From 4e796e7e419d83d2bfed27e73756c4f3501bf2cd Mon Sep 17 00:00:00 2001 From: Maidul Islam Date: Wed, 6 Nov 2024 16:37:34 -0500 Subject: [PATCH] Add support for auto creating SA for job and deployment --- .../CHANGELOG.md | 10 +++ .../infisical-standalone-postgres/Chart.yaml | 4 +- .../infisical-standalone-postgres/README.md | 66 +++++++++++++++ .../templates/_helpers.tpl | 17 ++++ .../templates/infisical.yaml | 5 +- .../templates/jobs-rbac.yaml | 33 ++++++-- .../templates/schema-migration-job.yaml | 2 +- .../infisical-standalone-postgres/values.yaml | 84 ++++++++++++++++--- 8 files changed, 196 insertions(+), 25 deletions(-) create mode 100644 helm-charts/infisical-standalone-postgres/README.md diff --git a/helm-charts/infisical-standalone-postgres/CHANGELOG.md b/helm-charts/infisical-standalone-postgres/CHANGELOG.md index a9608b7b4f..80b3d7fcce 100644 --- a/helm-charts/infisical-standalone-postgres/CHANGELOG.md +++ b/helm-charts/infisical-standalone-postgres/CHANGELOG.md @@ -1,3 +1,13 @@ +## 1.4.0 (November 06, 2024) + +Changes: +* Chart is now fully documented +* New fields introduced: `infisical.databaseSchemaMigrationJob.image` and `infisical.serviceAccount` + +Features: + +* Added support for auto creating service account with required permissions via `infisical.serviceAccount.create` + ## 1.3.0 (October 28, 2024) Changes: diff --git a/helm-charts/infisical-standalone-postgres/Chart.yaml b/helm-charts/infisical-standalone-postgres/Chart.yaml index f4bdc7082b..a4cbc49c77 100644 --- a/helm-charts/infisical-standalone-postgres/Chart.yaml +++ b/helm-charts/infisical-standalone-postgres/Chart.yaml 
@@ -1,13 +1,13 @@ apiVersion: v2 name: infisical-standalone -description: A helm chart for a full Infisical application +description: A helm chart to deploy Infisical type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.3.0 +version: 1.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/helm-charts/infisical-standalone-postgres/README.md b/helm-charts/infisical-standalone-postgres/README.md new file mode 100644 index 0000000000..ef1839dc2f --- /dev/null +++ b/helm-charts/infisical-standalone-postgres/README.md 
@@ -0,0 +1,66 @@ +# infisical-standalone + +![Version: 1.3.0](https://img.shields.io/badge/Version-1.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.1](https://img.shields.io/badge/AppVersion-1.0.1-informational?style=flat-square) + +A helm chart to deploy Infisical + +## Requirements + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.bitnami.com/bitnami | postgresql | 14.1.3 | +| https://charts.bitnami.com/bitnami | redis | 18.14.0 | +| https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.0.13 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| fullnameOverride | string | `""` | Overrides the full name of the release, affecting resource names | +| infisical.affinity | object | `{}` | Node affinity settings for pod placement | +| infisical.autoDatabaseSchemaMigration | bool | `true` | Automatically migrates new database schema when deploying | +| infisical.databaseSchemaMigrationJob.image.pullPolicy | string | `"IfNotPresent"` | Pulls image only if not present on the node | +| infisical.databaseSchemaMigrationJob.image.repository | string | `"ghcr.io/groundnuty/k8s-wait-for"` | Image repository for migration wait job | +| infisical.databaseSchemaMigrationJob.image.tag | string | `"no-root-v2.0"` | Image tag version | +| infisical.deploymentAnnotations | object | `{}` | Custom annotations for Infisical deployment | +| infisical.enabled | bool | `true` | | +| infisical.fullnameOverride | string | `""` | Override for the full name of Infisical resources in this deployment | +| infisical.image.imagePullSecrets | list | `[]` | Secret references for pulling the image, if needed | +| infisical.image.pullPolicy | string | `"IfNotPresent"` | Pulls image only if not already present on the node | +| infisical.image.repository | string | `"infisical/infisical"` | Image repository 
for the Infisical service | +| infisical.image.tag | string | `"v0.93.1-postgres"` | Specific version tag of the Infisical image. View the latest version here https://hub.docker.com/r/infisical/infisical | +| infisical.kubeSecretRef | string | `"infisical-secrets"` | Kubernetes Secret reference containing Infisical root credentials | +| infisical.name | string | `"infisical"` | | +| infisical.podAnnotations | object | `{}` | Custom annotations for Infisical pods | +| infisical.replicaCount | int | `2` | Number of pod replicas for high availability | +| infisical.resources.limits.memory | string | `"600Mi"` | Memory limit for Infisical container | +| infisical.resources.requests.cpu | string | `"350m"` | CPU request for Infisical container | +| infisical.service.annotations | object | `{}` | Custom annotations for Infisical service | +| infisical.service.nodePort | string | `""` | Optional node port for service when using NodePort type | +| infisical.service.type | string | `"ClusterIP"` | Service type, can be changed based on exposure needs (e.g., LoadBalancer) | +| infisical.serviceAccount.annotations | object | `{}` | Custom annotations for the auto-created service account | +| infisical.serviceAccount.create | bool | `true` | Creates a new service account if true, with necessary permissions for this chart | +| infisical.serviceAccount.name | string | `nil` | Optional custom service account name, if existing service account is used | +| ingress.annotations | object | `{}` | Custom annotations for ingress resource | +| ingress.enabled | bool | `true` | Enable or disable ingress configuration | +| ingress.hostName | string | `""` | Hostname for ingress access, e.g., app.example.com | +| ingress.ingressClassName | string | `"nginx"` | Specifies the ingress class, useful for multi-ingress setups | +| ingress.nginx.enabled | bool | `true` | Enable NGINX-specific settings, if using NGINX ingress controller | +| ingress.tls | list | `[]` | TLS settings for HTTPS access 
| +| nameOverride | string | `""` | Overrides the default release name | +| postgresql.auth.database | string | `"infisicalDB"` | Database name for Infisical | +| postgresql.auth.password | string | `"root"` | Password for PostgreSQL database access | +| postgresql.auth.username | string | `"infisical"` | Database username for PostgreSQL | +| postgresql.enabled | bool | `true` | Enables an in-cluster PostgreSQL deployment. To achieve HA for Postgres, we recommend deploying https://github.com/zalando/postgres-operator instead. | +| postgresql.fullnameOverride | string | `"postgresql"` | Full name override for PostgreSQL resources | +| postgresql.name | string | `"postgresql"` | PostgreSQL resource name | +| postgresql.useExistingPostgresSecret.enabled | bool | `false` | Set to true if using an existing Kubernetes secret that contains PostgreSQL connection string | +| postgresql.useExistingPostgresSecret.existingConnectionStringSecret.key | string | `""` | Key name in the Kubernetes secret that holds the connection string | +| postgresql.useExistingPostgresSecret.existingConnectionStringSecret.name | string | `""` | Kubernetes secret name containing the PostgreSQL connection string | +| redis.architecture | string | `"standalone"` | Redis deployment type (e.g., standalone or cluster) | +| redis.auth.password | string | `"mysecretpassword"` | Redis password | +| redis.cluster.enabled | bool | `false` | Clustered Redis deployment | +| redis.enabled | bool | `true` | Enables an in-cluster Redis deployment | +| redis.fullnameOverride | string | `"redis"` | Full name override for Redis resources | +| redis.name | string | `"redis"` | Redis resource name | +| redis.usePassword | bool | `true` | Requires a password for Redis authentication | diff --git a/helm-charts/infisical-standalone-postgres/templates/_helpers.tpl b/helm-charts/infisical-standalone-postgres/templates/_helpers.tpl index 85d32af3f1..4f85ccd9ca 100644 
--- a/helm-charts/infisical-standalone-postgres/templates/_helpers.tpl +++ b/helm-charts/infisical-standalone-postgres/templates/_helpers.tpl @@ -40,6 +40,23 @@ component: {{ .Values.infisical.name | quote }} {{ include "infisical.common.matchLabels" . }} {{- end -}} +{{- define "infisical.roleName" -}} +{{- printf "%s-infisical" .Release.Name -}} +{{- end -}} + +{{- define "infisical.roleBindingName" -}} +{{- printf "%s-infisical" .Release.Name -}} +{{- end -}} + +{{- define "infisical.serviceAccountName" -}} +{{- if .Values.infisical.serviceAccount.create -}} +{{- printf "%s-infisical" .Release.Name -}} +{{- else -}} +{{- .Values.infisical.serviceAccount.name | default "default" -}} +{{- end -}} +{{- end -}} + + {{/* Create a fully qualified backend name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). diff --git a/helm-charts/infisical-standalone-postgres/templates/infisical.yaml b/helm-charts/infisical-standalone-postgres/templates/infisical.yaml index 440005e49f..ac941c9b27 100644 --- a/helm-charts/infisical-standalone-postgres/templates/infisical.yaml +++ b/helm-charts/infisical-standalone-postgres/templates/infisical.yaml @@ -34,10 +34,11 @@ spec: {{- toYaml $infisicalValues.image.imagePullSecrets | nindent 6 }} {{- end }} {{- if $infisicalValues.autoDatabaseSchemaMigration }} + serviceAccountName: {{ include "infisical.serviceAccountName" . }} initContainers: - name: "migration-init" - image: {{ $infisicalValues.databaseSchemaMigrationInitContainer.image }} - imagePullPolicy: {{ $infisicalValues.databaseSchemaMigrationInitContainer.imagePullPolicy }} + image: "{{ $infisicalValues.databaseSchemaMigrationJob.image.repository }}:{{ $infisicalValues.databaseSchemaMigrationJob.image.tag }}" + imagePullPolicy: {{ $infisicalValues.databaseSchemaMigrationJob.image.pullPolicy }} args: - "job" - "{{ .Release.Name }}-schema-migration-{{ .Release.Revision }}" 
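Review bot: `infisical.serviceAccountName` silently falls back to `"default"` when `serviceAccount.create` is false and `serviceAccount.name` is unset, and jobs-rbac.yaml binds the chart's Role to whatever this helper returns, so that configuration grants the Role to the namespace-wide `default` ServiceAccount shared by every pod that does not set its own. Failing the render is safer than widening that shared account: `{{- required "infisical.serviceAccount.name must be set when infisical.serviceAccount.create is false" .Values.infisical.serviceAccount.name -}}`. The same `printf "%s-infisical" .Release.Name` is repeated in `infisical.roleName`, `infisical.roleBindingName` and the create branch here; one shared helper the other three include would keep the names from drifting. A short `{{/* ... */}}` comment above each define, stating what it names and when the fallback applies, would match the existing helper comments in this file.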
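Review bot: `serviceAccountName` is emitted only inside the `{{- if $infisicalValues.autoDatabaseSchemaMigration }}` block, so with migration disabled the Deployment runs under the namespace default ServiceAccount even when `serviceAccount.create` is true, and with it enabled the token bound to the jobs-reading Role is, by default, mounted into the main Infisical container as well, not just the `migration-init` init container. Moving `serviceAccountName: {{ include "infisical.serviceAccountName" . }}` above the `if` makes the pod identity independent of the migration toggle; keeping the application container's token from carrying Job permissions would need the Role itself narrowed, which lives in jobs-rbac.yaml. Either way the behaviour deserves a line in values.yaml under `serviceAccount`: `# -- The created account is used by both the schema-migration Job and the Infisical Deployment pods`. The Deployment's pod spec continues outside the hunk.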
diff --git a/helm-charts/infisical-standalone-postgres/templates/jobs-rbac.yaml b/helm-charts/infisical-standalone-postgres/templates/jobs-rbac.yaml index 75c4364d5a..38230d9a12 100644 --- a/helm-charts/infisical-standalone-postgres/templates/jobs-rbac.yaml +++ b/helm-charts/infisical-standalone-postgres/templates/jobs-rbac.yaml @@ -1,8 +1,25 @@ +--- +{{- if .Values.infisical.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ printf "%s-infisical" .Release.Name }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "infisical.labels" . | nindent 4 }} + {{- with .Values.infisical.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: k8s-wait-for-infisical-schema-migration + name: {{ include "infisical.roleName" . }} namespace: {{ .Release.Namespace }} + labels: + {{- include "infisical.labels" . | nindent 4 }} rules: - apiGroups: ["batch"] resources: ["jobs"] @@ -11,13 +28,15 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: infisical-database-schema-migration + name: {{ include "infisical.roleBindingName" . }} namespace: {{ .Release.Namespace }} + labels: + {{- include "infisical.labels" . | nindent 4 }} subjects: - - kind: ServiceAccount - name: {{ .Values.infisical.databaseSchemaMigrationJob.serviceAccountName | default "default" }} - namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: {{ include "infisical.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} roleRef: - kind: Role - name: k8s-wait-for-infisical-schema-migration apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "infisical.roleName" . }} \ No newline at end of file 
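Review bot: The ServiceAccount's `name:` is computed inline as `printf "%s-infisical" .Release.Name`, while the RoleBinding subject below and the pod specs in infisical.yaml and schema-migration-job.yaml use `include "infisical.serviceAccountName" .`; any later change to the helper would create an account the binding no longer references, so use `name: {{ include "infisical.serviceAccountName" . }}` here too. The Role's rule `resources: ["jobs"]` (its verbs are outside this hunk) carries no `resourceNames`, so the bound account can read every Job in the namespace rather than only the migration Job it waits for; if the verbs are limited to `get`, `resourceNames: ["{{ .Release.Name }}-schema-migration-{{ .Release.Revision }}"]` would narrow it, whereas `list`/`watch` are not restricted by `resourceNames` and would need another approach. The leading `---` placed before the `{{- if }}` yields an empty document between two separators when `create` is false; Helm should skip an empty manifest, but moving the separator inside the `if` avoids the noise.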
diff --git a/helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml b/helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml index 06a1f840b5..bb1b918059 100644 --- a/helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml +++ b/helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml @@ -16,7 +16,7 @@ spec: app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" spec: - serviceAccountName: {{ .Values.infisical.databaseSchemaMigrationJob.serviceAccountName | default "default" }} + serviceAccountName: {{ include "infisical.serviceAccountName" . }} {{- if $infisicalValues.image.imagePullSecrets }} imagePullSecrets: {{- toYaml $infisicalValues.image.imagePullSecrets | nindent 6 }} diff --git a/helm-charts/infisical-standalone-postgres/values.yaml b/helm-charts/infisical-standalone-postgres/values.yaml index 1581b1625b..24ea7c0bdd 100644 --- a/helm-charts/infisical-standalone-postgres/values.yaml +++ b/helm-charts/infisical-standalone-postgres/values.yaml 
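Review bot: The replaced line dropped the only read of `infisical.databaseSchemaMigrationJob.serviceAccountName`, and the values.yaml hunk deletes that key, so an existing install that pinned a custom account there will switch to the chart-created `<release>-infisical` account on upgrade with no warning. The CHANGELOG entry in this commit lists only additions; it should name the removed key and its replacement, `infisical.serviceAccount.name` together with `create: false`. A transitional fallback in the helper, `.Values.infisical.serviceAccount.name | default .Values.infisical.databaseSchemaMigrationJob.serviceAccountName | default "default"`, would keep such upgrades working for one release cycle. The Job's pod spec continues outside the hunk.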
@@ -1,81 +1,139 @@ +# -- Overrides the default release name nameOverride: "" + +# -- Overrides the full name of the release, affecting resource names fullnameOverride: "" infisical: - enabled: true - name: infisical + enabled: true # -- Enable Infisical chart deployment + name: infisical # -- Sets the name of the deployment within this chart + + # -- Automatically migrates new database schema when deploying autoDatabaseSchemaMigration: true - databaseSchemaMigrationInitContainer: - image: "ghcr.io/groundnuty/k8s-wait-for:no-root-v2.0" - imagePullPolicy: IfNotPresent databaseSchemaMigrationJob: - serviceAccountName: default - + image: + # -- Image repository for migration wait job + repository: ghcr.io/groundnuty/k8s-wait-for + # -- Image tag version + tag: no-root-v2.0 + # -- Pulls image only if not present on the node + pullPolicy: IfNotPresent + + serviceAccount: + # -- Creates a new service account if true, with necessary permissions for this chart + create: true + # -- Custom annotations for the auto-created service account + annotations: {} + # -- Optional custom service account name, if existing service account is used + name: null + + # -- Override for the full name of Infisical resources in this deployment fullnameOverride: "" + # -- Custom annotations for Infisical pods podAnnotations: {} + # -- Custom annotations for Infisical deployment deploymentAnnotations: {} + # -- Number of pod replicas for high availability replicaCount: 2 image: + # -- Image repository for the Infisical service repository: infisical/infisical - tag: "v0.46.3-postgres" + # -- Specific version tag of the Infisical image. 
View the latest version here https://hub.docker.com/r/infisical/infisical + tag: "v0.93.1-postgres" + # -- Pulls image only if not already present on the node pullPolicy: IfNotPresent + # -- Secret references for pulling the image, if needed imagePullSecrets: [] + # -- Node affinity settings for pod placement affinity: {} + # -- Kubernetes Secret reference containing Infisical root credentials kubeSecretRef: "infisical-secrets" service: + # -- Custom annotations for Infisical service annotations: {} + # -- Service type, can be changed based on exposure needs (e.g., LoadBalancer) type: ClusterIP + # -- Optional node port for service when using NodePort type nodePort: "" resources: limits: + # -- Memory limit for Infisical container memory: 600Mi requests: + # -- CPU request for Infisical container cpu: 350m ingress: + # -- Enable or disable ingress configuration enabled: true + # -- Hostname for ingress access, e.g., app.example.com hostName: "" + # -- Specifies the ingress class, useful for multi-ingress setups ingressClassName: nginx + nginx: + # -- Enable NGINX-specific settings, if using NGINX ingress controller enabled: true + + # -- Custom annotations for ingress resource annotations: {} + # -- TLS settings for HTTPS access tls: [] + # -- TLS secret name for HTTPS # - secretName: letsencrypt-prod + # -- Domain name to associate with the TLS certificate # hosts: # - some.domain.com postgresql: - # -- When enabled, this will start up a in cluster Postgres + # -- Enables an in-cluster PostgreSQL deployment. To achieve HA for Postgres, we recommend deploying https://github.com/zalando/postgres-operator instead. 
enabled: true + # -- PostgreSQL resource name name: "postgresql" + # -- Full name override for PostgreSQL resources fullnameOverride: "postgresql" + auth: + # -- Database username for PostgreSQL username: infisical + # -- Password for PostgreSQL database access password: root + # -- Database name for Infisical database: infisicalDB + useExistingPostgresSecret: - # -- When this is enabled, postgresql.enabled needs to be false + # -- Set to true if using an existing Kubernetes secret that contains PostgreSQL connection string enabled: false - # -- The name from where to get the existing postgresql connection string existingConnectionStringSecret: - # -- The name of the secret that contains the postgres connection string + # -- Kubernetes secret name containing the PostgreSQL connection string name: "" - # -- Secret key name that contains the postgres connection string + # -- Key name in the Kubernetes secret that holds the connection string key: "" redis: + # -- Enables an in-cluster Redis deployment enabled: true + # -- Redis resource name name: "redis" + # -- Full name override for Redis resources fullnameOverride: "redis" + cluster: + # -- Clustered Redis deployment enabled: false + + # -- Requires a password for Redis authentication usePassword: true + auth: + # -- Redis password password: "mysecretpassword" + + # -- Redis deployment type (e.g., standalone or cluster) architecture: standalone
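Review bot: The trailing `# -- Enable Infisical chart deployment` and `# -- Sets the name of the deployment within this chart` comments on `enabled: true` and `name: infisical` are not picked up by the documentation generator — the README added in this commit renders `infisical.enabled` and `infisical.name` with empty descriptions — so they should move onto their own line above each key like every other `# --` comment in the file. The new comments on `password: root` and `password: "mysecretpassword"` describe the keys without saying the values are placeholder defaults that are now published verbatim in the README; suggest `# -- Password for PostgreSQL database access. Placeholder default; override it (or use useExistingPostgresSecret) before deploying` and the equivalent wording for Redis. The `serviceAccount` block should also state that the account it creates is used by the Infisical Deployment, not only the migration Job, since that is what the templates in this commit do. The README's `Version: 1.3.0` badge suggests it was generated before the Chart.yaml bump to 1.4.0, so regenerating it after these comment moves would fix both.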