported backends into Kubernetes
digest: ffe514f9f55f6a342594f4c8c60e2108caf547397eb586a12cc93aef84cc8c43
icon: https://digitalis.io/wp-content/uploads/2020/06/cropped-Digitalis-512x512-Blue_Digitalis-512x512-Blue-32x32.png
kubeVersion: '>= 1.19'
maintainers:
- email: info@digitalis.io
name: Digitalis.IO
name: vals-operator
type: application
urls:
- assets/vals-operator/vals-operator-0.2.1.tgz
version: 0.2.1
generated: "2021-06-23T17:44:55.374388-07:00"