Support more helm environment variables (#30451)

## Summary This PR adds support for Windows MDM WSTEP (Simple Certificate Enrollment Protocol) identity certificates and fixes S3 configuration for carving and software installers in the Fleet Helm chart. ## Changes ### Windows MDM WSTEP Support - **Deployment Template (`charts/fleet/templates/deployment.yaml`)**: - Added `FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES` environment variable - Added `FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY_BYTES` environment variable - Both variables load certificate data from Kubernetes secrets using `valueFrom.secretKeyRef` - Added conditional logic to only set variables when `fleet.mdm.windows.wstepIdentityCertKey` is non-empty - **Values Configuration (`charts/fleet/values.yaml`)**: - Added `fleet.mdm.windows.wstepIdentityCertKey: ""` configuration key - Added `fleet.mdm.windows.wstepIdentityKeyKey: ""` configuration key - Both default to empty strings for backward compatibility ### S3 Configuration Fixes - **Fixed S3 support for custom buckets**: Added support for S3 Endpoint URL & Force S3 Path style environemtal variables. - **Added S3 support for software installers**: Added complete S3 configuration structure under `fleet.softwareInstallers.s3` ## Configuration ### Windows MDM WSTEP ```yaml fleet: # New mdm: windows: wstepIdentityCertKey: "wstep-identity-cert" # Secret key containing the certificate wstepIdentityKeyKey: "wstep-identity-key" # Secret key containing the private key fleet: carving: s3: ... endpointURL: "" # New forceS3PathStyle: false # New softwareInstallers: # New s3: bucketName: "fleet-installers-bucket" prefix: "installers/" accessKeyID: "your-access-key" secretKey: "software-installers" endpointURL: "" forceS3PathStyle: false stsAssumeRoleARN: "" ```
2026-04-21 13:37:30 +00:00 · 2025-07-01 16:19:37 +02:00 · 2025-07-01 16:19:37 +02:00 · 324a40d28c
commit 324a40d28c
parent 306b1e8dec
2 changed files with 55 additions and 0 deletions
--- a/charts/fleet/templates/deployment.yaml
+++ b/charts/fleet/templates/deployment.yaml
@ -70,6 +70,18 @@ spec:
            value: "{{ .Values.fleet.logging.json }}"
          - name: FLEET_LOGGING_DISABLE_BANNER
            value: "{{ .Values.fleet.logging.disableBanner }}"
+          {{- if ne .Values.fleet.mdm.windows.wstepIdentityCertKey "" }}
+          - name: FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.fleet.secretName }}"
+                key: "{{ .Values.fleet.mdm.windows.wstepIdentityCertKey }}"
+          - name: FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY_BYTES
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.fleet.secretName }}"
+                key: "{{ .Values.fleet.mdm.windows.wstepIdentityKeyKey }}"
+          {{- end }}
          - name: FLEET_SERVER_TLS
            value: "{{ .Values.fleet.tls.enabled }}"
          {{- if .Values.fleet.tls.enabled }}
@ -80,11 +92,16 @@ spec:
          - name: FLEET_SERVER_KEY
            value: "/secrets/tls/{{ .Values.fleet.tls.keySecretKey }}"
          {{- end }}
+          ### Carving S3 Configuration
          {{- if ne .Values.fleet.carving.s3.bucketName "" }}
          - name: FLEET_S3_BUCKET
            value: "{{ .Values.fleet.carving.s3.bucketName }}"
          - name: FLEET_S3_PREFIX
            value: "{{ .Values.fleet.carving.s3.prefix }}"
+          - name: FLEET_S3_ENDPOINT_URL
+            value: "{{ .Values.fleet.carving.s3.endpointURL }}"
+          - name: FLEET_S3_FORCE_S3_PATH_STYLE
+            value: "{{ .Values.fleet.carving.s3.forceS3PathStyle }}"
          {{- if ne .Values.fleet.carving.s3.accessKeyID "" }}
          - name: FLEET_S3_ACCESS_KEY_ID
            value: "{{ .Values.fleet.carving.s3.accessKeyID }}"
@ -98,6 +115,29 @@ spec:
            value: "{{ .Values.fleet.carving.s3.stsAssumeRoleARN }}"
          {{- end }}
          {{- end }}
+          ### Software Installers S3 Configuration
+          {{- if ne .Values.fleet.softwareInstallers.s3.bucketName "" }}
+          - name: FLEET_S3_SOFTWARE_INSTALLERS_BUCKET
+            value: "{{ .Values.fleet.softwareInstallers.s3.bucketName }}"
+          - name: FLEET_S3_SOFTWARE_INSTALLERS_PREFIX
+            value: "{{ .Values.fleet.softwareInstallers.s3.prefix }}"
+          - name: FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL
+            value: "{{ .Values.fleet.softwareInstallers.s3.endpointURL }}"
+          - name: FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE
+            value: "{{ .Values.fleet.softwareInstallers.s3.forceS3PathStyle }}"
+          {{- if ne .Values.fleet.softwareInstallers.s3.accessKeyID "" }}
+          - name: FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID
+            value: "{{ .Values.fleet.softwareInstallers.s3.accessKeyID }}"
+          - name: FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.fleet.secretName }}"
+                key: "{{ .Values.fleet.softwareInstallers.s3.secretKey }}"
+          {{- else }}
+          - name: FLEET_S3_SOFTWARE_INSTALLERS_STS_ASSUME_ROLE_ARN
+            value: "{{ .Values.fleet.softwareInstallers.s3.stsAssumeRoleARN }}"
+          {{- end }}
+          {{- end }}
          {{- if .Values.fleet.license.secretName }}
          - name: FLEET_LICENSE_KEY
            valueFrom:
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@ -95,12 +95,27 @@ fleet:
    debug: false
    json: false
    disableBanner: false
+  mdm:
+    windows:
+      wstepIdentityCertKey: ""
+      wstepIdentityKeyKey: ""
  carving:
    s3:
      bucketName: ""
      prefix: ""
      accessKeyID: ""
      secretKey: s3-bucket
+      endpointURL: ""
+      forceS3PathStyle: false
+      stsAssumeRoleARN: ""
+  softwareInstallers:
+    s3:
+      bucketName: ""
+      prefix: ""
+      accessKeyID: ""
+      secretKey: software-installers
+      endpointURL: ""
+      forceS3PathStyle: false
      stsAssumeRoleARN: ""
  license:
    secretName: ""