feat: Venafi Enhanced Issuer config + chart docs update

Signed-off-by: Peter Fiddes <[email protected]>

Author: hawksight

deploy/charts/jetstack-agent/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: jetstack-agent
 description: Jetstack Secure Agent
 type: application
-version: 0.1.0
-appVersion: "v1.38.0"
+version: 0.2.0
+appVersion: "v1.39.0"
 home: https://github.com/jetstack/jetstack-secure
 maintainers:
 - name: JSCP and CRE Team

deploy/charts/jetstack-agent/templates/NOTES.txt

@@ -1,4 +1,7 @@
-1. Please make sure you have the secret "{{ .Values.authentication.secretName }}" available
+1. Please make sure you have the credentials secret: "{{ .Values.authentication.secretName }}" available
 
-2. Check the application if running with the following:
+2. Check the application is running with the following:
 > kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+3. Check the application logs for successful connection to the platform:
+> kubectl logs -n {{ .Release.Namespace }} $(kubectl get pod -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}-o jsonpath='{.items[0].metadata.name}')

deploy/charts/jetstack-agent/templates/configmap.yaml

@@ -189,3 +189,19 @@ data:
           group: route.openshift.io
           resource: routes
 {{- end }}
+{{- if or .Values.config.dataGatherers.default (has "venafienhancedissuer" .Values.config.dataGatherers.custom) }}
+    - kind: "k8s-dynamic"
+      name: "k8s/venaficlusterissuers"
+      config:
+        resource-type:
+          group: jetstack.io
+          version: v1alpha1
+          resource: venaficlusterissuers
+    - kind: "k8s-dynamic"
+      name: "k8s/venafiissuers"
+      config:
+        resource-type:
+          group: jetstack.io
+          version: v1alpha1
+          resource: venafiissuers
+{{- end }}

deploy/charts/jetstack-agent/templates/deployment.yaml

@@ -77,6 +77,8 @@ spec:
         - name: config
           configMap:
             name: agent-config
+            options: false
         - name: credentials
           secret:
             secretName: {{ default "agent-credentials" .Values.authentication.secretName }}
+            optional: false

deploy/charts/jetstack-agent/templates/rbac.yaml

@@ -250,3 +250,29 @@ subjects:
     name: {{ include "jetstack-agent.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 {{- end }}
+{{- if or .Values.config.dataGatherers.default (has "venafienhancedissuer" .Values.config.dataGatherers.custom) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "jetstack-agent.fullname" . }}-venafi-enhanced-reader
+rules:
+  - apiGroups: ["jetstack.io"]
+    resources:
+      - venafiissuers
+      - venaficlusterissuers
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "jetstack-agent.fullname" . }}-venafi-enhanced-reader
+roleRef:
+  kind: ClusterRole
+  name: {{ include "jetstack-agent.fullname" . }}-venafi-enhanced-reader
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "jetstack-agent.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

deploy/charts/jetstack-agent/values.yaml

@@ -10,7 +10,7 @@ image:
   repository: quay.io/jetstack/preflight
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "v0.1.38"
+  tag: "v0.1.39"
 
 # -- specify credentials if pulling from a customer registry
 imagePullSecrets: []
@@ -92,3 +92,4 @@ config:
     # - webhook
     # - openshift
     # - istio
+    # - venafienhancedissuer