From c5bd20c0a0e59876f6a150925d2c8b62db29b5f7 Mon Sep 17 00:00:00 2001 From: Ashley Davis Date: Wed, 18 Jun 2025 16:11:37 +0100 Subject: [PATCH] Remove jetstack-agent chart + docs I think most of the jetstack-agent stuff has been removed and is no longer relevant to what we do day-to-day. This is a first step towards cleaning up the code base so we can refactor further. There are several references in README to Jetstack secure, to the old chart, and to stuff that's no longer relevant, so I've cleaned it up a lot. I also moved the release guide to RELEASE.md to match what we do in other projects, and cleaned up the release info to be a bit more readable and focus on details that are important to us. To preserve the old Jetstack Secure functionality in the event we require it, I've already created + pushed a tag called "before-jetstack-secure-removal". If we need to do something Jetstack Secure related (such as an agent change or a chart tweak) we can create a branch from that tag and maintain that separately. 
Signed-off-by: Ashley Davis --- README.md | 198 +------------ RELEASE.md | 104 +++++++ deploy/charts/jetstack-agent/.helmignore | 1 - deploy/charts/jetstack-agent/Chart.yaml | 13 - deploy/charts/jetstack-agent/README.md | 180 ------------ deploy/charts/jetstack-agent/README.md.gotmpl | 134 --------- .../charts/jetstack-agent/templates/NOTES.txt | 8 - .../jetstack-agent/templates/_helpers.tpl | 62 ---- .../jetstack-agent/templates/configmap.yaml | 215 -------------- .../jetstack-agent/templates/deployment.yaml | 111 ------- .../charts/jetstack-agent/templates/rbac.yaml | 278 ------------------ .../jetstack-agent/templates/secret.yaml | 12 - .../templates/serviceaccount.yaml | 13 - .../__snapshot__/configuration_test.yaml.snap | 197 ------------- .../tests/configuration_test.yaml | 57 ---- .../jetstack-agent/tests/deployment_test.yaml | 116 -------- .../tests/values/custom-config.yaml | 15 - .../tests/values/custom-volumes.yaml | 11 - deploy/charts/jetstack-agent/values.yaml | 127 -------- 19 files changed, 118 insertions(+), 1734 deletions(-) create mode 100644 RELEASE.md delete mode 100644 deploy/charts/jetstack-agent/.helmignore delete mode 100644 deploy/charts/jetstack-agent/Chart.yaml delete mode 100644 deploy/charts/jetstack-agent/README.md delete mode 100644 deploy/charts/jetstack-agent/README.md.gotmpl delete mode 100644 deploy/charts/jetstack-agent/templates/NOTES.txt delete mode 100644 deploy/charts/jetstack-agent/templates/_helpers.tpl delete mode 100644 deploy/charts/jetstack-agent/templates/configmap.yaml delete mode 100644 deploy/charts/jetstack-agent/templates/deployment.yaml delete mode 100644 deploy/charts/jetstack-agent/templates/rbac.yaml delete mode 100644 deploy/charts/jetstack-agent/templates/secret.yaml delete mode 100644 deploy/charts/jetstack-agent/templates/serviceaccount.yaml delete mode 100644 deploy/charts/jetstack-agent/tests/__snapshot__/configuration_test.yaml.snap delete mode 100644 
deploy/charts/jetstack-agent/tests/configuration_test.yaml delete mode 100644 deploy/charts/jetstack-agent/tests/deployment_test.yaml delete mode 100644 deploy/charts/jetstack-agent/tests/values/custom-config.yaml delete mode 100644 deploy/charts/jetstack-agent/tests/values/custom-volumes.yaml delete mode 100644 deploy/charts/jetstack-agent/values.yaml diff --git a/README.md b/README.md index 029d1271..08a1caeb 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +# Venafi Kubernetes Agent + [![tests](https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml/badge.svg?branch=master&event=push)](https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml) [![Go Reference](https://pkg.go.dev/badge/github.com/jetstack/jetstack-secure.svg)](https://pkg.go.dev/github.com/jetstack/jetstack-secure) [![Go Report Card](https://goreportcard.com/badge/github.com/jetstack/jetstack-secure)](https://goreportcard.com/report/github.com/jetstack/jetstack-secure) @@ -6,8 +8,9 @@ ## Installation -Please [review the documentation](https://platform.jetstack.io/documentation/installation/agent) -for the agent before getting started. +Please [review the documentation](https://docs.venafi.cloud/vaas/k8s-components/c-tlspk-agent-overview/) for the agent. + +Detailed installation instructions are available for a variety of methods. ## Local Execution @@ -17,11 +20,9 @@ To build and run a version from master: go run main.go agent --agent-config-file ./path/to/agent/config/file.yaml -p 0h1m0s ``` -You can find the example agent file -[here](https://github.com/jetstack/preflight/blob/master/agent.yaml). +You can find an example agent file [here](https://github.com/jetstack/preflight/blob/master/agent.yaml). -You might also want to run a local echo server to monitor requests the agent -sends: +You might also want to run a local echo server to monitor requests sent by the agent: ```bash go run main.go echo 
@@ -29,188 +30,17 @@ go run main.go echo ## Metrics -The Jetstack-Secure agent exposes its metrics through a Prometheus server, on port 8081. +The agent exposes its metrics through a Prometheus server, on port 8081. + The Prometheus server is disabled by default but can be enabled by passing the `--enable-metrics` flag to the agent binary. -If you deploy the agent with Helm, using the venafi-kubernetes-agent Helm chart, the metrics server will be enabled by default, on port 8081. +If you deploy the agent using the venafi-kubernetes-agent Helm chart, the metrics server will be enabled by default, on port 8081. + If you use the Prometheus Operator, you can use `--set metrics.podmonitor.enabled=true` to deploy a `PodMonitor` resource, which will add the venafi-kubernetes-agent metrics to your Prometheus server. The following metrics are collected: -- Go collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus client_golang. -- Process collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus client_golang. -- Agent metrics: -- `data_readings_upload_size`: Data readings upload size (in bytes) sent by the jscp in-cluster agent. 
