feat: delete secret volumne for private key and add secret name

vjripoll · vjripoll · commit 91e0bd3b7c6a · 2026-01-07T09:29:12.000+01:00
diff --git a/charts/agent-control-bootstrap/Chart.yaml b/charts/agent-control-bootstrap/Chart.yaml
@@ -3,9 +3,9 @@ name: agent-control-bootstrap
 description: Bootstraps New Relic' Agent Control
 
 type: application
-version: 1.1.0
+version: 1.1.1
 # agent-control-deployment chart default version.
-appVersion: 1.1.0
+appVersion: 1.1.1
 annotations:
   # agent-control-cd chart default version.
   agentControlCdVersion: 1.0.0
diff --git a/charts/agent-control-bootstrap/templates/_helpers.tpl b/charts/agent-control-bootstrap/templates/_helpers.tpl
@@ -21,5 +21,13 @@ overrides:
     {{- $config = mustMergeOverwrite $config (dict "config" (dict "cdRemoteUpdate" false "cdReleaseName" "")) -}}
   {{- end -}}
 
+  {{- $authSecret := (default dict .Values.config).authSecret | default dict -}}
+  {{- $sName := $authSecret.secretName | default "agent-control-auth" -}}
+  {{- $sKey  := $authSecret.secretKeyName | default "private_key" -}}
+
+  {{- $secretObj := dict "secret_name" $sName "secret_key_name" $sKey -}}
+
+  {{- $config = mustMergeOverwrite $config (dict "config" (dict "auth_secret" $secretObj)) -}}
+
   {{- $config | toYaml | b64enc -}}
-{{- end -}}
+{{- end -}}
diff --git a/charts/agent-control-bootstrap/tests/ac_deployment_secret_test.yaml b/charts/agent-control-bootstrap/tests/ac_deployment_secret_test.yaml
@@ -4,18 +4,26 @@ chart:
 
 tests:
   - it: should render expected defaults
+    set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
     asserts:
       - template: templates/ac-deployment-secret.yaml
         equal:
           decodeBase64: true
           path: data["agent-control-deployment.yaml"]
           value: |-
             config:
+              auth_secret:
+                secret_key_name: private_key
+                secret_name: agent-control-auth
               cdReleaseName: agent-control-cd
             subAgentsNamespace: newrelic
 
   - it: should set cdRemoteUpdate as false and cdReleaseName as empty when agentControlCd is disabled
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlCd:
         enabled: false
     asserts:
@@ -25,12 +33,17 @@ tests:
           path: data["agent-control-deployment.yaml"]
           value: |-
             config:
+              auth_secret:
+                secret_key_name: private_key
+                secret_name: agent-control-auth
               cdReleaseName: ""
               cdRemoteUpdate: false
             subAgentsNamespace: newrelic
 
   - it: should override cdRemoteUpdate and cdReleaseName when agentControlCd is disabled
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlDeployment:
         chartValues:
           config:
@@ -47,6 +60,9 @@ tests:
           path: data["agent-control-deployment.yaml"]
           value: |-
             config:
+              auth_secret:
+                secret_key_name: private_key
+                secret_name: agent-control-auth
               cdReleaseName: ""
               cdRemoteUpdate: false
               extraNestedValues: unchanged
@@ -55,6 +71,8 @@ tests:
 
   - it: should override config.cdReleaseName when agentControlCd is enabled
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlDeployment:
         chartValues:
           config:
@@ -71,13 +89,18 @@ tests:
           path: data["agent-control-deployment.yaml"]
           value: |-
             config:
+              auth_secret:
+                secret_key_name: private_key
+                secret_name: agent-control-auth
               cdReleaseName: custom-cd-release
               extraNestedValues: unchanged
             extraValues: unchanged
             subAgentsNamespace: newrelic
 
