Merge pull request #2700 from Infisical/infisical-helm-auto-create-sa

Add support for auto creating SA for job and deployment

helm-charts/infisical-standalone-postgres/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 1.4.0 (November 06, 2024)
+
+Changes:
+* Chart is now fully documented 
+* New fields introduced: `infisical.databaseSchemaMigrationJob.image` and `infisical.serviceAccount`
+
+Features:
+
+* Added support for auto creating service account with required permissions via `infisical.serviceAccount.create`
+
 ## 1.3.0 (October 28, 2024)
 
 Changes:

helm-charts/infisical-standalone-postgres/Chart.yaml

@@ -1,13 +1,13 @@
 apiVersion: v2
 name: infisical-standalone
-description: A helm chart for a full Infisical application
+description: A helm chart to deploy Infisical
 
 type: application
 
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.3.0
+version: 1.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm-charts/infisical-standalone-postgres/README.md

@@ -0,0 +1,66 @@
+# infisical-standalone
+
+![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.1](https://img.shields.io/badge/AppVersion-1.0.1-informational?style=flat-square)
+
+A helm chart to deploy Infisical
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.bitnami.com/bitnami | postgresql | 14.1.3 |
+| https://charts.bitnami.com/bitnami | redis | 18.14.0 |
+| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.0.13 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| fullnameOverride | string | `""` | Overrides the full name of the release, affecting resource names |
+| infisical.affinity | object | `{}` | Node affinity settings for pod placement |
+| infisical.autoDatabaseSchemaMigration | bool | `true` | Automatically migrates new database schema when deploying |
+| infisical.databaseSchemaMigrationJob.image.pullPolicy | string | `"IfNotPresent"` | Pulls image only if not present on the node |
+| infisical.databaseSchemaMigrationJob.image.repository | string | `"ghcr.io/groundnuty/k8s-wait-for"` | Image repository for migration wait job |
+| infisical.databaseSchemaMigrationJob.image.tag | string | `"no-root-v2.0"` | Image tag version |
+| infisical.deploymentAnnotations | object | `{}` | Custom annotations for Infisical deployment |
+| infisical.enabled | bool | `true` |  |
+| infisical.fullnameOverride | string | `""` | Override for the full name of Infisical resources in this deployment |
+| infisical.image.imagePullSecrets | list | `[]` | Secret references for pulling the image, if needed |
+| infisical.image.pullPolicy | string | `"IfNotPresent"` | Pulls image only if not already present on the node |
+| infisical.image.repository | string | `"infisical/infisical"` | Image repository for the Infisical service |
+| infisical.image.tag | string | `"v0.93.1-postgres"` | Specific version tag of the Infisical image. View the latest version here https://hub.docker.com/r/infisical/infisical |
+| infisical.kubeSecretRef | string | `"infisical-secrets"` | Kubernetes Secret reference containing Infisical root credentials |
+| infisical.name | string | `"infisical"` |  |
+| infisical.podAnnotations | object | `{}` | Custom annotations for Infisical pods |
+| infisical.replicaCount | int | `2` | Number of pod replicas for high availability |
+| infisical.resources.limits.memory | string | `"600Mi"` | Memory limit for Infisical container |
+| infisical.resources.requests.cpu | string | `"350m"` | CPU request for Infisical container |
+| infisical.service.annotations | object | `{}` | Custom annotations for Infisical service |
+| infisical.service.nodePort | string | `""` | Optional node port for service when using NodePort type |
+| infisical.service.type | string | `"ClusterIP"` | Service type, can be changed based on exposure needs (e.g., LoadBalancer) |
+| infisical.serviceAccount.annotations | object | `{}` | Custom annotations for the auto-created service account |
+| infisical.serviceAccount.create | bool | `true` | Creates a new service account if true, with necessary permissions for this chart |
+| infisical.serviceAccount.name | string | `nil` | Optional custom service account name, if existing service account is used |
+| ingress.annotations | object | `{}` | Custom annotations for ingress resource |
+| ingress.enabled | bool | `true` | Enable or disable ingress configuration |
+| ingress.hostName | string | `""` | Hostname for ingress access, e.g., app.example.com |
+| ingress.ingressClassName | string | `"nginx"` | Specifies the ingress class, useful for multi-ingress setups |
+| ingress.nginx.enabled | bool | `true` | Enable NGINX-specific settings, if using NGINX ingress controller |
+| ingress.tls | list | `[]` | TLS settings for HTTPS access |
+| nameOverride | string | `""` | Overrides the default release name |
+| postgresql.auth.database | string | `"infisicalDB"` | Database name for Infisical |
+| postgresql.auth.password | string | `"root"` | Password for PostgreSQL database access |
+| postgresql.auth.username | string | `"infisical"` | Database username for PostgreSQL |
+| postgresql.enabled | bool | `true` | Enables an in-cluster PostgreSQL deployment. To achieve HA for Postgres, we recommend deploying https://github.com/zalando/postgres-operator instead. |
+| postgresql.fullnameOverride | string | `"postgresql"` | Full name override for PostgreSQL resources |
+| postgresql.name | string | `"postgresql"` | PostgreSQL resource name |
+| postgresql.useExistingPostgresSecret.enabled | bool | `false` | Set to true if using an existing Kubernetes secret that contains PostgreSQL connection string |
+| postgresql.useExistingPostgresSecret.existingConnectionStringSecret.key | string | `""` | Key name in the Kubernetes secret that holds the connection string |
+| postgresql.useExistingPostgresSecret.existingConnectionStringSecret.name | string | `""` | Kubernetes secret name containing the PostgreSQL connection string |
+| redis.architecture | string | `"standalone"` | Redis deployment type (e.g., standalone or cluster) |
+| redis.auth.password | string | `"mysecretpassword"` | Redis password |
+| redis.cluster.enabled | bool | `false` | Clustered Redis deployment |
+| redis.enabled | bool | `true` | Enables an in-cluster Redis deployment |
+| redis.fullnameOverride | string | `"redis"` | Full name override for Redis resources |
+| redis.name | string | `"redis"` | Redis resource name |
+| redis.usePassword | bool | `true` | Requires a password for Redis authentication |