- -## Tiers, Images and Helm Charts - -The Docker images are: - -| Image | Access | Tier | Docs | -| --------------------------------------------------------- | ------- | ------------------------------------------- | --------------------------- | -| `quay.io/jetstack/preflight` | Public | Tier 1 and 2 of Jetstack Secure | | -| `quay.io/jetstack/venafi-agent` | Public | Not meant for users, used for mirroring | | -| `registry.venafi.cloud/venafi-agent/venafi-agent` | Public | Tier 1 of Venafi TLS Protect for Kubernetes | | -| `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] | -| `private-registry.venafi.eu/venafi-agent/venafi-agent` | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] | - -[Jetstack Enterprise Registry]: https://platform.jetstack.io/documentation/installation/agent#1-obtain-oci-registry-credentials/ -[Venafi Private Registry]: https://docs.venafi.cloud/vaas/k8s-components/th-guide-confg-access-to-tlspk-enterprise-components/ - -The Helm charts are: - -| Helm Chart | Access | Tier | Access Documentation | -| --------------------------------------------------------------------------- | ------- | ------------------------------------------- | -------------------------------- | -| `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` | Private | Tier 2 of Jetstack Secure | [Jetstack Enterprise Registry][] | -| `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` | Private | Tier 2 of Jetstack Secure | [Jetstack Enterprise Registry][] | -| `oci://quay.io/jetstack/charts/venafi-kubernetes-agent` | Public | Not meant for users, used for mirroring | | -| `oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Private | Not meant for users, used for mirroring | | -| `oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Private | Not meant for users, used for 
mirroring | | -| `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent` | Public | Tier 1 of Venafi TLS Protect for Kubernetes | | -| `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent` | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] | -| `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent` | Private | Tier 2 of Venafi TLS Protect for Kubernetes | [Venafi Private Registry][] | - -## Release Process - -> [!NOTE] -> Before starting, let Michael McLoughlin know that a release is about to be created. - -The release process is semi-automated. - -### Step 1: Git Tag and GitHub Release - -> [!NOTE] -> -> Upon pushing the tag, a GitHub Action will do the following: -> - Build and publish the container image at `quay.io/jetstack/venafi-agent`, -> - Build and publish the Helm chart at `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`, -> - Create a draft GitHub release, -> - Upload the Helm chart tarball to the GitHub release. - -1. Open the [tests GitHub Actions workflow][tests-workflow] - and verify that it succeeds on the master branch. -2. Run govulncheck: - ```bash - go install golang.org/x/vuln/cmd/govulncheck@latest - govulncheck -v ./... - ``` -3. Create a tag for the new release: - ```sh - export VERSION=v1.1.0 - git tag --annotate --message="Release ${VERSION}" "${VERSION}" - git push origin "${VERSION}" - ``` -4. Wait until the GitHub Actions finishes. -5. Navigate to the GitHub Releases page and select the draft release to edit. - 1. Click on “Generate release notes” to automatically compile the changelog. - 2. Review and refine the generated notes to ensure they’re clear and useful - for end users. - 3. Remove any irrelevant entries, such as “update deps,” “update CI,” “update - docs,” or similar internal changes that do not impact user functionality. -6. Publish the release. -7. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been - released. 
Make sure to share any breaking change that may affect `venctl connect` - or `venctl generate`. -8. Inform Michael McLoughlin of the new release so he can update the - documentation at . - -[tests-workflow]: https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml?query=branch%3Amaster - -> [!NOTE] -> -> For context, the new tag will create the following images: -> -> | Image | Automation | -> | --------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -> | `quay.io/jetstack/preflight` | No longer built. Use `quay.io/jetstack/venafi-agent` instead. | -> | `quay.io/jetstack/venafi-agent` | Automatically built by GitHub Actions [release-master](.github/workflows/release-master.yml) on Git tags | -> | `registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule [public-img-and-chart-replication.tf][] that runs every 30 minutes, all image tags containing `X.X.X` are replicated, including e.g. `1.0.0-alpha.0` | -> | `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. `1.0.0-alpha.0` | -> | `private-registry.venafi.eu/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. 
`1.0.0-alpha.0` | -> -> and the following OCI Helm charts: -> -> | Helm Chart | Automation | -> | --------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -> | `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` | Manually triggered, GitHub Actions workflow [release_venafi-agent_chart.yaml][] | -> | `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` | Manually triggered, GitHub Actions workflow [release_venafi-agent_chart.yaml][] | -> | `oci://quay.io/jetstack/charts/venafi-kubernetes-agent` | Automatically built by GitHub Actions [release-master](.github/workflows/release-master.yml) on Git tags[] | -> | `oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Automatically built by GitHub Actions [release_enterprise_builds.yaml][] | -> | `oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent` | Automatically built by GitHub Actions [release_enterprise_builds.yaml][] | -> | `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule [public-img-and-chart-replication.tf][] that runs every 30 minutes, all image tags containing `X.X.X` are replicated, including e.g. `v1.0.0-alpha.0` | -> | `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. `v1.0.0-alpha.0` | -> | `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule [private-img-and-chart-replication.tf][] that runs every 10 minutes, all image tags containing `X.X.X` are replicated, including e.g. 
`v1.0.0-alpha.0` | -> -> Here is replication flow for OCI Helm charts: -> -> ```text -> v1.1.0 (Git tag in the jetstack-secure repo) -> └── oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version 1.1.0 (GitHub Actions in the jetstack-secure repo) -> ├── oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions) -> └── oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions) -> ├── oci://registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) -> └── oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) -> └── oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) -> ``` -> -> And the replication flow for Docker images: -> -> ```text -> v1.1.0 (Git tag in the jetstack-secure repo) -> └── quay.io/jetstack/venafi-agent:v1.1.0 (GitHub Actions in the jetstack-secure repo) -> ├── us.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions) -> └── eu.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions) -> ├── registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) -> ├── private-registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) -> └── private-registry.venafi.eu/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) -> ``` - -[public-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/public-registry/module/subsystems/tlspk/replication.tf -[private-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/private-registry/module/subsystems/tlspk/replication.tf -[release_venafi-agent_chart.yaml]: 
https://github.com/jetstack/enterprise-builds/blob/main/.github/workflows/release_venafi-agent_chart.yaml -[release_enterprise_builds.yaml]: https://github.com/jetstack/enterprise-builds/actions/workflows/release_enterprise_builds.yaml - -### Step 2: Test the Helm chart "venafi-kubernetes-agent" with venctl connect - -NOTE(mael): TBD - -### (Optional) Step 3: Release the Helm Chart "jetstack-secure" - -This step is performed by Peter Fiddes and Adrian Lai separately from the main -release process. - -The `jetstack-secure` chart is for [Jetstack -Secure](https://platform.jetstack.io/documentation/installation/agent#jetstack-agent-helm-chart-installation). -It is composed of two OCI Helm charts: - -- `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` -- `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` - -> [!NOTE] -> -> The [jetstack-agent](deploy/charts/jetstack-agent/README.md) chart has a -> different version number to the agent. This is because the first version of -> _this_ chart was given version `0.1.0`, while the app version at the time was -> `0.1.38`. And this allows the chart to be updated and released more frequently -> than the Docker image if necessary. - -The process is as follows: - -1. Create a branch. -2. Increment version numbers. - 1. Increment the `version` value in [Chart.yaml](deploy/charts/jetstack-agent/Chart.yaml). - DO NOT use a `v` prefix. - The `v` prefix [breaks Helm OCI operations](https://github.com/helm/helm/issues/11107). - 2. Increment the `appVersion` value in [Chart.yaml](deploy/charts/jetstack-agent/Chart.yaml). - Use a `v` prefix, to match the Docker image tag. - 3. Increment the `image.tag` value in [values.yaml](deploy/charts/jetstack-agent/values.yaml). - Use a `v` prefix, to match the Docker image tag. - 4. Update the Helm unit test snapshots: - ```sh - helm unittest ./deploy/charts/jetstack-agent --update-snapshot - ``` -3. Create a pull request and wait for it to be approved. -4. 
Merge the branch -5. Manually trigger the Helm Chart workflow: - [release_js-agent_chart.yaml](https://github.com/jetstack/enterprise-builds/actions/workflows/release_js-agent_chart.yaml). +- Go collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus `client_golang`. +- Process collector: via the [default registry](https://github.com/prometheus/client_golang/blob/34e02e282dc4a3cb55ca6441b489ec182e654d59/prometheus/registry.go#L60-L63) in Prometheus `client_golang`. +- Agent metrics: `data_readings_upload_size`: Data readings upload size (in bytes) sent by the in-cluster agent. diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 00000000..5da2667d --- /dev/null +++ b/RELEASE.md 
@@ -0,0 +1,104 @@
+# Release Process
+
+> [!NOTE]
+> Before starting, let Michael McLoughlin know that a release is about to be created so that documentation can be prepared in advance.
