From 7a226f595e2fbb75d3237a9eeca57832a657dfd7 Mon Sep 17 00:00:00 2001
From: Stephen Tollenaar
Date: Thu, 5 Jun 2025 18:59:01 -0230
Subject: [PATCH 1/2] change to load custom certs through a secret rather than configmap
---
 snyk-monitor/README.md | 5 +++--
 snyk-monitor/templates/deployment.yaml | 4 ++--
 snyk-monitor/values.yaml | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/snyk-monitor/README.md b/snyk-monitor/README.md
index 8890f22e6..8ab5ced5a 100644
--- a/snyk-monitor/README.md
+++ b/snyk-monitor/README.md
@@ -105,9 +105,10 @@ Finally, create the secret in Kubernetes by running the following command: kubectl create secret generic snyk-monitor -n snyk-monitor --from-file=./dockercfg.json --from-literal=integrationId=abcd1234-abcd-1234-abcd-1234abcd1234 --from-literal=serviceAccountApiToken=aabb1212-abab-1212-dcba-4321abcd4321 ``` -5. (Optional) If your private registry requires installing certificates (*.crt, *.cert, *.key only) please put them in a folder and create the following ConfigMap: +5. (Optional) If your private registry requires installing certificates (_.crt,_.cert, *.key only) please put them in a folder and create the following Secret: + ```shell -kubectl create configmap snyk-monitor-certs -n snyk-monitor --from-file= +kubectl create secret tls snyk-monitor-certs -n snyk-monitor --cert=path/to/tls.crt --key=path/to/tls.key ``` 6. (Optional) If you are using an insecure registry or your registry is using unqualified images, you can provide a `registries.conf` file. See [the documentation](https://github.com/containers/image/blob/master/docs/containers-registries.conf.5.md) for information on the format and examples.
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
index 84702271e..721d248df 100644
--- a/snyk-monitor/templates/deployment.yaml
+++ b/snyk-monitor/templates/deployment.yaml
@@ -283,8 +283,8 @@ spec: sizeLimit: {{ .Values.temporaryStorageSize }} {{- end }} - name: ssl-certs - configMap: - name: {{ .Values.certsConfigMap }} + secret: + secretName: {{ .Values.certsSecret }} optional: true - name: workload-policies configMap:
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
index b7ad4b222..da29835b6 100644
--- a/snyk-monitor/values.yaml
+++ b/snyk-monitor/values.yaml
@@ -5,7 +5,7 @@ # The secrets should be created externally, before applying this Helm chart. # The currently used keys within the secret are: "dockercfg.json", "integrationId". monitorSecrets: snyk-monitor -certsConfigMap: snyk-monitor-certs +certsSecret: snyk-monitor-certs registriesConfConfigMap: snyk-monitor-registries-conf # An external ConfigMap to use for loading policies into snyk-monitor.
From 849c1bb5d9f76401843e0c33b4fc5b3c8fd216c0 Mon Sep 17 00:00:00 2001
From: Stephen Tollenaar
Date: Fri, 11 Jul 2025 19:34:55 -0230
Subject: [PATCH 2/2] update deployment to use a projected volume instead
---
 snyk-monitor/templates/deployment.yaml | 11 ++++++++---
 snyk-monitor/values.yaml | 4 ++++
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
index 721d248df..490813f03 100644
--- a/snyk-monitor/templates/deployment.yaml
+++ b/snyk-monitor/templates/deployment.yaml
@@ -283,9 +283,14 @@ spec: sizeLimit: {{ .Values.temporaryStorageSize }} {{- end }} - name: ssl-certs - secret: - secretName: {{ .Values.certsSecret }} - optional: true + projected: + sources: + - configMap: + name: {{.Values.certsConfigMap}} + optional: true + - secret: + name: {{ .Values.certsSecret }} + optional: true - name: workload-policies configMap: {{- if .Values.workloadPoliciesMap }}
diff --git a/snyk-monitor/values.yaml b/snyk-monitor/values.yaml
index da29835b6..65873b5fb 100644
--- a/snyk-monitor/values.yaml
+++ b/snyk-monitor/values.yaml
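Review bot: The `ssl-certs` projected volume added in PATCH 2/2 sets no `defaultMode`, so files projected from `certsSecret` (the README allows `*.key` files) get the Kubernetes default of 0644 and are readable by every user inside the container; consider `defaultMode: 0440` under `projected:` once the UID/GID the monitor runs as is confirmed. Both sources default to `snyk-monitor-certs` and both are `optional: true`, so when the ConfigMap and the Secret coexist their files are merged into one directory, and for a file name present in both it is not evident from the template which copy the monitor will read — a comment stating the intended precedence would help. Because neither source is required, a misspelled `certsSecret` yields an empty directory with no scheduling error, and the problem surfaces only when a registry TLS handshake fails. Style: write `{{ .Values.certsConfigMap }}` with the same inner spacing as the secret line, and quote both names, e.g. `name: {{ .Values.certsSecret | quote }}`. The volumes list starts and continues outside the hunk.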
@@ -6,6 +6,10 @@ # The currently used keys within the secret are: "dockercfg.json", "integrationId". monitorSecrets: snyk-monitor certsSecret: snyk-monitor-certs + +# Deprecated, use the certsSecret instead +certsConfigMap: snyk-monitor-certs + registriesConfConfigMap: snyk-monitor-registries-conf # An external ConfigMap to use for loading policies into snyk-monitor.
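Review bot: The added comment `# Deprecated, use the certsSecret instead` gives no reason for the deprecation, and `certsSecret` above it has no comment describing what the Secret must contain. I would document both, e.g. `# Name of an externally created Secret whose keys (*.crt, *.cert, *.key) are mounted as certificate files.` above `certsSecret` and `# Deprecated: ConfigMaps are not intended for private key material; still mounted if present. Use certsSecret.` above `certsConfigMap`. Both names default to `snyk-monitor-certs`, so after migrating an operator can easily leave the old ConfigMap, possibly still holding `*.key` files, in place and still mounted; the comment should ask for it to be deleted. The README example `kubectl create secret tls` stores exactly one pair under the keys `tls.crt` and `tls.key`, which does not match the "put them in a folder" wording there; a `kubectl create secret generic ... --from-file=` form would cover a folder of certificates.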