From 610bbd1c00338620f6cc65fe2aff86139551f465 Mon Sep 17 00:00:00 2001 From: Robert Fairburn <8029478+rfairburn@users.noreply.github.com> Date: Wed, 11 May 2022 20:22:42 -0500 Subject: [PATCH] Update helm chart to work with shared infra (#5621) * Update helm chart to work with shared infra * Update helm chart README to reflect changes. --- charts/fleet/README.md | 4 +-- charts/fleet/templates/deployment.yaml | 13 +++++--- .../templates/gke-managedcertificate.yaml | 2 +- charts/fleet/templates/ingress.yaml | 2 +- charts/fleet/templates/job-migration.yaml | 4 +-- charts/fleet/templates/namespace.yaml | 11 +++++++ charts/fleet/templates/rbac.yaml | 8 ++--- charts/fleet/templates/sa.yaml | 2 +- charts/fleet/templates/secrets.yaml | 31 +++++++++++++++++++ charts/fleet/templates/service.yaml | 4 +-- charts/fleet/values.yaml | 11 +++++++ 11 files changed, 74 insertions(+), 18 deletions(-) create mode 100644 charts/fleet/templates/namespace.yaml create mode 100644 charts/fleet/templates/secrets.yaml diff --git a/charts/fleet/README.md b/charts/fleet/README.md index 37004ce5de..287e94b655 100644 --- a/charts/fleet/README.md +++ b/charts/fleet/README.md 
@@ -6,11 +6,11 @@ This directory contains a Helm Chart that makes deploying Fleet on Kubernetes ea #### 1. Create namespace -This Helm chart does not auto-provision a namespace. You can add one with `kubectl create namespace ` or by creating a YAML file containing a service and applying it to your cluster. +This Helm chart optionally provisions a Kubernetes namespace. Alternatively, you can add one with `kubectl create namespace ` or by creating a YAML file containing the namespace and applying it to your cluster. #### 2. Create the necessary secrets -This Helm chart does not create the Kubernetes `Secret`s necessary for Fleet to operate. At a minimum, secrets for the MySQL password must be created. For example, if you are deploying into a namespace called `fleet`: +This Helm chart optionally creates Kubernetes `Secret`s for MySQL and Redis necessary for Fleet to operate. If you manually create them instead, at a minimum, secrets for the MySQL password must be created. For example, if you are deploying into a namespace called `fleet`: ```yaml --- diff --git a/charts/fleet/templates/deployment.yaml b/charts/fleet/templates/deployment.yaml index 2b9ee2f8b8..2de2fbc161 100644 --- a/charts/fleet/templates/deployment.yaml +++ b/charts/fleet/templates/deployment.yaml @@ -7,7 +7,7 @@ metadata: chart: fleet heritage: {{ .Release.Service }} release: {{ .Release.Name }} - name: fleet + name: {{ .Values.fleetName }} namespace: {{ .Release.Namespace }} spec: replicas: {{ .Values.replicas }} 
@@ -24,18 +24,21 @@ spec: {{- toYaml . | trim | nindent 8 }} {{- end }} labels: +{{- with .Values.podLabels }} +{{- toYaml . | trim | nindent 8 }} +{{- end }} app: fleet chart: fleet heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: containers: - - name: fleet + - name: {{ .Values.fleetName }} command: [/usr/bin/fleet] args: ["serve"] image: fleetdm/fleet:{{ .Values.imageTag }} ports: - - name: fleet + - name: {{ .Values.fleetName }} containerPort: {{ .Values.fleet.listenPort }} resources: limits: @@ -274,7 +277,7 @@ spec: {{- if or (.Values.fleet.tls.enabled) (.Values.mysql.tls.enabled) (eq .Values.osquery.logging.statusPlugin "filesystem") (eq .Values.osquery.logging.resultPlugin "filesystem") }} volumeMounts: {{- if .Values.fleet.tls.enabled }} - - name: fleet-tls + - name: {{ .Values.fleetName }}-tls readOnly: true mountPath: /secrets/tls {{- end }} @@ -319,7 +322,7 @@ spec: {{- if or (.Values.fleet.tls.enabled) (.Values.mysql.tls.enabled) (eq .Values.osquery.logging.statusPlugin "filesystem") (eq .Values.osquery.logging.resultPlugin "filesystem") }} volumes: {{- if .Values.fleet.tls.enabled }} - - name: fleet-tls + - name: {{ .Values.fleetName }}-tls secret: secretName: "{{ .Values.fleet.secretName }}" {{- end }} diff --git a/charts/fleet/templates/gke-managedcertificate.yaml b/charts/fleet/templates/gke-managedcertificate.yaml index a7208e5c3f..51c84eb3b0 100644 --- a/charts/fleet/templates/gke-managedcertificate.yaml +++ b/charts/fleet/templates/gke-managedcertificate.yaml @@ -2,7 +2,7 @@ apiVersion: networking.gke.io/v1 kind: ManagedCertificate metadata: - name: fleet + name: {{ .Values.fleetName }} spec: domains: - {{ .Values.hostName }} diff --git a/charts/fleet/templates/ingress.yaml b/charts/fleet/templates/ingress.yaml index c3b6f974b3..450ce626a6 100644 --- a/charts/fleet/templates/ingress.yaml +++ b/charts/fleet/templates/ingress.yaml 
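Review bot: Reusing `.Values.fleetName` as the container port name (`ports: - name: {{ .Values.fleetName }}`) ties a resource name to a field with much tighter rules: a Kubernetes port name must be an IANA_SVC_NAME of at most 15 lowercase alphanumeric or `-` characters, so a perfectly valid `fleetName` such as `fleet-instance-a` makes the API server reject the Deployment while every other rename in this hunk succeeds. Keep the port name a fixed literal, e.g. `- name: fleet`, and leave only `metadata.name` and the container name parameterised. Separately, `podLabels` is rendered immediately before the fixed `app`/`chart`/`heritage`/`release` labels, so a user value that repeats one of those keys yields a duplicate YAML key, which Helm's YAML-to-JSON decoding is expected to reject and which, if it were accepted, could detach the pods from the selector. A comment on the new value such as `# Must not set app, chart, heritage or release; those are reserved for the selector` would head that off. The Deployment's `spec.selector` is outside this hunk.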
@@ -20,7 +20,7 @@ metadata: chart: fleet heritage: {{ .Release.Service }} release: {{ .Release.Name }} - name: fleet + name: {{ .Values.fleetName }} namespace: {{ .Release.Namespace }} spec: rules: diff --git a/charts/fleet/templates/job-migration.yaml b/charts/fleet/templates/job-migration.yaml index 7a3f2f2bec..cd966781d4 100644 --- a/charts/fleet/templates/job-migration.yaml +++ b/charts/fleet/templates/job-migration.yaml @@ -7,7 +7,7 @@ metadata: chart: fleet heritage: {{ .Release.Service }} release: {{ .Release.Name }} - name: fleet-migration + name: {{ .Values.fleetName }}-migration namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook": pre-install,pre-upgrade @@ -28,7 +28,7 @@ spec: spec: restartPolicy: Never containers: - - name: fleet-migration + - name: {{ .Values.fleetName }}-migration command: [/usr/bin/fleet] args: ["prepare","db","--no-prompt"] image: fleetdm/fleet:{{ .Values.imageTag }} diff --git a/charts/fleet/templates/namespace.yaml b/charts/fleet/templates/namespace.yaml new file mode 100644 index 0000000000..f20ba781ce --- /dev/null +++ b/charts/fleet/templates/namespace.yaml @@ -0,0 +1,11 @@ +{{- if .Values.createNamespace }} +apiVersion: v1 +kind: Namespace +metadata: + labels: + app: fleet + chart: fleet + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/fleet/templates/rbac.yaml b/charts/fleet/templates/rbac.yaml index 2f2510bee1..affc259d86 100644 --- a/charts/fleet/templates/rbac.yaml +++ b/charts/fleet/templates/rbac.yaml @@ -6,7 +6,7 @@ metadata: chart: fleet heritage: {{ .Release.Service }} release: {{ .Release.Name }} - name: fleet + name: {{ .Values.fleetName }} namespace: {{ .Release.Namespace }} rules: - apiGroups: 
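Review bot: Making the Namespace a release-owned object in `namespace.yaml` means `helm uninstall` deletes it, and with it everything else living in that namespace, which is the opposite of what a shared-infrastructure namespace wants. `createNamespace` defaults to false, so only users who opt in are affected, but those are precisely the users expecting the namespace to outlive the release. Mark the object so Helm leaves it in place on uninstall by adding under `metadata` an `annotations:` map with `"helm.sh/resource-policy": keep`. It is also worth a README sentence that `helm install --create-namespace` is the alternative, since Helm 3 still appears to need the target namespace to exist to store the release record and the interaction with an in-chart Namespace varies by Helm version; that should be verified before documenting it.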
@@ -29,14 +29,14 @@ metadata: chart: fleet heritage: {{ .Release.Service }} release: {{ .Release.Name }} - name: fleet + name: {{ .Values.fleetName }} namespace: {{ .Release.Namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: fleet + name: {{ .Values.fleetName }} subjects: - apiGroup: "" kind: ServiceAccount - name: fleet + name: {{ .Values.fleetName }} namespace: {{ .Release.Namespace }} diff --git a/charts/fleet/templates/sa.yaml b/charts/fleet/templates/sa.yaml index 67fba2c97b..6282b00a25 100644 --- a/charts/fleet/templates/sa.yaml +++ b/charts/fleet/templates/sa.yaml @@ -15,5 +15,5 @@ metadata: chart: fleet heritage: {{ .Release.Service }} release: {{ .Release.Name }} - name: fleet + name: {{ .Values.fleetName }} namespace: {{ .Release.Namespace }} diff --git a/charts/fleet/templates/secrets.yaml b/charts/fleet/templates/secrets.yaml new file mode 100644 index 0000000000..c1725ba57f --- /dev/null +++ b/charts/fleet/templates/secrets.yaml @@ -0,0 +1,31 @@ +{{- if .Values.mysql.createSecret }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: fleet + chart: fleet + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ .Values.mysql.secretName }} + namespace: {{ .Release.Namespace }} +stringData: + {{ .Values.mysql.passwordKey }}: {{ .Values.mysql.password }} +type: Opaque +--- +{{- end }} +{{- if .Values.redis.createSecret }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: fleet + chart: fleet + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ .Values.redis.secretName }} + namespace: {{ .Release.Namespace }} +stringData: + {{ .Values.redis.passwordKey }}: {{ .Values.redis.password }} +type: Opaque +{{- end }} diff --git a/charts/fleet/templates/service.yaml b/charts/fleet/templates/service.yaml index 3003db6e9b..d4d848b2d1 100644 --- a/charts/fleet/templates/service.yaml +++ b/charts/fleet/templates/service.yaml 
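Review bot: The two `stringData` entries in `secrets.yaml` interpolate `{{ .Values.mysql.password }}` and `{{ .Values.redis.password }}` as bare scalars, so a password containing `: `, ` #`, or a leading `*`, `{` or `[` breaks the render, and one that looks like a number or boolean (`0777`, `no`) is retyped by the YAML parser and then rejected by a `stringData` map that only accepts strings; the same applies to `passwordKey`, which is used as the map key. Render both sides with `quote` and refuse an unset value, e.g. `{{ .Values.mysql.passwordKey | quote }}: {{ required "mysql.password must be set when mysql.createSecret is true" .Values.mysql.password | quote }}`, and the equivalent for Redis, so a missing override fails at template time instead of creating a Secret holding the shipped default. Operators should also know that a password passed this way lives in the values file and in the Helm release Secret that stores the rendered values, so it belongs in a `--set` argument or a values file kept out of version control, or for anything sensitive in the pre-existing Secret path the README already describes. A short comment above each `kind: Secret` saying so would save the next maintainer a guess.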
@@ -6,7 +6,7 @@ metadata: chart: fleet heritage: {{ .Release.Service }} release: {{ .Release.Name }} - name: fleet + name: {{ .Values.fleetName }} namespace: {{ .Release.Namespace }} spec: selector: @@ -15,7 +15,7 @@ spec: heritage: {{ .Release.Service }} release: {{ .Release.Name }} ports: - - name: fleet + - name: {{ .Values.fleetName }} port: {{ .Values.fleet.listenPort }} {{- if .Values.gke.ingress.useGKEIngress }} type: NodePort diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml index 8574de84e3..3ede79179b 100644 --- a/charts/fleet/values.yaml +++ b/charts/fleet/values.yaml @@ -1,10 +1,15 @@ ## Section: Kubernetes # All settings related to how Fleet is deployed in Kubernetes +# The name used for deployment/role/sa/etc. Useful for when deploying multiple separate +# fleet instances into the same Namespace. +fleetName: fleet hostName: fleet.localhost replicas: 3 # The number of Fleet instances to deploy imageTag: v4.12.0 # Version of Fleet to deploy +createNamespace: false # Whether or not to automatically create the Namespace createIngress: true # Whether or not to automatically create an Ingress ingressAnnotations: {} # Additional annotation to add to the Ingress +podLabels: {} # Additional labels to add to the Fleet pod podAnnotations: {} # Additional annotations to add to the Fleet pod serviceAccountAnnotations: {} # Additional annotations to add to the Fleet service account resources: @@ -129,11 +134,14 @@ osquery: ## Section: MySQL # All of the connection settings for MySQL mysql: + createSecret: false # Name of the Secret resource containing MySQL password and TLS secrets secretName: mysql address: 127.0.0.1:3306 database: fleet username: fleet + # Only needed if creating secret. + password: default passwordKey: mysql-password maxOpenConns: 50 maxIdleConns: 50 
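Review bot: `password: default` under `mysql` ships a real, guessable credential as the chart default, so anyone who flips `mysql.createSecret: true` without overriding it deploys a Secret whose value is literally `default`, and `helm get values --all` shows it as an ordinary setting rather than a placeholder. Prefer an empty default, `password: ""  # Required when createSecret is true; supply via --set or a values file kept out of VCS`, and have the Secret template fail the render when the value is empty so the insecure case cannot happen by omission. The comment `# Only needed if creating secret.` should also state that the value is stored in plaintext in the release's values, which is why the pre-existing-Secret route described in the README remains the safer choice for production.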
@@ -149,10 +157,13 @@ mysql: ## Section: Redis # All of the connection settings for Redis redis: + createSecret: false address: 127.0.0.1:6379 database: "0" usePassword: false secretName: redis + # Only needed if creating secret. + password: default passwordKey: redis-password ## Section: GKE
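Review bot: `redis.createSecret` is independent of `redis.usePassword`, which stays `false` here, so opting into `createSecret` alone renders a Redis Secret holding the literal `default` that presumably nothing consumes, while enabling `usePassword` without `createSecret` leaves the pod pointing at a Secret that was never created. Tie the two together in the values comments, e.g. `createSecret: false  # Creates the Secret named by secretName; only meaningful when usePassword is true`, and consider rendering the Redis Secret only when both are set. As with MySQL, `password: default` should become `password: ""` so an unset value is a render-time error rather than a deployed weak credential; which consumer actually reads the Redis password is outside this diff and should be confirmed.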