   - it: should not override cdRemoteUpdate when agentControlCd is enabled
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlDeployment:
         chartValues:
           config:
@@ -91,6 +114,28 @@ tests:
           path: data["agent-control-deployment.yaml"]
           value: |-
             config:
+              auth_secret:
+                secret_key_name: private_key
+                secret_name: agent-control-auth
               cdReleaseName: agent-control-cd
               cdRemoteUpdate: false
             subAgentsNamespace: newrelic
+
+  - it: should set custom secretPrivateKeyName
+    set:
+      config:
+        authSecret:
+          secretName: my-custom-secret
+          secretKeyName: my-custom-key
+    asserts:
+      - template: templates/ac-deployment-secret.yaml
+        equal:
+          decodeBase64: true
+          path: data["agent-control-deployment.yaml"]
+          value: |-
+            config:
+              auth_secret:
+                secret_key_name: my-custom-key
+                secret_name: my-custom-secret
+              cdReleaseName: agent-control-cd
+            subAgentsNamespace: newrelic
diff --git a/charts/agent-control-bootstrap/tests/agent-control-cd-disabled_test.yaml b/charts/agent-control-bootstrap/tests/agent-control-cd-disabled_test.yaml
@@ -2,6 +2,8 @@ suite: Validate installation job setup
 tests:
   - it: do not include agent-control-cd permissions if disabled
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlCd:
         enabled: false
     asserts:
@@ -22,6 +24,8 @@ tests:
 
   - it: include extra volumes even if agentControlCd is disabled
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       installation:
         extraVolumes:
           - name: some-volume-name
diff --git a/charts/agent-control-bootstrap/tests/agent-control-cd_test.yaml b/charts/agent-control-bootstrap/tests/agent-control-cd_test.yaml
@@ -2,6 +2,8 @@ suite: Validate agent-control-cd Installation
 tests:
   - it: should leverage correct image tag
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       toolkitImage:
         tag: 123
         repository: test
@@ -16,6 +18,8 @@ tests:
           value: "test:123"
   - it: should allow custom repositoryUrl
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlCd:
         chartRepositoryUrl: "https://example.com/some/url"
     asserts:
@@ -33,6 +37,8 @@ tests:
 
   - it: should mount the TLS certificate secrets if configured
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlCd:
         repositoryCertificateSecretReferenceName: my-cert-secret
     asserts:
@@ -53,6 +59,8 @@ tests:
 
   - it: should use basic auth when configured
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlCd:
         repositorySecretReferenceName: my-basic-auth-secret
     asserts:
@@ -63,6 +71,8 @@ tests:
 
   - it: if basic auth and TLS are configured, uses TLS
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlCd:
         repositoryCertificateSecretReferenceName: my-cert-secret
         repositorySecretReferenceName: my-basic-auth-secret
diff --git a/charts/agent-control-bootstrap/tests/agent-control-deployment_test.yaml b/charts/agent-control-bootstrap/tests/agent-control-deployment_test.yaml
@@ -37,6 +37,8 @@ tests:
 
   - it: should configure arguments correctly
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       installation:
         log:
           level: trace
@@ -90,6 +92,8 @@ tests:
 
   - it: Should include volumes from secrets
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlCd:
         repositoryCertificateSecretReferenceName: cert-secret
     asserts:
@@ -124,6 +128,8 @@ tests:
 
   - it: Should include environment variables
     set:
+      config.authSecret.secretName: agent-control-auth
+      config.authSecret.secretKeyName: private_key
       agentControlCd:
         repositorySecretReferenceName: some-secret
     asserts:
diff --git a/charts/agent-control-deployment/Chart.yaml b/charts/agent-control-deployment/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart to install New Relic Agent Control on Kubernetes
 
 type: application
 
-version: 1.1.0
+version: 1.1.1
 appVersion: "1.6.1"
 
