diff --git a/mozcloud/application/Chart.yaml b/mozcloud/application/Chart.yaml
index 3d7b34a..f6260fb 100644
--- a/mozcloud/application/Chart.yaml
+++ b/mozcloud/application/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: mozcloud
 description: Opinionated application chart used to deploy MozCloud Kubernetes resources supporting resources
-version: 0.15.0
+version: 0.16.0
 type: application
 dependencies:
 - name: mozcloud-gateway-lib
diff --git a/mozcloud/application/README.md b/mozcloud/application/README.md
index 29daf35..a894bce 100644
--- a/mozcloud/application/README.md
+++ b/mozcloud/application/README.md
@@ -1,6 +1,6 @@
 # mozcloud
-![Version: 0.15.0](https://img.shields.io/badge/Version-0.15.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.16.0](https://img.shields.io/badge/Version-0.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 Opinionated application chart used to deploy MozCloud Kubernetes resources supporting resources
@@ -19,7 +19,7 @@ version: 0.1.0
 type: application
 dependencies:
 - name: mozcloud
- version: ~0.15.0
+ version: ~0.16.0
 repository: oci://us-west1-docker.pkg.dev/moz-fx-platform-artifacts/mozcloud-charts
 ```
@@ -65,10 +65,10 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 | tasks.common.container.command | list | `[]` | |
 | tasks.common.container.configMaps | list | `[]` | |
 | tasks.common.container.envVars | object | `{}` | |
-| tasks.common.container.externalSecrets | list | `[]` | |
 | tasks.common.container.image | object | `{}` | |
 | tasks.common.container.resources.cpu | string | `"100m"` | |
 | tasks.common.container.resources.memory | string | `"128Mi"` | |
+| tasks.common.container.secrets | list | `[]` | |
 | tasks.common.container.security | object | `{}` | |
 | tasks.common.container.volumes | list | `[]` | |
 | tasks.common.cronJob.jobHistory | object | `{}` | |
@@ -90,10 +90,10 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 | tasks.jobs.default.containers.default.command | list | `[]` | |
 | tasks.jobs.default.containers.default.configMaps | list | `[]` | |
 | tasks.jobs.default.containers.default.envVars | object | `{}` | |
-| tasks.jobs.default.containers.default.externalSecrets | list | `[]` | |
 | tasks.jobs.default.containers.default.image.repository | string | `""` | |
 | tasks.jobs.default.containers.default.image.tag | string | `""` | |
 | tasks.jobs.default.containers.default.resources | object | `{}` | |
+| tasks.jobs.default.containers.default.secrets | list | `[]` | |
 | tasks.jobs.default.containers.default.security | object | `{}` | |
 | tasks.jobs.default.containers.default.volumes | list | `[]` | |
 | tasks.jobs.default.generateName | bool | `false` | |
@@ -114,7 +114,6 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 | workloads.default.containers.default.command | list | `[]` | |
 | workloads.default.containers.default.configMaps | list | `[]` | |
 | workloads.default.containers.default.envVars | object | `{}` | |
-| workloads.default.containers.default.externalSecrets | list | `[]` | |
 | workloads.default.containers.default.healthCheck.liveness.enabled | bool | `true` | |
 | workloads.default.containers.default.healthCheck.liveness.httpHeaders | list | `[]` | |
 | workloads.default.containers.default.healthCheck.liveness.path | string | `"/__lbheartbeat__"` | |
@@ -136,6 +135,7 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 | workloads.default.containers.default.port | int | `8000` | |
 | workloads.default.containers.default.resources.cpu | string | `"100m"` | |
 | workloads.default.containers.default.resources.memory | string | `"128Mi"` | |
+| workloads.default.containers.default.secrets | list | `[]` | |
 | workloads.default.containers.default.security | object | `{}` | |
 | workloads.default.enabled | bool | `true` | |
 | workloads.default.hosts.default.addresses | list | `[]` | |
@@ -151,11 +151,11 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 | workloads.default.initContainers.default.command | list | `[]` | |
 | workloads.default.initContainers.default.configMaps | list | `[]` | |
 | workloads.default.initContainers.default.envVars | object | `{}` | |
-| workloads.default.initContainers.default.externalSecrets | list | `[]` | |
 | workloads.default.initContainers.default.image.repository | string | `""` | |
 | workloads.default.initContainers.default.image.tag | string | `""` | |
 | workloads.default.initContainers.default.resources.cpu | string | `"100m"` | |
 | workloads.default.initContainers.default.resources.memory | string | `"128Mi"` | |
+| workloads.default.initContainers.default.secrets | list | `[]` | |
 | workloads.default.initContainers.default.security | object | `{}` | |
 | workloads.default.initContainers.default.sidecar | bool | `false` | |
 | workloads.default.labels | object | `{}` | |
diff --git a/mozcloud/application/templates/_annotations.yaml b/mozcloud/application/templates/_annotations.yaml
index 9abcc18..0ec6e92 100644
--- a/mozcloud/application/templates/_annotations.yaml
+++ b/mozcloud/application/templates/_annotations.yaml
@@ -19,9 +19,9 @@ Returns:
 (string) YAML-encoded dict of merged annotations.
 */ -}}
 {{- define "mozcloud.annotations" -}}
-{{- $annotations := default (dict) .annotations -}}
+{{- $annotations := default dict .annotations -}}
 {{- $context := .context -}}
-{{- $otel := default (dict) .otel -}}
+{{- $otel := default dict .otel -}}
 {{- $type := .type -}}
 {{- $params := dict "annotations" $annotations "type" $type "otel" $otel -}}
 {{- if $otel -}}
@@ -126,7 +126,7 @@ Returns:
 {{ include "mozcloud.annotations.otel.resources" (dict "labels" $labels) }}
 {{- /* Auto instrumentation */}}
 {{- $autoInstrumentationAnnotations := dict }}
- {{- $containers := default (list) $config.containers }}
+ {{- $containers := default list $config.containers }}
 {{- $autoInstrumentationEnabled := and $containers (dig "autoInstrumentation" "enabled" false $config) ($config.autoInstrumentation).language }}
 {{- if $autoInstrumentationEnabled }}
 {{- $params := dict "containers" $containers "language" $config.autoInstrumentation.language }}
diff --git a/mozcloud/application/templates/_formatter.yaml b/mozcloud/application/templates/_formatter.yaml
index 5027f39..74c3590 100644
--- a/mozcloud/application/templates/_formatter.yaml
+++ b/mozcloud/application/templates/_formatter.yaml
@@ -250,7 +250,7 @@ Example:
 {{- /* Merge host configs with defaults */}}
 {{- $hostValues := $defaultWorkload.hosts -}}
 {{- $hosts := dict -}}
- {{- $configHosts := default (dict) $config.hosts -}}
+ {{- $configHosts := default dict $config.hosts -}}
 {{- range $hostName, $hostConfig := $configHosts -}}
 {{- $_ := set $hosts $hostName (mergeOverwrite ($hostValues.default | deepCopy) $hostConfig) -}}
 {{- end -}}
diff --git a/mozcloud/application/templates/_labels.yaml b/mozcloud/application/templates/_labels.yaml
index f8bdfc3..3b19213 100644
--- a/mozcloud/application/templates/_labels.yaml
+++ b/mozcloud/application/templates/_labels.yaml
@@ -55,7 +55,7 @@ Returns:
 {{- /* Generate labels */ -}}
 {{- $params := mergeOverwrite .context (dict "labels" .labels) -}}
 {{- $labels := include "mozcloud-labels-lib.labels" $params | fromYaml -}}
-{{- $labels = mergeOverwrite (default (dict) .labels) $labels -}}
+{{- $labels = mergeOverwrite (default dict .labels) $labels -}}
 {{- $_ := set $output "labels" $labels -}}
 {{- /* Generate selector labels */ -}}
 {{- $selectorLabels := include "mozcloud-labels-lib.selectorLabels" $params | fromYaml -}}
diff --git a/mozcloud/application/templates/_pod.yaml b/mozcloud/application/templates/_pod.yaml
index c32b41c..3040db3 100644
--- a/mozcloud/application/templates/_pod.yaml
+++ b/mozcloud/application/templates/_pod.yaml
@@ -41,7 +41,7 @@ Example:
 */ -}}
 {{- define "pod.container.resources" -}}
 {{- $requests := .requests -}}
-{{- $limits := default (dict) .limits -}}
+{{- $limits := default dict .limits -}}
 {{- $resources := dict "requests" .requests "limits" $limits -}}
 {{- /* Validate CPU requests and limits */ -}}
 {{- $requestSuffix := "" -}}
@@ -159,7 +159,7 @@ Returns:
 {{- define "pod.container.securityContext" -}}
 allowPrivilegeEscalation: false
 capabilities:
- {{- if gt (len (default (list) .addCapabilities)) 0 }}
+ {{- if gt (len (default list .addCapabilities)) 0 }}
 add:
 {{- range $capability := .addCapabilities }}
 - {{ $capability }}
diff --git a/mozcloud/application/templates/gateway/backend.yaml b/mozcloud/application/templates/gateway/backend.yaml
index fee1da4..ba6b266 100644
--- a/mozcloud/application/templates/gateway/backend.yaml
+++ b/mozcloud/application/templates/gateway/backend.yaml
@@ -25,9 +25,9 @@ Returns:
 {{- $provider := index (index .Values "cloud" | default dict) "provider" | default "gke" -}}
 backends:
 {{- range $workloadName, $workloadConfig := $workloads }}
- {{- range $hostName, $hostConfig := default (dict) $workloadConfig.hosts }}
+ {{- range $hostName, $hostConfig := default dict $workloadConfig.hosts }}
 {{- if $hostConfig.backends }}
- {{- range $backend := (default (list) $hostConfig.backends) }}
+ {{- range $backend := (default list $hostConfig.backends) }}
 {{ $backend.name }}:
 component: {{ $workloadConfig.component }}
 api: {{ default "gateway" $hostConfig.api }}
diff --git a/mozcloud/application/templates/gateway/gateway.yaml b/mozcloud/application/templates/gateway/gateway.yaml
index 5a2998b..8e5e818 100644
--- a/mozcloud/application/templates/gateway/gateway.yaml
+++ b/mozcloud/application/templates/gateway/gateway.yaml
@@ -48,7 +48,7 @@ Returns:
 {{- /* Collect all unique gateway configurations */}}
 {{- $gatewayConfigs := dict }}
 {{- range $workloadName, $workloadConfig := $workloads }}
- {{- range $hostName, $hostConfig := default (dict) $workloadConfig.hosts }}
+ {{- range $hostName, $hostConfig := default dict $workloadConfig.hosts }}
 {{- /* Skip if using a shared gateway */}}
 {{- if not ($hostConfig).sharedGateway }}
 {{- /* Build gateway configuration key based on unique attributes */}}
@@ -73,7 +73,7 @@ Returns:
 {{- end }}
 {{- $certs := list }}
 {{- if eq $hostConfig.type "external" }}
- {{- if gt (len (default (list) $hostConfig.tls.certs)) 0 }}
+ {{- if gt (len (default list $hostConfig.tls.certs)) 0 }}
 {{- $certs = $hostConfig.tls.certs }}
 {{- else }}
 {{- $certs = list (printf "%s-%s-%s" $globals.app_code $globals.realm $globals.env_code) }}
diff --git a/mozcloud/application/templates/gateway/httproute.yaml b/mozcloud/application/templates/gateway/httproute.yaml
index 3479594..0c1aade 100644
--- a/mozcloud/application/templates/gateway/httproute.yaml
+++ b/mozcloud/application/templates/gateway/httproute.yaml
@@ -27,7 +27,7 @@ Returns:
 {{- $workloads := .workloads -}}
 httpRoutes:
 {{- range $workloadName, $workloadConfig := $workloads }}
- {{- range $hostName, $hostConfig := default (dict) $workloadConfig.hosts }}
+ {{- range $hostName, $hostConfig := default dict $workloadConfig.hosts }}
 {{- if (($hostConfig).httpRoutes).createHttpRoutes }}
 {{ $hostName }}:
 component: {{ $workloadConfig.component }}
@@ -45,7 +45,7 @@ httpRoutes:
 {{- $hasMultipleTypes := false }}
 {{- $types := dict }}
 {{- range $wlName, $wlConfig := $workloads }}
- {{- range $hName, $hConfig := default (dict) $wlConfig.hosts }}
+ {{- range $hName, $hConfig := default dict $wlConfig.hosts }}
 {{- if not ($hConfig).sharedGateway }}
 {{- $_ := set $types $hConfig.type true }}
 {{- end }}
diff --git a/mozcloud/application/templates/gke/frontendconfig.yaml b/mozcloud/application/templates/gke/frontendconfig.yaml
index dde9a0c..a0f875c 100644
--- a/mozcloud/application/templates/gke/frontendconfig.yaml
+++ b/mozcloud/application/templates/gke/frontendconfig.yaml
@@ -24,7 +24,7 @@ Returns:
 {{- $workloads := .workloads }}
 frontendConfigs:
 {{- range $workloadName, $workloadConfig := $workloads }}
- {{- range $hostName, $hostConfig := default (dict) $workloadConfig.hosts }}
+ {{- range $hostName, $hostConfig := default dict $workloadConfig.hosts }}
 {{- if eq $hostConfig.type "external" }}
 {{ $hostName }}:
 component: {{ $workloadConfig.component }}
diff --git a/mozcloud/application/templates/ingress/ingress.yaml b/mozcloud/application/templates/ingress/ingress.yaml
index 616863d..cbbb24b 100644
--- a/mozcloud/application/templates/ingress/ingress.yaml
+++ b/mozcloud/application/templates/ingress/ingress.yaml
@@ -30,7 +30,7 @@ Returns:
 {{- $workloads := .workloads }}
 ingresses:
 {{- range $workloadName, $workloadConfig := $workloads }}
- {{- range $hostName, $hostConfig := default (dict) $workloadConfig.hosts }}
+ {{- range $hostName, $hostConfig := default dict $workloadConfig.hosts }}
 {{- if eq $hostConfig.type "external" }}
 {{ $hostName }}:
 component: {{ $workloadConfig.component }}
diff --git a/mozcloud/application/templates/task/_jobTemplate.yaml b/mozcloud/application/templates/task/_jobTemplate.yaml
index 39ab34d..be643a6 100644
--- a/mozcloud/application/templates/task/_jobTemplate.yaml
+++ b/mozcloud/application/templates/task/_jobTemplate.yaml
@@ -32,13 +32,13 @@ Returns:
 {{- define "mozcloud.job.jobTemplate" -}}
 {{- $common := deepCopy .common }}
 {{- $context := .context }}
-{{- $jobConfig := mergeOverwrite (default (dict) $common.job) .config }}
+{{- $jobConfig := mergeOverwrite (default dict $common.job) .config }}
 {{- $prefix := include "mozcloud.preview.prefix" $context }}
 {{- $volumes := dict }}
 {{- /* Compute labels for the pod template using the mozcloud-labels library */ -}}
 {{- $chartMetadata := dict "Chart" $context.Chart "Release" $context.Release }}
 {{- $labelParams := mergeOverwrite $chartMetadata (include "mozcloud.labelParams" $context | fromYaml) }}
-{{- $labelsParams := dict "context" (mergeOverwrite (deepCopy $context) $labelParams) "labels" (default (dict) $jobConfig.labels) }}
+{{- $labelsParams := dict "context" (mergeOverwrite (deepCopy $context) $labelParams) "labels" (default dict $jobConfig.labels) }}
 {{- $podLabels := (include "mozcloud.labels" $labelsParams | fromYaml).labels }}
 {{- if $jobConfig.activeDeadlineSeconds }}
 activeDeadlineSeconds: {{ $jobConfig.activeDeadlineSeconds }}
@@ -75,9 +75,9 @@ template:
 {{- $params = dict "containers" $jobConfig.containers "type" "containers" }}
 {{- $containers := include "mozcloud.formatter.containers" $params | fromYaml }}
 {{- range $containerName, $containerConfig := $containers }}
- {{- $containerConfig = mergeOverwrite (deepCopy (default (dict) $common.container)) $containerConfig }}
+ {{- $containerConfig = mergeOverwrite (deepCopy (default dict $common.container)) $containerConfig }}
 - name: {{ $containerName }}
- {{- $globalImage := default (dict) $context.Values.global.mozcloud.image }}
+ {{- $globalImage := default dict $context.Values.global.mozcloud.image }}
 {{- $imageRepo := default (($globalImage).repository) ($containerConfig.image).repository }}
 {{- $imageTag := default (($globalImage).tag) ($containerConfig.image).tag }}
 {{- if not $imageRepo }}
@@ -119,13 +119,13 @@ template:
 value: {{ $envVarValue | quote }}
 {{- end }}
 {{- end }}
- {{- if or $containerConfig.configMaps $containerConfig.externalSecrets }}
+ {{- if or $containerConfig.configMaps $containerConfig.secrets }}
 envFrom:
- {{- range $configMap := default (list) $containerConfig.configMaps }}
+ {{- range $configMap := default list $containerConfig.configMaps }}
 - configMapRef:
 name: {{ printf "%s%s" $prefix $configMap }}
 {{- end }}
- {{- range $secret := default (list) $containerConfig.externalSecrets }}
+ {{- range $secret := default list $containerConfig.secrets }}
 - secretRef:
 name: {{ printf "%s%s" $prefix $secret }}
 {{- end }}
diff --git a/mozcloud/application/templates/task/cronjob.yaml b/mozcloud/application/templates/task/cronjob.yaml
index ad44d10..aea0034 100644
--- a/mozcloud/application/templates/task/cronjob.yaml
+++ b/mozcloud/application/templates/task/cronjob.yaml
@@ -3,7 +3,7 @@
 {{- $context := deepCopy . }}
 {{- $globals := .Values.global.mozcloud }}
 {{- $labelParams := mergeOverwrite $chartMetadata (include "mozcloud.labelParams" . | fromYaml) }}
-{{- $formatterParams := mergeOverwrite (. | deepCopy) (dict "common" $common "cronJobs" (default (dict) .Values.tasks.cronJobs)) }}
+{{- $formatterParams := mergeOverwrite (. | deepCopy) (dict "common" $common "cronJobs" (default dict .Values.tasks.cronJobs)) }}
 {{- $cronJobs := include "mozcloud.task.formatter.cronJob" $formatterParams | fromYaml }}
 {{- if $cronJobs }}
 {{- $_ := set $context "component_code" "cronjob" -}}
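Review bot: Every entry of the renamed `secrets` list is rendered as `name: {{ printf "%s%s" $prefix $secret }}`, so the preview prefix from `mozcloud.preview.prefix` is applied to externally-managed secret names exactly as to chart-managed ones; if that prefix is non-empty in preview deployments, a `secretRef` to a Secret this chart does not create (the new test values call it `externally-managed-secret`) presumably points at a name that does not exist, and because `optional` is not set the pod would fail to start rather than run without it. The same rendering is in deployment.yaml (hunks at -220 and -369) and rollout.yaml (-226 and -375), and neither the templates nor the README tables say which naming the caller is expected to supply. I would state the contract above the range, e.g. `{{- /* secret names are rendered with the preview prefix; a secret not created by this chart must exist under the prefixed name */ -}}`, or resolve it by not prefixing names the chart does not manage. The enclosing `mozcloud.job.jobTemplate` define starts outside this hunk.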
@@ -15,10 +15,10 @@ kind: CronJob
 metadata:
 name: {{ $name }}
 labels:
- {{- $params := dict "context" (mergeOverwrite (deepCopy $context) $labelParams) "labels" (default (dict) $config.labels) }}
+ {{- $params := dict "context" (mergeOverwrite (deepCopy $context) $labelParams) "labels" (default dict $config.labels) }}
 {{- $labels := include "mozcloud.labels" $params | fromYaml }}
 {{- $labels.labels | toYaml | nindent 4 }}
- {{- $params = dict "annotations" (default (dict) $config.annotations) "context" ($context | deepCopy) "otel" ($config.otel) "type" "cronJob" }}
+ {{- $params = dict "annotations" (default dict $config.annotations) "context" ($context | deepCopy) "otel" ($config.otel) "type" "cronJob" }}
 {{- $annotations := include "mozcloud.annotations" $params | fromYaml }}
 {{- if $annotations }}
 annotations:
diff --git a/mozcloud/application/templates/task/job.yaml b/mozcloud/application/templates/task/job.yaml
index c7807eb..e608e46 100644
--- a/mozcloud/application/templates/task/job.yaml
+++ b/mozcloud/application/templates/task/job.yaml
@@ -3,7 +3,7 @@
 {{- $context := deepCopy . }}
 {{- $globals := .Values.global.mozcloud }}
 {{- $labelParams := mergeOverwrite $chartMetadata (include "mozcloud.labelParams" . | fromYaml) }}
-{{- $formatterParams := mergeOverwrite (. | deepCopy) (dict "common" $common "jobs" (default (dict) .Values.tasks.jobs)) }}
+{{- $formatterParams := mergeOverwrite (. | deepCopy) (dict "common" $common "jobs" (default dict .Values.tasks.jobs)) }}
 {{- $jobs := include "mozcloud.task.formatter.job" $formatterParams | fromYaml }}
 {{- if $jobs }}
 {{- $_ := set $context "component_code" "job" -}}
@@ -21,7 +21,7 @@ metadata:
 {{- end }}
 name: {{ $name }}
 labels:
- {{- $params := dict "context" (mergeOverwrite (deepCopy $context) $labelParams) "labels" (default (dict) $config.labels) }}
+ {{- $params := dict "context" (mergeOverwrite (deepCopy $context) $labelParams) "labels" (default dict $config.labels) }}
 {{- $labels := include "mozcloud.labels" $params | fromYaml }}
 {{- $labels.labels | toYaml | nindent 4 }}
 {{- $type := "" }}
@@ -32,7 +32,7 @@ metadata:
 {{- end }}
 {{- $params = dict "syncWave" (($config.argo).syncWave) "type" $type }}
 {{- $argoAnnotations := include "mozcloud.annotations.argo" $params | fromYaml }}
- {{- $params = dict "annotations" (mergeOverwrite $argoAnnotations (default (dict) $config.annotations)) "context" ($context | deepCopy) "type" "job" }}
+ {{- $params = dict "annotations" (mergeOverwrite $argoAnnotations (default dict $config.annotations)) "context" ($context | deepCopy) "type" "job" }}
 {{- $annotations := include "mozcloud.annotations" $params | fromYaml }}
 {{- if $annotations }}
 annotations:
diff --git a/mozcloud/application/templates/workload/deployment.yaml b/mozcloud/application/templates/workload/deployment.yaml
index 6156040..edde36a 100644
--- a/mozcloud/application/templates/workload/deployment.yaml
+++ b/mozcloud/application/templates/workload/deployment.yaml
@@ -76,7 +76,7 @@ spec:
 {{- if gt (keys $volumes | len) 0 }}
 {{- range $volumeName, $volumeConfig := $volumes }}
 {{- if eq $volumeConfig.type "configMap" }}
- {{- $configMapData := index (default (dict) $context.Values.configMaps) $volumeName }}
+ {{- $configMapData := index (default dict $context.Values.configMaps) $volumeName }}
 {{- if $configMapData }}
 {{- $checksumKey := printf "checksum/configmap-%s" $volumeName }}
 {{- $_ := set $configMapChecksums $checksumKey ($configMapData | toYaml | sha256sum) }}
@@ -208,7 +208,7 @@ spec:
 value: {{ $envVarValue | quote }}
 {{- end }}
 {{- end }}
- {{- if or $containerConfig.configMaps $defaultSecretEnabled $containerConfig.externalSecrets }}
+ {{- if or $containerConfig.configMaps $defaultSecretEnabled $containerConfig.secrets }}
 envFrom:
 {{- if $containerConfig.configMaps }}
 {{- range $configMap := $containerConfig.configMaps }}
@@ -220,10 +220,10 @@ spec:
 - secretRef:
 name: {{ $defaultSecretName }}
 {{- end }}
- {{- if $containerConfig.externalSecrets }}
- {{- range $externalSecret := $containerConfig.externalSecrets }}
+ {{- if $containerConfig.secrets }}
+ {{- range $secret := $containerConfig.secrets }}
 - secretRef:
- name: {{ printf "%s%s" $prefix $externalSecret }}
+ name: {{ printf "%s%s" $prefix $secret }}
 {{- end }}
 {{- end }}
 {{- end }}
@@ -357,7 +357,7 @@ spec:
 value: {{ $envVarValue | quote }}
 {{- end }}
 {{- end }}
- {{- if or $containerConfig.configMaps $defaultSecretEnabled $containerConfig.externalSecrets }}
+ {{- if or $containerConfig.configMaps $defaultSecretEnabled $containerConfig.secrets }}
 envFrom:
 {{- if $containerConfig.configMaps }}
 {{- range $configMap := $containerConfig.configMaps }}
@@ -369,10 +369,10 @@ spec:
 - secretRef:
 name: {{ $defaultSecretName }}
 {{- end }}
- {{- if $containerConfig.externalSecrets }}
- {{- range $externalSecret := $containerConfig.externalSecrets }}
+ {{- if $containerConfig.secrets }}
+ {{- range $secret := $containerConfig.secrets }}
 - secretRef:
- name: {{ printf "%s%s" $prefix $externalSecret }}
+ name: {{ printf "%s%s" $prefix $secret }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/mozcloud/application/templates/workload/rollout.yaml b/mozcloud/application/templates/workload/rollout.yaml
index 728b5c5..51516fa 100644
--- a/mozcloud/application/templates/workload/rollout.yaml
+++ b/mozcloud/application/templates/workload/rollout.yaml
@@ -82,7 +82,7 @@ spec:
 {{- if gt (keys $volumes | len) 0 }}
 {{- range $volumeName, $volumeConfig := $volumes }}
 {{- if eq $volumeConfig.type "configMap" }}
- {{- $configMapData := index (default (dict) $context.Values.configMaps) $volumeName }}
+ {{- $configMapData := index (default dict $context.Values.configMaps) $volumeName }}
 {{- if $configMapData }}
 {{- $checksumKey := printf "checksum/configmap-%s" $volumeName }}
 {{- $_ := set $configMapChecksums $checksumKey ($configMapData | toYaml | sha256sum) }}
@@ -214,7 +214,7 @@ spec:
 value: {{ $envVarValue | quote }}
 {{- end }}
 {{- end }}
- {{- if or $containerConfig.configMaps $defaultSecretEnabled $containerConfig.externalSecrets }}
+ {{- if or $containerConfig.configMaps $defaultSecretEnabled $containerConfig.secrets }}
 envFrom:
 {{- if $containerConfig.configMaps }}
 {{- range $configMap := $containerConfig.configMaps }}
@@ -226,10 +226,10 @@ spec:
 - secretRef:
 name: {{ $defaultSecretName }}
 {{- end }}
- {{- if $containerConfig.externalSecrets }}
- {{- range $externalSecret := $containerConfig.externalSecrets }}
+ {{- if $containerConfig.secrets }}
+ {{- range $secret := $containerConfig.secrets }}
 - secretRef:
- name: {{ printf "%s%s" $prefix $externalSecret }}
+ name: {{ printf "%s%s" $prefix $secret }}
 {{- end }}
 {{- end }}
 {{- end }}
@@ -363,7 +363,7 @@ spec:
 value: {{ $envVarValue | quote }}
 {{- end }}
 {{- end }}
- {{- if or $containerConfig.configMaps $defaultSecretEnabled $containerConfig.externalSecrets }}
+ {{- if or $containerConfig.configMaps $defaultSecretEnabled $containerConfig.secrets }}
 envFrom:
 {{- if $containerConfig.configMaps }}
 {{- range $configMap := $containerConfig.configMaps }}
@@ -375,10 +375,10 @@ spec:
 - secretRef:
 name: {{ $defaultSecretName }}
 {{- end }}
- {{- if $containerConfig.externalSecrets }}
- {{- range $externalSecret := $containerConfig.externalSecrets }}
+ {{- if $containerConfig.secrets }}
+ {{- range $secret := $containerConfig.secrets }}
 - secretRef:
- name: {{ printf "%s%s" $prefix $externalSecret }}
+ name: {{ printf "%s%s" $prefix $secret }}
 {{- end }}
 {{- end }}
 {{- end }}
diff --git a/mozcloud/application/tests/__snapshot__/external-secrets_test.yaml.snap b/mozcloud/application/tests/__snapshot__/external-secrets_test.yaml.snap
index 5329972..3826426 100644
--- a/mozcloud/application/tests/__snapshot__/external-secrets_test.yaml.snap
+++ b/mozcloud/application/tests/__snapshot__/external-secrets_test.yaml.snap
@@ -66,6 +66,151 @@ Configuration matches entire snapshot:
 creationPolicy: Owner
 name: test-k8s-secret
 3: |
+ apiVersion: batch/v1
+ kind: CronJob
+ metadata:
+ labels:
+ app.kubernetes.io/component: cronjob
+ app.kubernetes.io/managed-by: argocd
+ app.kubernetes.io/name: mozcloud-test
+ app_code: mozcloud-test
+ component_code: cronjob
+ env_code: dev
+ helm.sh/chart: test-chart
+ mozcloud_chart: mozcloud
+ mozcloud_chart_version: 1.0.0
+ realm: nonprod
+ name: test-cronjob
+ spec:
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ backoffLimit: 6
+ parallelism: 1
+ template:
+ metadata:
+ annotations:
+ resource.opentelemetry.io/app_code: mozcloud-test
+ resource.opentelemetry.io/component_code: cronjob
+ resource.opentelemetry.io/env_code: dev
+ resource.opentelemetry.io/realm: nonprod
+ labels:
+ app.kubernetes.io/component: cronjob
+ app.kubernetes.io/managed-by: argocd
+ app.kubernetes.io/name: mozcloud-test
+ app_code: mozcloud-test
+ component_code: cronjob
+ env_code: dev
+ helm.sh/chart: test-chart
+ mozcloud_chart: mozcloud
+ mozcloud_chart_version: 1.0.0
+ realm: nonprod
+ spec:
+ containers:
+ - envFrom:
+ - secretRef:
+ name: test-k8s-secret
+ - secretRef:
+ name: externally-managed-secret
+ image: test-repo/test-image:1.0.0
+ imagePullPolicy: Always
+ name: job
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: Never
+ securityContext:
+ runAsGroup: 10001
+ runAsNonRoot: true
+ runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
+ schedule: 0 * * * *
+ successfulJobsHistoryLimit: 1
+ 4: |
+ apiVersion: batch/v1
+ kind: Job
+ metadata:
+ annotations:
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation,HookSucceeded
+ argocd.argoproj.io/sync-wave: "-1"
+ labels:
+ app.kubernetes.io/component: job
+ app.kubernetes.io/managed-by: argocd
+ app.kubernetes.io/name: mozcloud-test
+ app_code: mozcloud-test
+ component_code: job
+ env_code: dev
+ helm.sh/chart: test-chart
+ mozcloud_chart: mozcloud
+ mozcloud_chart_version: 1.0.0
+ realm: nonprod
+ name: test-job
+ spec:
+ backoffLimit: 6
+ parallelism: 1
+ template:
+ metadata:
+ annotations:
+ resource.opentelemetry.io/app_code: mozcloud-test
+ resource.opentelemetry.io/component_code: job
+ resource.opentelemetry.io/env_code: dev
+ resource.opentelemetry.io/realm: nonprod
+ labels:
+ app.kubernetes.io/component: job
+ app.kubernetes.io/managed-by: argocd
+ app.kubernetes.io/name: mozcloud-test
+ app_code: mozcloud-test
+ component_code: job
+ env_code: dev
+ helm.sh/chart: test-chart
+ mozcloud_chart: mozcloud
+ mozcloud_chart_version: 1.0.0
+ realm: nonprod
+ spec:
+ containers:
+ - envFrom:
+ - secretRef:
+ name: test-k8s-secret
+ - secretRef:
+ name: externally-managed-secret
+ image: test-repo/test-image:1.0.0
+ imagePullPolicy: Always
+ name: job
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ restartPolicy: Never
+ securityContext:
+ runAsGroup: 10001
+ runAsNonRoot: true
+ runAsUser: 10001
+ seccompProfile:
+ type: RuntimeDefault
+ 5: |
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -193,6 +338,74 @@ Configuration matches entire snapshot:
 - ALL
 seccompProfile:
 type: RuntimeDefault
+ - envFrom:
+ - secretRef:
+ name: test-chart-secrets
+ - secretRef:
+ name: externally-managed-secret
+ image: test-repo/test-image:1.0.0
+ imagePullPolicy: Always
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /__lbheartbeat__
+ port: external
+ initialDelaySeconds: 10
+ periodSeconds: 6
+ successThreshold: 1
+ timeoutSeconds: 5
+ name: external
+ ports:
+ - containerPort: 8000
+ name: external
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /__lbheartbeat__
+ port: external
+ initialDelaySeconds: 10
+ periodSeconds: 6
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - envFrom:
+ - secretRef:
+ name: test-chart-secrets
+ - secretRef:
+ name: test-k8s-secret
+ - secretRef:
+ name: externally-managed-secret
+ image: test-repo/test-image:1.0.0
+ imagePullPolicy: Always
+ name: init
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 securityContext:
 runAsGroup: 10001
 runAsNonRoot: true
diff --git a/mozcloud/application/tests/external-secrets_test.yaml b/mozcloud/application/tests/external-secrets_test.yaml
index 3d9444b..59964a1 100644
--- a/mozcloud/application/tests/external-secrets_test.yaml
+++ b/mozcloud/application/tests/external-secrets_test.yaml
@@ -14,6 +14,8 @@ values:
 templates:
 - externalsecret/externalsecret.yaml
 - workload/deployment.yaml
+ - task/job.yaml
+ - task/cronjob.yaml
 tests:
 - it: Ensure no failures occur
 asserts:
@@ -63,7 +65,7 @@ tests:
 - lengthEqual:
 path: spec.template.spec.containers[?(@.name=="app")].envFrom
 count: 1
- - it: Default and custom secrets in custom container
+ - it: Default and chart-managed secrets in custom container
 template: workload/deployment.yaml
 documentSelector:
 path: $[?(@.kind == "Deployment")].metadata.name
@@ -78,3 +80,66 @@ tests: - lengthEqual: path: spec.template.spec.containers[?(@.name=="custom")].envFrom count: 2 + - it: Default and externally-managed secrets in external container + template: workload/deployment.yaml + documentSelector: + path: $[?(@.kind == "Deployment")].metadata.name + value: test-service + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=="external")].envFrom[0].secretRef.name + value: test-chart-secrets + - equal: + path: spec.template.spec.containers[?(@.name=="external")].envFrom[1].secretRef.name + value: externally-managed-secret + - lengthEqual: + path: spec.template.spec.containers[?(@.name=="external")].envFrom + count: 2 + - it: Init container mounts default, chart-managed, and externally-managed secrets + template: workload/deployment.yaml + documentSelector: + path: $[?(@.kind == "Deployment")].metadata.name + value: test-service + asserts: + - equal: + path: spec.template.spec.initContainers[?(@.name=="init")].envFrom[0].secretRef.name + value: test-chart-secrets + - equal: + path: spec.template.spec.initContainers[?(@.name=="init")].envFrom[1].secretRef.name + value: test-k8s-secret + - equal: + path: spec.template.spec.initContainers[?(@.name=="init")].envFrom[2].secretRef.name + value: externally-managed-secret + - lengthEqual: + path: spec.template.spec.initContainers[?(@.name=="init")].envFrom + count: 3 + - it: Job container mounts chart-managed and externally-managed secrets + template: task/job.yaml + documentSelector: + path: $[?(@.kind == "Job")].metadata.name + value: test-job + asserts: + - equal: + path: spec.template.spec.containers[?(@.name=="job")].envFrom[0].secretRef.name + value: test-k8s-secret + - equal: + path: spec.template.spec.containers[?(@.name=="job")].envFrom[1].secretRef.name + value: externally-managed-secret + - lengthEqual: + path: spec.template.spec.containers[?(@.name=="job")].envFrom + count: 2 + - it: CronJob container mounts chart-managed and externally-managed secrets + 
template: task/cronjob.yaml + documentSelector: + path: $[?(@.kind == "CronJob")].metadata.name + value: test-cronjob + asserts: + - equal: + path: spec.jobTemplate.spec.template.spec.containers[?(@.name=="job")].envFrom[0].secretRef.name + value: test-k8s-secret + - equal: + path: spec.jobTemplate.spec.template.spec.containers[?(@.name=="job")].envFrom[1].secretRef.name + value: externally-managed-secret + - lengthEqual: + path: spec.jobTemplate.spec.template.spec.containers[?(@.name=="job")].envFrom + count: 2 diff --git a/mozcloud/application/tests/values/external-secrets.yaml b/mozcloud/application/tests/values/external-secrets.yaml index 42ca6cc..89dfcd4 100644 --- a/mozcloud/application/tests/values/external-secrets.yaml +++ b/mozcloud/application/tests/values/external-secrets.yaml @@ -13,7 +13,47 @@ workloads: repository: test-repo/test-image tag: 1.0.0 custom: - externalSecrets: ["test-k8s-secret"] + secrets: + - test-k8s-secret image: repository: test-repo/test-image tag: 1.0.0 + external: + secrets: + - externally-managed-secret + image: + repository: test-repo/test-image + tag: 1.0.0 + initContainers: + init: + image: + repository: test-repo/test-image + tag: 1.0.0 + secrets: + - test-k8s-secret + - externally-managed-secret + +tasks: + jobs: + test-job: + type: preDeployment + containers: + job: + image: + repository: test-repo/test-image + tag: 1.0.0 + secrets: + - test-k8s-secret + - externally-managed-secret + cronJobs: + test-cronjob: + schedule: "0 * * * *" + jobConfig: + containers: + job: + image: + repository: test-repo/test-image + tag: 1.0.0 + secrets: + - test-k8s-secret + - externally-managed-secret diff --git a/mozcloud/application/tests/values/preview-all-resources.yaml b/mozcloud/application/tests/values/preview-all-resources.yaml index 71218e0..d68de99 100644 --- a/mozcloud/application/tests/values/preview-all-resources.yaml +++ b/mozcloud/application/tests/values/preview-all-resources.yaml 
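Review bot: The new `external`, `init`, Job and CronJob cases assert only the `secretRef.name` of each `envFrom` entry, so they do not pin whether a reference to a secret the chart does not manage (`externally-managed-secret`) is rendered with or without `optional: true`; a missing secret without `optional` keeps the pod from starting, so whichever behaviour the template intends should be asserted explicitly. A single added assertion per case would do, e.g. `- isNull:` / `path: spec.template.spec.containers[?(@.name=="external")].envFrom[1].secretRef.optional` (or its `equal: true` counterpart). The deployment and job templates are not part of this diff, so the expected value is for the author to confirm.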
@@ -31,7 +31,7 @@ tasks: tag: 1.0.0 configMaps: - app-config - externalSecrets: + secrets: - app-external-secret # Workload @@ -45,7 +45,7 @@ workloads: tag: 1.0.0 configMaps: - app-config - externalSecrets: + secrets: - app-external-secret hosts: api-host: diff --git a/mozcloud/application/values.schema.json b/mozcloud/application/values.schema.json index 9ddac00..882eec5 100644 --- a/mozcloud/application/values.schema.json +++ b/mozcloud/application/values.schema.json @@ -1059,12 +1059,6 @@ "type": "string" } }, - "externalSecrets": { - "type": "array", - "items": { - "type": "string" - } - }, "image": { "type": "object", "additionalProperties": false, @@ -1095,6 +1089,12 @@ } } }, + "secrets": { + "type": "array", + "items": { + "type": "string" + } + }, "security": { "type": "object", "additionalProperties": false, diff --git a/mozcloud/application/values.yaml b/mozcloud/application/values.yaml index 8690f5f..471246f 100644 --- a/mozcloud/application/values.yaml +++ b/mozcloud/application/values.yaml 
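Review bot: The `secrets` property added to values.schema.json accepts any string, including `""`, which would render an empty `secretRef.name`; `"items": { "type": "string", "minLength": 1 }` rejects that at `helm` validation time rather than at pod creation. Because the container-level `externalSecrets` property is removed in the preceding hunk, whether a tenant's stale `externalSecrets` list fails validation or is silently ignored depends on the enclosing container object's `additionalProperties`, which is outside this hunk; it is worth confirming it is `false` so the rename cannot silently stop secrets from being mounted. A one-line migration note for tenants upgrading to 0.16.0 (container-level `externalSecrets` is now `secrets`) would also help.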
@@ -90,15 +90,19 @@ preview: # ORIGIN: "https://{{ .Values.global.hostname }}/" configMaps: {} -# External secret names and versions to mount in containers. +# External secrets to sync from Google Secret Manager (GSM) into Kubernetes +# secrets. Each entry here creates an ExternalSecret resource that produces a +# Kubernetes secret. The key name (e.g. "kubernetes-secret-name") becomes the +# name of the resulting Kubernetes secret. Use that same name in the `secrets` +# list within container and init container configurations to mount the contents +# of that secret as environment variables. # # Format: # # externalSecrets: -# # This is the name of the Kubernetes secret you will be mounting to -# # workload and/or job containers as environment variables. This is the -# # name you will reference in `externalSecrets` sections in container -# # configurations. +# # This is the name of the resulting Kubernetes secret. Reference this +# # same name in the `secrets` list of any container or init container +# # configuration to have it mounted as environment variables. # kubernetes-secret-name: # # This should be the name of the secret in Google Secret Manager (GSM). # gsmSecretName: '' @@ -247,7 +251,7 @@ tasks: command: [] configMaps: [] envVars: {} - externalSecrets: [] + secrets: [] image: {} resources: cpu: 100m 
@@ -446,24 +450,23 @@ tasks: # KEY2: VALUE2 envVars: {} - # A list of external secret names and versions to mount in containers. - # External secrets can be defined using the externalSecrets key above. + # A list of Kubernetes secret names to mount in this container as + # environment variables. Each entry is the name of a Kubernetes secret + # whose contents will be injected via envFrom. # - # By default an external secret called "app-secrets" will be created. This - # will map to a GSM secret called "xxxx-gke-app-secrets" where "xxxx" is - # the value defined in `.Values.global.mozcloud.env_code` (ie. "dev", - # "stage", "prod"). There will be a corresponding Kubernetes secret called - # "app-secrets" which will automatically be mounted in your app container - # using the "latest" version. + # Kubernetes secrets managed by this chart are defined in the top-level + # `externalSecrets` section. The key name you define there is the + # Kubernetes secret name to reference here. # - # Any secrets you define here will be created IN ADDITION to that secret. + # You may also reference any Kubernetes secret not managed by this + # chart (e.g. secrets created externally). # # Format: # - # externalSecrets: - # - external-secret-name - # - another-external-secret-name - externalSecrets: [] + # secrets: + # - kubernetes-secret-name + # - another-kubernetes-secret-name + secrets: [] # The image repo, name, and tag to use for the container. The format is: # 
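Review bot: The tasks container comment does not say whether the chart's default secret is mounted in task containers, while the parallel workloads and init-container comments at `@@ -820` and `@@ -1358` do; the new Job and CronJob tests assert exactly the two listed secrets, which suggests the default is not mounted for tasks, so a line such as `# Note: the default Kubernetes secret is not mounted in task containers; list it here if needed.` would make the asymmetry explicit (confirm against task/job.yaml, which this diff does not show). It would also be worth stating that `envFrom` exposes every key of a referenced secret to the container as environment variables, so a tenant referencing a secret the chart does not manage should check it holds only the keys that container needs.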
@@ -820,25 +823,27 @@ workloads: # KEY2: VALUE2 envVars: {} - # A list of external secret names and versions to mount in containers. - # External secrets can be defined using the externalSecrets key above. + # A list of Kubernetes secret names to mount in this container as + # environment variables. Each entry is the name of a Kubernetes secret + # whose contents will be injected via envFrom. # - # By default an external secret called "app-secrets" will be created. - # This will map to a GSM secret called "xxxx-gke-app-secrets" where - # "xxxx" is the value defined in `.Values.global.mozcloud.env_code` - # (ie. "dev", "stage", "prod"). There will be a corresponding - # Kubernetes secret called "app-secrets" which will automatically - # be mounted in your app container using the "latest" version. + # Kubernetes secrets managed by this chart are defined in the top-level + # `externalSecrets` section. The key name you define there is the + # Kubernetes secret name to reference here. # - # Any secrets you define here will be created IN ADDITION to that - # secret. + # You may also reference any Kubernetes secret not managed by this + # chart (e.g. secrets created externally). + # + # Note: the default Kubernetes secret ("-secrets") is automatically + # mounted in all containers (if enabled) and does not need to be listed + # here. See the top-level `externalSecrets` section to disable it. # # Format: # - # externalSecrets: - # - external-secret-name - # - another-external-secret-name - externalSecrets: [] + # secrets: + # - kubernetes-secret-name + # - another-kubernetes-secret-name + secrets: [] # Health check configurations for the container. healthCheck: 
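Review bot: The new note `# Note: the default Kubernetes secret ("-secrets") is automatically` names the default secret as `"-secrets"` with nothing before the hyphen, which reads like a lost placeholder; the deployment tests in this change expect `test-chart-secrets` as the first `envFrom` entry, so the comment should spell out the actual naming rule, e.g. `# Note: the default Kubernetes secret ("<release-or-chart-name>-secrets") is automatically` with the exact prefix confirmed against the template. The same text appears in the init-container hunk at `@@ -1358,25 +1363,27 @@`.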
@@ -1358,25 +1363,27 @@ workloads: # KEY2: VALUE2 envVars: {} - # A list of external secret names and versions to mount in containers. - # External secrets can be defined using the externalSecrets key above. + # A list of Kubernetes secret names to mount in this init container as + # environment variables. Each entry is the name of a Kubernetes secret + # whose contents will be injected via envFrom. + # + # Kubernetes secrets managed by this chart are defined in the top-level + # `externalSecrets` section. The key name you define there is the + # Kubernetes secret name to reference here. # - # By default an external secret called "app-secrets" will be created. - # This will map to a GSM secret called "xxxx-gke-app-secrets" where - # "xxxx" is the value defined in `.Values.global.mozcloud.env_code` - # (ie. "dev", "stage", "prod"). There will be a corresponding - # Kubernetes secret called "app-secrets" which will automatically - # be mounted in your app container using the "latest" version. + # You may also reference any Kubernetes secret not managed by this + # chart (e.g. secrets created externally). # - # Any secrets you define here will be created IN ADDITION to that - # secret. + # Note: the default Kubernetes secret ("-secrets") is automatically + # mounted in all init containers (if enabled) and does not need to be + # listed here. See the top-level `externalSecrets` section to disable it. # # Format: # - # externalSecrets: - # - external-secret-name - # - another-external-secret-name - externalSecrets: [] + # secrets: + # - kubernetes-secret-name + # - another-kubernetes-secret-name + secrets: [] # The image repo, name, and tag to use for the container. The format is: #