This repository was archived by the owner on Nov 24, 2023. It is now read-only.

Commit d3f63f3

authored
Merge pull request #20 from claudiol/golang-external-secrets-chart
Initial commit for golang external secrets chart
2 parents fea0930 + 7130c9a commit d3f63f3

8 files changed

+170
-0
lines changed
+16
@@ -0,0 +1,16 @@
1+
apiVersion: v2
2+
description: A Helm chart to configure the golang-based external-secrets
3+
keywords:
4+
- pattern
5+
name: golang-external-secrets
6+
version: 0.0.1
7+
dependencies:
8+
- name: external-secrets
9+
version: "0.8.2"
10+
repository: "https://charts.external-secrets.io"
11+
# "https://external-secrets.github.io/kubernetes-external-secrets"
12+
maintainers:
13+
- name: michele
14+
15+
- name: claudiol
16+
+14
@@ -0,0 +1,14 @@
1+
# Subchart Update
2+
3+
When updating this sub-chart, please remember to tweak the image tag in values.yaml.
4+
That is because we want to use -ubi images if possible and there is no suffix option, so
5+
we just override the tag with the version + "-ubi"
6+
7+
## Steps
8+
9+
1. Edit the version in Chart.yaml
10+
2. Run `helm dependency update .`
11+
3. Run `./update-helm-dependency.sh`
12+
4. Tweak `values.yaml` with the new image versions
13+
5. Run `make test`
14+
6. Commit to git
Binary file not shown.
@@ -0,0 +1,30 @@
1+
diff --color -urN external-secrets.orig/values.yaml external-secrets/values.yaml
2+
--- external-secrets.orig/values.yaml 2023-05-22 12:42:54.000000000 +0200
3+
+++ external-secrets/values.yaml 2023-05-22 16:20:02.748621794 +0200
4+
@@ -117,7 +117,7 @@
5+
- ALL
6+
readOnlyRootFilesystem: true
7+
runAsNonRoot: true
8+
- runAsUser: 1000
9+
+ # runAsUser: 1000
10+
seccompProfile:
11+
type: RuntimeDefault
12+
13+
@@ -331,7 +331,7 @@
14+
- ALL
15+
readOnlyRootFilesystem: true
16+
runAsNonRoot: true
17+
- runAsUser: 1000
18+
+ # runAsUser: 1000
19+
seccompProfile:
20+
type: RuntimeDefault
21+
22+
@@ -453,7 +453,7 @@
23+
- ALL
24+
readOnlyRootFilesystem: true
25+
runAsNonRoot: true
26+
- runAsUser: 1000
27+
+ # runAsUser: 1000
28+
seccompProfile:
29+
type: RuntimeDefault
30+
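Review bot: Commenting out `runAsUser: 1000` in all three securityContext blocks (the hunks at 117, 331 and 453) leaves `runAsNonRoot: true` as the only guard on the container UID, and the patch does not say why. Presumably the intent is to let OpenShift's SCC assign a UID from the namespace range; if so, record that in the patch itself, e.g. `# runAsUser left unset so the platform SCC assigns a non-root UID`. On a cluster that does not assign one, the pod starts only if the image declares a numeric non-root USER, so it is worth confirming that the -ubi images do.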
@@ -0,0 +1,23 @@
1+
---
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: golang-external-secrets
6+
namespace: golang-external-secrets
7+
annotations:
8+
kubernetes.io/service-account.name: golang-external-secrets
9+
type: kubernetes.io/service-account-token
10+
---
11+
apiVersion: rbac.authorization.k8s.io/v1
12+
kind: ClusterRoleBinding
13+
metadata:
14+
name: role-tokenreview-binding
15+
namespace: default
16+
roleRef:
17+
apiGroup: rbac.authorization.k8s.io
18+
kind: ClusterRole
19+
name: system:auth-delegator
20+
subjects:
21+
- kind: ServiceAccount
22+
name: golang-external-secrets
23+
namespace: golang-external-secrets
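Review bot: The `kubernetes.io/service-account-token` Secret on new lines 2-9 creates a non-expiring token for the `golang-external-secrets` ServiceAccount, and new lines 11-23 bind that same account to `system:auth-delegator`. Anyone who can read Secrets in that namespace then holds a long-lived credential that can create TokenReviews and SubjectAccessReviews and, judging by the `secretRef` in the ClusterSecretStore template, authenticate to Vault. If the Vault auth flow allows it, prefer a short-lived token through `serviceAccountRef` in the store over a static Secret; otherwise restrict `get` on this Secret with RBAC and document how it is rotated. Separately, `namespace: default` under the ClusterRoleBinding's metadata has no effect because the kind is cluster-scoped, and should be dropped.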
@@ -0,0 +1,38 @@
1+
apiVersion: external-secrets.io/v1beta1
2+
kind: ClusterSecretStore
3+
metadata:
4+
name: vault-backend
5+
namespace: golang-external-secrets
6+
spec:
7+
provider:
8+
vault:
9+
server: https://vault-vault.{{ .Values.global.hubClusterDomain }}
10+
path: secret
11+
# Version of KV backend
12+
version: v2
13+
{{ if .Values.clusterGroup.isHubCluster }}
14+
caProvider:
15+
type: ConfigMap
16+
name: kube-root-ca.crt
17+
key: ca.crt
18+
namespace: golang-external-secrets
19+
{{ else }}
20+
caProvider:
21+
type: Secret
22+
name: hub-ca
23+
key: hub-kube-root-ca.crt
24+
namespace: imperative
25+
{{ end }}
26+
auth:
27+
kubernetes:
28+
{{ if .Values.clusterGroup.isHubCluster }}
29+
mountPath: {{ .Values.mountPath }}
30+
role: {{ .Values.mountRole }}
31+
{{ else }}
32+
mountPath: {{ $.Values.global.clusterDomain }}
33+
role: {{ $.Values.global.clusterDomain }}-role
34+
{{ end }}
35+
secretRef:
36+
name: golang-external-secrets
37+
namespace: golang-external-secrets
38+
key: "token"
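Review bot: This ClusterSecretStore carries no `conditions`, so an ExternalSecret in any namespace can reference `vault-backend` and read whatever the Vault role permits under `secret`. If the pinned 0.8.2 CRD supports it, limit the store with `spec.conditions` (a `namespaceSelector` or an explicit `namespaces` list), or use a namespaced SecretStore where only one namespace needs access. The templated scalars on new lines 9 and 29-33 are also unquoted; `mountPath: {{ .Values.mountPath | quote }}` and the like keep an empty or boolean-looking value from changing the rendered type. `metadata.namespace` on new line 5 is ignored for a cluster-scoped kind.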
@@ -0,0 +1,29 @@
1+
#!/bin/bash
2+
set -eu
3+
4+
# Get the version of the dependency and then unquote it
5+
TMPVER=$(sed -e '1,/^version:/ d' "Chart.yaml" | grep "version:" | awk '{ print $2 }')
6+
VERSION=$(eval echo "${TMPVER}")
7+
8+
# Chart format is external-secrets-0.8.0.tgz
9+
NAME="external-secrets"
10+
TAR="${NAME}-${VERSION}.tgz"
11+
CHARTDIR="charts"
12+
13+
if [ ! -f "${CHARTDIR}/${TAR}" ]; then
14+
echo "Charts $TAR not found"
15+
exit 1
16+
fi
17+
18+
pushd "${CHARTDIR}"
19+
rm -rf "${NAME}"
20+
tar xfz "${TAR}"
21+
pushd "${NAME}"
22+
for i in ../../local-patches/*.patch; do
23+
filterdiff "${i}" -p1 -x 'test/*' | patch -p1
24+
done
25+
find . -type f -iname '*.orig' -exec rm -f "{}" \;
26+
popd
27+
tar cvfz "${TAR}" "${NAME}"
28+
rm -rf "${NAME}"
29+
popd
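Review bot: `VERSION=$(eval echo "${TMPVER}")` on new line 6 passes whatever follows `version:` in Chart.yaml through the shell, so a value containing command substitution or `;` is executed rather than just unquoted. Strip the quotes without evaluation, e.g. `VERSION=${TMPVER//\"/}`, and reject anything that does not look like a version before it is used to build the tarball name. The sed/grep pipeline on new line 5 also returns every later `version:` line, so a second dependency would produce a multi-line value; `grep -m1` pins it to the first match. With only `set -eu`, a `filterdiff` failure in `filterdiff ... | patch -p1` goes unnoticed and the chart is repacked anyway; add `set -o pipefail`.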
+20
@@ -0,0 +1,20 @@
1+
---
2+
mountPath: "hub"
3+
mountRole: "hub-role"
4+
5+
global:
6+
hubClusterDomain: hub.example.com
7+
clusterDomain: foo.example.com
8+
9+
clusterGroup:
10+
isHubCluster: true
11+
12+
external-secrets:
13+
image:
14+
tag: v0.8.2-ubi
15+
webhook:
16+
image:
17+
tag: v0.8.2-ubi
18+
certController:
19+
image:
20+
tag: v0.8.2-ubi
