Add: support common labels for all resources

Usefull when we have a policies manager as Kyverno.

Signed-off-by: Thibault <mary.thibault2@gmail.com>

manifest_staging/charts/secrets-store-csi-driver/README.md

@@ -29,6 +29,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | Parameter                               | Description                                                                                                                                                                    | Default                                                 |
 | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------- |
 | `nameOverride`                          | String to partially override secrets-store-csi-driver.fullname template with a string (will prepend the release name)                                                          | `""`                                                    |
+| `commonLabels`                          | Labels to apply to all resources                                                                                                                                               | `""`                                                    |
 | `fullnameOverride`                      | String to fully override secrets-store-csi-driver.fullname template with a string                                                                                              | `""`                                                    |
 | `linux.image.repository`                | Linux image repository                                                                                                                                                         | `k8s.gcr.io/csi-secrets-store/driver`                   |
 | `linux.image.pullPolicy`                | Linux image pull policy                                                                                                                                                        | `IfNotPresent`                                          |

manifest_staging/charts/secrets-store-csi-driver/templates/_helpers.tpl

@@ -28,13 +28,15 @@ If release name contains chart name it will be used as a full name.
 Standard labels for helm resources
 */}}
 {{- define "sscd.labels" -}}
-labels:
-  app.kubernetes.io/instance: "{{ .Release.Name }}"
-  app.kubernetes.io/managed-by: "{{ .Release.Service }}"
-  app.kubernetes.io/name: "{{ template "sscd.name" . }}"
-  app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
-  app: {{ template "sscd.name" . }}
-  helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+app.kubernetes.io/instance: "{{ .Release.Name }}"
+app.kubernetes.io/managed-by: "{{ .Release.Service }}"
+app.kubernetes.io/name: "{{ template "sscd.name" . }}"
+app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
+app: {{ template "sscd.name" . }}
+helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+{{- if .Values.commonLabels}}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
 {{- end -}}
 
 {{- define "sscd-psp.fullname" -}}

manifest_staging/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml

@@ -2,7 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "sscd.fullname" . }}-upgrade-crds
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -23,7 +24,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "sscd.fullname" . }}-upgrade-crds
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -42,6 +44,8 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: allow-upgrade-crds
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -64,7 +68,8 @@ kind: ServiceAccount
 metadata:
   name: {{ template "sscd.fullname" . }}-upgrade-crds
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -75,7 +80,8 @@ kind: Job
 metadata:
   name: secrets-store-csi-driver-upgrade-crds
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-weight: "10"

manifest_staging/charts/secrets-store-csi-driver/templates/csidriver.yaml

@@ -2,6 +2,8 @@ apiVersion: {{ template "csidriver.apiVersion" . }}
 kind: CSIDriver
 metadata:
   name: secrets-store.csi.k8s.io
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 spec:
   podInfoOnMount: true
   attachRequired: false

manifest_staging/charts/secrets-store-csi-driver/templates/keep-crds-upgrade-hook.yaml

@@ -2,7 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "sscd.fullname" . }}-keep-crds
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -23,7 +24,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "sscd.fullname" . }}-keep-crds
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -42,6 +44,8 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: allow-keep-crds
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -64,7 +68,8 @@ kind: ServiceAccount
 metadata:
   name: {{ template "sscd.fullname" . }}-keep-crds
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -75,7 +80,8 @@ kind: Job
 metadata:
   name: secrets-store-csi-driver-keep-crds
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-weight: "20"

manifest_staging/charts/secrets-store-csi-driver/templates/podsecuritypolicy.yaml

@@ -3,7 +3,8 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "sscd-psp.fullname" . }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 spec:
   seLinux:
     rule: RunAsAny

manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation.yaml

@@ -5,6 +5,8 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretproviderrotation-role
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""

manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml

@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretproviderrotation-rolebinding
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifest_staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml

