From 34e659e397d59821c99c33e6b6d99f9cfd514ac1 Mon Sep 17 00:00:00 2001
From: "y.bodrievskiy"
Date: Fri, 7 Nov 2025 18:11:19 +0300
Subject: [PATCH] add CRD templates for vaultstaticsecret and vault auth
---
 charts/statefull/Chart.yaml | 2 +-
 charts/statefull/templates/vaultauth.yaml | 24 ++++++++++++++
 .../templates/vaultstaticsecret.yaml | 30 +++++++++++++++++
 charts/statefull/values.yaml | 32 +++++++++++++++++++
 charts/stateless/Chart.yaml | 2 +-
 charts/stateless/templates/vaultauth.yaml | 24 ++++++++++++++
 .../templates/vaultstaticsecret.yaml | 30 +++++++++++++++++
 charts/stateless/values.yaml | 32 +++++++++++++++++++
 8 files changed, 174 insertions(+), 2 deletions(-)
 create mode 100644 charts/statefull/templates/vaultauth.yaml
 create mode 100644 charts/statefull/templates/vaultstaticsecret.yaml
 create mode 100644 charts/stateless/templates/vaultauth.yaml
 create mode 100644 charts/stateless/templates/vaultstaticsecret.yaml
diff --git a/charts/statefull/Chart.yaml b/charts/statefull/Chart.yaml
index fa9fb08..cbefa6a 100644
--- a/charts/statefull/Chart.yaml
+++ b/charts/statefull/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for statefull vality services
 name: statefull
-version: 1.0.26
\ No newline at end of file
+version: 1.0.27
\ No newline at end of file
diff --git a/charts/statefull/templates/vaultauth.yaml b/charts/statefull/templates/vaultauth.yaml
new file mode 100644
index 0000000..a8a5cca
--- /dev/null
+++ b/charts/statefull/templates/vaultauth.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.vaultSecret.enabled }}
+{{- $fullName := include "statefull.fullname" . -}}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ {{- with .Values.vaultSecret.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+{{ include "statefull.labels" . | indent 4 }}
+ name: {{ $fullName }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ vaultConnectionRef: {{ .Values.vaultSecret.vaultConnectionRef | default "default" }}
+ method: {{ .Values.vaultSecret.vaultAuthMethodType | default "kubernetes" }}
+ mount: {{ .Values.vaultSecret.vaultAuthMethodMount | default "kubernetes" }}
+ {{- if eq (.Values.vaultSecret.vaultAuthMethodType | default "kubernetes") "kubernetes" }}
+ kubernetes:
+ role: {{ .Values.vaultSecret.vaultAuthRole | default (include "statefull.serviceAccountName" .) }}
+ serviceAccount: {{ .Values.vaultSecret.serviceAccount | default (include "statefull.serviceAccountName" .) }}
+ tokenExpirationSeconds: {{ .Values.vaultSecret.tokenExpirationSeconds | default 600 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/statefull/templates/vaultstaticsecret.yaml b/charts/statefull/templates/vaultstaticsecret.yaml
new file mode 100644
index 0000000..0e8cfc3
--- /dev/null
+++ b/charts/statefull/templates/vaultstaticsecret.yaml
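Review bot: Setting `vaultAuthMethodType` to anything other than `kubernetes` renders a VaultAuth whose `method:` is set but that carries no method-specific block, because the `if eq` guard is the only thing that emits `kubernetes:`; as far as I can tell the operator will not accept such an object, and the values comment even advertises `token`, which I do not believe VaultAuth supports at all. Either fail early, `{{- else }}{{ fail "vaultSecret.vaultAuthMethodType: only kubernetes is implemented by this chart" }}` before the inner `{{- end }}`, or document that only kubernetes is supported. A second point: when `vaultSecret.vaultAuthRef` names an existing VaultAuth, this template still creates an unused `{{ $fullName }}` VaultAuth bound to the service account, so gating the file on `{{- if and .Values.vaultSecret.enabled (not .Values.vaultSecret.vaultAuthRef) }}` keeps the chart from creating a Vault login identity that nothing references. The stateless copy of this template has the same two issues.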
@@ -0,0 +1,30 @@
+{{- if .Values.vaultSecret.enabled }}
+{{- $fullName := include "statefull.fullname" . -}}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ {{- with .Values.vaultSecret.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+{{ include "statefull.labels" . | indent 4 }}
+ name: {{ $fullName }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ vaultAuthRef: {{ .Values.vaultSecret.vaultAuthRef | default $fullName }}
+ type: {{ .Values.vaultSecret.vaultSecretType | default "kv-v2" }}
+ mount: {{ required "Required value .Values.vaultSecret.vaultSecretMount" .Values.vaultSecret.vaultSecretMount }}
+ path: {{ required "Required value .Values.vaultSecret.vaultSecretPath" .Values.vaultSecret.vaultSecretPath }}
+ refreshAfter: {{ .Values.vaultSecret.refreshAfter | default "60s" }}
+ destination:
+ create: true
+ name: {{ $fullName }}-vault-static-secret
+ {{- if .Values.vaultSecret.transformation }}
+ transformation:
+ templates:
+ {{ .Values.vaultSecret.transformationTemplateName | default "secret.yaml" | quote }}:
+ text: |
+ {{- .Values.vaultSecret.transformation | nindent 12 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/statefull/values.yaml b/charts/statefull/values.yaml
index 26ae976..5e4854a 100644
--- a/charts/statefull/values.yaml
+++ b/charts/statefull/values.yaml
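Review bot: The `transformation` branch only adds templated keys; unless I misremember VSO's defaults, the destination Secret also keeps the complete Vault secret under a `_raw` key, so a template written to expose a subset of fields still hands every field to anything that can read `{{ $fullName }}-vault-static-secret`. Exposing `destination.transformation.excludeRaw` as a chart value, e.g. `excludeRaw: {{ .Values.vaultSecret.excludeRaw | default true }}` in a `transformation:` block rendered regardless of whether `templates:` is set, would let the chart default to the least-exposure shape. Separately, `type`, `mount`, `path` and `refreshAfter` are rendered as plain scalars, so a value such as `refreshAfter: 60` becomes an integer the CRD rejects; `refreshAfter: {{ .Values.vaultSecret.refreshAfter | default "60s" | quote }}` (and the same `| quote` on the other three) keeps them strings. The stateless copy of this template has the same issues.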
@@ -212,3 +212,35 @@ storage: {}
 # resources:
 # requests:
 # storage: 1Gi
+
+vaultSecret:
+ # Enables vault static secret for the service
+ enabled: false
+ # Annotations for VaultAuth and VaultStaticSecret resources
+ annotations: {}
+ # Reference to the vault connection CR
+ vaultConnectionRef: ""
+ # Type of the auth method (kubernetes, token, etc.)
+ vaultAuthMethodType: ""
+ # Mount point for the auth method
+ vaultAuthMethodMount: ""
+ # Role for the auth method (usually the service account name)
+ vaultAuthRole: ""
+ # Service account for kubernetes auth method
+ serviceAccount: ""
+ # Token expiration time in seconds for kubernetes auth method
+ tokenExpirationSeconds: ""
+ # Reference to the vault auth CR
+ vaultAuthRef: ""
+ # Mount point for secret in vault
+ vaultSecretMount: ""
+ # Type of the secret in vault (kv-v2, kv-v1, etc.)
+ vaultSecretType: ""
+ # Path to the vault secret
+ vaultSecretPath: ""
+ # Refresh interval for the secret (default is 60s)
+ refreshAfter: ""
+ # Name of the transformation template file
+ transformationTemplateName: ""
+ # Transformation for the secret (e.g. template https://developer.hashicorp.com/vault/docs/deploy/kubernetes/vso/secret-transformation#related-api-references)
+ transformation: ""
\ No newline at end of file
diff --git a/charts/stateless/Chart.yaml b/charts/stateless/Chart.yaml
index 47aa0a1..5e6a28c 100644
--- a/charts/stateless/Chart.yaml
+++ b/charts/stateless/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for stateless vality services
 name: stateless
-version: 1.0.39
+version: 1.0.40
diff --git a/charts/stateless/templates/vaultauth.yaml b/charts/stateless/templates/vaultauth.yaml
new file mode 100644
index 0000000..3453d74
--- /dev/null
+++ b/charts/stateless/templates/vaultauth.yaml
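Review bot: The comment `# Type of the auth method (kubernetes, token, etc.)` above `vaultAuthMethodType` promises more than the templates in this commit deliver, since vaultauth.yaml only renders a method block for `kubernetes`; I would reword it to `# Type of the VaultAuth method; only "kubernetes" renders a method config block in this chart`. The `tokenExpirationSeconds` comment could also state the fallback the template applies, e.g. `# Token TTL in seconds for the kubernetes auth method (template default: 600)`, so operators do not have to read the template to learn it. The stateless values.yaml hunk carries the same comments.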
@@ -0,0 +1,24 @@
+{{- if .Values.vaultSecret.enabled }}
+{{- $fullName := include "stateless.fullname" . -}}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ {{- with .Values.vaultSecret.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+{{ include "stateless.labels" . | indent 4 }}
+ name: {{ $fullName }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ vaultConnectionRef: {{ .Values.vaultSecret.vaultConnectionRef | default "default" }}
+ method: {{ .Values.vaultSecret.vaultAuthMethodType | default "kubernetes" }}
+ mount: {{ .Values.vaultSecret.vaultAuthMethodMount | default "kubernetes" }}
+ {{- if eq (.Values.vaultSecret.vaultAuthMethodType | default "kubernetes") "kubernetes" }}
+ kubernetes:
+ role: {{ .Values.vaultSecret.vaultAuthRole | default (include "stateless.serviceAccountName" .) }}
+ serviceAccount: {{ .Values.vaultSecret.serviceAccount | default (include "stateless.serviceAccountName" .) }}
+ tokenExpirationSeconds: {{ .Values.vaultSecret.tokenExpirationSeconds | default 600 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/stateless/templates/vaultstaticsecret.yaml b/charts/stateless/templates/vaultstaticsecret.yaml
new file mode 100644
index 0000000..21141b3
--- /dev/null
+++ b/charts/stateless/templates/vaultstaticsecret.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.vaultSecret.enabled }}
+{{- $fullName := include "stateless.fullname" . -}}
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ {{- with .Values.vaultSecret.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+{{ include "stateless.labels" . | indent 4 }}
+ name: {{ $fullName }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ vaultAuthRef: {{ .Values.vaultSecret.vaultAuthRef | default $fullName }}
+ type: {{ .Values.vaultSecret.vaultSecretType | default "kv-v2" }}
+ mount: {{ required "Required value .Values.vaultSecret.vaultSecretMount" .Values.vaultSecret.vaultSecretMount }}
+ path: {{ required "Required value .Values.vaultSecret.vaultSecretPath" .Values.vaultSecret.vaultSecretPath }}
+ refreshAfter: {{ .Values.vaultSecret.refreshAfter | default "60s" }}
+ destination:
+ create: true
+ name: {{ $fullName }}-vault-static-secret
+ {{- if .Values.vaultSecret.transformation }}
+ transformation:
+ templates:
+ {{ .Values.vaultSecret.transformationTemplateName | default "secret.yaml" | quote }}:
+ text: |
+ {{- .Values.vaultSecret.transformation | nindent 12 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/stateless/values.yaml b/charts/stateless/values.yaml
index 087af03..145db25 100644
--- a/charts/stateless/values.yaml
+++ b/charts/stateless/values.yaml
@@ -227,3 +227,35 @@ cronjob:
 tag: latest
 pullPolicy: IfNotPresent
 args: []
+
+vaultSecret:
+ # Enables vault static secret for the service
+ enabled: false
+ # Annotations for VaultAuth and VaultStaticSecret resources
+ annotations: {}
+ # Reference to the vault connection CR
+ vaultConnectionRef: ""
+ # Type of the auth method (kubernetes, token, etc.)
+ vaultAuthMethodType: ""
+ # Mount point for the auth method
+ vaultAuthMethodMount: ""
+ # Role for the auth method (usually the service account name)
+ vaultAuthRole: ""
+ # Service account for kubernetes auth method
+ serviceAccount: ""
+ # Token expiration time in seconds for kubernetes auth method
+ tokenExpirationSeconds: ""
+ # Reference to the vault auth CR
+ vaultAuthRef: ""
+ # Mount point for secret in vault
+ vaultSecretMount: ""
+ # Type of the secret in vault (kv-v2, kv-v1, etc.)
+ vaultSecretType: ""
+ # Path to the vault secret
+ vaultSecretPath: ""
+ # Refresh interval for the secret (default is 60s)
+ refreshAfter: ""
+ # Name of the transformation template file
+ transformationTemplateName: ""
+ # Transformation for the secret (e.g. template https://developer.hashicorp.com/vault/docs/deploy/kubernetes/vso/secret-transformation#related-api-references)
+ transformation: ""
\ No newline at end of file