diff --git a/toggle-django-helm/templates/_helpers.tpl b/toggle-django-helm/templates/_helpers.tpl index 07a4665..cf4655a 100644 --- a/toggle-django-helm/templates/_helpers.tpl +++ b/toggle-django-helm/templates/_helpers.tpl @@ -31,6 +31,28 @@ {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create the name of the service account to use +*/}} +{{- define "django-app.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "django-app.fullname" .) .Values.serviceAccountName }} +{{- else }} +{{- default "default" .Values.serviceAccountName }} +{{- end }} +{{- end }} + +{{/* +Create the name of the secret to be used by the django-app +*/}} +{{- define "django-app.secretProviderName" -}} +{{- if .Values.secretsStoreCsiDriverProviderName }} + {{- .Values.secretsStoreCsiDriverProviderName -}} +{{- else }} + {{- printf "%s-secret-provider" (include "django-app.fullname" .) -}} +{{- end -}} +{{- end -}} + {{/* Create the name of the secret to be used by the django-app */}} @@ -68,6 +90,10 @@ Generate image metadata -}} image: "{{ printf "%s:%s" $merged.name $merged.tag }}" imagePullPolicy: {{ default "IfNotPresent" $merged.imagePullPolicy }} +{{- with $merged.imagePullSecrets }} +imagePullSecrets: +{{- toYaml . | nindent 2 }} +{{- end }} {{- end }} {{/* 
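Review bot: The header comment on the new `django-app.secretProviderName` define repeats the one on the `django-app.secretname` helper that follows it ("Create the name of the secret to be used by the django-app"), so it documents the wrong helper; `Resolve the SecretProviderClass name: .Values.secretsStoreCsiDriverProviderName when set, otherwise <fullname>-secret-provider` says what the body actually does. The `django-app.serviceAccountName` define above it has an else branch returning `default`, but every call site this commit adds (api, worker, worker-beat, celery-flower, cronjobs, hook-job) is wrapped in `{{- if .Values.serviceAccount.create }}`, so that branch is never rendered and a pre-existing account passed as `serviceAccountName` with `create: false` is silently ignored. Either drop the guards at the call sites or state in this comment that the helper is only consulted when `create` is true. Both helpers read top-level keys (`.Values.serviceAccountName`, `.Values.secretsStoreCsiDriverProviderName`) rather than `serviceAccount.name` / `secretsStoreCsiDriver.*`, which is where a reader of values.yaml will look for them.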
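Review bot: `imagePullSecrets:` is added to `django-app.imageConfig` alongside `image:` and `imagePullPolicy:`, which are container fields, so it is rendered inside the container entry rather than at pod level where Kubernetes reads it; the include site is outside this hunk, but the deployment hunks in this diff show the include directly under `- name: api` / `- name: worker`. With strict field validation the API server rejects the manifest; with lenient clients the field is dropped and the registry credential is never used, which only surfaces as a pull failure on the first private image. Keep `imageConfig` container-only and emit these three lines from a separate pod-level define taking the same merged dict, included under `spec.template.spec` next to the `django-app.appDefaultVolumes` include. `$merged` is built above this hunk, so I could not confirm that a root-level `image.imagePullSecrets` is merged in when the per-component `image` omits it, as the new values.yaml comments imply.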
@@ -118,8 +144,64 @@ Generate env configs for app types {{/* Generate default annotations for app deployments */}} +{{- define "django-app.appDefaultDeploymentAnnotations" -}} +annotations: + reloader.stakater.com/auto: "true" +{{- end }} + +{{/* +Generate default annotations for app pods +*/}} {{- define "django-app.appDefaultAnnotations" -}} -reloader.stakater.com/auto: "true" checksum/secret: {{ include (print .Template.BasePath "/config/secret.yaml") . | sha256sum }} checksum/configmap: {{ include (print .Template.BasePath "/config/configmap.yaml") . | sha256sum }} +{{- with .Values.podAnnotations }} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Generate default labels for app deployments +*/}} +{{- define "django-app.appDefaultLabels" -}} +{{- with .Values.podLabels -}} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Generate default volumes for app deployments +*/}} +{{- define "django-app.appDefaultVolumes" -}} +{{- if or .Values.secretsStoreCsiDriver.create .Values.podVolumes -}} +volumes: +{{- if .Values.secretsStoreCsiDriver.create }} + - name: {{ template "django-app.secretname" . }} + csi: + driver: "secrets-store.csi.k8s.io" + readOnly: true + volumeAttributes: + secretProviderClass: {{ template "django-app.secretProviderName" . }} +{{- end }} +{{- if .Values.podVolumes }} +{{ .Values.podVolumes | toYaml | indent 2 }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Generate default volumes mounts for app deployments +*/}} +{{- define "django-app.appDefaultVolumeMounts" -}} +{{- if or .Values.secretsStoreCsiDriver.create .Values.podVolumeMounts -}} +volumeMounts: +{{- if .Values.secretsStoreCsiDriver.create }} + - name: {{ template "django-app.secretname" . }} + mountPath: /mnt/secrets-store + readOnly: true +{{- end }} +{{- if .Values.podVolumeMounts }} +{{ .Values.podVolumeMounts | toYaml | indent 2 }} +{{- end }} +{{- end }} {{- end }} 
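Review bot: `checksum/secret` in `django-app.appDefaultAnnotations` hashes the rendered `config/secret.yaml`, which this commit wraps in `{{- if not .Values.secretsStoreCsiDriver.create -}}`; with the CSI driver enabled the template renders empty, the annotation is the hash of an empty string, and a changed Key Vault value no longer rolls the pods from the chart side. Rollouts then depend on Reloader picking up changes to the synced Secret, which the driver only rewrites when its secret rotation is enabled, so a comment above the `checksum/secret` line such as `# constant when secretsStoreCsiDriver.create is true; rotation then relies on the driver sync + Reloader` saves the next reader a debugging session. In `django-app.appDefaultVolumes` the CSI volume is named by `django-app.secretname` and user `podVolumes` are appended after it, so a `podVolumes` entry with the same name yields a duplicate volume name the API server rejects; the values.yaml comment on `podVolumes` should say that name is reserved. The header comment `Generate default volumes mounts for app deployments` has a typo (`volume mounts`), and both volume helpers are also included from the Job templates in this diff, so "app deployments" undersells their scope.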
diff --git a/toggle-django-helm/templates/api/deployment.yaml b/toggle-django-helm/templates/api/deployment.yaml index 0fffb15..3d64f61 100644 --- a/toggle-django-helm/templates/api/deployment.yaml +++ b/toggle-django-helm/templates/api/deployment.yaml @@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "django-app.fullname" . }}-api + {{- with (include "django-app.appDefaultDeploymentAnnotations" $) -}}{{ . | nindent 2 }}{{- end }} labels: app: {{ include "django-app.fullname" . }} component: api @@ -22,7 +23,12 @@ spec: labels: app: {{ include "django-app.fullname" . }} component: api + {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }} spec: + {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }} + {{- if .Values.serviceAccount.create }} + serviceAccountName: {{ include "django-app.serviceAccountName" $ }} + {{- end }} containers: - name: api {{- include "django-app.imageConfig" @@ -45,5 +51,6 @@ spec: (dict "Values" $.Values "Type" "web" ) | nindent 12 }} + {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }} {{- end }} diff --git a/toggle-django-helm/templates/api/secrets-provider-class.yaml b/toggle-django-helm/templates/api/secrets-provider-class.yaml new file mode 100644 index 0000000..d42524e --- /dev/null +++ b/toggle-django-helm/templates/api/secrets-provider-class.yaml 
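Review bot: `serviceAccountName` is only rendered inside `{{- if .Values.serviceAccount.create }}`, so an existing, cluster-managed account supplied through `serviceAccountName` with `create: false` is ignored and the pod keeps the namespace `default` account — contrary to the `default "default" .Values.serviceAccountName` branch in the helper. Because `django-app.serviceAccountName` already resolves to `default` when nothing is configured, the guard can go and the line becomes `serviceAccountName: {{ include "django-app.serviceAccountName" $ }}` on its own. The same guarded block is repeated in celery-flower, worker-beat and worker deployment.yaml, cronjobs/deployment.yaml and argo-hooks/hook-job.yaml; decide once here and apply to all of them. The enclosing Deployment template starts and ends outside this hunk.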
@@ -0,0 +1,29 @@ +{{- if .Values.secretsStoreCsiDriver.create -}} + +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: {{ template "django-app.secretProviderName" . }} +spec: + provider: {{ .Values.secretsStoreCsiDriver.provider }} + parameters: + {{- with .Values.secretsStoreCsiDriver.parameters -}} + {{ toYaml . | nindent 4 }} + {{- end }} + objects: | + array: + {{- range $secret_key, $object_key := .Values.secretsStoreCsiDriver.secretsKeyMap }} + - | + objectName: {{ $object_key }} + objectType: secret + {{- end }} + secretObjects: + - secretName: {{ template "django-app.secretname" . }} + type: Opaque + data: + {{- range $secret_key, $object_key := .Values.secretsStoreCsiDriver.secretsKeyMap }} + - objectName: {{ $object_key }} + key: {{ $secret_key }} + {{- end }} + +{{- end }} diff --git a/toggle-django-helm/templates/api/service-account.yaml b/toggle-django-helm/templates/api/service-account.yaml new file mode 100644 index 0000000..cc7a511 --- /dev/null +++ b/toggle-django-helm/templates/api/service-account.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create -}} + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "django-app.serviceAccountName" . }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{ toYaml . | nindent 4}} + {{- end }} + {{- with .Values.serviceAccount.labels }} + labels: + {{ toYaml . | nindent 4}} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} + +{{- end }} diff --git a/toggle-django-helm/templates/argo-hooks/hook-job.yaml b/toggle-django-helm/templates/argo-hooks/hook-job.yaml index ddebbc3..52838d0 100644 --- a/toggle-django-helm/templates/argo-hooks/hook-job.yaml +++ b/toggle-django-helm/templates/argo-hooks/hook-job.yaml 
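Review bot: Nothing in the new `secrets-provider-class.yaml` validates the Azure parameters, so `create: true` with the values.yaml defaults (`clientID: ""`, `keyvaultName: ""`, `tenantId: ""`) renders a SecretProviderClass that only fails at pod mount time — after the `if not` guard added to `config/secret.yaml` has already removed the plain Secret. A fail-fast check at the top of the file, `{{- required "secretsStoreCsiDriver.parameters.keyvaultName must be set" .Values.secretsStoreCsiDriver.parameters.keyvaultName }}` (and the same for `clientID` and `tenantId`), surfaces the mistake at `helm template`/install instead. `objectName: {{ $object_key }}` and `key: {{ $secret_key }}` take user values unquoted, and the `objects: |` block is parsed again as YAML by the driver, so `| quote` on both keeps a key such as `on` or a name containing a colon from being retyped or breaking the inner document. `secretObjects` mirrors every mapped object into a Kubernetes `Secret` named by `django-app.secretname`, so the values still end up in etcd just as with the old template; that, and the fact that the sync only happens when the driver is deployed with `syncSecret.enabled`, belongs in the values.yaml comment next to `secretsKeyMap`.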
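Review bot: `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` is driven by a default of `true` in values.yaml, which mounts an API-server token into every pod of a chart whose workloads (Django API, Celery workers, cron jobs) have no stated need for the Kubernetes API; `false` is the least-privilege default, and if `true` is kept a values.yaml comment should name the consumer. I believe Azure workload identity injects its own projected token through its webhook rather than relying on this flag, and the Secrets Store CSI driver obtains pod tokens via the CSIDriver token request — worth confirming before flipping the default. `{{ toYaml . | nindent 4}}` under `annotations:` and `labels:` has no `{{-`, so the newline and the four leading spaces before the action are emitted, producing a whitespace-only line before each map; `{{- toYaml . | nindent 4 }}` renders the intended shape.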
@@ -17,8 +17,19 @@ metadata: argocd.argoproj.io/hook: {{ $hook.hook }} spec: template: + metadata: + annotations: + {{- include "django-app.appDefaultAnnotations" $ | nindent 8 }} + labels: + app: {{ include "django-app.fullname" $ }} + component: argo-hooks + {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }} spec: restartPolicy: "Never" + {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }} + {{- if $.Values.serviceAccount.create }} + serviceAccountName: {{ include "django-app.serviceAccountName" $ }} + {{- end }} containers: - name: {{ $hookName }} {{- include "django-app.imageConfig" @@ -41,6 +52,7 @@ spec: (dict "Values" $.Values "Type" "hook" ) | nindent 12 }} + {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }} {{- end }} diff --git a/toggle-django-helm/templates/celery-flower/deployment.yaml b/toggle-django-helm/templates/celery-flower/deployment.yaml index f4884d2..a14dcb0 100644 --- a/toggle-django-helm/templates/celery-flower/deployment.yaml +++ b/toggle-django-helm/templates/celery-flower/deployment.yaml @@ -5,6 +5,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "django-app.fullname" . }}-celery-flower + {{- with (include "django-app.appDefaultDeploymentAnnotations" $) -}}{{ . | nindent 2 }}{{- end }} labels: app: {{ include "django-app.fullname" . }} component: worker-flower @@ -23,7 +24,12 @@ spec: labels: app: {{ include "django-app.fullname" . }} component: worker-flower + {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }} spec: + {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }} + {{- if .Values.serviceAccount.create }} + serviceAccountName: {{ include "django-app.serviceAccountName" $ }} + {{- end }} containers: - name: worker {{- include "django-app.imageConfig" 
@@ -42,6 +48,7 @@ spec: (dict "Values" $.Values "Type" "worker" ) | nindent 12 }} + {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }} {{- end }} {{- end }} diff --git a/toggle-django-helm/templates/config/secret.yaml b/toggle-django-helm/templates/config/secret.yaml index 4e60893..dd4054c 100644 --- a/toggle-django-helm/templates/config/secret.yaml +++ b/toggle-django-helm/templates/config/secret.yaml @@ -1,3 +1,5 @@ +{{- if not .Values.secretsStoreCsiDriver.create -}} + kind: Secret apiVersion: v1 metadata: @@ -12,3 +14,5 @@ stringData: {{- range $name, $value := .Values.secrets }} {{ $name }}: {{ tpl $value $ | quote }} {{- end }} + +{{- end }} diff --git a/toggle-django-helm/templates/cronjobs/deployment.yaml b/toggle-django-helm/templates/cronjobs/deployment.yaml index 27482e7..c485f20 100644 --- a/toggle-django-helm/templates/cronjobs/deployment.yaml +++ b/toggle-django-helm/templates/cronjobs/deployment.yaml @@ -24,9 +24,22 @@ spec: jobTemplate: spec: activeDeadlineSeconds: {{ default 7200 $job.timeLimit }} # 2 hours default + metadata: + {{- with $.Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 10 }} + {{- end }} + labels: + app: {{ include "django-app.fullname" $ }} + component: cronjob + {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 10 }}{{- end }} template: spec: restartPolicy: "Never" + {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 10 }}{{- end }} + {{- if $.Values.serviceAccount.create }} + serviceAccountName: {{ include "django-app.serviceAccountName" $ }} + {{- end }} containers: - name: cronjob command: @@ -47,6 +60,7 @@ spec: (dict "Values" $.Values "Type" "cronjob" ) | nindent 16 }} + {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 14 }}{{- end }} {{- end }} diff --git a/toggle-django-helm/templates/worker-beat/deployment.yaml b/toggle-django-helm/templates/worker-beat/deployment.yaml index 1991305..3a8acf4 100644 
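Review bot: In cronjobs/deployment.yaml the new `metadata:` block is placed after `activeDeadlineSeconds` and before `template:`, so it sits under `jobTemplate.spec` rather than inside the pod template; indentation is lost in this view, but the ordering rules out it being under `template:`, and the `nindent 10` on its entries matches a block at the same depth as `template:`. `JobSpec` has no `metadata` field, so strict field validation rejects the CronJob and lenient clients drop the block — either way cron pods never get `podLabels`, and with tests/values-2.yaml that is the `azure.workload.identity/use: "true"` label the identity webhook keys on, so cron pods would run without the identity the API pods receive. Move the block to directly under `template:` (as the hook-job.yaml hunk does with `template:` → `metadata:` → `spec:`) and raise its `nindent` values by two. This hunk also reads `$.Values.podAnnotations` directly instead of including `django-app.appDefaultAnnotations`, so cron pods do not carry the `checksum/*` annotations; if that is intentional, a one-line comment saying so keeps the next reader from "fixing" it. The enclosing `range` over the cronjobs starts outside the hunk.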
--- a/toggle-django-helm/templates/worker-beat/deployment.yaml +++ b/toggle-django-helm/templates/worker-beat/deployment.yaml @@ -4,6 +4,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "django-app.fullname" . }}-worker-beat + {{- with (include "django-app.appDefaultDeploymentAnnotations" $) -}}{{ . | nindent 2 }}{{- end }} labels: app: {{ include "django-app.fullname" . }} component: worker-beat @@ -22,7 +23,12 @@ spec: labels: app: {{ include "django-app.fullname" . }} component: worker-beat + {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }} spec: + {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }} + {{- if .Values.serviceAccount.create }} + serviceAccountName: {{ include "django-app.serviceAccountName" $ }} + {{- end }} containers: - name: worker-beat {{- include "django-app.imageConfig" @@ -41,5 +47,6 @@ spec: (dict "Values" $.Values "Type" "worker" ) | nindent 12 }} + {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }} {{- end }} diff --git a/toggle-django-helm/templates/worker/deployment.yaml b/toggle-django-helm/templates/worker/deployment.yaml index 69f3bfe..b2444a4 100644 --- a/toggle-django-helm/templates/worker/deployment.yaml +++ b/toggle-django-helm/templates/worker/deployment.yaml @@ -7,6 +7,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "django-app.fullname" $ }}-worker-{{ $queue_name }} + {{- with (include "django-app.appDefaultDeploymentAnnotations" $) -}}{{ . | nindent 2 }}{{- end }} labels: app: {{ include "django-app.fullname" $ }} component: worker 
@@ -28,7 +29,12 @@ spec: app: {{ include "django-app.fullname" $ }} component: worker queue: {{ $queue_name }} + {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }} spec: + {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }} + {{- if $.Values.serviceAccount.create }} + serviceAccountName: {{ include "django-app.serviceAccountName" $ }} + {{- end }} containers: - name: worker command: @@ -51,6 +57,7 @@ spec: (dict "Values" $.Values "Type" "worker" ) | nindent 12 }} + {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }} {{- end }} diff --git a/toggle-django-helm/tests/values-1.yaml b/toggle-django-helm/tests/values-1.yaml index e80faee..88913ca 100644 --- a/toggle-django-helm/tests/values-1.yaml +++ b/toggle-django-helm/tests/values-1.yaml @@ -89,6 +89,15 @@ secrets: AWS_S3_BUCKET_STATIC_NAME: static-data AWS_S3_BUCKET_MEDIA_NAME: media-data +serviceAccountName: "secret-account" +serviceAccount: + create: true + annotations: + azure.workload.identity/client-id : "XXXXXXXX-YYYYYYYY" + labels: + azure.workload.identity/use: "true" + automountServiceAccountToken: true + extraManifests: - apiVersion: postgresql.cnpg.io/v1 kind: ScheduledBackup diff --git a/toggle-django-helm/tests/values-2.yaml b/toggle-django-helm/tests/values-2.yaml index 48b0c6f..dc30be9 100644 --- a/toggle-django-helm/tests/values-2.yaml +++ b/toggle-django-helm/tests/values-2.yaml 
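Review bot: `azure.workload.identity/client-id : "XXXXXXXX-YYYYYYYY"` in tests/values-1.yaml has a space before the colon; YAML parsers accept it, but yamllint's `colons` rule flags it and it reads as if the key carried trailing whitespace, so write `azure.workload.identity/client-id: "XXXXXXXX-YYYYYYYY"`. The placeholder is fine for a fixture, but a trailing `# placeholder, not a real client id` keeps it from being pasted into a real values file unchanged.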
@@ -1,9 +1,31 @@ environment: ALPHA +podLabels: + azure.workload.identity/use: "true" +podAnnotations: + aws.workload.identity/use: "true" + aws.workload.identity/use2: "true" + aws.workload.identity/use3: "true" + +podVolumes: + - name: my-stuff + csi: + driver: "secrets-store.csi.k8s.io" + readOnly: "true" + volumeAttributes: + secretProviderClass: my-secret-provider + +podVolumeMounts: + - name: my-secret + mountPath: /mnt/secrets-store + readOnly: true + image: name: ghcr.io/example/example tag: v1.0.1 imagePullPolicy: IfNotPresent + imagePullSecrets: + - name: regcred ingress: enabled: true @@ -137,6 +159,23 @@ secrets: AWS_S3_BUCKET_MEDIA_NAME: media-data +# Azure configurations +secretsStoreCsiDriver: + create: true + parameters: + usePodIdentity: "false" + clientID: "sample" + keyvaultName: "sample" + tenantId: "" + secretsKeyMap: + CACHE_REDIS_URL: CACHE-REDIS-URL + CELERY_BROKER_URL: CELERY-BROKER-URL + +serviceAccountName: "" +serviceAccount: + create: true + automountServiceAccountToken: true + extraEnvVars: - name: SPECIAL_LEVEL_KEY valueFrom: diff --git a/toggle-django-helm/tests/values-3.yaml b/toggle-django-helm/tests/values-3.yaml index 8f5fd50..5205a62 100644 --- a/toggle-django-helm/tests/values-3.yaml +++ b/toggle-django-helm/tests/values-3.yaml @@ -1,5 +1,10 @@ environment: ALPHA +podLabels: + azure.workload.identity/use: "true" +podAnnotations: + aws.workload.identity/use: "true" + image: name: ghcr.io/example/example tag: v1.0.1 diff --git a/toggle-django-helm/values.yaml b/toggle-django-helm/values.yaml index 8e441be..f1f5365 100644 --- a/toggle-django-helm/values.yaml +++ b/toggle-django-helm/values.yaml @@ -1,10 +1,17 @@ environment: PROD appTypeEnvName: "DJANGO_APP_TYPE" + +podLabels: {} +podAnnotations: {} +podVolumes: [] +podVolumeMounts: [] + image: {} # name: # tag: # imagePullPolicy: IfNotPresent + # imagePullSecrets: ingress: enabled: false 
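Review bot: The `podVolumes` sample sets `readOnly: "true"` as a string where `csi.readOnly` is a boolean in the Kubernetes API, and `podVolumeMounts` references `my-secret` while the only volume defined is `my-stuff`, so a pod rendered from this fixture is rejected (type mismatch, unknown volume) and the test never exercises the path it was added for. Use `readOnly: true` and the same name in both lists, e.g. `- name: my-stuff` under `podVolumeMounts`. In the second hunk `secretsStoreCsiDriver.create: true`, `clientID: "sample"`, `tenantId: ""` and `serviceAccount.create: true` together form the workload-identity configuration the chart now expects; a one-line comment above `# Azure configurations` saying so — and that the `secrets:` map above it is presumably no longer rendered into a Secret once `create` is true, if `config/secret.yaml` is its only consumer — would make the fixture self-explaining.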
@@ -96,11 +103,12 @@ rabbitmq: storageClass: api: - # Not required if global image are set + # Not required if root image are set image: {} # name: WORKER-SET-BY-CICD-IMAGE # tag: WORKER-SET-BY-CICD-TAG # imagePullPolicy: IfNotPresent + # imagePullSecrets: enabled: true replicaCount: 1 containerPort: 80 @@ -114,17 +122,19 @@ api: memory: 1Gi worker: - # Not required if global image are set + # Not required if root image are set image: {} # name: WORKER-SET-BY-CICD-IMAGE # tag: WORKER-SET-BY-CICD-TAG # imagePullPolicy: IfNotPresent + # imagePullSecrets: enabled: true beat: image: {} # name: WORKER-SET-BY-CICD-IMAGE # tag: WORKER-SET-BY-CICD-TAG # imagePullPolicy: IfNotPresent + # imagePullSecrets: command: ["celery", "-A", "myapp", "beat", "-l", "INFO"] resources: requests: @@ -138,6 +148,7 @@ worker: # name: WORKER-SET-BY-CICD-IMAGE # tag: WORKER-SET-BY-CICD-TAG # imagePullPolicy: IfNotPresent + # imagePullSecrets: enabled: false # Install flower package first command: ["celery", "-A", "myapp", "flower", "--port=8000"] resources: @@ -187,6 +198,7 @@ cronjobs: # name: CRONJOB-SET-BY-CICD-IMAGE # tag: CRONJOB-SET-BY-CICD-TAG # imagePullPolicy: IfNotPresent + # imagePullSecrets: defaultResources: requests: cpu: "1" @@ -202,13 +214,14 @@ cronjobs: # enabled: false # command: ["./manage.py", "run-dummy-command"] -# Not required if global image are set +# Not required if root image are set argoHook: enabled: true image: {} # name: WORKER-SET-BY-CICD-IMAGE # tag: WORKER-SET-BY-CICD-TAG # imagePullPolicy: IfNotPresent + # imagePullSecrets: resources: requests: cpu: "0.1" 
@@ -253,4 +266,23 @@ secrets: {} # AWS_S3_BUCKET_STATIC_NAME: static-data # AWS_S3_BUCKET_MEDIA_NAME: media-data +serviceAccountName: "" +serviceAccount: + create: false + annotations: {} + labels: {} + automountServiceAccountToken: true + +# Azure configurations +secretsStoreCsiDriverProviderName: "" +secretsStoreCsiDriver: + create: false + provider: azure # Only azure is supported + parameters: + usePodIdentity: "false" + clientID: "" + keyvaultName: "" + tenantId: "" + secretsKeyMap: {} # k8s Secret Key -> VaultKey + # extraManifests: [] or {}
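Review bot: `secretsStoreCsiDriverProviderName` is a top-level key while every other CSI setting lives under `secretsStoreCsiDriver`, and `serviceAccountName` sits outside `serviceAccount` the same way; both are easy to miss when reading values.yaml, and moving them to `secretsStoreCsiDriver.providerClassName` and `serviceAccount.name` before this ships avoids a breaking rename later. `automountServiceAccountToken: true` should default to `false` unless something in the chart needs the API token, with a comment naming it if so. `create: false` under `secretsStoreCsiDriver` deserves `# when true, config/secret.yaml is not rendered and the secrets map above is ignored; values come from Key Vault via secretsKeyMap`, since that coupling is otherwise only visible in the templates. `provider: azure # Only azure is supported` matches the parameter names below, but the template renders whatever is set; either hard-code `azure` in secrets-provider-class.yaml or reject other values with `fail`.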