Merge pull request #2 from ldornele/HYPERFLEET-273

[HYPERFLEET-273]: Implement MVP pull-secret job for GCP Secret Manager with Helm deployment

Author: ciaranRoche

charts/pull-secret/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/pull-secret/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: pull-secret
+description: HyperFleet Pull Secret Adapter - Manages pull secrets in GCP Secret Manager
+type: application
+version: 0.1.0
+appVersion: "1.0"
+keywords:
+  - hyperfleet
+  - pull-secret
+  - gcp
+  - secret-manager
+maintainers:
+  - name: HyperFleet Team

charts/pull-secret/README.md

@@ -0,0 +1,193 @@
+# Pull Secret Adapter Helm Chart
+
+This Helm chart deploys the HyperFleet Pull Secret Adapter as a Kubernetes Job on GKE.
+
+## Prerequisites
+
+1. **Helm 3.x installed**
+   ```bash
+   curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+   ```
+
+2. **kubectl configured for your GKE cluster**
+   ```bash
+   gcloud container clusters get-credentials YOUR_CLUSTER_NAME \
+     --zone=YOUR_ZONE \
+     --project=YOUR_PROJECT_ID
+   ```
+
+3. **Workload Identity configured**
+   - Service Account: `your-service-account@your-project.iam.gserviceaccount.com`
+   - Workload Pool: `your-project.svc.id.goog`
+
+## Installation
+
+### Quick Start
+
+Deploy with default values:
+
+```bash
+helm install pullsecret-job ./charts/pull-secret \
+  --namespace hyperfleet-system \
+  --create-namespace
+```
+
+### Custom Values
+
+Deploy with custom configuration:
+
+```bash
+helm install pullsecret-job ./charts/pull-secret \
+  --namespace hyperfleet-system \
+  --create-namespace \
+  --set env.gcpProjectId=my-project \
+  --set env.clusterId=my-cluster-123 \
+  --set env.pullSecretData='{"auths":{...}}' \
+  --set image.tag=latest
+```
+
+### Using a Values File
+
+Create a custom values file (`my-values.yaml`):
+
+```yaml
+env:
+  gcpProjectId: "my-gcp-project"
+  clusterId: "my-cluster-123"
+  secretName: "hyperfleet-my-cluster-123-pull-secret"
+  pullSecretData: '{"auths":{"registry.example.com":{"auth":"...","email":"user@example.com"}}}'
+
+serviceAccount:
+  gcpServiceAccount: "my-service-account@my-project.iam.gserviceaccount.com"
+
+image:
+  tag: "v1.0.0"
+```
+
+Then install:
+
+```bash
+helm install pullsecret-job ./charts/pull-secret \
+  --namespace hyperfleet-system \
+  --create-namespace \
+  -f my-values.yaml
+```
+
+## Configuration
+
+The following table lists the configurable parameters:
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `namespace` | Kubernetes namespace | `hyperfleet-system` |
+| `job.name` | Job name | `pullsecret-job` |
+| `job.backoffLimit` | Number of retries on failure | `3` |
+| `job.ttlSecondsAfterFinished` | Cleanup delay after completion | `3600` (1 hour) |
+| `image.repository` | Container image repository | `quay.io/hyperfleet/pull-secret` |
+| `image.tag` | Container image tag | `latest` |
+| `image.pullPolicy` | Image pull policy | `Always` |
+| `serviceAccount.name` | Kubernetes ServiceAccount name | `pullsecret-adapter` |
+| `serviceAccount.gcpServiceAccount` | GCP service account for Workload Identity | `your-service-account@your-project.iam.gserviceaccount.com` |
+| `env.gcpProjectId` | GCP project ID | `your-gcp-project` |
+| `env.clusterId` | Cluster identifier | `your-cluster-id` |
+| `env.secretName` | Secret name in GCP Secret Manager | `hyperfleet-your-cluster-id-pull-secret` |
+| `env.pullSecretData` | Pull secret JSON data (required) | `{"auths":{...}}` |
+| `resources.requests.cpu` | CPU request | `100m` |
+| `resources.requests.memory` | Memory request | `128Mi` |
+| `resources.limits.cpu` | CPU limit | `500m` |
+| `resources.limits.memory` | Memory limit | `512Mi` |
+
+## Usage
+
+### Monitoring
+
+Check job status:
+```bash
+helm status pullsecret-job -n hyperfleet-system
+kubectl get job pullsecret-job -n hyperfleet-system
+```
+
+View logs:
+```bash
