diff --git a/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml b/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml
index 94f1d6fd..d9894285 100644
--- a/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml
@@ -74,6 +74,9 @@ spec:
 - name: credentials
 mountPath: "/etc/venafi/agent/key"
 readOnly: true
+ {{- with .Values.volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -95,3 +98,6 @@ spec:
 secret:
 secretName: {{ default "agent-credentials" .Values.authentication.secretName }}
 optional: false
+ {{- with .Values.volumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml b/deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml
index 8d934f6d..e902c66d 100644
--- a/deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml
@@ -74,3 +74,31 @@ tests:
 - contains:
 path: spec.template.spec.containers[0].command
 content: notpreflight
+
+ # Check the volumes and volumeMounts works correctly
+ - it: Volumes and VolumeMounts added correctly
+ set:
+ config.organisation: test_org
+ config.cluster: test_cluster
+ values:
+ - ./values/custom-volumes.yaml
+ asserts:
+ - isKind:
+ of: Deployment
+ - equal:
+ # In template this comes after credentials and agent config volumeMounts
+ path: spec.template.spec.containers[0].volumeMounts[?(@.name == "cabundle")]
+ value:
+ name: cabundle
+ mountPath: /etc/ssl/certs/ca-certificates.crt
+ subPath: ca-certificates.crt
+ readOnly: true
+ - equal:
+ path: spec.template.spec.volumes[?(@.name == "cabundle")].configMap
+ value:
+ name: cabundle
+ optional: false
+ defaultMode: 0644
+ items:
+ - key: cabundle
+ path: ca-certificates.crt
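Review bot: The entries from `.Values.volumeMounts` are rendered verbatim straight after the chart's own `credentials` mount, so nothing at template time stops a values entry from reusing `/etc/venafi/agent/key` or another chart-owned name, or from leaving out `readOnly: true`. The same holds for `.Values.volumes` in the second hunk of this file, which accepts any volume source, `hostPath` included. A colliding mountPath is only rejected by the API server at install time, where the error is harder to trace back to the values file. A comment above the new block would make the contract explicit, for example `# user-supplied volumeMounts are rendered verbatim; they must not reuse chart-owned names or mountPaths`, and if the chart ships a values schema (not visible here) both keys should be declared there as arrays of objects. The container and pod spec both start outside these hunks.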
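Review bot: The new test case asserts only on the added `cabundle` entries, so it would still pass if appending `.Values.volumeMounts` dropped or malformed the chart's own read-only `credentials` mount that sits immediately before the new block in the template. Add an assertion in the same case that the `credentials` mount is still rendered with `readOnly: true`, as sketched below, and ideally a second case with the default empty lists that checks no extra entries appear. The indentation in the sketch is assumed, since the page does not preserve it.

```yaml
    asserts:
      # … unchanged: isKind and the two cabundle `equal` assertions …
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            name: credentials
            mountPath: /etc/venafi/agent/key
            readOnly: true
```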
diff --git a/deploy/charts/venafi-kubernetes-agent/tests/values/custom-volumes.yaml b/deploy/charts/venafi-kubernetes-agent/tests/values/custom-volumes.yaml new file mode 100644 index 00000000..54f98ba1 --- /dev/null +++ b/deploy/charts/venafi-kubernetes-agent/tests/values/custom-volumes.yaml @@ -0,0 +1,15 @@ +volumes: + - name: cabundle + configMap: + name: cabundle + optional: false + defaultMode: 0644 + items: + - key: cabundle + path: ca-certificates.crt + +volumeMounts: + - name: cabundle + mountPath: /etc/ssl/certs/ca-certificates.crt + subPath: ca-certificates.crt + readOnly: true diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml index eee7a886..f2780fd0 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.yaml +++ b/deploy/charts/venafi-kubernetes-agent/values.yaml @@ -90,6 +90,34 @@ command: [] # For example `["--strict", "--oneshot"]` extraArgs: [] +# -- Additional volumes to add to the Venafi Kubernetes Agent container. This is +# useful for mounting a custom CA bundle. For example: +# +# volumes: +# - name: cabundle +# configMap: +# name: cabundle +# optional: false +# defaultMode: 0644 +# +# In order to create the ConfigMap, you can use the following command: +# +# kubectl create configmap cabundle \ +# --from-file=cabundle=./your/custom/ca/bundle.pem +volumes: [] + +# -- Additional volume mounts to add to the Venafi Kubernetes Agent container. +# This is useful for mounting a custom CA bundle. Any PEM certificate mounted +# under /etc/ssl/certs will be loaded by the Venafi Kubernetes Agent. For +# example: +# +# volumeMounts: +# - name: cabundle +# mountPath: /etc/ssl/certs/cabundle +# subPath: cabundle +# readOnly: true +volumeMounts: [] + # -- Authentication details for the Venafi Kubernetes Agent authentication: # -- Name of the secret containing the private key
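Review bot: The fixture's `mountPath: /etc/ssl/certs/ca-certificates.crt` combined with `subPath` replaces whatever file exists at that path instead of adding a certificate beside it, whereas the values.yaml text in this same commit documents adding a PEM file under `/etc/ssl/certs`. If the agent image ships a system bundle at that path (not visible here), anyone copying the fixture would lose the public roots unless their custom bundle also contains them. Consider a non-colliding path such as `mountPath: /etc/ssl/certs/cabundle.pem`, with the expectation in deployment_test.yaml updated to match, or add a comment saying the replacement is intentional.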
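Review bot: The documented `volumeMounts` example uses `subPath: cabundle`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so a rotated or trimmed CA bundle stays in effect until the pod is restarted. The comment should say so, for example `# Note: subPath mounts are not refreshed when the ConfigMap changes; restart the agent after updating the bundle.` Two smaller wording points in the same comment block: `volumes` are described as added to the "container" although the template adds them at pod level, and `defaultMode: 0644` depends on the parser reading it as octal, so `defaultMode: 420` would be unambiguous for users whose values pass through JSON or a YAML 1.2 tool.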