Merge pull request #10 from Blockdaemon/MHS-4208

feat(MHS-4208): add CSISecretStore examples and templating
Blockdaemon · Nov 7, 2024 · 4d01ee1 · 4d01ee1
2 parents a23c7e4 + 9b4a820
commit 4d01ee1
Show file tree

Hide file tree

Showing 25 changed files with 546 additions and 302 deletions.
diff --git a/.github/helm-docs.sh b/.github/helm-docs.sh
@@ -5,7 +5,7 @@ export PATH="./.bin:$PATH"
 
 set -euxo pipefail
 
-HELM_DOCS_VERSION=1.12.0
+HELM_DOCS_VERSION=1.14.2
 
 # install helm-docs
 curl --silent --show-error --fail --location --output /tmp/helm-docs.tar.gz https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -54,7 +54,6 @@ jobs:
       matrix:
         k8s:
           # from https://github.com/yannh/kubernetes-json-schema
-          - v1.26.12
           - v1.27.9
           - v1.28.5
           - v1.29.0
@@ -81,7 +80,6 @@ jobs:
       matrix:
         k8s:
           # from https://hub.docker.com/r/kindest/node/tags
-          - v1.26.13
           - v1.27.10
           - v1.28.6
           - v1.29.1

diff --git a/charts/tsm-audit-server/Chart.yaml b/charts/tsm-audit-server/Chart.yaml
@@ -5,7 +5,7 @@ maintainers:
   - name: Blockdaemon
     email: [email protected]
 type: application
-version: 0.1.0
+version: 0.1.1
 appVersion: "v1.1.0"
 dependencies:
   - name: mongodb

diff --git a/charts/tsm-audit-server/README.md b/charts/tsm-audit-server/README.md
@@ -1,6 +1,6 @@
 # tsm-audit-server
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.1.0](https://img.shields.io/badge/AppVersion-v1.1.0-informational?style=flat-square)
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.1.0](https://img.shields.io/badge/AppVersion-v1.1.0-informational?style=flat-square)
 
 A Helm chart to deploy a Blockdaemon TSM audit server to kubernetes
 
@@ -60,4 +60,4 @@ A Helm chart to deploy a Blockdaemon TSM audit server to kubernetes
 | volumes | list | `[]` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
diff --git a/charts/tsm-node/Chart.yaml b/charts/tsm-node/Chart.yaml
@@ -5,5 +5,5 @@ maintainers:
   - name: Blockdaemon
     email: [email protected]
 type: application
-version: 0.1.5
-appVersion: "61.0.2"
+version: 0.1.6
+appVersion: "62.2.4"
diff --git a/charts/tsm-node/README.md b/charts/tsm-node/README.md
@@ -1,6 +1,6 @@
 # tsm-node
 
-![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 61.0.2](https://img.shields.io/badge/AppVersion-61.0.2-informational?style=flat-square)
+![Version: 0.1.6](https://img.shields.io/badge/Version-0.1.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 62.2.4](https://img.shields.io/badge/AppVersion-62.2.4-informational?style=flat-square)
 
 A Helm chart to deploy a Blockdaemon TSM node to kubernetes
 
@@ -15,8 +15,6 @@ A Helm chart to deploy a Blockdaemon TSM node to kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
-| config.configFile | string | `""` | the TSM configuration file that will be mounted into the TSM node.  MUTUALLY EXCLUSIVE with configSecretName |
-| config.configSecretName | string | `""` | The name of the secret containing the TSM configuration file. MUTUALLY EXCLUSIVE with configFile |
 | env | object | `{}` | Environment variables to be passed to the TSM node deployment |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
@@ -33,6 +31,9 @@ A Helm chart to deploy a Blockdaemon TSM node to kubernetes
 | ingress.tls | list | `[]` |  |
 | mpcService | object | `{}` | Optional. Only used for flexibility to expose the mpc port outside of the cluster. |
 | nameOverride | string | `""` |  |
+| nodeConfig.configCSISecretStore | object | `{}` | The name of the CSI Secret-Store secret containing the TSM configuration file. Secret is to be deployed separately from the chart. MUTUALLY EXCLUSIVE with configFile and configSecretName |
+| nodeConfig.configFile | string | `""` | The TSM configuration that will be mounted into the TSM node via a ConfigMap. Not recommended for production use. MUTUALLY EXCLUSIVE with configSecretName and configCSISecretStore |
+| nodeConfig.configSecretName | string | `""` | The name of the kubernetes generic secret containing the TSM configuration file. Secret is to be deployed separately from the chart. MUTUALLY EXCLUSIVE with configFile and configCSISecretStore |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
@@ -50,4 +51,4 @@ A Helm chart to deploy a Blockdaemon TSM node to kubernetes
 | volumes | list | `[]` | Additional volumes on the output Deployment definition. |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
diff --git a/charts/tsm-node/ci/configFile-values.yaml b/charts/tsm-node/ci/configFile-values.yaml
@@ -1,7 +1,7 @@
 replicaCount: 1
 index: 0
 
