From bcd9ab1a393fc2fbc8cfb01fc1a0bac896663363 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ma=C3=ABl=20Valais?=
Date: Fri, 28 Jun 2024 13:26:09 +0200
Subject: [PATCH 1/2] helm: venafi agent: add volumes and volumeMounts for custom CA bundles
---
 .../templates/deployment.yaml | 6 ++++
 .../tests/deployment_test.yaml | 28 ++++++++++++++++++
 .../tests/values/custom-volumes.yaml | 15 ++++++++++
 .../venafi-kubernetes-agent/values.yaml | 29 +++++++++++++++++++
 4 files changed, 78 insertions(+)
 create mode 100644 deploy/charts/venafi-kubernetes-agent/tests/values/custom-volumes.yaml
diff --git a/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml b/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml
index 94f1d6fd..d9894285 100644
--- a/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml
@@ -74,6 +74,9 @@ spec:
 - name: credentials
 mountPath: "/etc/venafi/agent/key"
 readOnly: true
+ {{- with .Values.volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -95,3 +98,6 @@ spec:
 secret:
 secretName: {{ default "agent-credentials" .Values.authentication.secretName }}
 optional: false
+ {{- with .Values.volumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml b/deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml
index 8d934f6d..e902c66d 100644
--- a/deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml
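Review bot: Both `with` blocks render user-supplied entries verbatim through `toYaml`, so the template does not guard against a `volumeMounts`/`volumes` entry that reuses the chart's own `credentials` name or the `/etc/venafi/agent/key` mount path visible in the context lines; such a collision only surfaces as a Kubernetes API validation error at install time, not under `helm lint`, `helm template` or the new unit test. The same holds for the second hunk (`@@ -95,3 +98,6 @@`), and presumably for any volume type the API accepts, which leaves the namespace's admission policy rather than the chart as the only control on what gets mounted. A short template comment at the first `with` would make the contract explicit, e.g. `{{/* Rendered as-is: entries must not collide with the chart's "credentials" volume and mount. */}}`.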
@@ -74,3 +74,31 @@ tests:
 - contains:
 path: spec.template.spec.containers[0].command
 content: notpreflight
+
+ # Check the volumes and volumeMounts works correctly
+ - it: Volumes and VolumeMounts added correctly
+ set:
+ config.organisation: test_org
+ config.cluster: test_cluster
+ values:
+ - ./values/custom-volumes.yaml
+ asserts:
+ - isKind:
+ of: Deployment
+ - equal:
+ # In template this comes after credentials and agent config volumeMounts
+ path: spec.template.spec.containers[0].volumeMounts[?(@.name == "cabundle")]
+ value:
+ name: cabundle
+ mountPath: /etc/ssl/certs/ca-certificates.crt
+ subPath: ca-certificates.crt
+ readOnly: true
+ - equal:
+ path: spec.template.spec.volumes[?(@.name == "cabundle")].configMap
+ value:
+ name: cabundle
+ optional: false
+ defaultMode: 0644
+ items:
+ - key: cabundle
+ path: ca-certificates.crt
diff --git a/deploy/charts/venafi-kubernetes-agent/tests/values/custom-volumes.yaml b/deploy/charts/venafi-kubernetes-agent/tests/values/custom-volumes.yaml
new file mode 100644
index 00000000..54f98ba1
--- /dev/null
+++ b/deploy/charts/venafi-kubernetes-agent/tests/values/custom-volumes.yaml
@@ -0,0 +1,15 @@
+volumes:
+ - name: cabundle
+ configMap:
+ name: cabundle
+ optional: false
+ defaultMode: 0644
+ items:
+ - key: cabundle
+ path: ca-certificates.crt
+
+volumeMounts:
+ - name: cabundle
+ mountPath: /etc/ssl/certs/ca-certificates.crt
+ subPath: ca-certificates.crt
+ readOnly: true
diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml
index eee7a886..5a0e7213 100644
--- a/deploy/charts/venafi-kubernetes-agent/values.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/values.yaml
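Review bot: `defaultMode: 0644` in the second `- equal:` assertion (and in the new tests/values/custom-volumes.yaml hunk that follows) relies on the YAML parser reading a leading zero as octal (420); a YAML 1.2 parser reads it as decimal 644, which is outside the range the API accepts for `defaultMode`. Helm and helm-unittest appear to apply YAML 1.1 semantics here, so the test passes today, but the fixture is the shape users will copy, and the portable spelling is `defaultMode: 420`. The assertion also pins a `subPath` mount at `/etc/ssl/certs/ca-certificates.crt`, which shadows any system bundle the image ships at that path rather than adding to it; if that is intended for the test, a remark next to `# In template this comes after …` saying so would save the next reader the question.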
@@ -90,6 +90,35 @@ command: [] # For example `["--strict", "--oneshot"]` extraArgs: [] +# -- Additional volumes to add to the Venafi Kubernetes Agent container. This is +# useful for mounting a custom CA bundle. For example: +# +# volumes: +# - name: cabundle +# configMap: +# name: cabundle +# optional: false +# defaultMode: 0644 +# items: +# - key: cabundle +# path: ca-certificates.crt +# +# In order to create the ConfigMap, you can use the following command: +# +# kubectl create configmap cabundle \ +# --from-file=cabundle=./your/custom/ca/bundle.pem +volumes: [] + +# -- Additional volume mounts to add to the Venafi Kubernetes Agent container. +# This is useful for mounting a custom CA bundle. For example: +# +# volumeMounts: +# - name: cabundle +# mountPath: /etc/ssl/certs/ca-certificates.crt +# subPath: ca-certificates.crt +# readOnly: true +volumeMounts: [] + # -- Authentication details for the Venafi Kubernetes Agent authentication: # -- Name of the secret containing the private key From 6a8878e14ef6bff948833d938c9c7d0ce7114414 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Valais?= Date: Fri, 28 Jun 2024 16:06:19 +0200 Subject: [PATCH 2/2] helm: venafi agent: use the simpler /etc/ssl/certs/cabundle Because Go loads all certs under /etc/ssl/certs, not just /etc/ssl/certs/ca-certificates.crt. --- deploy/charts/venafi-kubernetes-agent/values.yaml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml index 5a0e7213..f2780fd0 100644 --- a/deploy/charts/venafi-kubernetes-agent/values.yaml +++ b/deploy/charts/venafi-kubernetes-agent/values.yaml @@ -99,9 +99,6 @@ extraArgs: [] # name: cabundle # optional: false # defaultMode: 0644 -# items: -# - key: cabundle -# path: ca-certificates.crt # # In order to create the ConfigMap, you can use the following command: # 
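Review bot: The new `# -- Additional volumes …` and `# -- Additional volume mounts …` comments describe the mechanism but omit two caveats a user of the CA-bundle example needs: a ConfigMap mounted via `subPath`, as in the example, does not receive ConfigMap updates, so rotating the bundle requires a pod restart, and entry names must not collide with the chart's own `credentials` volume and mount, which otherwise fails Kubernetes validation at install time. Suggest appending to the volumeMounts comment: `# Note: subPath mounts are not refreshed when the ConfigMap changes; restart the pod after rotating the bundle.` and to the volumes comment: `# Names must not collide with the chart's own "credentials" volume.`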
@@ -110,12 +107,14 @@ extraArgs: [] volumes: [] # -- Additional volume mounts to add to the Venafi Kubernetes Agent container. -# This is useful for mounting a custom CA bundle. For example: +# This is useful for mounting a custom CA bundle. Any PEM certificate mounted +# under /etc/ssl/certs will be loaded by the Venafi Kubernetes Agent. For +# example: # # volumeMounts: # - name: cabundle -# mountPath: /etc/ssl/certs/ca-certificates.crt -# subPath: ca-certificates.crt +# mountPath: /etc/ssl/certs/cabundle +# subPath: cabundle # readOnly: true volumeMounts: []
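Review bot: The example now mounts the bundle at `/etc/ssl/certs/cabundle` with `subPath: cabundle`, but tests/values/custom-volumes.yaml and the deployment_test.yaml assertion added in the first patch still use `/etc/ssl/certs/ca-certificates.crt`, so the shipped fixture and the documented layout disagree; aligning the fixture to `mountPath: /etc/ssl/certs/cabundle` / `subPath: cabundle` keeps the test exercising the recommended shape. The sentence `Any PEM certificate mounted under /etc/ssl/certs will be loaded` is also worth qualifying: on Linux, Go's crypto/x509 reads that directory in addition to the first system bundle file it finds, so the custom CA is added to the image's system roots rather than substituted for them, and a deployment that must trust only a private CA still has to overwrite the system bundle path. Suggest adding after the `# example:` line: `# The custom CA is added to the image's system roots; it does not replace them.`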