helm-charts/infisical-standalone-postgres/templates/_helpers.tpl

@@ -40,6 +40,23 @@ component: {{ .Values.infisical.name | quote }}
 {{ include "infisical.common.matchLabels" . }}
 {{- end -}}
 
+{{- define "infisical.roleName" -}}
+{{- printf "%s-infisical" .Release.Name -}}
+{{- end -}}
+
+{{- define "infisical.roleBindingName" -}}
+{{- printf "%s-infisical" .Release.Name -}}
+{{- end -}}
+
+{{- define "infisical.serviceAccountName" -}}
+{{- if .Values.infisical.serviceAccount.create -}}
+{{- printf "%s-infisical" .Release.Name -}}
+{{- else -}}
+{{- .Values.infisical.serviceAccount.name | default "default" -}}
+{{- end -}}
+{{- end -}}
+
+
 {{/*
 Create a fully qualified backend name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

helm-charts/infisical-standalone-postgres/templates/infisical.yaml

@@ -34,10 +34,11 @@ spec:
         {{- toYaml $infisicalValues.image.imagePullSecrets | nindent 6 }}
     {{- end }}
     {{- if $infisicalValues.autoDatabaseSchemaMigration }}
+      serviceAccountName: {{ include "infisical.serviceAccountName" . }}
       initContainers:
       - name: "migration-init"
-        image: {{ $infisicalValues.databaseSchemaMigrationInitContainer.image }}
-        imagePullPolicy: {{ $infisicalValues.databaseSchemaMigrationInitContainer.imagePullPolicy }}
+        image: "{{ $infisicalValues.databaseSchemaMigrationJob.image.repository }}:{{ $infisicalValues.databaseSchemaMigrationJob.image.tag }}"
+        imagePullPolicy: {{ $infisicalValues.databaseSchemaMigrationJob.image.pullPolicy }}
         args: 
         - "job"
         - "{{ .Release.Name }}-schema-migration-{{ .Release.Revision }}"

helm-charts/infisical-standalone-postgres/templates/jobs-rbac.yaml

@@ -1,8 +1,25 @@
+---
+{{- if .Values.infisical.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ printf "%s-infisical" .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "infisical.labels" . | nindent 4 }}
+  {{- with .Values.infisical.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: k8s-wait-for-infisical-schema-migration
+  name: {{ include "infisical.roleName" . }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "infisical.labels" . | nindent 4 }}
 rules:
   - apiGroups: ["batch"]
     resources: ["jobs"]
@@ -11,13 +28,15 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: infisical-database-schema-migration
+  name: {{ include "infisical.roleBindingName" . }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "infisical.labels" . | nindent 4 }}
 subjects:
-  - kind: ServiceAccount
-    name: {{ .Values.infisical.databaseSchemaMigrationJob.serviceAccountName | default "default" }}
-    namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+  name: {{ include "infisical.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
 roleRef:
-  kind: Role
-  name: k8s-wait-for-infisical-schema-migration
   apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "infisical.roleName" . }}

helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml

@@ -16,7 +16,7 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
     spec:
-      serviceAccountName: {{ .Values.infisical.databaseSchemaMigrationJob.serviceAccountName | default "default" }}
+      serviceAccountName: {{ include "infisical.serviceAccountName" . }}
     {{- if $infisicalValues.image.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml $infisicalValues.image.imagePullSecrets | nindent 6 }}

helm-charts/infisical-standalone-postgres/values.yaml

@@ -1,81 +1,139 @@
+# -- Overrides the default release name
 nameOverride: ""
+
+# -- Overrides the full name of the release, affecting resource names
 fullnameOverride: ""
 
