add option for both secret and config map and template imagePullPolicy

kubecost · Dec 10, 2024 · 04b80aa · 04b80aa
1 parent 331fdfd
commit 04b80aa
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/cost-analyzer/templates/NOTES.txt b/cost-analyzer/templates/NOTES.txt
@@ -10,6 +10,7 @@
 {{- include "prometheusRetentionCheck" . -}}
 {{- include "clusterIDCheck" . -}}
 {{- include "kubeRBACProxyBearerTokenCheck" . -}}
+{{- include "caCertsSecretConfigCheck" . -}}
 
 {{- $servicePort := .Values.service.port | default 9090 }}
 Kubecost {{ .Chart.Version }} has been successfully installed.

diff --git a/cost-analyzer/templates/_helpers.tpl b/cost-analyzer/templates/_helpers.tpl
@@ -1447,6 +1447,16 @@ for more information
 {{- end }}
 {{- end }}
 
+{{- define "caCertsSecretConfigCheck" }}
+  {{- if .Values.kubecostModel.updateCaTrust.enabled }}
+    {{- if and .Values.kubecostModel.updateCaTrust.caCertsSecret .Values.kubecostModel.updateCaTrust.caCertsConfig }}
+      {{- fail "Both caCertsSecret and caCertsConfig are defined. Please specify only one." }}
+    {{- else if and (not .Values.kubecostModel.updateCaTrust.caCertsSecret) (not .Values.kubecostModel.updateCaTrust.caCertsConfig) }}
+      {{- fail "Neither caCertsSecret nor caCertsConfig is defined, but updateCaTrust is enabled. Please specify one." }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
 {{- define "clusterControllerEnabled" }}
 {{- if (.Values.clusterController).enabled }}
 {{- printf "true" -}}

diff --git a/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/cost-analyzer/templates/cost-analyzer-deployment-template.yaml
@@ -128,9 +128,14 @@ spec:
         {{- end }}
         {{- if .Values.kubecostModel.updateCaTrust.enabled }}
         - name: ca-certs-secret
+          {{- if .Values.kubecostModel.updateCaTrust.caCertsSecret }}
           secret:
             defaultMode: 420
             secretName: {{ .Values.kubecostModel.updateCaTrust.caCertsSecret }}
+          {{- else }}
+          configMap:
+            name: {{ .Values.kubecostModel.updateCaTrust.caCertsConfig }}
+          {{- end }}
         - name: ssl-path
           emptyDir: {}
         {{- end }}
@@ -356,7 +361,11 @@ spec:
         {{- if .Values.kubecostModel.updateCaTrust.enabled }}
         - name: update-ca-trust
           image: {{ include "cost-model.image" . | trim | quote}}
-          imagePullPolicy: IfNotPresent
+          {{- if .Values.kubecostModel.imagePullPolicy }}
+          imagePullPolicy: {{ .Values.kubecostModel.imagePullPolicy }}
+          {{- else }}
+          imagePullPolicy: Always
+          {{- end }}
           {{- with .Values.kubecostModel.updateCaTrust.securityContext }}
           securityContext: {{- toYaml . | nindent 12 }}
           {{- end }}

diff --git a/cost-analyzer/values.yaml b/cost-analyzer/values.yaml
@@ -589,6 +589,7 @@ kubecostModel:
       seccompProfile:
         type: RuntimeDefault
     caCertsSecret: ca-certs-secret  # The name of the Secret containing custom CA certificates to mount to the cost-model container.
+    # caCertsConfig: ca-certs-config  # The name of the ConfigMap containing the CA trust configuration.
     resources: {}  # Resource requests and limits for the init container.
     caCertsMountPath: /etc/pki/ca-trust/source/anchors  # The path where the custom CA certificates will be mounted in the init container