+
+The release process is semi-automated.
+
+### Step 1: Git Tag and GitHub Release
+
+> [!NOTE]
+>
+> Upon pushing the tag, a GitHub Action will do the following:
+> - Build and publish the container image at `quay.io/jetstack/venafi-agent`,
+> - Build and publish the Helm chart at `oci://quay.io/jetstack/charts/venafi-kubernetes-agent`,
+> - Create a draft GitHub release,
+> - Upload the Helm chart tarball to the GitHub release.
+
+1. Open the [tests GitHub Actions workflow][tests-workflow]
+ and verify that it succeeds on the master branch.
+
+2. Run govulncheck:
+ ```bash
+ go install golang.org/x/vuln/cmd/govulncheck@latest
+ govulncheck -v ./...
+ ```
+
+3. Create a tag for the new release:
+ ```sh
+ export VERSION=v1.1.0
+ git tag --annotate --message="Release ${VERSION}" "${VERSION}"
+ git push origin "${VERSION}"
+ ```
+
+4. Wait until the GitHub Actions finishes.
+
+5. Navigate to the GitHub Releases page and select the draft release to edit.
+ 1. Click on “Generate release notes” to automatically compile the changelog.
+ 2. Review and refine the generated notes to ensure they’re clear and useful
+ for end users.
+ 3. Remove any irrelevant entries, such as “update deps,” “update CI,” “update
+ docs,” or similar internal changes that do not impact user functionality.
+
+6. Publish the release.
+
+7. Inform the `#venctl` channel that a new version of Venafi Kubernetes Agent has been
+ released. Make sure to share any breaking change that may affect `venctl connect`
+ or `venctl generate`.
+
+8. Inform Michael McLoughlin of the new release so he can update the
+ documentation at .
+ +[tests-workflow]: https://github.com/jetstack/jetstack-secure/actions/workflows/tests.yaml?query=branch%3Amaster + +## Release Artifact Information + +For context, the new tag will create the following images: + +| Image | Automation | +| --------------------------------------------------------- | -------------------------------------------------------------------------------------------- | +| `quay.io/jetstack/venafi-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | +| `registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | +| `private-registry.venafi.cloud/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | +| `private-registry.venafi.eu/venafi-agent/venafi-agent` | Automatically mirrored by Harbor Replication rule | + +and the following OCI Helm charts: + +| Helm Chart | Automation | +| -------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | +| `oci://quay.io/jetstack/charts/venafi-kubernetes-agent` | Automatically built by the [release action](.github/workflows/release.yml) on Git tag pushes | +| `oci://registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | +| `oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | +| `oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent` | Automatically mirrored by Harbor Replication rule | + +Here is replication flow for OCI Helm charts: + +```text +v1.1.0 (Git tag in the jetstack-secure repo) + └── oci://quay.io/jetstack/charts/venafi-kubernetes-agent --version 1.1.0 (GitHub Actions in the jetstack-secure repo) + ├── oci://us.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions) + └── 
oci://eu.gcr.io/jetstack-secure-enterprise/charts/venafi-kubernetes-agent (Enterprise Builds's GitHub Actions) + ├── oci://registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) + └── oci://private-registry.venafi.cloud/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) + └── oci://private-registry.venafi.eu/charts/venafi-kubernetes-agent --version 1.1.0 (Harbor Replication) +``` + +And the replication flow for Docker images: + +```text +v1.1.0 (Git tag in the jetstack-secure repo) + └── quay.io/jetstack/venafi-agent:v1.1.0 (GitHub Actions in the jetstack-secure repo) + ├── us.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions) + └── eu.gcr.io/jetstack-secure-enterprise/venafi-agent:v1.1.0 (Enterprise Builds's GitHub Actions) + ├── registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) + ├── private-registry.venafi.cloud/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) + └── private-registry.venafi.eu/venafi-agent/venafi-agent:v1.1.0 (Harbor Replication) +``` + +[public-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/public-registry/module/subsystems/tlspk/replication.tf +[private-img-and-chart-replication.tf]: https://gitlab.com/venafi/vaas/delivery/harbor/-/blob/3d114f54092eb44a1deb0edc7c4e8a2d4f855aa2/private-registry/module/subsystems/tlspk/replication.tf +[release_enterprise_builds.yaml]: https://github.com/jetstack/enterprise-builds/actions/workflows/release_enterprise_builds.yaml + +### Step 2: Test the Helm chart "venafi-kubernetes-agent" with venctl connect + +NOTE(mael): TBD diff --git a/deploy/charts/jetstack-agent/.helmignore b/deploy/charts/jetstack-agent/.helmignore deleted file mode 100644 index 2b29f276..00000000 --- a/deploy/charts/jetstack-agent/.helmignore +++ /dev/null @@ -1 +0,0 @@ -tests 
diff --git a/deploy/charts/jetstack-agent/Chart.yaml b/deploy/charts/jetstack-agent/Chart.yaml
deleted file mode 100644
index 31eb3780..00000000
--- a/deploy/charts/jetstack-agent/Chart.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v2
-name: jetstack-agent
-description: TLS Protect for Kubernetes Agent
-type: application
-version: 0.4.0
-appVersion: "v0.1.43"
-home: https://github.com/jetstack/jetstack-secure
-maintainers:
-- name: JSCP and CRE Team
- email: tls-protect-for-kubernetes@jetstack.io
- url: https://platform.jetstack.io/documentation
-sources:
-- https://github.com/jetstack/jetstack-secure
diff --git a/deploy/charts/jetstack-agent/README.md b/deploy/charts/jetstack-agent/README.md
deleted file mode 100644
index e5f2f6a8..00000000
--- a/deploy/charts/jetstack-agent/README.md
+++ /dev/null
@@ -1,180 +0,0 @@ -# jetstack-agent - -TLS Protect for Kubernetes Agent - -![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.43](https://img.shields.io/badge/AppVersion-v0.1.43-informational?style=flat-square) - -## Additional Information - -The Jetstack Secure agent helm chart installs the Kubernetes agent that connects to the TLS Protect For Kubernetes (TLSPK) platform. -It will require a valid TLS Protect for Kubernetes organisation with a license to add the new cluster. -You can sign up for a free account with up to two clusters [here](https://platform.jetstack.io/). -You should also choose a unique name for your cluster that it will appear under in the TLSPK platform. - -## Installation: - -Using chart installation, there are two credentials required. - -- A credential to allow helm to pull the chart from our private OCI registry. -- An agent credential used by the agent to authenticate to TLSPK. - -### 1) Obtain OCI registry credentials - -The helm chart is an OCI chart artifact hosted on both EU and US registries: - -- `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` -- `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` - -More detailed instructions on how to access our registry are available in [this guide](https://platform.jetstack.io/documentation/installation/enterprise-registry). 