@@ -6,6 +6,7 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   labels:
+{{ include "sscd.labels" . | indent 4 }}
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: secretproviderclasses-admin-role

manifest_staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml

@@ -6,6 +6,7 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   labels:
+{{ include "sscd.labels" . | indent 4 }}
     rbac.authorization.k8s.io/aggregate-to-view: "true"
   name: secretproviderclasses-viewer-role
 rules:

manifest_staging/charts/secrets-store-csi-driver/templates/role-syncsecret.yaml

@@ -5,6 +5,8 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretprovidersyncing-role
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""

manifest_staging/charts/secrets-store-csi-driver/templates/role-syncsecret_binding.yaml

@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretprovidersyncing-rolebinding
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml

@@ -5,6 +5,8 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretprovidertokenrequest-role
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""

manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml

@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretprovidertokenrequest-rolebinding
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifest_staging/charts/secrets-store-csi-driver/templates/role.yaml

@@ -5,6 +5,8 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretproviderclasses-role
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""

manifest_staging/charts/secrets-store-csi-driver/templates/role_binding.yaml

@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretproviderclasses-rolebinding
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml

@@ -4,7 +4,8 @@ apiVersion: apps/v1
 metadata:
   name: {{ template "sscd.fullname" . }}-windows
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 {{- if .Values.windows.daemonsetAnnotations }}
   annotations:
 {{ toYaml .Values.windows.daemonsetAnnotations | indent 4 }}
@@ -17,14 +18,15 @@ spec:
 {{ toYaml .Values.windows.updateStrategy | indent 4 }}
   template:
     metadata:
+      labels:
+{{ include "sscd.labels" . | indent 8 }}
+{{- if .Values.windows.podLabels }}
+{{- toYaml .Values.windows.podLabels | nindent 8 }}
+{{- end }}
       annotations:
         kubectl.kubernetes.io/default-container: secrets-store
 {{- if .Values.windows.podAnnotations }}
 {{ toYaml .Values.windows.podAnnotations | indent 8 }}
-{{- end }}
-{{ include "sscd.labels" . | indent 6 }}
-{{- if .Values.windows.podLabels }}
-{{- toYaml .Values.windows.podLabels | nindent 8 }}
 {{- end }}
     spec:
       serviceAccountName: secrets-store-csi-driver

manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml

@@ -4,7 +4,8 @@ apiVersion: apps/v1
 metadata:
   name: {{ template "sscd.fullname" . }}
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 {{- if .Values.linux.daemonsetAnnotations }}
   annotations:
 {{ toYaml .Values.linux.daemonsetAnnotations | indent 4 }}
@@ -18,13 +19,14 @@ spec:
   template:
     metadata:
       annotations:
+      labels:
+{{ include "sscd.labels" . | indent 8 }}
+{{- if .Values.linux.podLabels }}
+{{- toYaml .Values.linux.podLabels | nindent 8 }}
+{{- end }}
         kubectl.kubernetes.io/default-container: secrets-store
 {{- if .Values.linux.podAnnotations }}
 {{ toYaml .Values.linux.podAnnotations | indent 8 }}
-{{- end }}
-{{ include "sscd.labels" . | indent 6 }}
-{{- if .Values.linux.podLabels }}
-{{- toYaml .Values.linux.podLabels | nindent 8 }}
 {{- end }}
     spec:
       serviceAccountName: secrets-store-csi-driver

manifest_staging/charts/secrets-store-csi-driver/templates/serviceaccount.yaml

@@ -4,5 +4,6 @@ kind: ServiceAccount
 metadata:
   name: secrets-store-csi-driver
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 {{ end }}

manifest_staging/charts/secrets-store-csi-driver/values.yaml

@@ -217,3 +217,7 @@ imagePullSecrets: []
 tokenRequests: []
 # - audience: aud1
 # - audience: aud2
+
+# -- Labels to apply to all resources
+commonLabels: {}
+# team_name: dev