diff --git a/assets/vals-operator/vals-operator-0.5.1.tgz b/assets/vals-operator/vals-operator-0.5.1.tgz
new file mode 100644
index 000000000..6d1773f4a
Binary files /dev/null and b/assets/vals-operator/vals-operator-0.5.1.tgz differ
diff --git a/charts/vals-operator/vals-operator/0.5.1/.gitignore b/charts/vals-operator/vals-operator/0.5.1/.gitignore
new file mode 100644
index 000000000..d9f7c8d36
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/.gitignore
@@ -0,0 +1,49 @@
+# These are some examples of commonly ignored file patterns.
+# You should customize this list as applicable to your project.
+# Learn more about .gitignore:
+# https://www.atlassian.com/git/tutorials/saving-changes/gitignore
+
+# Node artifact files
+node_modules/
+dist/
+
+# Compiled Java class files
+*.class
+
+# Compiled Python bytecode
+*.py[cod]
+
+# Log files
+*.log
+
+# Package files
+*.jar
+
+# Maven
+target/
+dist/
+
+# JetBrains IDE
+.idea/
+
+# Unit test reports
+TEST*.xml
+
+# Generated by MacOS
+.DS_Store
+
+# Generated by Windows
+Thumbs.db
+
+# Applications
+*.app
+*.exe
+*.war
+
+# Large media files
+*.mp4
+*.tiff
+*.avi
+*.flv
+*.mov
+*.wmv
diff --git a/charts/vals-operator/vals-operator/0.5.1/Chart.yaml b/charts/vals-operator/vals-operator/0.5.1/Chart.yaml
new file mode 100644
index 000000000..d837ab4d0
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/Chart.yaml
@@ -0,0 +1,16 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Vals-Operator
+ catalog.cattle.io/release-name: vals-operator
+apiVersion: v2
+appVersion: v0.6.0
+description: This helm chart installs the Digitalis Vals Operator to manage sync secrets
+ from supported backends into Kubernetes
+icon: https://digitalis.io/wp-content/uploads/2020/06/cropped-Digitalis-512x512-Blue_Digitalis-512x512-Blue-32x32.png
+kubeVersion: '>= 1.19'
+maintainers:
+- email: info@digitalis.io
+ name: Digitalis.IO
+name: vals-operator
+type: application
+version: 0.5.1
diff --git a/charts/vals-operator/vals-operator/0.5.1/README.md b/charts/vals-operator/vals-operator/0.5.1/README.md
new file mode 100644
index 000000000..3efb45778
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/README.md
@@ -0,0 +1,33 @@
+vals-operator
+=============
+This helm chart installs the Digitalis Vals Operator to manage sync secrets from supported backends into Kubernetes
+
+
+## Chart Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | |
+| args | list | `[]` | |
+| env | list | `[]` | |
+| fullnameOverride | string | `""` | |
+| image.pullPolicy | string | `"IfNotPresent"` | |
+| image.repository | string | `"digitalisdocker/vals-operator"` | |
+| image.tag | string | `""` | |
+| imagePullSecrets | list | `[]` | |
+| manageCrds | bool | `true` | |
+| nameOverride | string | `""` | |
+| nodeSelector | object | `{}` | |
+| podSecurityContext | object | `{}` | |
+| replicaCount | int | `1` | |
+| resources | object | `{}` | |
+| secretEnv | list | `[]` | |
+| securityContext | object | `{}` | |
+| serviceAccount.annotations | object | `{}` | |
+| serviceAccount.create | bool | `true` | |
+| serviceAccount.name | string | `""` | |
+| serviceMonitor.enabled | bool | `false` | |
+| serviceMonitor.labels | object | `{}` | |
+| tolerations | list | `[]` | |
+| volumeMounts | list | `[]` | |
+| volumes | list | `[]` | |
diff --git a/charts/vals-operator/vals-operator/0.5.1/app-readme.md b/charts/vals-operator/vals-operator/0.5.1/app-readme.md
new file mode 100644
index 000000000..3458f2059
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/app-readme.md
@@ -0,0 +1,9 @@
+# Vals-Operator
+
+Here at [Digitalis](https://digitalis.io) we love [vals](https://github.com/variantdev/vals), it's a tool we use daily to keep secrets stored securely. We also use [secrets-manager](https://github.com/tuenti/secrets-manager) on the Kubernetes deployment we manage. Inspired by these two wonderful tools we have created this operator.
+
+*vals-operator* syncs secrets from any secrets store supported by [vals](https://github.com/variantdev/vals) into Kubernetes. It works very similarly to [secrets-manager](https://github.com/tuenti/secrets-manager) and the code is actually based on it. Where they differ is that it not just supports HashiCorp Vault but many other secrets stores.
+
+## Mirroring secrets
+
+We have also added the ability to copy secrets between namespaces. It uses the format `ref+k8s://namespace/secret#key`. This way you can keep secrets generated in one namespace in sync with any other namespace in the cluster.
diff --git a/charts/vals-operator/vals-operator/0.5.1/crds/valssecrets.yaml b/charts/vals-operator/vals-operator/0.5.1/crds/valssecrets.yaml
new file mode 100644
index 000000000..406ba1e83
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/crds/valssecrets.yaml
@@ -0,0 +1,130 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.4.1
+ "helm.sh/hook": crd-install
+ "helm.sh/hook-delete-policy": "before-hook-creation"
+ creationTimestamp: null
+ name: valssecrets.digitalis.io
+spec:
+ group: digitalis.io
+ names:
+ kind: ValsSecret
+ listKind: ValsSecretList
+ plural: valssecrets
+ singular: valssecret
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: ValsSecret is the Schema for the valssecrets API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ValsSecretSpec defines the desired state of ValsSecret
+ properties:
+ data:
+ additionalProperties:
+ properties:
+ encoding:
+ description: Encoding type for the secret. Only base64 supported.
+ Optional
+ type: string
+ ref:
+ description: Ref value to the secret in the format ref+backend://path
+ https://github.com/variantdev/vals
+ type: string
+ required:
+ - ref
+ type: object
+ type: object
+ databases:
+ items:
+ properties:
+ driver:
+ description: Defines the database type
+ type: string
+ hosts:
+ description: List of hosts to connect to, they'll be tried in
+ sequence until one succeeds
+ items:
+ type: string
+ type: array
+ loginCredentials:
+ description: Credentials to access the database
+ properties:
+ namespace:
+ description: Optional namespace of the secret, default current
+ namespace
+ type: string
+ passwordKey:
+ description: Key in the secret containing the database username
+ type: string
+ secretName:
+ description: Name of the secret containing the credentials
+ to be able to log in to the database
+ type: string
+ usernameKey:
+ description: Key in the secret containing the database username
+ type: string
+ required:
+ - passwordKey
+ - secretName
+ type: object
+ passwordKey:
+ description: Key in the secret containing the database username
+ type: string
+ port:
+ description: Database port number
+ type: integer
+ userHost:
+ description: Used for MySQL only, the host part for the username
+ type: string
+ usernameKey:
+ description: Key in the secret containing the database username
+ type: string
+ required:
+ - driver
+ - hosts
+ - passwordKey
+ type: object
+ type: array
+ name:
+ type: string
+ ttl:
+ format: int64
+ type: integer
+ type:
+ type: string
+ required:
+ - data
+ type: object
+ status:
+ description: ValsSecretStatus defines the observed state of ValsSecret
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: []
+ storedVersions: []
diff --git a/charts/vals-operator/vals-operator/0.5.1/questions.yaml b/charts/vals-operator/vals-operator/0.5.1/questions.yaml
new file mode 100644
index 000000000..7976cff0c
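Review bot: The `description` under `passwordKey` — both inside `loginCredentials` and at the `databases` item level — says "Key in the secret containing the database username", a copy of the `usernameKey` text; it should read `description: Key in the secret containing the database password`, since that is what the field is used for and what `kubectl explain` will show. The `helm.sh/hook: crd-install` / `hook-delete-policy` annotations are Helm 2 hook semantics that, as far as I know, Helm 3 ignores in favour of installing the `crds/` directory directly, so on this chart's `kubeVersion >= 1.19` targets they are dead metadata and could be dropped to avoid implying hook-managed lifecycle. It would also help operators to state in the `ref` description that `ref+k8s://namespace/secret#key` (per app-readme.md) resolves through the operator's own cluster-wide Secret access, so the right to create a ValsSecret implies read access to Secrets in other namespaces.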
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/questions.yaml
@@ -0,0 +1,26 @@
+questions:
+#image configurations
+- variable: image.repository
+ default: "digitalisdocker/vals-operator"
+ description: image registry
+ type: string
+ label: Image Registry
+ group: "Container Images"
+- variable: image.tag
+ default: "v0.3.0"
+ description: Image tag
+ type: string
+ label: Image Tag
+ group: "Container Images"
+- variable: imagePullSecrets
+ default: ""
+ description: secret name to pull image
+ type: string
+ label: Image Pull Secrets
+ group: "Container Images"
+- variable: environmentSecret
+ default: ""
+ description: "The secret containing env variables to access the backend secrets store."
+ label: Config Secret
+ type: string
+ group: "Settings"
diff --git a/charts/vals-operator/vals-operator/0.5.1/templates/NOTES.txt b/charts/vals-operator/vals-operator/0.5.1/templates/NOTES.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/charts/vals-operator/vals-operator/0.5.1/templates/_helpers.tpl b/charts/vals-operator/vals-operator/0.5.1/templates/_helpers.tpl
new file mode 100644
index 000000000..dcd31f04a
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/templates/_helpers.tpl
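Review bot: `imagePullSecrets` is declared with `type: string` here, but templates/deployment.yaml renders the value with `toYaml` directly under `imagePullSecrets:`, which the Pod API expects as a list of `{name: ...}` objects; a Rancher user who types a secret name will get a manifest the API server rejects. Either make the question a list-typed variable or have the template handle the string form (`- name: {{ .Values.imagePullSecrets }}` when it is not a list). The `image.tag` default of `"v0.3.0"` also diverges from values.yaml (`tag: ""`, which falls back to `Chart.AppVersion` `v0.6.0`), so catalog installs silently pin an older image than `helm install` does; `default: ""` keeps both paths on the same version.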
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vals-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "vals-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vals-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "vals-operator.labels" -}}
+helm.sh/chart: {{ include "vals-operator.chart" . }}
+{{ include "vals-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "vals-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "vals-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vals-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "vals-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/vals-operator/vals-operator/0.5.1/templates/crds.yaml b/charts/vals-operator/vals-operator/0.5.1/templates/crds.yaml
new file mode 100644
index 000000000..0b71ef8c6
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/templates/crds.yaml
@@ -0,0 +1,6 @@
+{{- if .Values.manageCrds -}}
+{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/vals-operator/vals-operator/0.5.1/templates/deployment.yaml b/charts/vals-operator/vals-operator/0.5.1/templates/deployment.yaml
new file mode 100644
index 000000000..334c566e7
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/templates/deployment.yaml
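Review bot: With `manageCrds: true` (the default in values.yaml) this template re-renders every file under `crds/` as a release-owned manifest, but Helm 3 also installs the `crds/` directory itself before templates are rendered; on a fresh install the `valssecrets.digitalis.io` CRD therefore already exists without release ownership metadata when the rendered copy is applied, and in my experience Helm then refuses the install ("exists and cannot be imported into the current release") unless `--skip-crds` is used. Please confirm against a clean Helm 3 install and, if it reproduces, either default `manageCrds` to `false` or document that it exists for upgrades, where Helm never touches `crds/`. A comment above the `range` such as `{{/* Renders crds/ as release-managed objects so schema changes apply on upgrade; Helm 3 also installs crds/ on first install, see manageCrds */}}` would make the intent and the trade-off explicit.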
@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "vals-operator.fullname" . }}
+ labels:
+ {{- include "vals-operator.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "vals-operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "vals-operator.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "vals-operator.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.args }}
+ args:
+ {{- toYaml .Values.args | nindent 12 }}
+ {{- end }}
+ {{- if .Values.environmentSecret }}
+ envFrom:
+ - secretRef:
+ name: "{{ .Values.environmentSecret }}"
+ {{- else }}
+ envFrom:
+ {{- toYaml .Values.secretEnv | nindent 12 }}
+ {{- end }}
+ {{- if .Values.env }}
+ env:
+ {{- toYaml .Values.env | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.volumeMounts }}
+ volumeMounts:
+ {{- toYaml .Values.volumeMounts | nindent 12 }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.metricsPort | default 8080 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.volumes }}
+ volumes:
+ {{- toYaml .Values.volumes | nindent 8 }}
+ {{- end }}
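Review bot: `replicas: 1` is hard-coded, so the `replicaCount` key exposed in values.yaml and the README is silently ignored; it should be `replicas: {{ .Values.replicaCount }}`. Once that is honoured, raising it above 1 needs `-leader-elect` in `args` (documented in values.yaml), otherwise two controllers will reconcile and write the same Secrets concurrently — a comment next to `replicaCount` saying so would prevent that surprise. The `containerPort` entry also has no `name`, while servicemonitor.yaml scrapes `targetPort: "metrics"`, so `- name: metrics` / `containerPort: {{ .Values.metricsPort | default 8080 }}` is needed for that reference to resolve. No liveness or readiness probe is set although the flag documentation in values.yaml describes a health probe endpoint on `:8081`; `httpGet` probes on `/healthz` and `/readyz` against that port are the usual controller-runtime wiring, to be confirmed against the binary.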
diff --git a/charts/vals-operator/vals-operator/0.5.1/templates/serviceaccount.yaml b/charts/vals-operator/vals-operator/0.5.1/templates/serviceaccount.yaml
new file mode 100644
index 000000000..67f271063
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/templates/serviceaccount.yaml
@@ -0,0 +1,64 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: vals-operator
+ labels:
+ {{- include "vals-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - "update"
+ - "delete"
+ - "create"
+- apiGroups:
+ - ""
+ resources:
+ - "events"
+ verbs:
+ - "create"
+ - "patch"
+- apiGroups:
+ - "digitalis.io"
+ resources:
+ - "valssecrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - "update"
+ - "delete"
+ - "create"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vals-operator
+ labels:
+ {{- include "vals-operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vals-operator
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "vals-operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "vals-operator.serviceAccountName" . }}
+ labels:
+ {{- include "vals-operator.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/vals-operator/vals-operator/0.5.1/templates/servicemonitor.yaml b/charts/vals-operator/vals-operator/0.5.1/templates/servicemonitor.yaml
new file mode 100644
index 000000000..4b6e11eeb
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/templates/servicemonitor.yaml
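Review bot: The ClusterRole grants get/list/watch/create/update/delete on every Secret in the cluster, and combined with the `ref+k8s://namespace/secret#key` mirroring described in app-readme.md this means anyone allowed to create a ValsSecret in one namespace can have the operator copy a Secret from any other namespace into theirs; that trust boundary should be stated in the chart docs and, where the watched namespaces are known, narrowed with the `-watch-namespaces`/`-exclude-namespaces` flags from values.yaml or a per-namespace Role instead of a ClusterRole. The ClusterRole and ClusterRoleBinding also use the fixed name `vals-operator` rather than `{{ include "vals-operator.fullname" . }}`, so a second release in another namespace overwrites the first release's binding and breaks it. The CRD declares a `status` subresource but no rule covers `valssecrets/status`; if the controller writes status those updates will be denied, so add `- "valssecrets/status"` with `get`/`update`/`patch` if that is the case.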
@@ -0,0 +1,37 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "vals-operator.fullname" . }}
+ labels:
+ {{- if .Values.serviceMonitor.labels }}
+ {{ toYaml .Values.serviceMonitor.labels | nindent 4 }}
+ {{- else }}
+ app: {{ template "vals-operator.name" . }}
+ chart: {{ template "vals-operator.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.namespace }}
+ namespace: {{ .Values.serviceMonitor.namespace }}
+ {{- end }}
+spec:
+ endpoints:
+ - targetPort: "metrics"
+ {{- if .Values.serviceMonitor.interval }}
+ interval: {{ .Values.serviceMonitor.interval }}
+ {{- end }}
+ {{- if .Values.serviceMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+ {{- end }}
+ path: /metrics
+ port: {{ .Values.metricsPort | default 8080 }}
+ tlsConfig:
+ insecureSkipVerify: true
+ namespaceSelector:
+ matchNames:
+ - {{ .Release.Namespace }}
+ selector:
+ matchLabels:
+ {{- include "vals-operator.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/vals-operator/vals-operator/0.5.1/values.yaml b/charts/vals-operator/vals-operator/0.5.1/values.yaml
new file mode 100644
index 000000000..5bc2d97ad
--- /dev/null
+++ b/charts/vals-operator/vals-operator/0.5.1/values.yaml
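Review bot: The ServiceMonitor selects Services by the chart's selector labels, but this chart contains no Service template, so nothing matches and Prometheus will discover no targets; a `Service` exposing a port named `metrics` on `{{ .Values.metricsPort }}` is needed, and `endpoints[].port` should then name it (`port: metrics`) — the Prometheus Operator schema types `port` as a string, so the bare integer `8080` here is likely to be rejected at admission. `targetPort: "metrics"` likewise refers to a container port name that deployment.yaml never sets. The unconditional `tlsConfig: insecureSkipVerify: true` on a plain-HTTP `/metrics` endpoint is inert today but would silently disable certificate verification the day someone adds `scheme: https`; drop it, or expose it as an explicit `serviceMonitor.tlsConfig` value that defaults to verification on.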
@@ -0,0 +1,106 @@
+replicaCount: 1
+
+image:
+ repository: digitalisdocker/vals-operator
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+manageCrds: true
+
+# additional arguments to operator
+args: []
+ # -exclude-namespaces string
+ # Comma separated list of namespaces to ignore.
+ # -health-probe-bind-address string
+ # The address the probe endpoint binds to. (default ":8081")
+ # -kubeconfig string
+ # Paths to a kubeconfig. Only required if out-of-cluster.
+ # -leader-elect
+ # Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
+ # -metrics-bind-address string
+ # The address the metric endpoint binds to. (default ":8080")
+ # -reconcile-period duration
+ # How often the controller will re-queue vals-operator events. (default 5s)
+ # -record-changes
+ # Records every time a secret has been updated. You can view them with kubectl describe. It may also be disabled globally and enabled per secret via the annotation 'vals-operator.digitalis.io/record: "true"' (default true)
+ # -ttl duration
+ # How often to check backend for updates. (default 5m0s)
+ # -watch-namespaces string
+ # Comma separated list of namespaces that vals-operator will watch.
+ # -zap-devel
+ # Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn).
Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default true)
+ # -zap-encoder value
+ # Zap log encoding (one of 'json' or 'console')
+ # -zap-log-level value
+ # Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity
+ # -zap-stacktrace-level value
+ # Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').
+
+
+environmentSecret: ""
+
+# See https://github.com/variantdev/vals
+# for information on setting up your backend environment.
+env: []
+ # - name: VAULT_SKIP_VERIFY
+ # value: "true"
+
+secretEnv: []
+ # - secretRef:
+ # name: aws-creds
+
+volumes: []
+ # - name: creds
+ # secret:
+ # secretName: gcs-credentials
+volumeMounts: []
+ # - name: creds
+ # mountPath: /secret
+ # readOnly: true
+
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+metricsPort: 8080
+serviceMonitor:
+ # When set to true then use a ServiceMonitor to collect metrics
+ enabled: false
+ # Custom labels to use in the ServiceMonitor to be matched with a specific Prometheus
+ labels: {}
+ # Set the namespace the ServiceMonitor should be deployed to
+ # namespace: default
+ # Set how frequently Prometheus should scrape
+ # interval: 30s
+ # Set timeout for scrape
+ # scrapeTimeout: 10s
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/index.yaml b/index.yaml
index 065e129b5..8dc2f5457 100755
--- a/index.yaml
+++ b/index.yaml
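Review bot: `podSecurityContext` and `securityContext` default to `{}`, so an operator that holds cluster-wide Secret read/write (per templates/serviceaccount.yaml) runs with the image's default user, a writable root filesystem and the full default capability set; the commented-out hardening should be the shipped default, with `allowPrivilegeEscalation: false` and a `seccompProfile` added, since anyone who needs to relax it can override. The `env` example `VAULT_SKIP_VERIFY: "true"` teaches users to disable TLS verification towards the secrets backend — the one connection this operator exists to protect; replace it with a neutral example such as `VAULT_ADDR`, or at least annotate it `# Disables TLS verification to Vault; never use outside local testing`. `environmentSecret`, `metricsPort` and the `podAnnotations` read by deployment.yaml are also missing from the README's value table. Keeping the `-leader-elect` flag comment next to `replicaCount` (`# replicaCount > 1 requires -leader-elect in args`) would tie the two together for the reader.
```yaml
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsUser: 1000
  capabilities:
    drop:
      - ALL
# … unchanged: remaining values …
```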
@@ -3752,6 +3752,26 @@ entries: - assets/universal-crossplane/universal-crossplane-1.2.200100.tgz version: 1.2.200100 vals-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Vals-Operator + catalog.cattle.io/release-name: vals-operator + apiVersion: v2 + appVersion: v0.6.0 + created: "2022-03-04T10:37:28.513835Z" + description: This helm chart installs the Digitalis Vals Operator to manage sync + secrets from supported backends into Kubernetes + digest: 79559a888d386a7f716530c50b4f20e1cc8dfd7efdee0c46bb742bfdfafe308d + icon: https://digitalis.io/wp-content/uploads/2020/06/cropped-Digitalis-512x512-Blue_Digitalis-512x512-Blue-32x32.png + kubeVersion: '>= 1.19' + maintainers: + - email: info@digitalis.io + name: Digitalis.IO + name: vals-operator + type: application + urls: + - assets/vals-operator/vals-operator-0.5.1.tgz + version: 0.5.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Vals-Operator