From 620f980c26a7e256c08059d48795902cabf43faf Mon Sep 17 00:00:00 2001
From: Charith Ellawala
Date: Wed, 26 Apr 2023 16:57:32 +0100
Subject: [PATCH] enhancement(helm): Volume mounts for Cerbos Cloud (#1547)

If the user is using the default settings, automatically mount `emptyDir` volumes for temp and cache directories. Also adds an example values file for connecting to Cerbos Cloud.

Signed-off-by: Charith Ellawala
---
 deploy/charts/cerbos/templates/_helpers.tpl | 9 ++++++++
 .../charts/cerbos/templates/deployment.yaml | 15 ++++++++++++
 .../charts/cerbos/values-bundle-storage.yaml | 23 +++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 deploy/charts/cerbos/values-bundle-storage.yaml

diff --git a/deploy/charts/cerbos/templates/_helpers.tpl b/deploy/charts/cerbos/templates/_helpers.tpl
index 5a80c0dd7..313ccd0f8 100644
--- a/deploy/charts/cerbos/templates/_helpers.tpl
+++ b/deploy/charts/cerbos/templates/_helpers.tpl
@@ -147,3 +147,12 @@ Merge the configurations to obtain the final configuration file
 {{ mustMergeOverwrite $defaultConf .Values.cerbos.config $derivedConf | toYaml }}
 {{- end }}
 
+{{/*
+Detect if bundle driver is used with default config
+*/}}
+{{- define "cerbos.defaultBundleDriverEnabled" -}}
+{{- $isBundleDriver := (eq (dig "config" "storage" "driver" "" .Values.cerbos) "bundle") -}}
+{{- $isDefaultTmp := (eq (dig "config" "storage" "bundle" "remote" "tempDir" "" .Values.cerbos) "") -}}
+{{- $isDefaultCache := (eq (dig "config" "storage" "bundle" "remote" "cacheDir" "" .Values.cerbos) "") -}}
+{{- if (and $isBundleDriver $isDefaultTmp $isDefaultCache) -}}yes{{- else -}}no{{- end -}}
+{{- end }}
diff --git a/deploy/charts/cerbos/templates/deployment.yaml b/deploy/charts/cerbos/templates/deployment.yaml
index f6cc0910a..fc544e1dd 100644
--- a/deploy/charts/cerbos/templates/deployment.yaml
+++ b/deploy/charts/cerbos/templates/deployment.yaml
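Review bot: In `cerbos.defaultBundleDriverEnabled` (the `_helpers.tpl` hunk), the final `and` requires both `tempDir` and `cacheDir` to be unset, so overriding just one of them makes the helper return `no` and the directory left at its default gets no automatic mount. If the container's root filesystem is read-only (the security context is not visible in this patch), that default path would presumably not be writable. Consider evaluating the two directories separately so each default gets its own volume, or at least extend the helper comment to something like `Returns "yes" only when the bundle driver is selected and both tempDir and cacheDir are unset; overriding either one disables both automatic mounts.`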
@@ -1,4 +1,5 @@
 {{- $tlsDisabled := (eq (include "cerbos.tlsSecretName" .) "None") -}}
+{{- $defaultBundleDriverEnabled := (eq (include "cerbos.defaultBundleDriverEnabled" .) "yes") -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -81,8 +82,15 @@ spec:
 - name: config
 mountPath: /config
 readOnly: true
+ {{- if $defaultBundleDriverEnabled }}
+ - name: bundletmp
+ mountPath: /tmp
+ - name: bundlecache
+ mountPath: /.cache
+ {{- else }}
 - name: work
 mountPath: /work
+ {{- end }}
 {{- if not $tlsDisabled }}
 - name: certs
 mountPath: /certs
@@ -95,8 +103,15 @@ spec:
 - name: config
 configMap:
 name: {{ include "cerbos.fullname" . }}
+ {{- if $defaultBundleDriverEnabled }}
+ - name: bundletmp
+ emptyDir: {}
+ - name: bundlecache
+ emptyDir: {}
+ {{- else }}
 - name: work
 emptyDir: {}
+ {{- end }}
 {{- if not $tlsDisabled }}
 - name: certs
 secret:
diff --git a/deploy/charts/cerbos/values-bundle-storage.yaml b/deploy/charts/cerbos/values-bundle-storage.yaml
new file mode 100644
index 000000000..ba441d7e6
--- /dev/null
+++ b/deploy/charts/cerbos/values-bundle-storage.yaml
@@ -0,0 +1,23 @@
+# Illustrates how to connect to Cerbos Cloud
+# Prerequisites:
+# - Sign-up to Cerbos Cloud and follow the instructions to create an API key
+# - Create a Kubernetes secret named `cerbos-cloud-credentials`:
+# kubectl create secret generic cerbos-cloud-credentials \
+# --from-literal=CERBOS_CLOUD_CLIENT_ID= \
+# --from-literal=CERBOS_CLOUD_CLIENT_SECRET= \
+# --from-literal=CERBOS_CLOUD_SECRET_KEY=
+
+cerbos:
+ config:
+ # Configure the bundle storage driver
+ storage:
+ driver: "bundle"
+ bundle:
+ remote:
+ bundleLabel: "YOUR_LABEL" # Alternatively, add `CERBOS_CLOUD_BUNDLE=` to the secret you created above.
+
+# Create environment variables from the secret.
+envFrom:
+ - secretRef:
+ name: cerbos-cloud-credentials
+
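Review bot: In the `volumeMounts` hunk of deployment.yaml (`@@ -81,8 +82,15 @@`), and again in the matching `volumes` hunk, the `{{- else }}` makes the `work` volume and the two bundle volumes mutually exclusive, so a release using the bundle driver with default directories no longer has `/work` mounted. Any other setting that writes under `/work` would then land on the container filesystem instead of an `emptyDir`; whether anything does is not visible in this patch and should be confirmed. If `work` is still needed, close the conditional before it by replacing `{{- else }}` with `{{- end }}` and dropping the later `{{- end }}` in both hunks. The mount paths `/tmp` and `/.cache` are hard-coded to what are presumably the binary's defaults, so a comment such as `# must match the server's default tempDir/cacheDir` would help keep them in sync. Both lists start and end outside the hunks.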
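Review bot: Both new `emptyDir: {}` volumes in the `volumes` hunk of deployment.yaml (`@@ -95,8 +103,15 @@`) are unbounded, so downloaded bundles and temp files count against node ephemeral storage with no cap, and an oversized or repeated download can lead to pod eviction or storage pressure on co-located workloads. Consider a limit driven by chart values, e.g. `emptyDir: { sizeLimit: <LIMIT> }`, where `<LIMIT>` stands for a value the chart would expose. The existing `work` volume has the same shape, so the same setting could cover all three. The `volumes` list continues outside the hunk.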
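Review bot: The prerequisite comment in values-bundle-storage.yaml builds the secret with `--from-literal`, which puts the client secret and secret key on the command line, where they end up in shell history and are visible in the process list. Consider documenting `--from-env-file=<PATH_TO_ENV_FILE>` (placeholder path) instead, with that file kept out of version control. As shown here the three `--from-literal=...=` arguments have nothing after the `=`; the placeholders may have been lost in rendering, but if not they should be explicit in the style of `YOUR_LABEL`. It is also worth stating that the secret must be created in the release's namespace, since `envFrom.secretRef` only resolves secrets in the pod's own namespace.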