- -For chart installation, run the following to set a registry configuration -file, so `helm` can authenticate to our private OCI registry: - -```shell -export TLSPK_DOCKER_CONFIG_PATH="$(pwd)" -export TLSPK_DOCKER_CONFIG_FILE="${TLSPK_DOCKER_CONFIG_PATH}/config.json" -jsctl registry auth output --format=dockerconfig > "${TLSPK_DOCKER_CONFIG_FILE}" -``` - -To validate you registry credentials are working with `helm`, we can use it to -show us the full list of values available to configure the chart: - -```shell -export TLSPK_REGISTRY="eu.gcr.io/jetstack-secure-enterprise" -helm show values oci://${TLSPK_REGISTRY}/charts/jetstack-agent --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" -``` - -**Note**: Feel free to alter the registry to the US equivalent if that is closer -to you, for example: `export TLSPK_REGISTRY="us.gcr.io/jetstack-secure-enterprise"` - -### 2) Obtaining TLSPK agent credentials: - -Set the following environments variables for ease of installation: - -```shell -export TLSPK_ORG="" -export TLSPK_CLUSTER_NAME="" -``` - -Obtain your service account credential, this can be done through the UI or [jsctl](https://github.com/jetstack/jsctl/releases) - -For example with `jsctl`: - -```shell -jsctl auth login -jsctl set organization ${TLSPK_ORG} -jsctl auth clusters create-service-account ${TLSPK_CLUSTER_NAME} | tee credentials.json -``` - -Store this carefully as we will need it to create a Kubernetes secret in the -installation cluster. 
- -### 3) Deploying the chart: - -Once credentials are obtained, there are two ways to install the chart: - -#### Option 1 (Recommended): Create secret manually - -Use the credential obtained in the previous step to create the secret in cluster: - -```shell -kubectl create secret generic agent-credentials --namespace jetstack-secure --from-file=credentials.json -``` - -Install the chart with the basic configuration: - -```shell -helm upgrade --install --create-namespace -n jetstack-secure jetstack-agent \ - oci://${TLSPK_REGISTRY}/charts/jetstack-agent \ - --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" \ - --set config.organisation="${TLSPK_ORG}" \ - --set config.cluster="${TLSPK_CLUSTER_NAME}" -``` - -#### Option 2 (Not Recommended): Create secret with helm chart install - -Set this environment variable to contain the encoded agent credential: - -```shell -export HELM_SECRET="$(cat credentials.json | base64 -w0)" -``` - -Installing the chart with additional configuration options for the agents -credential, read from the environment variable just set: - -```shell -helm upgrade --install --create-namespace -n jetstack-secure jetstack-agent \ - oci://${TLSPK_REGISTRY}/charts/jetstack-agent \ - --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" \ - --set config.organisation="${TLSPK_ORG}" \ - --set config.cluster="${TLSPK_CLUSTER_NAME}" \ - --set authentication.createSecret=true \ - --set authentication.secretValue="${HELM_SECRET}" -``` - -### 4) Deployment Verification - -Check the agent logs to ensure you see a similar entry to the following: - -```console -2023/04/19 14:11:41 Running Agent... -2023/04/19 14:11:41 Posting data to: https://platform.jetstack.io -2023/04/19 14:11:42 Data sent successfully. 
-``` - -You can do this with the following command: - -```shell -kubectl logs -n jetstack-secure $(kubectl get pod -n jetstack-secure -l app.kubernetes.io/instance=agent -o jsonpath='{.items[0].metadata.name}') -``` - -## Values - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | | -| authentication | object | `{"createSecret":false,"secretKey":"credentials.json","secretName":"agent-credentials","secretValue":"","type":"file"}` | Authentication section for the agent | -| authentication.createSecret | bool | `false` | Reccomend that you do not use this and instead creat the credential secret outside of helm | -| authentication.secretKey | string | `"credentials.json"` | Key name in secret | -| authentication.secretName | string | `"agent-credentials"` | Name of the secret containing agent credentials.json | -| authentication.secretValue | string | `""` | Base64 encoded value from Jetstack Secure Dashboard - only required when createSecret is true | -| authentication.type | string | `"file"` | Type can be "file"/"token" determining how the agent should authenticate the to the backend | -| command | list | `[]` | Override the jetstack-agent entrypoint with specified command. 
| -| config | object | `{"cluster":"","dataGatherers":{"custom":[],"default":true},"organisation":"","override":{"config":null,"configmap":{"key":null,"name":null},"enabled":false},"period":"0h1m0s","server":"https://platform.jetstack.io"}` | Configuration section for the Jetstack Agent itself | -| config.cluster | string | `""` | REQUIRED - Your Jetstack Secure Cluster Name | -| config.dataGatherers | object | `{"custom":[],"default":true}` | Configure data that is gathered from your cluster, for full details see https://platform.jetstack.io/documentation/configuration/jetstack-agent/configuration | -| config.dataGatherers.custom | list | `[]` | A list of data gatherers to limit agent scope | -| config.dataGatherers.default | bool | `true` | Use the standard full set of data gatherers | -| config.organisation | string | `""` | REQUIRED - Your Jetstack Secure Organisation Name | -| config.override | object | `{"config":null,"configmap":{"key":null,"name":null},"enabled":false}` | Provide an Override to allow completely custom agent configuration | -| config.override.config | string | `nil` | Embed the agent configuration here in the chart values | -| config.override.configmap | object | `{"key":null,"name":null}` | Sepcify ConfigMap details to load config from existing ConfigMap | -| config.override.enabled | bool | `false` | Override disabled by default | -| config.period | string | `"0h1m0s"` | Send data back to the platform every minute unless changed | -| config.server | string | `"https://platform.jetstack.io"` | Overrides the server if using a proxy between agent and Jetstack Secure | -| extraArgs | list | `[]` | Add additional arguments to the default `agent` command. 
| -| fullnameOverride | string | `""` | Helm default setting, use this to shorten install name | -| image.pullPolicy | string | `"IfNotPresent"` | Defaults to only pull if not already present | -| image.repository | string | `"quay.io/jetstack/preflight"` | Default to Open Source image repository | -| image.tag | string | `"v0.1.43"` | Overrides the image tag whose default is the chart appVersion | -| imagePullSecrets | list | `[]` | Specify image pull credentials if using a prviate registry | -| nameOverride | string | `""` | Helm default setting to override release name, leave blank | -| nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podSecurityContext | object | `{}` | | -| replicaCount | int | `1` | default replicas, do not scale up | -| resources.limits.cpu | string | `"500m"` | | -| resources.limits.memory | string | `"500Mi"` | | -| resources.requests.cpu | string | `"200m"` | | -| resources.requests.memory | string | `"200Mi"` | | -| securityContext.capabilities.drop[0] | string | `"ALL"` | | -| securityContext.readOnlyRootFilesystem | bool | `true` | | -| securityContext.runAsNonRoot | bool | `true` | | -| securityContext.runAsUser | int | `1000` | | -| serviceAccount.annotations | object | `{}` | Annotations to add to the service account | -| serviceAccount.create | bool | `true` | Specifies whether a service account should be created @default true | -| serviceAccount.name | string | `""` | | -| tolerations | list | `[]` | | -| volumeMounts | list | `[]` | Additional volume mounts to add to the jetstack-agent container. | -| volumes | list | `[]` | Additional volumes to add to the jetstack-agent pod. | - diff --git a/deploy/charts/jetstack-agent/README.md.gotmpl b/deploy/charts/jetstack-agent/README.md.gotmpl deleted file mode 100644 index c3366e52..00000000 --- a/deploy/charts/jetstack-agent/README.md.gotmpl +++ /dev/null 
@@ -1,134 +0,0 @@ -{{ template "chart.header" . }} -{{ template "chart.description" . }} - -{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }} - -## Additional Information - -The Jetstack Secure agent helm chart installs the Kubernetes agent that connects to the TLS Protect For Kubernetes (TLSPK) platform. -It will require a valid TLS Protect for Kubernetes organisation with a license to add the new cluster. -You can sign up for a free account with up to two clusters [here](https://platform.jetstack.io/). -You should also choose a unique name for your cluster that it will appear under in the TLSPK platform. - -## Installation: - -Using chart installation, there are two credentials required. - -- A credential to allow helm to pull the chart from our private OCI registry. -- An agent credential used by the agent to authenticate to TLSPK. - -### 1) Obtain OCI registry credentials - -The helm chart is an OCI chart artifact hosted on both EU and US registries: - -- `oci://eu.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` -- `oci://us.gcr.io/jetstack-secure-enterprise/charts/jetstack-agent` - -More detailed instructions on how to access our registry are available in [this guide](https://platform.jetstack.io/documentation/installation/enterprise-registry). 