 dependencies:
diff --git a/charts/agent-control-deployment/README.md b/charts/agent-control-deployment/README.md
@@ -96,6 +96,13 @@ agents:
 			<td>"true"</td>
 			<td>enables or disables remote update from Fleet Control for the agent-control-cd chart</td>
 		</tr>
+        <tr>
+			<td>config.secretPrivateKeyName</td>
+			<td>string</td>
+			<td>`""`</td>
+			<td>Provide the secret name from where the private key should be loaded</td>
+		</tr>
+		<tr>
 		<tr>
 			<td>config.fleet_control.enabled</td>
 			<td>bool</td>
diff --git a/charts/agent-control-deployment/templates/_helpers.tpl b/charts/agent-control-deployment/templates/_helpers.tpl
@@ -72,6 +72,11 @@ cluster name, licenses, and custom attributes
 {{- /* Add ac_remote_update and cd_remote_update to the config */ -}}
 {{- $k8s = mustMerge $k8s (dict "ac_remote_update" .Values.config.acRemoteUpdate "cd_remote_update" .Values.config.cdRemoteUpdate) -}}
 {{- $k8s = mustMerge $k8s (dict "ac_release_name" .Release.Name "cd_release_name" .Values.config.cdReleaseName) -}}
+{{- $authSecret := .Values.config.authSecret | default dict -}}
+{{- $sName := $authSecret.secretName | default "agent-control-auth" -}}
+{{- $sKey  := $authSecret.secretKeyName | default "private_key" -}}
+{{- $secretObj := dict "secret_name" $sName "secret_key_name" $sKey -}}
+{{- $k8s = mustMerge $k8s (dict "auth_secret" $secretObj) -}}
 {{- $config = mustMerge $config (dict "k8s" $k8s) -}}
 
 {{- with .Values.config.log -}}
diff --git a/charts/agent-control-deployment/templates/deployment-agentcontrol.yaml b/charts/agent-control-deployment/templates/deployment-agentcontrol.yaml
@@ -111,11 +111,6 @@ spec:
               mountPath: /etc/newrelic-agent-control/local-data/agent-control/local_config.yaml
               readOnly: true
               subPath: config.yaml
-            {{- if ((.Values.config).fleet_control).enabled }}
-            - name: auth-secret-private-key
-              mountPath: "/etc/newrelic-agent-control/keys"
-              readOnly: true
-            {{- end }}
             {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -145,14 +140,6 @@ spec:
                 path: config.yaml
         - name: var-lib-newrelic-agent-control
           emptyDir: {}
-        {{- if ((.Values.config).fleet_control).enabled }}
-        - name: auth-secret-private-key
-          secret:
-            secretName: {{ include "newrelic-agent-control.auth.secret.name" . }}
-            items:
-              - key: private_key
-                path: from-secret.key
-        {{- end }}
         {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
diff --git a/charts/agent-control-deployment/tests/auth_secret_test.yaml b/charts/agent-control-deployment/tests/auth_secret_test.yaml
@@ -8,7 +8,7 @@ release:
   namespace: my-namespace
 
 tests:
-  - it: authSecret is created and mounted correctly by default
+  - it: authSecret is NOT mounted as volume (auth handled via k8s API)
     set:
       cluster: test
       config:
@@ -28,9 +28,7 @@ tests:
               mountPath: /etc/newrelic-agent-control/local-data/agent-control/local_config.yaml
               readOnly: true
               subPath: config.yaml
-            - mountPath: /etc/newrelic-agent-control/keys
-              name: auth-secret-private-key
-              readOnly: true
+
       - template: templates/deployment-agentcontrol.yaml
         equal:
           path: spec.template.spec.volumes
@@ -43,12 +41,6 @@ tests:
                     path: config.yaml
             - name: var-lib-newrelic-agent-control
               emptyDir: {}
-            - name: auth-secret-private-key
-              secret:
-                secretName: my-release-agent-control-auth
-                items:
-                  - key: private_key
-                    path: from-secret.key
 
   - it: no mount and secret is created when auth is disabled
     set:
@@ -67,4 +59,4 @@ tests:
         notContains:
           path: spec.template.spec.volumes
           content:
-            name: auth-secret-private-key
+            name: auth-secret-private-key
diff --git a/charts/agent-control-deployment/tests/configmap_agentcontrol_config_test.yaml b/charts/agent-control-deployment/tests/configmap_agentcontrol_config_test.yaml
diff --git a/charts/agent-control-deployment/tests/deployment_agentcontrol_subagent_configs_test.yaml b/charts/agent-control-deployment/tests/deployment_agentcontrol_subagent_configs_test.yaml
diff --git a/charts/agent-control-deployment/values.yaml b/charts/agent-control-deployment/values.yaml
