feat: add the ability to install the agent and control plane without …

…secrets (#189)
kubeshop · Jul 10, 2024 · 15b4c33 · 15b4c33
1 parent 0b5eae0
commit 15b4c33
Show file tree

Hide file tree

Showing 82 changed files with 7,698 additions and 15 deletions.
diff --git a/charts/testkube-cloud-api/templates/deployment.yaml b/charts/testkube-cloud-api/templates/deployment.yaml
@@ -44,8 +44,11 @@ spec:
             {{- if .Values.global.enterpriseMode }}
             - name: ENTERPRISE_OFFLINE_ACTIVATION
               value: "{{ .Values.global.enterpriseOfflineAccess }}"
-            {{- end }}
-            {{- if .Values.global.enterpriseMode }}
+            - name: ENTERPRISE_LICENSE_KEY_PATH
+              value: "{{ .Values.enterpriseLicenseKeyPath }}"
+            - name: ENTERPRISE_LICENSE_FILE_PATH
+              value: "{{ .Values.enterpriseLicenseFilePath }}"
+            {{ if or .Values.global.enterpriseLicenseSecretRef .Values.global.enterpriseLicenseKey }}
             - name: ENTERPRISE_LICENSE_KEY
               {{- if .Values.global.enterpriseLicenseSecretRef }}
               valueFrom:
@@ -56,6 +59,7 @@ spec:
               value: "{{ .Values.global.enterpriseLicenseKey }}"
               {{- end }}
             {{- end }}
+            {{- end }}
             {{- if .Values.global.enterpriseLicenseFile }}
             - name: ENTERPRISE_LICENSE_FILE
               value: "{{ .Values.global.enterpriseLicenseFile }}"
@@ -281,9 +285,10 @@ spec:
               value: "{{ .Values.api.tls.certPath }}"
             - name: TLS_KEY
               value: "{{ .Values.api.tls.keyPath }}"
-            {{- if .Values.global.customCaSecretRef }}
+            {{- if or .Values.global.customCaSecretRef .Values.customCaDirPath }}
+            {{- $certsDir := .Values.customCaDirPath | default "/etc/testkube/certs" }}
             - name: SSL_CERT_DIR
-              value: /etc/testkube/certs
+              value: "{{ $certsDir }}"
             {{- end }}
             {{- $outputsBucket := .Values.global.storage.outputsBucket | default .Values.api.outputsBucket }}
             - name: OUTPUTS_BUCKET
@@ -302,6 +307,10 @@ spec:
               value: "{{ $minioSkipVerify }}"
             - name: MINIO_EXPIRATION
               value: "{{ .Values.api.minio.expirationPeriod }}"
+            {{- if .Values.api.minio.credsFilePath }}
+            - name: MINIO_SHARED_CREDENTIALS_FILE
+              value: "{{ .Values.api.minio.credsFilePath }}"
+            {{- else }}
             {{- $minioCredsSecretRef := .Values.global.storage.credsSecretRef | default .Values.api.minio.credsSecretRef }}
             {{- $minioAccessKeyId := .Values.global.storage.accessKeyId | default .Values.api.minio.accessKeyId }}
             {{- $minioSecretAccessKey := .Values.global.storage.secretAccessKey | default .Values.api.minio.secretAccessKey }}
@@ -333,6 +342,7 @@ spec:
               {{- else }}
               value: "{{ $minioToken }}"
               {{- end }}
+            {{- end }}
             - name: LOG_SERVER_GRPC_ADDRESS
               value: "{{ .Values.api.logServer.grpcAddress }}"
             - name: LOG_SERVER_SECURE
@@ -428,13 +438,14 @@ spec:
               subPath: tls.key
             {{- end }}
             {{- if and .Values.global.enterpriseLicenseSecretRef .Values.global.enterpriseOfflineAccess }}
-            - mountPath: /testkube/license.lic
+            - mountPath: {{ .Values.enterpriseLicenseFilePath }}
               readOnly: true
               name: license-file
               subPath: license.lic
             {{- end }}
             {{- if .Values.global.customCaSecretRef }}
-            - mountPath: /etc/testkube/certs/testkube-custom-ca.pem
+            {{- $certsDir := .Values.customCaDirPath | default "/etc/testkube/certs" }}
+            - mountPath: {{ $certsDir }}/testkube-custom-ca.pem
               name: {{ .Values.global.customCaSecretRef }}
               readOnly: true
               subPath: ca.crt