-config:
+nodeConfig:
   configFile: |
     [Player]
       Index = 0
@@ -17,7 +17,7 @@ config:
 image:
   repository: <the name of the repository where tsm-node is stored>
   pullPolicy: IfNotPresent
-  tag: "61.0.2"
+  tag: "62.2.4"
 sdkService:
   type: NodePort
   ports:

diff --git a/charts/tsm-node/ci/envvars-values.yaml b/charts/tsm-node/ci/envvars-values.yaml
@@ -9,7 +9,7 @@ env:
   - name: tsm
     value: node
 
-config:
+nodeConfig:
   configFile: |
     [Player]
       Index = 0
@@ -25,7 +25,7 @@ config:
 image:
   repository: <the name of the repository where tsm-node is stored>
   pullPolicy: IfNotPresent
-  tag: "61.0.2"
+  tag: "62.2.4"
 sdkService:
   type: NodePort
   ports:

diff --git a/charts/tsm-node/ci/ingress-multi.yaml b/charts/tsm-node/ci/ingress-multi.yaml
@@ -1,7 +1,7 @@
 replicaCount: 1
 index: 0
 
-config:
+nodeConfig:
   configFile: |
     [Player]
       Index = 0
@@ -17,7 +17,7 @@ config:
 image:
   repository: <the name of the repository where tsm-node is stored>
   pullPolicy: IfNotPresent
-  tag: "61.0.2"
+  tag: "62.2.4"
 sdkService:
   ports:
     - port: 8080

diff --git a/charts/tsm-node/ci/ingress.yaml b/charts/tsm-node/ci/ingress.yaml
@@ -1,7 +1,7 @@
 replicaCount: 1
 index: 0
 
-config:
+nodeConfig:
   configFile: |
     [Player]
       Index = 0
@@ -17,7 +17,7 @@ config:
 image:
   repository: <the name of the repository where tsm-node is stored>
   pullPolicy: IfNotPresent
-  tag: "61.0.2"
+  tag: "62.2.4"
 sdkService:
   type: NodePort
   ports:

diff --git a/charts/tsm-node/ci/securityContext-values.yaml b/charts/tsm-node/ci/securityContext-values.yaml
@@ -1,7 +1,7 @@
 replicaCount: 1
 index: 0
 
-config:
+nodeConfig:
   configFile: |
     [Player]
       Index = 0
@@ -16,7 +16,7 @@ config:
 image:
   repository: <the name of the repository where tsm-node is stored>
   pullPolicy: IfNotPresent
-  tag: "61.0.2"
+  tag: "62.2.4"
 sdkService:
   type: NodePort
   ports:

