Update helm chart to work with shared infra (#5621)

* Update helm chart to work with shared infra * Update helm chart README to reflect changes.
2026-05-24 01:18:42 +00:00 · 2022-05-11 20:22:42 -05:00 · 2022-05-11 20:22:42 -05:00 · 610bbd1c00
commit 610bbd1c00
parent 90d743d479
11 changed files with 74 additions and 18 deletions
--- a/charts/fleet/README.md
+++ b/charts/fleet/README.md
@ -6,11 +6,11 @@ This directory contains a Helm Chart that makes deploying Fleet on Kubernetes ea

 #### 1. Create namespace

-This Helm chart does not auto-provision a namespace. You can add one with `kubectl create namespace <name>` or by creating a YAML file containing a service and applying it to your cluster.
+This Helm chart optionally provisions a Kubernetes namespace. Alternatively, you can add one with `kubectl create namespace <name>` or by creating a YAML file containing the namespace and applying it to your cluster.

 #### 2. Create the necessary secrets

-This Helm chart does not create the Kubernetes `Secret`s necessary for Fleet to operate. At a minimum, secrets for the MySQL password must be created. For example, if you are deploying into a namespace called `fleet`:
+This Helm chart optionally creates Kubernetes `Secret`s for MySQL and Redis necessary for Fleet to operate. If you manually create them instead, at a minimum, secrets for the MySQL password must be created. For example, if you are deploying into a namespace called `fleet`:

 ```yaml
 ---
--- a/charts/fleet/templates/deployment.yaml
+++ b/charts/fleet/templates/deployment.yaml
@ -7,7 +7,7 @@ metadata:
    chart: fleet
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
-  name: fleet
+  name: {{ .Values.fleetName }}
  namespace: {{ .Release.Namespace }}
 spec:
  replicas: {{ .Values.replicas }}
@ -24,18 +24,21 @@ spec:
 {{- toYaml . | trim | nindent 8 }}
 {{- end }}
      labels:
+{{- with .Values.podLabels }}
+{{- toYaml . | trim | nindent 8 }}
+{{- end }}
        app: fleet
        chart: fleet
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
    spec:
      containers:
-      - name: fleet
+      - name: {{ .Values.fleetName }}
        command: [/usr/bin/fleet]
        args: ["serve"]
        image: fleetdm/fleet:{{ .Values.imageTag }}
        ports:
-        - name: fleet
+        - name: {{ .Values.fleetName }}
          containerPort: {{ .Values.fleet.listenPort }}
        resources:
          limits:
@ -274,7 +277,7 @@ spec:
        {{- if or (.Values.fleet.tls.enabled) (.Values.mysql.tls.enabled) (eq .Values.osquery.logging.statusPlugin "filesystem") (eq .Values.osquery.logging.resultPlugin "filesystem") }}
        volumeMounts:
          {{- if .Values.fleet.tls.enabled }}
-          - name: fleet-tls
+          - name: {{ .Values.fleetName }}-tls
            readOnly: true
            mountPath: /secrets/tls
          {{- end }}
@ -319,7 +322,7 @@ spec:
      {{- if or (.Values.fleet.tls.enabled) (.Values.mysql.tls.enabled) (eq .Values.osquery.logging.statusPlugin "filesystem") (eq .Values.osquery.logging.resultPlugin "filesystem") }}
      volumes:
        {{- if .Values.fleet.tls.enabled }}
-        - name: fleet-tls
+        - name: {{ .Values.fleetName }}-tls
          secret:
            secretName: "{{ .Values.fleet.secretName }}"
        {{- end }}
--- a/charts/fleet/templates/gke-managedcertificate.yaml
+++ b/charts/fleet/templates/gke-managedcertificate.yaml
@ -2,7 +2,7 @@
 apiVersion: networking.gke.io/v1
 kind: ManagedCertificate
 metadata:
-  name: fleet
+  name: {{ .Values.fleetName }}
 spec:
  domains:
  - {{ .Values.hostName }}
--- a/charts/fleet/templates/ingress.yaml
+++ b/charts/fleet/templates/ingress.yaml
@ -20,7 +20,7 @@ metadata:
    chart: fleet
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
-  name: fleet
+  name: {{ .Values.fleetName }}
  namespace: {{ .Release.Namespace }}
 spec:
  rules:
--- a/charts/fleet/templates/job-migration.yaml
+++ b/charts/fleet/templates/job-migration.yaml
@ -7,7 +7,7 @@ metadata:
    chart: fleet
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
-  name: fleet-migration
+  name: {{ .Values.fleetName }}-migration
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
@ -28,7 +28,7 @@ spec:
    spec:
      restartPolicy: Never
      containers:
-      - name: fleet-migration