- -For chart installation, run the following to set a registry configuration -file, so `helm` can authenticate to our private OCI registry: - -```shell -export TLSPK_DOCKER_CONFIG_PATH="$(pwd)" -export TLSPK_DOCKER_CONFIG_FILE="${TLSPK_DOCKER_CONFIG_PATH}/config.json" -jsctl registry auth output --format=dockerconfig > "${TLSPK_DOCKER_CONFIG_FILE}" -``` - -To validate you registry credentials are working with `helm`, we can use it to -show us the full list of values available to configure the chart: - -```shell -export TLSPK_REGISTRY="eu.gcr.io/jetstack-secure-enterprise" -helm show values oci://${TLSPK_REGISTRY}/charts/jetstack-agent --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" -``` - -**Note**: Feel free to alter the registry to the US equivalent if that is closer -to you, for example: `export TLSPK_REGISTRY="us.gcr.io/jetstack-secure-enterprise"` - -### 2) Obtaining TLSPK agent credentials: - -Set the following environments variables for ease of installation: - -```shell -export TLSPK_ORG="" -export TLSPK_CLUSTER_NAME="" -``` - -Obtain your service account credential, this can be done through the UI or [jsctl](https://github.com/jetstack/jsctl/releases) - -For example with `jsctl`: - -```shell -jsctl auth login -jsctl set organization ${TLSPK_ORG} -jsctl auth clusters create-service-account ${TLSPK_CLUSTER_NAME} | tee credentials.json -``` - -Store this carefully as we will need it to create a Kubernetes secret in the -installation cluster. 
- -### 3) Deploying the chart: - -Once credentials are obtained, there are two ways to install the chart: - -#### Option 1 (Recommended): Create secret manually - -Use the credential obtained in the previous step to create the secret in cluster: - -```shell -kubectl create secret generic agent-credentials --namespace jetstack-secure --from-file=credentials.json -``` - -Install the chart with the basic configuration: - -```shell -helm upgrade --install --create-namespace -n jetstack-secure jetstack-agent \ - oci://${TLSPK_REGISTRY}/charts/jetstack-agent \ - --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" \ - --set config.organisation="${TLSPK_ORG}" \ - --set config.cluster="${TLSPK_CLUSTER_NAME}" -``` - -#### Option 2 (Not Recommended): Create secret with helm chart install - -Set this environment variable to contain the encoded agent credential: - -```shell -export HELM_SECRET="$(cat credentials.json | base64 -w0)" -``` - -Installing the chart with additional configuration options for the agents -credential, read from the environment variable just set: - -```shell -helm upgrade --install --create-namespace -n jetstack-secure jetstack-agent \ - oci://${TLSPK_REGISTRY}/charts/jetstack-agent \ - --registry-config "${TLSPK_DOCKER_CONFIG_FILE}" \ - --set config.organisation="${TLSPK_ORG}" \ - --set config.cluster="${TLSPK_CLUSTER_NAME}" \ - --set authentication.createSecret=true \ - --set authentication.secretValue="${HELM_SECRET}" -``` - -### 4) Deployment Verification - -Check the agent logs to ensure you see a similar entry to the following: - -```console -2023/04/19 14:11:41 Running Agent... -2023/04/19 14:11:41 Posting data to: https://platform.jetstack.io -2023/04/19 14:11:42 Data sent successfully. -``` - -You can do this with the following command: - -```shell -kubectl logs -n jetstack-secure $(kubectl get pod -n jetstack-secure -l app.kubernetes.io/instance=agent -o jsonpath='{.items[0].metadata.name}') -``` - -{{ template "chart.requirementsSection" . 
}} - -{{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/deploy/charts/jetstack-agent/templates/NOTES.txt b/deploy/charts/jetstack-agent/templates/NOTES.txt deleted file mode 100644 index 6d5d5ee6..00000000 --- a/deploy/charts/jetstack-agent/templates/NOTES.txt +++ /dev/null @@ -1,8 +0,0 @@ -1. Please make sure you have the credentials secret: "{{ .Values.authentication.secretName }}" available -> kubectl get secret -n {{ .Release.Namespace }} {{ .Values.authentication.secretName }} - -2. Check the application is running with the following: -> kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} - -3. Check the application logs for successful connection to the platform: -> kubectl logs -n {{ .Release.Namespace }} $(kubectl get pod -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} -o jsonpath='{.items[0].metadata.name}') diff --git a/deploy/charts/jetstack-agent/templates/_helpers.tpl b/deploy/charts/jetstack-agent/templates/_helpers.tpl deleted file mode 100644 index 6a68a905..00000000 --- a/deploy/charts/jetstack-agent/templates/_helpers.tpl +++ /dev/null 
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "jetstack-agent.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "jetstack-agent.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" $name .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "jetstack-agent.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "jetstack-agent.labels" -}}
-helm.sh/chart: {{ include "jetstack-agent.chart" . }}
-{{ include "jetstack-agent.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "jetstack-agent.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "jetstack-agent.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "jetstack-agent.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "jetstack-agent.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/deploy/charts/jetstack-agent/templates/configmap.yaml b/deploy/charts/jetstack-agent/templates/configmap.yaml
deleted file mode 100644
index 78fa3cc2..00000000
--- a/deploy/charts/jetstack-agent/templates/configmap.yaml
+++ /dev/null
@@ -1,215 +0,0 @@ -{{ if not (and .Values.config.override.enabled .Values.config.override.configmap.name) }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: agent-config - namespace: {{ .Release.Namespace }} - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -data: -{{- if .Values.config.override.config }} - config.yaml: |- - {{- toYaml .Values.config.override.config | nindent 4 }} -{{- else }} - config.yaml: |- - server: {{ .Values.config.server | quote }} - organization_id: {{ required "Organisation is a required input value" .Values.config.organisation }} - cluster_id: {{ required "Cluster is a required input value" .Values.config.cluster }} - data-gatherers: - # gather k8s apiserver version information - - kind: "k8s-discovery" - name: "k8s-discovery" - # pods data is used in the pods and application_versions packages - - kind: "k8s-dynamic" - name: "k8s/pods" - config: - resource-type: - resource: pods - version: v1 - # gather services for pod readiness probe rules - - kind: "k8s-dynamic" - name: "k8s/services" - config: - resource-type: - resource: services - version: v1 - # gather higher level resources to ensure data to determine ownership is present - - kind: "k8s-dynamic" - name: "k8s/deployments" - config: - resource-type: - version: v1 - resource: deployments - group: apps - - kind: "k8s-dynamic" - name: "k8s/replicasets" - config: - resource-type: - version: v1 - resource: replicasets - group: apps - - kind: "k8s-dynamic" - name: "k8s/statefulsets" - config: - resource-type: - version: v1 - resource: statefulsets - group: apps - - kind: "k8s-dynamic" - name: "k8s/daemonsets" - config: - resource-type: - version: v1 - resource: daemonsets - group: apps - - kind: "k8s-dynamic" - name: "k8s/jobs" - config: - resource-type: - version: v1 - resource: jobs - group: batch - - kind: "k8s-dynamic" - name: "k8s/cronjobs" - config: - resource-type: - version: v1 - resource: cronjobs - group: batch - - kind: "k8s-dynamic" - name: 
