Merge pull request #119 from 1Password/kubernetes-secrets-injector-chart

Add kubernetes-secrets-injector chart

charts/secrets-injector/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/secrets-injector/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: secrets-injector
+description: A Helm chart for deploying 1Password Sercrets Injector
+type: application
+home: https://1password.com/secrets/
+keywords:
+  - "1Password"
+  - "1Password Secrets Injector"
+  - "Secrets Injector"
+maintainers:
+  - name: 1Password Secrets Integrations Team
+    email: [email protected]
+icon: https://avatars.githubusercontent.com/u/38230737
+appVersion: "1.0.0"
+version: 1.0.0

charts/secrets-injector/README.md

@@ -0,0 +1,35 @@
+# 1Password Kubernetes Secrets Injector Helm chart
+
+## Installation
+Installing the Helm Chart with default configurations will deploy 1Password Kubernetes Secrets Injector in your default Namespace.
+```
+helm install --generate-name 1password/secrets-injector
+```
+
+## Configuration Values
+The 1Password Kubernetes Secrets Injector Helm chart offers many configuration options for deployment. Please refer to the list below for information on what configuration options are available as well as what the default configuration options are.
+
+[From the Official Helm Install Guide](https://helm.sh/docs/helm/helm_install/#helm-install):
+
+>To override values in a chart, use either the '--values' flag and pass in a file or use the '--set' flag and pass configuration from the command line, to force a string value use '--set-string'. In case a value is large and therefore you want not to use neither '--values' nor '--set', use '--set-file' to read the single large value from file.
+
+For example: 
+```bash
+$ helm install -f myvalues.yaml injector ./secrets-injector
+```
+
+or 
+
+```bash
+$ helm install --set injector.applicationName=injector injector ./secrets-injector
+```
+
+### Values
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| injector.applicationName | string | `"secrets-injector"` | The name of 1Password Kubernetes Secrets Injector Application |
+| injector.imagePullPolicy | string | `"IfNotPresent"` | The 1Password Secrets Injector docker image policy. `"IfNotPresent"` means the image is pulled only if it is not already present locally. |
+| injector.imageRepository | string | `"1password/kubernetes-secrets-injector"` | The 1Password Secrets Injector docker image repository |
+| injector.port | string | `443` | The port the Secrets Injector exposes |
+| injector.targetPort | integer | `8443` | The port the Secrets Injector API sends requests to the pod |
+| injector.version         | string | `{{.Chart.AppVersion}}` | The 1Password Secrets Injector version to pull. |

charts/secrets-injector/templates/deployment.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.injector.applicationName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Values.injector.applicationName }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "1"
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Values.injector.applicationName }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.injector.applicationName }}
+    spec:
+      serviceAccountName: {{ .Values.injector.applicationName }}
+      containers:
+        - name: {{ .Values.injector.applicationName }}
+          image: {{ .Values.injector.imageRepository }}:{{ tpl .Values.injector.version . }}
+          imagePullPolicy: {{ .Values.injector.imagePullPolicy }}
+          args:
+          - -service-name={{ .Values.injector.applicationName }}
+          - -alsologtostderr
+          - -v=4
+          - 2>&1
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          lifecycle:
+            preStop:
+              exec:
+                command: [ "/bin/sh", "-c", "/prestop.sh" ]

charts/secrets-injector/templates/permissions.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.injector.applicationName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Values.injector.applicationName }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.injector.applicationName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Values.injector.applicationName }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.injector.applicationName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.injector.applicationName }}
+    namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.injector.applicationName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Values.injector.applicationName }}
+rules:
+  - apiGroups: ["admissionregistration.k8s.io"]
+    resources: ["mutatingwebhookconfigurations"]
+    verbs: ["create", "get", "delete", "list", "patch", "update", "watch"]

charts/secrets-injector/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.injector.applicationName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Values.injector.applicationName }}
+  annotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "2"
+spec:
+  ports:
+    - port: {{ .Values.injector.port }}
+      targetPort: {{ .Values.injector.targetPort }}
+  selector:
+    app: {{ .Values.injector.applicationName }}

charts/secrets-injector/values.yaml

@@ -0,0 +1,7 @@
+injector:
+  applicationName: secrets-injector
+  imagePullPolicy: IfNotPresent
+  imageRepository: 1password/kubernetes-secrets-injector
+  port: 443
+  targetPort: 8443
+  version: "{{ .Chart.AppVersion }}"

ct.yaml

@@ -5,3 +5,4 @@ debug: true
 helm-extra-args: --timeout 120s
 charts:
   - charts/connect
+  - charts/secrets-injector