 infisical:
-  enabled: true
-  name: infisical
+  enabled: true # -- Enable Infisical chart deployment
+  name: infisical # -- Sets the name of the deployment within this chart
+
+  # -- Automatically migrates new database schema when deploying
   autoDatabaseSchemaMigration: true
-  databaseSchemaMigrationInitContainer:
-      image: "ghcr.io/groundnuty/k8s-wait-for:no-root-v2.0"
-      imagePullPolicy: IfNotPresent
 
   databaseSchemaMigrationJob:
-    serviceAccountName: default
-
+    image:
+      # -- Image repository for migration wait job
+      repository: ghcr.io/groundnuty/k8s-wait-for
+      # -- Image tag version
+      tag: no-root-v2.0
+      # -- Pulls image only if not present on the node
+      pullPolicy: IfNotPresent
+
+  serviceAccount:
+    # -- Creates a new service account if true, with necessary permissions for this chart
+    create: true
+    # -- Custom annotations for the auto-created service account
+    annotations: {}
+    # -- Optional custom service account name, if existing service account is used
+    name: null
+
+  # -- Override for the full name of Infisical resources in this deployment
   fullnameOverride: ""
+  # -- Custom annotations for Infisical pods
   podAnnotations: {}
+  # -- Custom annotations for Infisical deployment
   deploymentAnnotations: {}
+  # -- Number of pod replicas for high availability
   replicaCount: 2
 
   image:
+    # -- Image repository for the Infisical service
     repository: infisical/infisical
-    tag: "v0.46.3-postgres"
+    # -- Specific version tag of the Infisical image. View the latest version here https://hub.docker.com/r/infisical/infisical
+    tag: "v0.93.1-postgres"
+    # -- Pulls image only if not already present on the node
     pullPolicy: IfNotPresent
+    # -- Secret references for pulling the image, if needed
     imagePullSecrets: []
 
+  # -- Node affinity settings for pod placement
   affinity: {}
+  # -- Kubernetes Secret reference containing Infisical root credentials
   kubeSecretRef: "infisical-secrets"
 
   service:
+    # -- Custom annotations for Infisical service
     annotations: {}
+    # -- Service type, can be changed based on exposure needs (e.g., LoadBalancer)
     type: ClusterIP
+    # -- Optional node port for service when using NodePort type
     nodePort: ""
 
   resources:
     limits:
+      # -- Memory limit for Infisical container
       memory: 600Mi
     requests:
+      # -- CPU request for Infisical container
       cpu: 350m
 
 ingress:
+  # -- Enable or disable ingress configuration
   enabled: true
+  # -- Hostname for ingress access, e.g., app.example.com
   hostName: ""
+  # -- Specifies the ingress class, useful for multi-ingress setups
   ingressClassName: nginx
+
   nginx:
+    # -- Enable NGINX-specific settings, if using NGINX ingress controller
     enabled: true
+
+  # -- Custom annotations for ingress resource
   annotations: {}
+  # -- TLS settings for HTTPS access
   tls:
     []
+    # -- TLS secret name for HTTPS
     # - secretName: letsencrypt-prod
+    # -- Domain name to associate with the TLS certificate
     #   hosts:
     #     - some.domain.com
 
 postgresql:
-  # -- When enabled, this will start up a in cluster Postgres
+  # -- Enables an in-cluster PostgreSQL deployment. To achieve HA for Postgres, we recommend deploying https://github.com/zalando/postgres-operator instead.
   enabled: true
+  # -- PostgreSQL resource name
   name: "postgresql"
+  # -- Full name override for PostgreSQL resources
   fullnameOverride: "postgresql"
+
   auth:
+    # -- Database username for PostgreSQL
     username: infisical
+    # -- Password for PostgreSQL database access
     password: root
+    # -- Database name for Infisical
     database: infisicalDB
+
   useExistingPostgresSecret:
-    # -- When this is enabled, postgresql.enabled needs to be false
+    # -- Set to true if using an existing Kubernetes secret that contains PostgreSQL connection string
     enabled: false
-    # -- The name from where to get the existing postgresql connection string
     existingConnectionStringSecret:
-      # -- The name of the secret that contains the postgres connection string
+      # -- Kubernetes secret name containing the PostgreSQL connection string
       name: ""
-      # -- Secret key name that contains the postgres connection string
+      # -- Key name in the Kubernetes secret that holds the connection string
       key: ""
 
 redis:
+  # -- Enables an in-cluster Redis deployment
   enabled: true
+  # -- Redis resource name
   name: "redis"
+  # -- Full name override for Redis resources
   fullnameOverride: "redis"
+
   cluster:
+    # -- Clustered Redis deployment
     enabled: false
+
+  # -- Requires a password for Redis authentication
   usePassword: true
+
   auth:
+    # -- Redis password
     password: "mysecretpassword"
+
+  # -- Redis deployment type (e.g., standalone or cluster)
   architecture: standalone