[secrets-store-csi-driver-provider-gcp] Chart fixes and updates (#698)
* Remove the -}}, which chomps whitespace and means apiVersion becomes part of the header comment

* Bump default application version

* Incorporate security improvements from the application repo's chart

* Run helm-docs
milesarmstrong committed Mar 15, 2024
1 parent fe6005c commit 715779b
Showing 7 changed files with 63 additions and 46 deletions.
4 changes: 2 additions & 2 deletions charts/secrets-store-csi-driver-provider-gcp/Chart.yaml
Expand Up @@ -31,12 +31,12 @@ keywords:
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.5.0
version: 0.6.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 1.0.0
appVersion: 1.5.0

maintainers:
- name: nlamirault
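Review bot: The `appVersion` line at the end of this hunk was stale before this change (1.0.0 while values.yaml already defaulted the image tag to v1.4.0), so bumping it to 1.5.0 in step with the tag is right, and the 0.5.0 to 0.6.0 chart version bump is warranted because the DaemonSet template now changes the pod security context and drops a host mount, not just the image. Consider recording those behavioural changes in the chart's changelog annotation so users see them before upgrading.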
55 changes: 27 additions & 28 deletions charts/secrets-store-csi-driver-provider-gcp/README.md
@@ -1,43 +1,42 @@
# secrets-store-csi-driver-provider-gcp

![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square)

A Helm chart for Google Secret Manager Provider for Secret Store CSI Driver

**Homepage:** <https://charts.portefaix.xyz>

## Maintainers

| Name | Email | Url |
| ---------- | ----------------------------- | --- |
| nlamirault | <nicolas.lamirault@gmail.com> | |
| Name | Email | Url |
| ---- | ------ | --- |
| nlamirault | <nicolas.lamirault@gmail.com> | |

## Source Code

- <https://github.com/portefaix/portefaix-hub/tree/master/charts/secrets-store-csi-driver-provider-gcp>
* <https://github.com/portefaix/portefaix-hub/tree/master/charts/secrets-store-csi-driver-provider-gcp>

## Values

| Key | Type | Default | Description |
| ------------------------------- | ------ | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------- |
| additionalAnnotations | object | `{}` | Additional annotations to add to metadata |
| additionalLabels | object | `{}` | Additional labels to add to metadata |
| affinity | object | `{}` | Affinity settings for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
| fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin"` | |
| image.tag | string | `"v1.0.0"` | |
| imagePullSecrets | list | `[]` | |
| namespace | string | `"kube-system"` | Namespace to deploy the Secret Store CSI Driver |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ |
| rbac.create | bool | `true` | If true, create & use RBAC resources |
| resources | object | `{}` | Container resources (requests and limits for cpu and memory) |
| serviceAccount.annotations | object | `{}` | ServiceAccount annotations. # Use case: GKE Workload Identity for service accounts |
| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created, require rbac true |
| serviceAccount.imagePullSecrets | list | `[]` | |
| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use. # If not set and create is true, a name is generated using the fullname template |
| tolerations | list | `[]` | Tolerations for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |

---

Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalAnnotations | object | `{}` | Additional annotations to add to metadata |
| additionalLabels | object | `{}` | Additional labels to add to metadata |
| affinity | object | `{}` | Affinity settings for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
| fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin"` | |
| image.tag | string | `"v1.5.0"` | |
| imagePullSecrets | list | `[]` | |
| namespace | string | `"kube-system"` | Namespace to deploy the Secret Store CSI Driver |
| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ |
| rbac.create | bool | `true` | If true, create & use RBAC resources |
| resources | object | `{}` | Container resources (requests and limits for cpu and memory) |
| serviceAccount.annotations | object | `{}` | ServiceAccount annotations. # Use case: GKE Workload Identity for service accounts |
| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created, require rbac true |
| serviceAccount.imagePullSecrets | list | `[]` | |
| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use. # If not set and create is true, a name is generated using the fullname template |
| tolerations | list | `[]` | Tolerations for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |

----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
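Review bot: The Values table in this hunk still has empty Description cells for `image.pullPolicy`, `image.repository`, `image.tag`, `imagePullSecrets` and `serviceAccount.imagePullSecrets`; helm-docs fills that column from `# --` comments in values.yaml, so adding a one-line comment to each (for example that `image.tag` should track `appVersion` in Chart.yaml) would make the regenerated README complete. The rest of the hunk is the table reformatting and footer change that come with moving from helm-docs v1.11.0 to v1.13.1.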
Expand Up @@ -14,7 +14,7 @@
#
# SPDX-License-Identifier: Apache-2.0

{{- if .Values.rbac.create -}}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
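Review bot: The change from `{{- if .Values.rbac.create -}}` to `{{- if .Values.rbac.create }}` is the right fix: the left-hand `{{-` already swallows the blank line after `# SPDX-License-Identifier: Apache-2.0`, and the right-hand `-}}` then swallowed the newline before `apiVersion:`, so the rendered manifest began `# SPDX-License-Identifier: Apache-2.0apiVersion: rbac.authorization.k8s.io/v1` and the apiVersion was lost inside the comment. A cheap regression check for CI is to render with `helm template . --set rbac.create=true` and assert that a line starting with `apiVersion:` appears before `kind: ClusterRole`.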
Expand Up @@ -14,7 +14,7 @@
#
# SPDX-License-Identifier: Apache-2.0

{{- if .Values.rbac.create -}}
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
Expand All @@ -34,4 +34,4 @@ subjects:
- kind: ServiceAccount
name: {{ template "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }}
namespace: {{ template "secrets-store-csi-driver-provider-gcp.namespace" . }}
{{- end -}}
{{- end -}}
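Review bot: Both sides of this hunk read `{{- end -}}`, so the only difference is the trailing newline at end of file; that is harmless for the rendered output because the closing `-}}` chomps it anyway, but keeping the templates consistent (all with or all without a final newline) avoids whitespace-only hunks in future diffs.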
Expand Up @@ -37,10 +37,33 @@ spec:
{{- include "secrets-store-csi-driver-provider-gcp.labels" . | indent 8 }}
spec:
serviceAccountName: {{ template "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }}
initContainers:
- name: chown-provider-mount
image: busybox
command:
- chown
- "1000:1000"
- /etc/kubernetes/secrets-store-csi-providers
volumeMounts:
- mountPath: "/etc/kubernetes/secrets-store-csi-providers"
name: providervol
hostNetwork: false
hostPID: false
hostIPC: false
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
{{- if .Values.resources }}
resources:
{{ toYaml .Values.resources | indent 12 }}
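Review bot: The `chown-provider-mount` init container at the top of this hunk uses the bare `busybox` image with no tag or digest, no `resources` and no `securityContext`, and it necessarily runs as root because it chowns a hostPath directory on the node; pin it (`busybox:<tag>@sha256:<digest>`, ideally exposed through values so clusters that mirror images can point elsewhere) and give it a minimal securityContext (`allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL], add: [CHOWN]}`) so the one root step in the pod is as narrow as possible. In the main container's securityContext, `runAsUser: 1000` should be paired with `runAsNonRoot: true` so the kubelet refuses to start the container if the image ever defaults back to UID 0, which is the case the chown step exists to support. The explicit `hostNetwork`/`hostPID`/`hostIPC: false`, `readOnlyRootFilesystem: true`, `seccompProfile: RuntimeDefault` and `drop: [ALL]` lines are a sound baseline; note that the pod as a whole still cannot satisfy the restricted Pod Security Standard while the init container runs as root, which is worth stating in the README for users of PSA-enforced namespaces.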
Expand All @@ -51,9 +74,8 @@ spec:
volumeMounts:
- mountPath: "/etc/kubernetes/secrets-store-csi-providers"
name: providervol
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: HostToContainer
mountPropagation: None
readOnly: false
livenessProbe:
failureThreshold: 3
httpGet:
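Review bot: Dropping the `mountpoint-dir` mount of `/var/lib/kubelet/pods` with `HostToContainer` propagation is the most significant privilege reduction in this change, since that mount gave the provider read/write access to every pod's volumes on the node; please confirm in the PR description that provider v1.5.0 never writes into that path (it should only serve the driver over its Unix socket in `/etc/kubernetes/secrets-store-csi-providers`), because a regression here would surface as failed secret mounts at runtime rather than at template time. The added `mountPropagation: None` on `providervol` is the Kubernetes default and is fine to state explicitly; `readOnly: false` is required because the provider creates its socket in that directory.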
Expand All @@ -62,6 +84,10 @@ spec:
initialDelaySeconds: 5
timeoutSeconds: 10
periodSeconds: 30
volumes:
- name: providervol
hostPath:
path: /etc/kubernetes/secrets-store-csi-providers
{{- if .Values.affinity }}
affinity:
{{ toYaml .Values.affinity | indent 8 }}
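Review bot: The `providervol` hostPath added here has no `type:`, so whether `/etc/kubernetes/secrets-store-csi-providers` gets created on a node that lacks it is left to the container runtime, and either the mount or the init container's `chown` of that path fails on such a node; set `type: DirectoryOrCreate`, as the removed `mountpoint-dir` volume did, so creation is explicit and the chown step always has a directory to act on. Moving `volumes:` above the conditional `affinity` block is otherwise fine; keep its indentation at the same level as `affinity` so the conditional blocks remain under `spec`.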
Expand All @@ -74,11 +100,3 @@ spec:
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
volumes:
- name: providervol
hostPath:
path: /etc/kubernetes/secrets-store-csi-providers
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
type: DirectoryOrCreate
Expand Up @@ -14,7 +14,7 @@
#
# SPDX-License-Identifier: Apache-2.0

{{- if .Values.serviceAccount.create -}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
2 changes: 1 addition & 1 deletion charts/secrets-store-csi-driver-provider-gcp/values.yaml
Expand Up @@ -35,7 +35,7 @@ namespace: kube-system

image:
repository: us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin
tag: v1.4.0
tag: v1.5.0
pullPolicy: IfNotPresent

imagePullSecrets: []
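Review bot: `tag: v1.5.0` is a mutable tag that now has to be kept in sync with `appVersion` in Chart.yaml by hand, which is exactly how it drifted before this change (appVersion 1.0.0 against tag v1.4.0); the usual fix is to default `tag` to empty here and render `{{ .Values.image.tag | default .Chart.AppVersion }}` in the DaemonSet so one value drives both, bearing in mind that `appVersion` is `1.5.0` without the `v` prefix the tag carries, so either align the prefix or render `v{{ .Chart.AppVersion }}`. An optional `image.digest` value would let users who want an immutable reference pin `@sha256:...` instead, and a `# --` helm-docs comment on `tag` would fill the README's empty description cell.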