temporary branch to tag v0.22.4 on dockerhub

temporary branch to tag v0.22.4 on dockerhub

Signed-off-by: Volkan Özçelik <ovolkan@vmware.com>

helm-charts/0.22.4/Chart.yaml

@@ -0,0 +1,65 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/ keep your secrets… secret
+# >/
+# <>/' Copyright 2023–present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: v2
+name: vsecm
+description: Helm chart for VMware Secrets Manager
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+sources:
+- https://github.com/vmware-tanzu/secrets-manager
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.22.4
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.22.4"
+home: https://vsecm.com/
+
+icon: https://vsecm.com/assets/vsecm-256.png
+
+keywords:
+ - secrets
+ - kubernetes
+ - secrets-manager
+ - spire
+ - spiffe
+ - zero-trust
+ - cloud-native
+ - edge
+ - secret-management
+ - security
+
+dependencies:
+ - name: spire
+ repository: file://charts/spire
+ version: 0.22.4
+ condition: global.deploySpire
+ - name: safe
+ repository: file://charts/safe
+ version: 0.22.4
+ condition: global.deploySafe
+ - name: sentinel
+ repository: file://charts/sentinel
+ version: 0.22.4
+ condition: global.deploySentinel

helm-charts/0.22.4/README.md

@@ -0,0 +1,76 @@
+# VMware Secrets Manager (VSecM) Helm Chart
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/vsecm)](https://artifacthub.io/packages/helm/vsecm/vsecm)
+
+VMware Secrets Manager keeps your secrets secret. With VSecM, you can rest assured
+that your sensitive data is always secure and protected. VSecM is perfect for
+securely storing arbitrary configuration information at a central location and
+securely dispatching it to workloads.
+
+## Installation
+
+To use VMware Secrets Manager, follow the steps below:
+
+1. Add VMware Secrets Manager Helm repository:
+
+ ```bash
+ helm repo add vsecm https://vmware-tanzu.github.io/secrets-manager/
+ ```
+
+2. Update helm repository:
+
+ ```bash
+ helm repo update
+ ```
+
+3. Install VMware Secrets Manager using Helm:
+
+ ```bash
+ helm install vsecm vsecm/vsecm --version 0.22.4
+ ```
+
+## Options
+
+The following options can be passed to the `helm install` command to set global
+variables:
+
+*`--set global.deploySpire=<true/false>`:
+ This flag can be passed to install or skip SPIRE.
+*`--set global.baseImage=<distroless/distroless-fips/photon/photos-fips>`:
+ This flag can be passed to install VSecM with the given baseImage Docker image.
+
+Default values are `true` and `distroless` for `global.deploySpire`
+and `global.baseImage` respectively.
+
+Here's an example command with the above options:
+
+```bash
+helm install vsecm vsecm/helm-charts --version 0.22.4 \
+ --set global.deploySpire=true --set global.baseImage=distroless
+```
+
+Make sure to replace `<true/false>` and
+`<distroless/distroless-fips/photon/photos-fips>` with the desired values.
+
+## Environment Configuration
+
+**VMware Secrets Manager** can be tweaked further using environment variables.
+
+[Check out **Configuring VSecM** on the official documentation][configuring-vsecm]
+for details.
+
+These environment variable configurations are expose through subcharts.
+You can modify them as follows:
+
+```bash
+helm install vsecm vsecm/helm-charts --version 0.22.4 \
+--set safe.environments.VSECM_LOG_LEVEL="7"
+--set sentinel.environments.VSECM_LOGL_LEVEL="5"
+# You can update other environment variables too.
+# Most of the time VSecM assumes sane defaults if you don’t set them.
+```
+
+[configuring-vsecm]: https://vsecm.com/docs/configuration/
+
+## License
+
+This project is licensed under the [BSD 2-Clause License](https://github.com/vmware-tanzu/secrets-manager/blob/main/LICENSE).

helm-charts/0.22.4/charts/safe/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm-charts/0.22.4/charts/safe/Chart.yaml