diff --git a/charts/tsm-node/ci/skip_configCSISecretStore-values.skip b/charts/tsm-node/ci/skip_configCSISecretStore-values.skip
@@ -0,0 +1,30 @@
+replicaCount: 1
+index: 0
+
+nodeConfig:
+  configCSISecretStore:
+    csi:
+      driver: secrets-store.csi.k8s.io
+      readOnly: true
+      volumeAttributes:
+        secretProviderClass: "tsm0-tsm-node"
+
+image:
+  repository: <the name of the repository where tsm-node is stored>
+  pullPolicy: IfNotPresent
+  tag: "62.2.4"
+sdkService:
+  type: NodePort
+  ports:
+    - port: 8080
+      name: sdk
+      targetPort: 8080
+    - port: 9000
+      name: mpc
+      targetPort: 9000
+
+mpcService:
+  enabled: false
+
+ingress:
+  enabled: false
diff --git a/charts/tsm-node/ci/skip_configSecretName-values.skip b/charts/tsm-node/ci/skip_configSecretName-values.skip
@@ -0,0 +1,24 @@
+replicaCount: 1
+index: 0
+
+nodeConfig:
+  configSecretName: "tsm0-tsm-node"
+image:
+  repository: <the name of the repository where tsm-node is stored>
+  pullPolicy: IfNotPresent
+  tag: "62.2.4"
+sdkService:
+  type: NodePort
+  ports:
+    - port: 8080
+      name: sdk
+      targetPort: 8080
+    - port: 9000
+      name: mpc
+      targetPort: 9000
+
+mpcService:
+  enabled: false
+
+ingress:
+  enabled: false
diff --git a/charts/tsm-node/templates/configmap.yaml b/charts/tsm-node/templates/configmap.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.nodeConfig.configFile }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -6,4 +7,5 @@ metadata:
     {{- include "tsm-node.labels" . | nindent 4 }}
 data:
   config.toml: |
-    {{- .Values.config.configFile | nindent 4 }}
+    {{- .Values.nodeConfig.configFile | nindent 4 }}
+{{- end }}
diff --git a/charts/tsm-node/templates/deployment.yaml b/charts/tsm-node/templates/deployment.yaml
@@ -13,10 +13,20 @@ spec:
       {{- include "tsm-node.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      {{- if and (.Values.podAnnotations) (.Values.nodeConfig.configFile) }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- with .Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+          {{- end }}
+      {{- else if .Values.podAnnotations }}
+      annotations:
+        {{- with .Values.podAnnotations }}
+          {{- toYaml . | nindent 8 }}
+          {{- end }}
+      {{- else if .Values.nodeConfig.configFile }}
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
-      {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
         {{- include "tsm-node.labels" . | nindent 8 }}
@@ -70,24 +80,25 @@ spec:
               port: sdk
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-
           volumeMounts:
           - name: config-volume
             mountPath: /config
           {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
-
       volumes:
       - name: config-volume
-        {{- if and .Values.config.configFile .Values.config.configSecretName }}
-        {{- fail "config.configFile and config.configSecretName are mutually exclusive" }}
-        {{- else if .Values.config.configFile }}
+        {{- if or (and .Values.nodeConfig.configFile .Values.nodeConfig.configSecretName) (and .Values.nodeConfig.configFile .Values.nodeConfig.configCSISecretStore) (and .Values.nodeConfig.configSecretName .Values.nodeConfig.configCSISecretStore) (and .Values.nodeConfig.configFile .Values.nodeConfig.configSecretName .Values.cconfig.onfigCSISecretStore) }}
+        {{- fail "config.configFile and config.configSecretName and config.configCSISecretStore are mutually exclusive" }}
+        {{- else if .Values.nodeConfig.configFile }}
         configMap:
           name: {{ template "tsm-node.fullname" . }}
-        {{- else if .Values.config.configSecretName }}
+        {{- else if .Values.nodeConfig.configSecretName }}
         secret:
-          secretName: {{ .Values.config.configSecretName }}
+          secretName: {{ .Values.nodeConfig.configSecretName }}
+        {{- else if .Values.nodeConfig.configCSISecretStore.csi }}
+        csi:
+          {{- toYaml .Values.nodeConfig.configCSISecretStore.csi | nindent 10 }}
         {{- end }}
       {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}

diff --git a/charts/tsm-node/values.yaml b/charts/tsm-node/values.yaml
@@ -8,11 +8,20 @@ index: 0
 # -- Environment variables to be passed to the TSM node deployment
 env: {}
 
-config:
-  # -- the TSM configuration file that will be mounted into the TSM node.  MUTUALLY EXCLUSIVE with configSecretName
+nodeConfig:
+  # -- The name of the kubernetes generic secret containing the TSM configuration file. Secret is to be deployed separately from the chart. MUTUALLY EXCLUSIVE with configFile and configCSISecretStore
+  configSecretName: ""    # Set a unique value relevant TSM node index
+
+  # -- The name of the CSI Secret-Store secret containing the TSM configuration file. Secret is to be deployed separately from the chart. MUTUALLY EXCLUSIVE with configFile and configSecretName
+  configCSISecretStore: {}
+  # csi:
+  #   driver: secrets-store.csi.k8s.io
+  #   readOnly: true
+  #   volumeAttributes:
+  #     secretProviderClass: "tsm0-tsm-node"      # Set a unique value relevant TSM node index
+
+  # -- The TSM configuration that will be mounted into the TSM node via a ConfigMap. Not recommended for production use. MUTUALLY EXCLUSIVE with configSecretName and configCSISecretStore
   configFile: ""
-  # -- The name of the secret containing the TSM configuration file. MUTUALLY EXCLUSIVE with configFile
-  configSecretName: ""
 
 image:
   # -- Image to use for deploying the TSM node