"k8s/ingresses" - config: - resource-type: - group: networking.k8s.io - version: v1 - resource: ingresses -{{- if or .Values.config.dataGatherers.default (has "secret" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/secrets" - config: - resource-type: - version: v1 - resource: secrets -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "cert-manager" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/certificates" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: certificates - - kind: "k8s-dynamic" - name: "k8s/certificaterequests" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: certificaterequests - - kind: "k8s-dynamic" - name: "k8s/issuers" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: issuers - - kind: "k8s-dynamic" - name: "k8s/clusterissuers" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: clusterissuers -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "googlecas" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/googlecasissuers" - config: - resource-type: - group: cas-issuer.jetstack.io - version: v1beta1 - resource: googlecasissuers - - kind: "k8s-dynamic" - name: "k8s/googlecasclusterissuers" - config: - resource-type: - group: cas-issuer.jetstack.io - version: v1beta1 - resource: googlecasclusterissuers -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "awspca" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/awspcaissuer" - config: - resource-type: - group: awspca.cert-manager.io - version: v1beta1 - resource: awspcaissuers - - kind: "k8s-dynamic" - name: "k8s/awspcaclusterissuers" - config: - resource-type: - group: awspca.cert-manager.io - version: v1beta1 - resource: awspcaclusterissuers -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "webhook" 
.Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/mutatingwebhookconfigurations" - config: - resource-type: - group: admissionregistration.k8s.io - version: v1 - resource: mutatingwebhookconfigurations - - kind: "k8s-dynamic" - name: "k8s/validatingwebhookconfigurations" - config: - resource-type: - group: admissionregistration.k8s.io - version: v1 - resource: validatingwebhookconfigurations -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "istio" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/gateways" - config: - resource-type: - group: networking.istio.io - version: v1alpha3 - resource: gateways - - kind: "k8s-dynamic" - name: "k8s/virtualservices" - config: - resource-type: - group: networking.istio.io - version: v1alpha3 - resource: virtualservices -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "openshift" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/routes" - config: - resource-type: - version: v1 - group: route.openshift.io - resource: routes -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "venafienhancedissuer" .Values.config.dataGatherers.custom) }} - - kind: "k8s-dynamic" - name: "k8s/venaficlusterissuers" - config: - resource-type: - group: jetstack.io - version: v1alpha1 - resource: venaficlusterissuers - - kind: "k8s-dynamic" - name: "k8s/venafiissuers" - config: - resource-type: - group: jetstack.io - version: v1alpha1 - resource: venafiissuers -{{- end }} -{{- end }} -{{- end }} diff --git a/deploy/charts/jetstack-agent/templates/deployment.yaml b/deploy/charts/jetstack-agent/templates/deployment.yaml deleted file mode 100644 index 64b0be22..00000000 --- a/deploy/charts/jetstack-agent/templates/deployment.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "jetstack-agent.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - {{- include "jetstack-agent.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "jetstack-agent.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "jetstack-agent.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if eq .Values.authentication.type "token" }} - env: - - name: API_TOKEN - valueFrom: - secretKeyRef: - name: {{ default "agent-credentials" .Values.authentication.secretName }} - key: {{ default "apitoken" .Values.authentication.secretKey }} - {{- end }} - {{- if not (empty .Values.command) }} - command: - {{- range .Values.command }} - - {{ . | quote }} - {{- end }} - {{- end }} - args: - - "agent" - - "-c" - {{- if .Values.config.override.enabled }} - - "/etc/jetstack-secure/agent/config/{{ default "config.yaml" .Values.config.override.configmap.key }}" - {{- else }} - - "/etc/jetstack-secure/agent/config/config.yaml" - {{- end }} - {{- if eq .Values.authentication.type "file" }} - - "-k" - - "/etc/jetstack-secure/agent/credentials/{{ default "credentials.json" .Values.authentication.secretKey}}" - {{- end }} - - "-p" - - "0h1m0s" - {{- range .Values.extraArgs }} - - {{ . 
| quote }} - {{- end }} - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumeMounts: - - name: config - mountPath: "/etc/jetstack-secure/agent/config" - readOnly: true - {{- if eq .Values.authentication.type "file" }} - - name: credentials - mountPath: "/etc/jetstack-secure/agent/credentials" - readOnly: true - {{- end }} - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - {{- if .Values.config.override.enabled }} - - name: config - configMap: - name: {{ default "agent-config" .Values.config.override.configmap.name }} - optional: false - {{- else }} - - name: config - configMap: - name: agent-config - optional: false - {{- end }} - - name: credentials - secret: - secretName: {{ default "agent-credentials" .Values.authentication.secretName }} - optional: false - {{- with .Values.volumes }} - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/deploy/charts/jetstack-agent/templates/rbac.yaml b/deploy/charts/jetstack-agent/templates/rbac.yaml deleted file mode 100644 index 3cb3c2f9..00000000 --- a/deploy/charts/jetstack-agent/templates/rbac.yaml +++ /dev/null 
@@ -1,278 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-cluster-viewer - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: view -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- if or .Values.config.dataGatherers.default (has "node" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-node-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-node-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-node-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "secret" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-secret-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-secret-reader - labels: - {{- include "jetstack-agent.labels" . 
| nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-secret-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "cert-manager" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-cert-manager-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["cert-manager.io"] - resources: - - certificates - - certificaterequests - - issuers - - clusterissuers - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-cert-manager-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-cert-manager-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "googlecas" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-googlecas-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["cas-issuer.jetstack.io"] - resources: - - googlecasissuers - - googlecasclusterissuers - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-googlecas-reader - labels: - {{- include "jetstack-agent.labels" . 
| nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-googlecas-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "awspca" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-awspca-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["awspca.cert-manager.io"] - resources: - - awspcaissuers - - awspcaclusterissuers - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-awspca-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-awspca-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "webhook" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-webhook-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["admissionregistration.k8s.io"] - resources: - - validatingwebhookconfigurations - - mutatingwebhookconfigurations - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-webhook-reader - labels: - {{- include "jetstack-agent.labels" . 
| nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-webhook-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "openshift" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-openshift-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["*.openshift.io"] - resources: - - routes - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-openshift-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-openshift-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "istio" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-istio-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -rules: - - apiGroups: ["networking.istio.io"] - resources: - - virtualservices - - gateways - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-istio-reader - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . 