@@ -0,0 +1,34 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/ keep your secrets… secret
+# >/
+# <>/' Copyright 2023–present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: v2
+name: safe
+description: Helm chart for VMware Secrets Manager (VSecM) Safe
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.22.4
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.22.4"

helm-charts/0.22.4/charts/safe/templates/Deployment.yaml

@@ -0,0 +1,106 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/ keep your secrets… secret
+# >/
+# <>/' Copyright 2023–present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "safe.fullname" . }}
+ namespace: {{ .Values.global.vsecm.namespace }}
+ labels:
+ {{- include "safe.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "safe.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "safe.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "safe.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: main
+ image: "{{ .Values.global.registry }}/{{- include "safe.repository" .}}:{{ .Values.global.images.safe.tag }}"
+ imagePullPolicy: {{ .Values.global.images.safe.pullPolicy }}
+ ports:
+ - containerPort: 8443
+ volumeMounts:
+ - name: spire-agent-socket
+ mountPath: /spire-agent-socket
+ readOnly: true
+ - name: vsecm-data
+ mountPath: /data
+ - name: vsecm-age
+ mountPath: /key
+ readOnly: true
+ #
+ # You can configure VSecM Safe by providing environment variables.
+ #
+ # See https://vsecm.com/configuration for more information about
+ # these environment variables.
+ #
+ # When you don’t explicitly provide env vars here, VSecM Safe
+ # will assume the default values outlined in the given link above.
+ #
+ env:
+ {{- range .Values.environments }}
+ - name: {{ .name }}
+ value: {{ .value | quote }}
+ {{- end }}
+ - name: VSECM_SYSTEM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ livenessProbe:
+ httpGet:
+ path: /
+ port: {{ .Values.livenessPort }}
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /
+ port: {{ .Values.readynessPort }}
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
+ # ref: https://github.com/spiffe/spiffe-csi
+ - name: spire-agent-socket
+ csi:
+ driver: "csi.spiffe.io"
+ readOnly: true
+ # `vsecm-data` is used to persist the encrypted backups of the secrets.
+ - name: vsecm-data
+ hostPath:
+ path: /var/local/vsecm/data
+ type: DirectoryOrCreate
+ # `vsecm-age` stores the encryption keys to restore secrets from vsecm-data.
+ - name: vsecm-age
+ secret:
+ secretName: {{ .Values.ageKeySecretName }}
+ items:
+ - key: KEY_TXT
+ path: key.txt

helm-charts/0.22.4/charts/safe/templates/RoleBinding.yaml

@@ -0,0 +1,44 @@
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/ keep your secrets… secret
+# >/
+# <>/' Copyright 2023–present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vsecm-secret-readwriter-binding
+subjects:
+ - kind: ServiceAccount
+ name: vsecm-safe
+ namespace: {{ .Values.global.vsecm.namespace }}
+roleRef:
+ kind: ClusterRole
+ name: vsecm-secret-readwriter
+ apiGroup: rbac.authorization.k8s.io
+
+##
+#
+# Alternatively, for a tighter security, you can define a `RoleBinding`
+# instead of a `ClusterRoleBinding`. It will be more secure, yet harder to
+# maintain. See the discussion about above `Role`s and `RoleBinding`s.
+#
+# apiVersion: rbac.authorization.k8s.io/v1
+# kind: RoleBinding
+# metadata:
+# name: vsecm-secret-readwriter-binding
+# namespace: {{ .Values.global.vsecm.namespace }}
+# subjects:
+# - kind: ServiceAccount
+# name: vsecm-safe
+# namespace: {{ .Values.global.vsecm.namespace }}
+# roleRef:
+# kind: Role
+# name: vsecm-secret-readwriter
+# apiGroup: rbac.authorization.k8s.io
+#
+##

helm-charts/0.22.4/charts/safe/templates/ServicAaccount.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.serviceAccount.create -}}
+# /*
+# | Protect your secrets, protect your sensitive data.
+# : Explore VMware Secrets Manager docs at https://vsecm.com/
+# </
+# <>/ keep your secrets… secret
+# >/
+# <>/' Copyright 2023–present VMware Secrets Manager contributors.
+# >/' SPDX-License-Identifier: BSD-2-Clause
+# */
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "safe.serviceAccountName" . }}
+ namespace: {{ .Values.global.vsecm.namespace }}
+ labels:
+ {{- include "safe.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: true
+{{- end }}