feat: add extraManifests, extraEnv, and configurable secret keys (#137)

Author: oliverisaac

.github/pull_request_template.md

@@ -19,5 +19,6 @@
 
 - [ ] Bump the chart version (`Chart.yaml` -> `version`)
 - [ ] JSON Schema updated (`values.schema.json`)
-- [ ] Update `README.md` via helm-docs
+- [ ] Update `README.md` via [helm-docs](https://github.com/norwoodj/helm-docs) (or `make prep`)
+- [ ] Run `pre-commit run --all-files` via [pre-commit](https://pre-commit.com/) (or `make prep`)
 - [ ] Update Artifacthub annotation (`Chart.yaml` -> `artifacthub.io/changes`, `artifacthub.io/images`)

Makefile

@@ -0,0 +1,17 @@
+
+.PHONY: pre-commit
+pre-commit:
+	pre-commit run --all-files
+
+
+.PHONY: helm-docs
+helm-docs:
+	helm-docs
+
+
+.PHONY: tools-macos
+tools-macos:
+	brew install pre-commit norwoodj/tap/helm-docs
+
+.PHONY: prep
+prep: helm-docs pre-commit

charts/k8s-image-swapper/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: k8s-image-swapper
 description: Mirror images into your own registry and swap image references automatically.
 type: application
-version: 1.7.0
+version: 1.8.0
 appVersion: 1.4.1
 home: https://github.com/estahn/charts/tree/main/charts/k8s-image-swapper
 keywords:
@@ -15,7 +15,7 @@ maintainers:
     name: estahn
 annotations:
   artifacthub.io/changes: |
-    - "Allow to set annotations for deployment"
+    - "Allow configure AWS secret and deploy extraManifests"
   artifacthub.io/images: |
     - name: k8s-image-webhook
       image: ghcr.io/estahn/k8s-image-swapper:1.4.1

charts/k8s-image-swapper/README.md

@@ -1,6 +1,6 @@
 # k8s-image-swapper
 
-![Version: 1.7.0](https://img.shields.io/badge/Version-1.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.1](https://img.shields.io/badge/AppVersion-1.4.1-informational?style=flat-square)
+![Version: 1.8.0](https://img.shields.io/badge/Version-1.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.4.1](https://img.shields.io/badge/AppVersion-1.4.1-informational?style=flat-square)
 
 Mirror images into your own registry and swap image references automatically.
 
@@ -21,7 +21,10 @@ Mirror images into your own registry and swap image references automatically.
 | autoscaling.maxReplicas | int | `100` |  |
 | autoscaling.minReplicas | int | `1` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
-| awsSecretName | string | `""` |  |
+| awsSecretKeys | object | `{"accessKeyID":"aws_access_key_id","secretAccessKey":"aws_secret_access_key"}` | Specify which keys to pull from the .awsSecretName secret for the associated environment variables. |
+| awsSecretKeys.accessKeyID | string | `"aws_access_key_id"` | If using Hashicorp Vault Operator w/ AWS engine, use `access_key` |
+| awsSecretKeys.secretAccessKey | string | `"aws_secret_access_key"` | If using Hashicorp Vault Operator w/ AWS engine, use `secret_key` |
+| awsSecretName | string | `""` | If set, the secret will be used as environment variables, see awsSecretKeys. |
 | certmanager.enabled | bool | `false` |  |
 | commonLabels | object | `{}` | Labels that will be added on all the resources (not in selectors) |
 | config.dryRun | bool | `true` |  |
@@ -34,6 +37,9 @@ Mirror images into your own registry and swap image references automatically.
 | deployment.annotations | object | `{}` |  |
 | dev.enabled | bool | `false` |  |
 | dev.webhookURL | string | `"https://xxx.ngrok.io"` |  |
+| extraEnv | list | `[]` | Additional environment variables to be defined on the container Follows the same syntax as containers.env in a Pod v1 API |
+| extraManifests | list | `[]` | Additional manifests to be deployed Can be either a full object OR a string containing valid YAML |
+| extraManifestsTemplated | list | `[]` | Additional manifests to be deployed. These will be passed through the templating engine Useful if you need to use values from this chart in your manifests |
 | fullnameOverride | string | `""` |  |
 | hostNetwork | bool | `false` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |

charts/k8s-image-swapper/templates/deployment.yaml

@@ -41,18 +41,23 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          {{- if .Values.awsSecretName }}
+          {{- if or .Values.awsSecretName .Values.extraEnv }}
           env:
+            {{- if .Values.awsSecretName }}
             - name: AWS_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.awsSecretName }}
-                  key: aws_access_key_id
+                  key: {{ .Values.awsSecretKeys.accessKeyID }}
             - name: AWS_SECRET_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.awsSecretName }}
-                  key: aws_secret_access_key
+                  key: {{ .Values.awsSecretKeys.secretAccessKey }}
+            {{- end }}
+            {{- with .Values.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           {{- end }}
           args:
             - --config=/.k8s-image-swapper.yaml

charts/k8s-image-swapper/templates/extraManifests.yaml

@@ -0,0 +1,18 @@
+{{ range .Values.extraManifests }}
+    {{- if eq "string" ( kindOf . ) }}
+        {{/* If manifest is a string, convert it back and forth from yaml to ensure good syntax */}}
+        {{- . | fromYaml | toYaml }}
+    {{- else }}
+        {{- . | toYaml }}
+    {{- end }}
+---
+{{ end }}
+
+{{ range .Values.extraManifestsTemplated }}
+    {{- if eq "string" ( kindOf . ) }}
+        {{- tpl . $ }}
+    {{- else }}
+        {{- tpl ( . | toYaml ) $ }}
+    {{- end }}
+---
+{{ end }}

charts/k8s-image-swapper/values.schema.json

@@ -22,6 +22,21 @@
         }
       }
     },
+    "awsSecretKeys": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Specify which keys to pull from the .awsSecretName secret for the associated environment variables.",
+      "properties": {
+        "accessKeyID": {
+          "type": "string",
+          "default": "aws_access_key_id"
+        },
+        "secretAccessKey": {
+          "type": "string",
+          "default": "aws_secret_access_key"
+        }
+      }
+    },
     "awsSecretName": {
       "type": "string"
     },
@@ -104,6 +119,36 @@
         }
       }
     },
+    "extraEnv": {
+      "type": "array",
+      "items": {}
+    },
+    "extraManifests": {
+      "type": "array",
+      "items": {
+        "anyOf": [
+          {
+            "type": "object"
+          },
+          {
+            "type": "string"
+          }
+        ]
+      }
+    },
+    "extraManifestsTemplated": {
+      "type": "array",
+      "items": {
+        "anyOf": [
+          {
+            "type": "object"
+          },
+          {
+            "type": "string"
+          }
+        ]
+      }
+    },
     "fullnameOverride": {
       "type": "string"
     },

charts/k8s-image-swapper/values.yaml

@@ -44,10 +44,12 @@ podSecurityPolicy:
 
 podAnnotations: {}
 
-podSecurityContext: {}
+podSecurityContext:
+  {}
   # fsGroup: 2000
 
-securityContext: {}
+securityContext:
+  {}
   # capabilities:
   #   drop:
   #   - ALL
@@ -59,7 +61,8 @@ service:
   type: ClusterIP
   port: 443
 
-resources: {}
+resources:
+  {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -112,7 +115,14 @@ webhook:
   namespaceSelector: {}
   objectSelector: {}
 
+# -- If set, the secret will be used as environment variables, see awsSecretKeys.
 awsSecretName: ""
+# -- Specify which keys to pull from the .awsSecretName secret for the associated environment variables.
+awsSecretKeys:
+  # -- If using Hashicorp Vault Operator w/ AWS engine, use `access_key`
+  accessKeyID: "aws_access_key_id"
+  # -- If using Hashicorp Vault Operator w/ AWS engine, use `secret_key`
+  secretAccessKey: "aws_secret_access_key"
 
 # Private registries are supported via imagePullSecrets on Pods and ServiceAccounts.
 # k8s-image-swapper requires to read the secret containing the docker authentication details
@@ -144,3 +154,20 @@ config:
 dev:
   enabled: false
   webhookURL: https://xxx.ngrok.io
+
+# -- Additional environment variables to be defined on the container
+# Follows the same syntax as containers.env in a Pod v1 API
+extraEnv: []
+
+# -- Additional manifests to be deployed
+# Can be either a full object OR a string containing valid YAML
+extraManifests: []
+
+# -- Additional manifests to be deployed. These will be passed through the templating engine
+# Useful if you need to use values from this chart in your manifests
+extraManifestsTemplated: []
+#  - kind: ConfigMap
+#    metadata:
+#      name: "{{ .Release.Name }}-extra-config"
+#    data:
+#      key: value