diff --git a/charts/testkube-cloud-api/templates/migrations-job.yaml b/charts/testkube-cloud-api/templates/migrations-job.yaml
@@ -15,6 +15,14 @@ spec:
   ttlSecondsAfterFinished: {{ .Values.api.migrations.ttlSecondsAfterFinished }}
   {{- end }}
   template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+        {{- if hasKey . "vault.hashicorp.com/agent-inject" }}
+        vault.hashicorp.com/agent-pre-populate-only: "true"
+        {{- end }}
+      {{- end }}
     spec:
       {{- if .Values.global.imagePullSecrets }}
       imagePullSecrets:
@@ -23,6 +31,9 @@ spec:
       imagePullSecrets:
         {{- toYaml .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "testkube-cloud-api.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: migrations
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
@@ -33,8 +44,11 @@ spec:
             {{- if .Values.global.enterpriseMode }}
             - name: ENTERPRISE_OFFLINE_ACTIVATION
               value: "{{ .Values.global.enterpriseOfflineAccess }}"
-            {{- end }}
-            {{- if .Values.global.enterpriseMode }}
+            - name: ENTERPRISE_LICENSE_KEY_PATH
+              value: "{{ .Values.enterpriseLicenseKeyPath }}"
+            - name: ENTERPRISE_LICENSE_FILE_PATH
+              value: "{{ .Values.enterpriseLicenseFilePath }}"
+            {{ if or .Values.global.enterpriseLicenseSecretRef .Values.global.enterpriseLicenseKey }}
             - name: ENTERPRISE_LICENSE_KEY
               {{- if .Values.global.enterpriseLicenseSecretRef }}
               valueFrom:
@@ -45,6 +59,7 @@ spec:
               value: "{{ .Values.global.enterpriseLicenseKey }}"
               {{- end }}
             {{- end }}
+            {{- end }}
             {{- if .Values.global.enterpriseLicenseFile }}
             - name: ENTERPRISE_LICENSE_FILE
               value: "{{ .Values.global.enterpriseLicenseFile }}"
@@ -89,6 +104,19 @@ spec:
               {{- end }}
             - name: API_MONGO_DB
               value: {{ .Values.api.mongo.database }}
+          {{- if and .Values.global.enterpriseLicenseSecretRef .Values.global.enterpriseOfflineAccess }}
+          volumeMounts:
+            - mountPath: {{ .Values.enterpriseLicenseFilePath }}
+              readOnly: true
+              name: license-file
+              subPath: license.lic
+          {{- end }}
+      {{- if and .Values.global.enterpriseLicenseSecretRef .Values.global.enterpriseOfflineAccess }}
+      volumes:
+        - name: license-file
+          secret:
+            secretName: {{ .Values.global.enterpriseLicenseSecretRef }}
+      {{- end }}
       restartPolicy: Never
   backoffLimit: 3
 {{- end }}
diff --git a/charts/testkube-cloud-api/values.yaml b/charts/testkube-cloud-api/values.yaml
@@ -92,6 +92,14 @@ fullnameOverride: ""
 additionalEnv: {}
 # FOO: bar
 
+# -- Specifies the path to the directory (skip the trailing slash) where CA certificates should be mounted. The mounted file should container a PEM encoded CA certificate.
+customCaDirPath: ""
+
+# -- Specifies the path where the license key should be mounted.
+enterpriseLicenseKeyPath: /testkube/license.key
+# -- Specifies the path where the license file should be mounted.
+enterpriseLicenseFilePath: /testkube/license.lic
+
 # -- Api can allow to set demo organization id where user who don't have Kubernetes cluster can play around
 demoOrganizationId: ""
 analytics:
@@ -221,6 +229,8 @@ api:
     token: ""
     # -- Credentials secret ref (secret should contain keys: root-user, root-password, token) (default is `testkube-cloud-minio-secret`)
     credsSecretRef: ""
+    # -- Path to where a Minio credential file should be mounted
+    credsFilePath: ""
     # -- Expiration period in days
     expirationPeriod: 0
     # -- Should be set to `true` if MinIO is behind

diff --git a/charts/testkube-enterprise/Chart.lock b/charts/testkube-enterprise/Chart.lock
@@ -15,7 +15,7 @@ dependencies:
   repository: https://kubeshop.github.io/helm-charts
   version: 2.0.10
 - name: dex
-  repository: https://charts.dexidp.io
+  repository: file://./charts/dex
   version: 0.18.0
 - name: mongodb
   repository: https://charts.bitnami.com/bitnami
@@ -24,7 +24,7 @@ dependencies:
   repository: https://nats-io.github.io/k8s/helm/charts/
   version: 1.2.0
 - name: minio
-  repository: https://charts.bitnami.com/bitnami
+  repository: file://./charts/minio
   version: 14.6.16
-digest: sha256:08d3a617724e120402977d24d1034aa259d771d523d81d224a583d6e5a0b15a5
-generated: "2024-07-10T08:01:37.21523251Z"
+digest: sha256:79529ff68544f0ed14d5a8f4b08d33e7690ea8edea0e3c5bd466ff0c898e31af
+generated: "2024-07-10T11:18:58.542311+02:00"
diff --git a/charts/testkube-enterprise/Chart.yaml b/charts/testkube-enterprise/Chart.yaml
@@ -23,7 +23,7 @@ dependencies:
     condition: testkube-agent.enabled
   - name: dex
     version: 0.18.0
-    repository: https://charts.dexidp.io
+    repository: file://./charts/dex
     condition: dex.enabled
   - name: mongodb
     version: 14.11.1
@@ -35,7 +35,7 @@ dependencies:
     condition: nats.enabled
   - name: minio
     version: 14.6.16
-    repository: https://charts.bitnami.com/bitnami
+    repository: file://./charts/minio
     condition: minio.enabled
 maintainers:
   - name: testkube

diff --git a/charts/testkube-enterprise/charts/dex/.helmignore b/charts/testkube-enterprise/charts/dex/.helmignore
@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+README.md.gotmpl
diff --git a/charts/testkube-enterprise/charts/dex/Chart.yaml b/charts/testkube-enterprise/charts/dex/Chart.yaml
@@ -0,0 +1,29 @@
+annotations:
+  artifacthub.io/changes: |
+    - kind: changed
+      description: "Dex 2.40.0 release"
+  artifacthub.io/images: |
+    - name: dex
+      image: ghcr.io/dexidp/dex:v2.40.0
+apiVersion: v2
+appVersion: 2.40.0
+description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable
+  connectors.
+home: https://dexidp.io/
+icon: https://dexidp.io/favicon.png
+keywords:
+- oidc
+- oauth
+- identity-provider
+- saml
+kubeVersion: '>=1.14.0-0'
+maintainers:
+- email: [email protected]
+  name: sagikazarmark
+  url: https://sagikazarmark.hu
+name: dex
+sources:
+- https://github.com/dexidp/dex
+- https://github.com/dexidp/helm-charts/tree/master/charts/dex
+type: application
+version: 0.18.0