}}-istio-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- if or .Values.config.dataGatherers.default (has "venafienhancedissuer" .Values.config.dataGatherers.custom) }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "jetstack-agent.fullname" . }}-venafi-enhanced-reader -rules: - - apiGroups: ["jetstack.io"] - resources: - - venafiissuers - - venaficlusterissuers - verbs: ["get", "list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "jetstack-agent.fullname" . }}-venafi-enhanced-reader -roleRef: - kind: ClusterRole - name: {{ include "jetstack-agent.fullname" . }}-venafi-enhanced-reader - apiGroup: rbac.authorization.k8s.io -subjects: - - kind: ServiceAccount - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/deploy/charts/jetstack-agent/templates/secret.yaml b/deploy/charts/jetstack-agent/templates/secret.yaml deleted file mode 100644 index 0ac6e286..00000000 --- a/deploy/charts/jetstack-agent/templates/secret.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.authentication.createSecret -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.authentication.secretName}} - namespace: {{ .Release.Namespace }} - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} -type: Opaque -data: - {{ default "credentials.json" .Values.authentication.secretKey}}: {{ .Values.authentication.secretValue }} -{{- end -}} diff --git a/deploy/charts/jetstack-agent/templates/serviceaccount.yaml b/deploy/charts/jetstack-agent/templates/serviceaccount.yaml deleted file mode 100644 index 9f9e5d67..00000000 --- a/deploy/charts/jetstack-agent/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "jetstack-agent.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "jetstack-agent.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/deploy/charts/jetstack-agent/tests/__snapshot__/configuration_test.yaml.snap b/deploy/charts/jetstack-agent/tests/__snapshot__/configuration_test.yaml.snap deleted file mode 100644 index b6f0d01f..00000000 --- a/deploy/charts/jetstack-agent/tests/__snapshot__/configuration_test.yaml.snap +++ /dev/null 
@@ -1,197 +0,0 @@ -render correctly when only required config is given: - 1: | - apiVersion: v1 - data: - config.yaml: |- - server: "https://platform.jetstack.io" - organization_id: test_org - cluster_id: test_cluster - data-gatherers: - # gather k8s apiserver version information - - kind: "k8s-discovery" - name: "k8s-discovery" - # pods data is used in the pods and application_versions packages - - kind: "k8s-dynamic" - name: "k8s/pods" - config: - resource-type: - resource: pods - version: v1 - # gather services for pod readiness probe rules - - kind: "k8s-dynamic" - name: "k8s/services" - config: - resource-type: - resource: services - version: v1 - # gather higher level resources to ensure data to determine ownership is present - - kind: "k8s-dynamic" - name: "k8s/deployments" - config: - resource-type: - version: v1 - resource: deployments - group: apps - - kind: "k8s-dynamic" - name: "k8s/replicasets" - config: - resource-type: - version: v1 - resource: replicasets - group: apps - - kind: "k8s-dynamic" - name: "k8s/statefulsets" - config: - resource-type: - version: v1 - resource: statefulsets - group: apps - - kind: "k8s-dynamic" - name: "k8s/daemonsets" - config: - resource-type: - version: v1 - resource: daemonsets - group: apps - - kind: "k8s-dynamic" - name: "k8s/jobs" - config: - resource-type: - version: v1 - resource: jobs - group: batch - - kind: "k8s-dynamic" - name: "k8s/cronjobs" - config: - resource-type: - version: v1 - resource: cronjobs - group: batch - - kind: "k8s-dynamic" - name: "k8s/ingresses" - config: - resource-type: - group: networking.k8s.io - version: v1 - resource: ingresses - - kind: "k8s-dynamic" - name: "k8s/secrets" - config: - resource-type: - version: v1 - resource: secrets - - kind: "k8s-dynamic" - name: "k8s/certificates" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: certificates - - kind: "k8s-dynamic" - name: "k8s/certificaterequests" - config: - resource-type: - group: cert-manager.io - 
version: v1 - resource: certificaterequests - - kind: "k8s-dynamic" - name: "k8s/issuers" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: issuers - - kind: "k8s-dynamic" - name: "k8s/clusterissuers" - config: - resource-type: - group: cert-manager.io - version: v1 - resource: clusterissuers - - kind: "k8s-dynamic" - name: "k8s/googlecasissuers" - config: - resource-type: - group: cas-issuer.jetstack.io - version: v1beta1 - resource: googlecasissuers - - kind: "k8s-dynamic" - name: "k8s/googlecasclusterissuers" - config: - resource-type: - group: cas-issuer.jetstack.io - version: v1beta1 - resource: googlecasclusterissuers - - kind: "k8s-dynamic" - name: "k8s/awspcaissuer" - config: - resource-type: - group: awspca.cert-manager.io - version: v1beta1 - resource: awspcaissuers - - kind: "k8s-dynamic" - name: "k8s/awspcaclusterissuers" - config: - resource-type: - group: awspca.cert-manager.io - version: v1beta1 - resource: awspcaclusterissuers - - kind: "k8s-dynamic" - name: "k8s/mutatingwebhookconfigurations" - config: - resource-type: - group: admissionregistration.k8s.io - version: v1 - resource: mutatingwebhookconfigurations - - kind: "k8s-dynamic" - name: "k8s/validatingwebhookconfigurations" - config: - resource-type: - group: admissionregistration.k8s.io - version: v1 - resource: validatingwebhookconfigurations - - kind: "k8s-dynamic" - name: "k8s/gateways" - config: - resource-type: - group: networking.istio.io - version: v1alpha3 - resource: gateways - - kind: "k8s-dynamic" - name: "k8s/virtualservices" - config: - resource-type: - group: networking.istio.io - version: v1alpha3 - resource: virtualservices - - kind: "k8s-dynamic" - name: "k8s/routes" - config: - resource-type: - version: v1 - group: route.openshift.io - resource: routes - - kind: "k8s-dynamic" - name: "k8s/venaficlusterissuers" - config: - resource-type: - group: jetstack.io - version: v1alpha1 - resource: venaficlusterissuers - - kind: "k8s-dynamic" - name: 
"k8s/venafiissuers" - config: - resource-type: - group: jetstack.io - version: v1alpha1 - resource: venafiissuers - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: jetstack-agent - app.kubernetes.io/version: v0.1.43 - helm.sh/chart: jetstack-agent-0.4.0 - name: agent-config - namespace: NAMESPACE diff --git a/deploy/charts/jetstack-agent/tests/configuration_test.yaml b/deploy/charts/jetstack-agent/tests/configuration_test.yaml deleted file mode 100644 index a1e4a0f9..00000000 --- a/deploy/charts/jetstack-agent/tests/configuration_test.yaml +++ /dev/null 
@@ -1,57 +0,0 @@
-suite: test configuration overrides -templates: - - templates/configmap.yaml - -tests: - - it: should not generate a configmap when name and override given - set: - config.override.enabled: true - config.override.configmap.name: custom-agent-config - template: configmap.yaml - asserts: - # No congifmap is produced - - hasDocuments: - count: 0 - - - it: embedded config is only config in configmap - set: - config.override.enabled: true - values: - - values/custom-config.yaml - template: configmap.yaml - asserts: - # ConfigMap is generated - - containsDocument: - kind: ConfigMap - apiVersion: v1 - name: agent-config - documentIndex: 0 - # Assert ths content matches the input - # This was tricky due to the |- and the alphabetical ordering - - equal: - path: data - value: - config.yaml: |- - cluster_id: test_cluster - data-gatherers: - - kind: k8s-discovery - name: k8s-discovery - organization_id: test_org - server: https://platform.jetstack.io - - # This checks the configmap is rendered properly when required config is given - - it: render correctly when only required config is given - set: - config.organisation: test_org - config.cluster: test_cluster - template: configmap.yaml - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ConfigMap - - isAPIVersion: - of: v1 - - matchSnapshot: {} - -