+      - name: {{ .Values.fleetName }}-migration
        command: [/usr/bin/fleet]
        args: ["prepare","db","--no-prompt"]
        image: fleetdm/fleet:{{ .Values.imageTag }}
--- a/charts/fleet/templates/namespace.yaml
+++ b/charts/fleet/templates/namespace.yaml
@ -0,0 +1,11 @@
+{{- if .Values.createNamespace }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app: fleet
+    chart: fleet
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ .Release.Namespace }}
+{{- end }}
--- a/charts/fleet/templates/rbac.yaml
+++ b/charts/fleet/templates/rbac.yaml
@ -6,7 +6,7 @@ metadata:
    chart: fleet
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
-  name: fleet
+  name: {{ .Values.fleetName }}
  namespace: {{ .Release.Namespace }}
 rules:
 - apiGroups:
@ -29,14 +29,14 @@ metadata:
    chart: fleet
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
-  name: fleet
+  name: {{ .Values.fleetName }}
  namespace: {{ .Release.Namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: fleet
+  name: {{ .Values.fleetName }}
 subjects:
 - apiGroup: ""
  kind: ServiceAccount
-  name: fleet
+  name: {{ .Values.fleetName }}
  namespace: {{ .Release.Namespace }}
--- a/charts/fleet/templates/sa.yaml
+++ b/charts/fleet/templates/sa.yaml
@ -15,5 +15,5 @@ metadata:
    chart: fleet
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
-  name: fleet
+  name: {{ .Values.fleetName }}
  namespace: {{ .Release.Namespace }}
--- a/charts/fleet/templates/secrets.yaml
+++ b/charts/fleet/templates/secrets.yaml
@ -0,0 +1,31 @@
+{{- if .Values.mysql.createSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: fleet
+    chart: fleet
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ .Values.mysql.secretName }}
+  namespace: {{ .Release.Namespace }}
+stringData:
+  {{ .Values.mysql.passwordKey }}: {{ .Values.mysql.password }}
+type: Opaque
+---
+{{- end }}
+{{- if .Values.redis.createSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: fleet
+    chart: fleet
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ .Values.redis.secretName }}
+  namespace: {{ .Release.Namespace }}
+stringData:
+  {{ .Values.redis.passwordKey }}: {{ .Values.redis.password }}
+type: Opaque
+{{- end }}
--- a/charts/fleet/templates/service.yaml
+++ b/charts/fleet/templates/service.yaml
@ -6,7 +6,7 @@ metadata:
    chart: fleet
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
-  name: fleet
+  name: {{ .Values.fleetName }}
  namespace: {{ .Release.Namespace }}
 spec:
  selector:
@ -15,7 +15,7 @@ spec:
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  ports:
-  - name: fleet
+  - name: {{ .Values.fleetName }}
    port: {{ .Values.fleet.listenPort }}
  {{- if .Values.gke.ingress.useGKEIngress }}
  type: NodePort
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@ -1,10 +1,15 @@
 ## Section: Kubernetes
 # All settings related to how Fleet is deployed in Kubernetes
+# The name used for deployment/role/sa/etc.  Useful for when deploying multiple separate
+# fleet instances into the same Namespace.
+fleetName: fleet
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
 imageTag: v4.12.0 # Version of Fleet to deploy
+createNamespace: false # Whether or not to automatically create the Namespace
 createIngress: true # Whether or not to automatically create an Ingress
 ingressAnnotations: {} # Additional annotation to add to the Ingress
+podLabels: {} # Additional labels to add to the Fleet pod
 podAnnotations: {} # Additional annotations to add to the Fleet pod
 serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account
 resources:
@ -129,11 +134,14 @@ osquery:
 ## Section: MySQL
 # All of the connection settings for MySQL
 mysql:
+  createSecret: false
  # Name of the Secret resource containing MySQL password and TLS secrets
  secretName: mysql
  address: 127.0.0.1:3306
  database: fleet
  username: fleet
+  # Only needed if creating secret.
+  password: default
  passwordKey: mysql-password
  maxOpenConns: 50
  maxIdleConns: 50
@ -149,10 +157,13 @@ mysql:
 ## Section: Redis
 # All of the connection settings for Redis
 redis:
+  createSecret: false
  address: 127.0.0.1:6379
  database: "0"
  usePassword: false
  secretName: redis
+  # Only needed if creating secret.
+  password: default
  passwordKey: redis-password

 ## Section: GKE