+kubectl logs -f job/pullsecret-job -n hyperfleet-system
+```
+
+### Upgrading
+
+Upgrade the deployment with new values:
+```bash
+helm upgrade pullsecret-job ./charts/pull-secret \
+  --namespace hyperfleet-system \
+  --set image.tag=v1.1.0
+```
+
+### Uninstalling
+
+Remove the job:
+```bash
+helm uninstall pullsecret-job -n hyperfleet-system
+```
+
+## Dry Run Mode
+
+Test without creating secrets:
+```bash
+helm install pullsecret-job ./charts/pull-secret \
+  --namespace hyperfleet-system \
+  --dry-run --debug
+```
+
+## Troubleshooting
+
+### View rendered templates
+```bash
+helm template pullsecret-job ./charts/pull-secret
+```
+
+### Check deployment issues
+```bash
+kubectl describe job pullsecret-job -n hyperfleet-system
+kubectl get events -n hyperfleet-system --sort-by='.lastTimestamp'
+```
+
+### Authentication errors
+
+Verify Workload Identity binding:
+```bash
+# Check ServiceAccount
+kubectl get sa pullsecret-adapter -n hyperfleet-system -o yaml
+
+# Check GCP IAM binding
+gcloud iam service-accounts get-iam-policy \
+  your-service-account@your-project.iam.gserviceaccount.com \
+  --project=your-project
+```
+
+## Development
+
+### Linting
+
+Lint the chart:
+```bash
+helm lint ./charts/pull-secret
+```
+
+### Testing
+
+Test template rendering:
+```bash
+helm template test-release ./charts/pull-secret --debug
+```
+
+### Packaging
+
+Package the chart:
+```bash
+helm package ./charts/pull-secret
+```
+
+## References
+
+- [Helm Documentation](https://helm.sh/docs/)
+- [GKE Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
+- [Kubernetes Jobs](https://kubernetes.io/docs/concepts/workloads/controllers/job/)

charts/pull-secret/templates/_helpers.tpl

@@ -0,0 +1,57 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "pull-secret.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "pull-secret.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "pull-secret.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "pull-secret.labels" -}}
+helm.sh/chart: {{ include "pull-secret.chart" . }}
+{{ include "pull-secret.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "pull-secret.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "pull-secret.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app: {{ .Values.labels.app }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "pull-secret.serviceAccountName" -}}
+{{- default "pullsecret-adapter" .Values.serviceAccount.name }}
+{{- end }}

charts/pull-secret/templates/job.yaml

@@ -0,0 +1,35 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Values.job.name }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "pull-secret.labels" . | nindent 4 }}
+    job-type: {{ .Values.labels.jobType }}
+spec:
+  backoffLimit: {{ .Values.job.backoffLimit }}
+  ttlSecondsAfterFinished: {{ .Values.job.ttlSecondsAfterFinished }}
+  template:
+    metadata:
+      labels:
+        {{- include "pull-secret.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "pull-secret.serviceAccountName" . }}
+      restartPolicy: {{ .Values.job.restartPolicy }}
+      containers:
+      - name: pull-secret
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        env:
+        - name: GCP_PROJECT_ID
+          value: {{ .Values.env.gcpProjectId | quote }}
+        - name: CLUSTER_ID
+          value: {{ .Values.env.clusterId | quote }}
+        - name: SECRET_NAME
+          value: {{ .Values.env.secretName | quote }}
+        - name: PULL_SECRET_DATA
+          value: {{ .Values.env.pullSecretData | quote }}
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}

charts/pull-secret/templates/serviceaccount.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "pull-secret.serviceAccountName" . }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "pull-secret.labels" . | nindent 4 }}
+  annotations:
+    iam.gke.io/gcp-service-account: {{ .Values.serviceAccount.gcpServiceAccount }}