
feat: add hostNetwork option for controller/certController in helm chart (#2269)

Signed-off-by: Moritz Johner <Moritz.Johner@form3.tech>
Moritz Johner пре 3 година

+ 2 - 0
deploy/charts/external-secrets/README.md

@@ -43,6 +43,7 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.extraVolumeMounts | list | `[]` |  |
 | certController.extraVolumes | list | `[]` |  |
 | certController.fullnameOverride | string | `""` |  |
+| certController.hostNetwork | bool | `false` | Run the certController on the host network |
 | certController.image.pullPolicy | string | `"IfNotPresent"` |  |
 | certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
 | certController.image.tag | string | `""` |  |
@@ -98,6 +99,7 @@ The command removes all the Kubernetes components associated with the chart and
 | extraVolumeMounts | list | `[]` |  |
 | extraVolumes | list | `[]` |  |
 | fullnameOverride | string | `""` |  |
+| hostNetwork | bool | `false` | Run the controller on the host network |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
 | image.tag | string | `""` | The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |

+ 1 - 0
deploy/charts/external-secrets/templates/cert-controller-deployment.yaml

@@ -38,6 +38,7 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      hostNetwork: {{ .Values.certController.hostNetwork }}
       containers:
         - name: cert-controller
           {{- with .Values.certController.securityContext }}
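Review bot: Setting `hostNetwork: true` through the new line leaves `dnsPolicy` at its default, and a pod on the host network with the default policy resolves names through the node's resolver, so in-cluster Service names (the cert-controller is pointed at the webhook Service via `--service-name`/`--service-namespace` in the snapshot) may stop resolving once the option is enabled; the same applies to the `hostNetwork: {{ .Values.hostNetwork }}` line in deployment.yaml. Consider pairing the option with the usual policy switch, e.g. `{{- if .Values.certController.hostNetwork }}` / `dnsPolicy: ClusterFirstWithHostNet` / `{{- end }}`, rendered next to the new line. The metrics and health ports (8080/8081 per the snapshot) are bound in the node's network namespace when the option is on, so two replicas scheduled on one node would collide on them; a comment on the line, such as `# hostNetwork shares the node's network namespace; see values.yaml for implications`, would help operators who read the rendered template. The enclosing pod spec starts above the hunk.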

+ 1 - 0
deploy/charts/external-secrets/templates/deployment.yaml

@@ -38,6 +38,7 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      hostNetwork: {{ .Values.hostNetwork }}
       containers:
         - name: {{ .Chart.Name }}
           {{- with .Values.securityContext }}

+ 60 - 0
deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap

@@ -0,0 +1,60 @@
+should match snapshot of default values:
+  1: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: external-secrets-cert-controller
+        app.kubernetes.io/version: v0.8.1
+        helm.sh/chart: external-secrets-0.8.1
+      name: RELEASE-NAME-external-secrets-cert-controller
+      namespace: NAMESPACE
+    spec:
+      replicas: 1
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: external-secrets-cert-controller
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/name: external-secrets-cert-controller
+        spec:
+          automountServiceAccountToken: true
+          containers:
+            - args:
+                - certcontroller
+                - --crd-requeue-interval=5m
+                - --service-name=RELEASE-NAME-external-secrets-webhook
+                - --service-namespace=NAMESPACE
+                - --secret-name=RELEASE-NAME-external-secrets-webhook
+                - --secret-namespace=NAMESPACE
+              image: ghcr.io/external-secrets/external-secrets:v0.8.1
+              imagePullPolicy: IfNotPresent
+              name: cert-controller
+              ports:
+                - containerPort: 8080
+                  name: metrics
+                  protocol: TCP
+              readinessProbe:
+                httpGet:
+                  path: /readyz
+                  port: 8081
+                initialDelaySeconds: 20
+                periodSeconds: 5
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                runAsUser: 1000
+                seccompProfile:
+                  type: RuntimeDefault
+          hostNetwork: false
+          serviceAccountName: external-secrets-cert-controller

+ 1 - 0
deploy/charts/external-secrets/tests/__snapshot__/controller_test.yaml.snap

@@ -45,4 +45,5 @@ should match snapshot of default values:
                 runAsUser: 1000
                 seccompProfile:
                   type: RuntimeDefault
+          hostNetwork: false
           serviceAccountName: RELEASE-NAME-external-secrets

+ 72 - 0
deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap

@@ -0,0 +1,72 @@
+should match snapshot of default values:
+  1: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: external-secrets-webhook
+        app.kubernetes.io/version: v0.8.1
+        helm.sh/chart: external-secrets-0.8.1
+      name: RELEASE-NAME-external-secrets-webhook
+      namespace: NAMESPACE
+    spec:
+      replicas: 1
+      revisionHistoryLimit: 10
+      selector:
+        matchLabels:
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: external-secrets-webhook
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/name: external-secrets-webhook
+        spec:
+          automountServiceAccountToken: true
+          containers:
+            - args:
+                - webhook
+                - --port=10250
+                - --dns-name=RELEASE-NAME-external-secrets-webhook.NAMESPACE.svc
+                - --cert-dir=/tmp/certs
+                - --check-interval=5m
+                - --metrics-addr=:8080
+                - --healthz-addr=:8081
+              image: ghcr.io/external-secrets/external-secrets:v0.8.1
+              imagePullPolicy: IfNotPresent
+              name: webhook
+              ports:
+                - containerPort: 8080
+                  name: metrics
+                  protocol: TCP
+                - containerPort: 10250
+                  name: webhook
+                  protocol: TCP
+              readinessProbe:
+                httpGet:
+                  path: /readyz
+                  port: 8081
+                initialDelaySeconds: 20
+                periodSeconds: 5
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+                readOnlyRootFilesystem: true
+                runAsNonRoot: true
+                runAsUser: 1000
+                seccompProfile:
+                  type: RuntimeDefault
+              volumeMounts:
+                - mountPath: /tmp/certs
+                  name: certs
+                  readOnly: true
+          hostNetwork: false
+          serviceAccountName: external-secrets-webhook
+          volumes:
+            - name: certs
+              secret:
+                secretName: RELEASE-NAME-external-secrets-webhook

+ 49 - 0
deploy/charts/external-secrets/tests/cert_controller_test.yaml

@@ -0,0 +1,49 @@
+suite: test cert controller deployment
+templates:
+  - cert-controller-deployment.yaml
+tests:
+  - it: should match snapshot of default values
+    asserts:
+      - matchSnapshot: {}
+  - it: should set imagePullPolicy to Always
+    set:
+      certController.image.pullPolicy: Always
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: Always
+  - it: should imagePullPolicy to be default value IfNotPresent
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: IfNotPresent
+  - it: should override securityContext
+    set:
+      certController.podSecurityContext:
+        runAsUser: 2000
+      certController.securityContext:
+        runAsUser: 3000
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            runAsUser: 2000
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 3000
+            seccompProfile:
+              type: RuntimeDefault
+  - it: should override hostNetwork
+    set:
+      certController.hostNetwork: true
+    asserts:
+      - equal:
+          path: spec.template.spec.hostNetwork
+          value: true

+ 7 - 0
deploy/charts/external-secrets/tests/controller_test.yaml

@@ -40,3 +40,10 @@ tests:
             runAsUser: 3000
             seccompProfile:
               type: RuntimeDefault
+  - it: should override hostNetwork
+    set:
+      hostNetwork: true
+    asserts:
+      - equal:
+          path: spec.template.spec.hostNetwork
+          value: true

+ 49 - 0
deploy/charts/external-secrets/tests/webhook_test.yaml

@@ -0,0 +1,49 @@
+suite: test webhook deployment
+templates:
+  - webhook-deployment.yaml
+tests:
+  - it: should match snapshot of default values
+    asserts:
+      - matchSnapshot: {}
+  - it: should set imagePullPolicy to Always
+    set:
+      webhook.image.pullPolicy: Always
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: Always
+  - it: should imagePullPolicy to be default value IfNotPresent
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].imagePullPolicy
+          value: IfNotPresent
+  - it: should override securityContext
+    set:
+      webhook.podSecurityContext:
+        runAsUser: 2000
+      webhook.securityContext:
+        runAsUser: 3000
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext
+          value:
+            runAsUser: 2000
+      - equal:
+          path: spec.template.spec.containers[0].securityContext
+          value:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 3000
+            seccompProfile:
+              type: RuntimeDefault
+  - it: should override hostNetwork
+    set:
+      webhook.hostNetwork: true
+    asserts:
+      - equal:
+          path: spec.template.spec.hostNetwork
+          value: true

+ 6 - 0
deploy/charts/external-secrets/values.yaml

@@ -194,6 +194,9 @@ podDisruptionBudget:
   minAvailable: 1
   # maxUnavailable: 1
 
+# -- Run the controller on the host network
+hostNetwork: false
+
 webhook:
   # -- Specifies whether a webhook deployment be created.
   create: true
@@ -372,6 +375,9 @@ certController:
 
   affinity: {}
 
+  # -- Run the certController on the host network
+  hostNetwork: false
+
     # -- Pod priority class name.
   priorityClassName: ""
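Review bot: The `# -- Run the controller on the host network` comment (and the matching `# -- Run the certController on the host network` comment in the second hunk) is what helm-docs copies into the README, and it says nothing about what the switch gives up, so users will flip it without knowing the consequences. Suggest expanding both to something like `# -- Run the controller on the host network. This shares the node's network namespace, exposes the metrics/health ports on the node, bypasses NetworkPolicy and is rejected by the baseline/restricted Pod Security Standards; leave false unless the controller must reach endpoints only routable from the node.` The trailing blank line added after `hostNetwork: false` keeps the stanza spacing consistent, which is fine.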
 

+ 1 - 1
hack/helm.generate.sh

@@ -33,7 +33,7 @@ for i in "${HELM_DIR}"/templates/crds/*.yml; do
   $SEDPRG -i 's/namespace: default/namespace: {{ .Release.Namespace | quote }}/g' "$i"
   $SEDPRG -i '0,/annotations/!b;//a\    {{- with .Values.crds.annotations }}\n    {{- toYaml . | nindent 4}}\n    {{- end }}' "$i"
 
-  sed -i '/  conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"
+  $SEDPRG -i '/  conversion:/i{{- if .Values.crds.conversion.enabled }}' "$i"
   echo "{{- end }}" >> "$i"
   mv "$i" "${i%.yml}.yaml"
 done
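Review bot: The `i{{- if .Values.crds.conversion.enabled }}` one-liner on the changed line is GNU sed syntax (BSD sed needs `i\` followed by a newline), so the substitution only works when `$SEDPRG` resolves to GNU sed; nothing in the hunk checks that. Where `SEDPRG` is assigned (outside this hunk) a guard such as `: "${SEDPRG:?GNU sed (gsed) is required}"` would make a missing tool fail loudly instead of leaving the generated CRD without its conversion guard. The expansion `$SEDPRG -i` is unquoted, which is intentional if the variable may carry options, but worth a comment like `# SEDPRG must be GNU sed; the i/a one-liner forms below are not portable` so the next edit does not revert to plain `sed`.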