\ No newline at end of file
diff --git a/deploy/charts/jetstack-agent/tests/deployment_test.yaml b/deploy/charts/jetstack-agent/tests/deployment_test.yaml
deleted file mode 100644
index 72ed79ea..00000000
--- a/deploy/charts/jetstack-agent/tests/deployment_test.yaml
+++ /dev/null
@@ -1,116 +0,0 @@ -suite: test deployment -templates: - - deployment.yaml - -tests: - # Basic checks on deployment - - it: templates as expected - set: - image.tag: latest - config.organisation: test_org - config.cluster: test_cluster - template: deployment.yaml - asserts: - - isKind: - of: Deployment - # Validate name matches - - matchRegex: - path: metadata.name - pattern: ^jetstack-agent-* - # Check is latest is set as tag that it uses that tag - - equal: - path: spec.template.spec.containers[0].image - value: quay.io/jetstack/preflight:latest - - # Check naming works with nameOverride - - it: Deployment name is set when nameOverride is used - set: - config.organisation: test_org - config.cluster: test_cluster - nameOverride: example - template: deployment.yaml - asserts: - - isKind: - of: Deployment - - matchRegex: - path: metadata.name - pattern: ^example-RELEASE-NAME$ - # see example output as why this has to be like this. It's more subtle than - # the fullnameOverride: - # Actual: - # agent-RELEASE-NAME - # Diff: - # --- Expected - # +++ Actual - # 
@@ -1,2 +1,2 @@ - # -agent-* - # +agent-RELEASE-NAME - - # Check similar with fullnameOverride - - it: Deployment name is set when fullnameOverride is used - set: - config.organisation: test_org - config.cluster: test_cluster - fullnameOverride: example - template: deployment.yaml - asserts: - - isKind: - of: Deployment - - equal: - path: metadata.name - value: example - - # Checking extraArgs are passed - - it: Extra Args passed in a valid format when supplied - set: - config.organisation: test_org - config.cluster: test_cluster - extraArgs: ["--strict", "--one-shot"] - template: deployment.yaml - asserts: - - isKind: - of: Deployment - - contains: - path: spec.template.spec.containers[0].args - content: --strict - - contains: - path: spec.template.spec.containers[0].args - content: --one-shot - - # Check command is present when configured - - it: Command passes to deployment manifest - set: - config.organisation: test_org - config.cluster: test_cluster - command: ["notpreflight"] - template: deployment.yaml - asserts: - - isKind: - of: Deployment - - contains: - path: spec.template.spec.containers[0].command - content: notpreflight - - # Check the volumes and volumeMounts works correctly - - it: Volumes and VolumeMounts added correctly - set: - config.organisation: test_org - config.cluster: test_cluster - values: - - ./values/custom-volumes.yaml - asserts: - - isKind: - of: Deployment - - equal: - # In template this comes after credentials and agent config volumeMounts - path: spec.template.spec.containers[0].volumeMounts[?(@.name == "cabundle")] - value: - mountPath: /etc/ssl/certs/ - name: cabundle - readOnly: true - - equal: - path: spec.template.spec.volumes[?(@.name == "cabundle")].configmap - value: - defaultMode: 420 - name: cabundle - optional: true
diff --git a/deploy/charts/jetstack-agent/tests/values/custom-config.yaml b/deploy/charts/jetstack-agent/tests/values/custom-config.yaml
deleted file mode 100644
index ee3489b2..00000000
--- a/deploy/charts/jetstack-agent/tests/values/custom-config.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-# -- Configuration section for the Jetstack Agent itself -config: - # -- Provide an Override to allow completely custom agent configuration - override: - # -- Override disabled by default - enabled: true - # -- Embed the agent configuration here in the chart values - config: - server: "https://platform.jetstack.io" - organization_id: test_org - cluster_id: test_cluster - data-gatherers: - # gather k8s apiserver version information - - kind: "k8s-discovery" - name: "k8s-discovery"
diff --git a/deploy/charts/jetstack-agent/tests/values/custom-volumes.yaml b/deploy/charts/jetstack-agent/tests/values/custom-volumes.yaml
deleted file mode 100644
index 394222c7..00000000
--- a/deploy/charts/jetstack-agent/tests/values/custom-volumes.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-volumes: - - name: cabundle - configmap: - name: cabundle - optional: true - defaultMode: 0644 - -volumeMounts: - - name: cabundle - readOnly: true - mountPath: /etc/ssl/certs/
diff --git a/deploy/charts/jetstack-agent/values.yaml b/deploy/charts/jetstack-agent/values.yaml
deleted file mode 100644
index 351b55a7..00000000
--- a/deploy/charts/jetstack-agent/values.yaml
+++ /dev/null
@@ -1,127 +0,0 @@ -# Default values for jetstack-agent. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# -- default replicas, do not scale up -replicaCount: 1 - -image: - # -- Default to Open Source image repository - repository: quay.io/jetstack/preflight - # -- Defaults to only pull if not already present - pullPolicy: IfNotPresent - # -- Overrides the image tag whose default is the chart appVersion - tag: "v0.1.43" - -# -- Specify image pull credentials if using a prviate registry -imagePullSecrets: [] - -# -- Helm default setting to override release name, leave blank -nameOverride: "" -# -- Helm default setting, use this to shorten install name -fullnameOverride: "" - -serviceAccount: - # -- Specifies whether a service account should be created - # @default true - create: true - # -- Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: {} - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - -resources: - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - requests: - memory: 200Mi - cpu: 200m - limits: - memory: 500Mi - cpu: 500m - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# -- Additional volumes to add to the jetstack-agent pod. -volumes: [] - -# -- Additional volume mounts to add to the jetstack-agent container. -volumeMounts: [] - -# -- Override the jetstack-agent entrypoint with specified command. 
-command: [] - -# -- Add additional arguments to the default `agent` command. -extraArgs: [] - -# -- Authentication section for the agent -authentication: - # -- Reccomend that you do not use this and instead creat the credential secret outside of helm - createSecret: false - # -- Type can be "file"/"token" determining how the agent should authenticate the to the backend - type: file - # -- Name of the secret containing agent credentials.json - secretName: agent-credentials - # -- Key name in secret - secretKey: "credentials.json" - # -- Base64 encoded value from Jetstack Secure Dashboard - only required when createSecret is true - secretValue: "" - -# -- Configuration section for the Jetstack Agent itself -config: - # -- Overrides the server if using a proxy between agent and Jetstack Secure - server: "https://platform.jetstack.io" - # -- REQUIRED - Your Jetstack Secure Organisation Name - organisation: "" - # -- REQUIRED - Your Jetstack Secure Cluster Name - cluster: "" - # -- Send data back to the platform every minute unless changed - period: "0h1m0s" - - # -- Configure data that is gathered from your cluster, for full details see https://platform.jetstack.io/documentation/configuration/jetstack-agent/configuration - dataGatherers: - # -- Use the standard full set of data gatherers - default: true - # -- A list of data gatherers to limit agent scope - custom: [] - # Full list that makes up the default role - # - node - # - secret - # - cert-manager - # - googlecas - # - awspca - # - webhook - # - openshift - # - istio - # - venafienhancedissuer - - # -- Provide an Override to allow completely custom agent configuration - override: - # -- Override disabled by default - enabled: false - # -- Embed the agent configuration here in the chart values - config: - # -- Sepcify ConfigMap details to load config from existing ConfigMap - configmap: - name: - key: