ENG-13649: Add initial Helm template (#1)

* Add initial Helm template * Update ports to use map instead of list of int * Update Snowflake values * Some fixes after testing * Update README and add pre-commit script (#2) * Add deployment properties (#3) * Bump sidecar version & fix typo * Add Role and RoleBinding * Delete templates/ingress.yaml * Set CYRAL_SIDECAR_DEPLOYMENT_PROPERTIES env * Add license to missing files * Fix typo on error msg * Keep existing certs on updates * Use same index pattern for all ports * Place Cyral parameters docs close to helm values * Remove support for old K8s versions * Add permissions to get/watch secrets * Add newline at end of files * Update default registry and repository * Update docs with required secret keys * Simplify Snowflake envs --------- Co-authored-by: Wilson de Carvalho <[email protected]>
cyralinc · Jun 26, 2024 · 2fdf66a · 2fdf66a
1 parent 7ef6945
commit 2fdf66a
Show file tree

Hide file tree

Showing 20 changed files with 1,337 additions and 30 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,13 @@
+# Copyright Cyral, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+repos:
+- repo: https://github.com/bitnami/readme-generator-for-helm
+  rev: "main"
+  hooks:
+    - id: helm-readme-generator
+      # in order to run helm-readme-generator only once
+      pass_filenames: false
+      always_run: true
+      # default args are [--readme=chart/README.md, --values=chart/values.yaml]
+      args: [--readme=README.md, --values=values.yaml]
diff --git a/Chart.yaml b/Chart.yaml
@@ -0,0 +1,20 @@
+# Copyright Cyral, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+annotations:
+  licenses: Apache-2.0
+apiVersion: v2
+appVersion: 4.13.9
+description: Cyral Sidecar.
+home: https://cyral.com
+keywords:
+- cyral
+- sidecar
+- database security
+maintainers:
+- name: Cyral, Inc.
+  url: https://github.com/cyralinc/helm-sidecar
+name: cyral-sidecar
+sources:
+- https://github.com/cyralinc/helm-sidecar
+version: 4.13.9
diff --git a/README.md b/README.md
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
@@ -0,0 +1,14 @@
+{{- /*
+Copyright Cyral, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/ -}}
+
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+** Please be patient while the chart is being deployed **
+
+Cyral Sidecar can be accessed through the following DNS name from within your cluster:
+
+    {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -0,0 +1,84 @@
+{{/*
+Copyright Cyral, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/*
+Return the proper Cyral Sidecar image name
+*/}}
+{{- define "cyral.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "cyral.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{/*
+ Create the name of the service account to use
+ */}}
+{{- define "cyral.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a secret for Cyral Sidecar credentials should be created
+*/}}
+{{- define "cyral.createCredentialsSecret" -}}
+{{- if and (not .Values.cyral.credentials.existingSecret) .Values.cyral.credentials.clientId .Values.cyral.credentials.clientSecret -}}
+  {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get Cyral Sidecar credentials secret
+*/}}
+{{- define "cyral.credentials.secretName" -}}
+{{- if (include "cyral.createCredentialsSecret" .) -}}
+    {{- printf "%s-credentials-secret" (include "common.names.fullname" .) -}}
+{{- else if not (empty .Values.cyral.credentials.existingSecret) -}}
+    {{- tpl .Values.cyral.credentials.existingSecret $ -}}
+{{- else -}}
+    {{- fail "cyral.credentials.clientId and cyral.credentials.clientSecret are required if cyral.credentials.existingSecret is empty." -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get Cyral Sidecar TLS cert secret
+*/}}
+{{- define "cyral.certificates.tls.secretName" -}}
+{{- if not .Values.cyral.sidecar.certificates.tls.existingSecret -}}
+    {{- printf "%s-selfsigned-certificate" (include "common.names.fullname" .) -}}
+{{- else -}}
+    {{- tpl .Values.cyral.sidecar.certificates.tls.existingSecret $ -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get Cyral Sidecar CA cert secret
+*/}}
+{{- define "cyral.certificates.ca.secretName" -}}
+{{- if not .Values.cyral.sidecar.certificates.ca.existingSecret -}}
+    {{- printf "%s-ca-certificate" (include "common.names.fullname" .) -}}
+{{- else -}}
+    {{- tpl .Values.cyral.sidecar.certificates.ca.existingSecret $ -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the DNS name to access Cyral Sidecar
+*/}}
+{{- define "cyral.dnsName" -}}
+{{- if .Values.cyral.sidecar.dnsName -}}
+    {{- tpl .Values.cyral.sidecar.dnsName $ -}}
+{{- else -}}
+    {{- include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain -}}
+{{- end -}}
+{{- end -}}
diff --git a/templates/ca-cert-secret.yaml b/templates/ca-cert-secret.yaml
@@ -0,0 +1,23 @@
+{{/*
+Copyright Cyral, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if not .Values.cyral.sidecar.certificates.ca.existingSecret -}}
+{{- $secretName := printf "%s-ca-certificate" (include "common.names.fullname" .) }}
+{{- $hostname := .Values.cyral.sidecar.dnsName | default "sidecar.app.cyral.com" }}
+{{- $ca := genCA $hostname 3650 }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ $.Release.Namespace }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if $.Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $ca.Cert "context" $) }}
+  tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $ca.Key "context" $) }}
+{{- end -}}
diff --git a/templates/common/_affinities.tpl b/templates/common/_affinities.tpl
@@ -0,0 +1,137 @@
+{{/*
+Copyright Cyral, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/*
+Return a soft nodeAffinity definition
+{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.soft" -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+  - preference:
+      matchExpressions:
+        - key: {{ .key }}
+          operator: In
+          values:
+            {{- range .values }}
+            - {{ . | quote }}
+            {{- end }}
+    weight: 1
+{{- end -}}
+
+{{/*
+Return a hard nodeAffinity definition
+{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes.hard" -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+  nodeSelectorTerms:
+    - matchExpressions:
+        - key: {{ .key }}
+          operator: In
+          values:
+            {{- range .values }}
+            - {{ . | quote }}
+            {{- end }}
+{{- end -}}
+
+{{/*
+Return a nodeAffinity definition
+{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.nodes" -}}
+  {{- if eq .type "soft" }}
+    {{- include "common.affinities.nodes.soft" . -}}
+  {{- else if eq .type "hard" }}
+    {{- include "common.affinities.nodes.hard" . -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Return a topologyKey definition
+{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}}
+*/}}
+{{- define "common.affinities.topologyKey" -}}
+{{ .topologyKey | default "kubernetes.io/hostname" -}}
+{{- end -}}
+
+{{/*
+Return a soft podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.soft" -}}
+{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+preferredDuringSchedulingIgnoredDuringExecution:
+  - podAffinityTerm:
+      labelSelector:
+        matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }}
+          {{- if not (empty $component) }}
+          {{ printf "app.kubernetes.io/component: %s" $component }}
+          {{- end }}
+          {{- range $key, $value := $extraMatchLabels }}
+          {{ $key }}: {{ $value | quote }}
+          {{- end }}
+      topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+    weight: 1
+  {{- range $extraPodAffinityTerms }}
+  - podAffinityTerm:
+      labelSelector:
+        matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }}
+          {{- if not (empty $component) }}
+          {{ printf "app.kubernetes.io/component: %s" $component }}
+          {{- end }}
+          {{- range $key, $value := .extraMatchLabels }}
+          {{ $key }}: {{ $value | quote }}
+          {{- end }}
+      topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+    weight: {{ .weight | default 1 -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Return a hard podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "context" $) -}}
+*/}}
+{{- define "common.affinities.pods.hard" -}}
+{{- $component := default "" .component -}}
+{{- $customLabels := default (dict) .customLabels -}}
+{{- $extraMatchLabels := default (dict) .extraMatchLabels -}}
+{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}}
+requiredDuringSchedulingIgnoredDuringExecution:
+  - labelSelector:
+      matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }}
+        {{- if not (empty $component) }}
+        {{ printf "app.kubernetes.io/component: %s" $component }}
+        {{- end }}
+        {{- range $key, $value := $extraMatchLabels }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+    topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+  {{- range $extraPodAffinityTerms }}
+  - labelSelector:
+      matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }}
+        {{- if not (empty $component) }}
+        {{ printf "app.kubernetes.io/component: %s" $component }}
+        {{- end }}
+        {{- range $key, $value := .extraMatchLabels }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+    topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Return a podAffinity/podAntiAffinity definition
+{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}}
+*/}}
+{{- define "common.affinities.pods" -}}
+  {{- if eq .type "soft" }}
+    {{- include "common.affinities.pods.soft" . -}}
+  {{- else if eq .type "hard" }}
+    {{- include "common.affinities.pods.hard" . -}}
+  {{- end -}}
+{{- end -}}
diff --git a/templates/common/_images.tpl b/templates/common/_images.tpl
@@ -0,0 +1,64 @@
+{{/*
+Copyright Cyral, Inc.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{/*
+Return the proper image name
+{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }}
+*/}}
+{{- define "common.images.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+    {{- if .global.imageRegistry }}
+     {{- $registryName = .global.imageRegistry -}}
+    {{- end -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+    {{- $separator = "@" -}}
+    {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- if $registryName }}
+    {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+    {{- printf "%s%s%s"  $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead)
+{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "common.images.pullSecrets" -}}
+  {{- $pullSecrets := list }}
+
+  {{- if .global }}
+    {{- range .global.imagePullSecrets -}}
+      {{- if kindIs "map" . -}}
+        {{- $pullSecrets = append $pullSecrets .name -}}
+      {{- else -}}
+        {{- $pullSecrets = append $pullSecrets . -}}
+      {{- end }}
+    {{- end -}}
+  {{- end -}}
+
+  {{- range .images -}}
+    {{- range .pullSecrets -}}
+      {{- if kindIs "map" . -}}
+        {{- $pullSecrets = append $pullSecrets .name -}}
+      {{- else -}}
+        {{- $pullSecrets = append $pullSecrets . -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+    {{- range $pullSecrets | uniq }}
+  - name: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}