Release 0.5.2 (#120)

* Fix #116 - workload.annotations and fix to serviceAccountName for hashicorp vault * #117 - Change fullimagename to fullname for cluster service * #117, #116 - Fixing bug with use of clusterIdentifier and image names * Prepping for release 0.5.2 * #116 - Support annotations at workload * #116 - Need to check to see if annotations are defined * Release 0.5.2 - final checkin
pingidentity · Apr 13, 2021 · 9e0b9a0 · 9e0b9a0
1 parent 2b88260
commit 9e0b9a0
Show file tree

Hide file tree

Showing 20 changed files with 306 additions and 106 deletions.
diff --git a/charts/ping-devops/Chart.yaml b/charts/ping-devops/Chart.yaml
@@ -4,9 +4,9 @@
 apiVersion: v2
 name: ping-devops
 ########################################################################
-# 0.5.1 - Refer to http://helm.pingidentity.com/release-notes/#release-051
+# 0.5.2 - Refer to http://helm.pingidentity.com/release-notes/#release-052
 ########################################################################
-version: 0.5.1
+version: 0.5.2
 description: All Ping Identity product images with integration
 type: application
 home: https://devops.pingidentity.com/

diff --git a/...templates/pingdataconsole/deployment.yaml → ...s/templates/pingdataconsole/workload.yaml b/...templates/pingdataconsole/deployment.yaml → ...s/templates/pingdataconsole/workload.yaml
diff --git a/charts/ping-devops/templates/pingdatagovernance/service-cluster.yaml b/charts/ping-devops/templates/pingdatagovernance/service-cluster.yaml
@@ -2,4 +2,11 @@
 
 
 {{- define "pingdatagovernance.service-cluster" -}}
+metadata:
+  annotations:
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+  publishNotReadyAddresses: true
+  selector:
+    clusterIdentifier: {{ include "pinglib.addreleasename" (append . "pingdatagovernance") }}
 {{- end -}}
diff --git a/charts/ping-devops/templates/pingdatagovernance/workload.yaml b/charts/ping-devops/templates/pingdatagovernance/workload.yaml
@@ -3,4 +3,9 @@
 
 
 {{- define "pingdatagovernance.workload" -}}
+spec:
+  template:
+    metadata:
+      labels:
+        clusterIdentifier: {{ include "pinglib.addreleasename" (append . "pingdatagovernance") }}
 {{- end -}}
diff --git a/charts/ping-devops/templates/pingdatasync/service-cluster.yaml b/charts/ping-devops/templates/pingdatasync/service-cluster.yaml
@@ -2,4 +2,11 @@
 
 
 {{- define "pingdatasync.service-cluster" -}}
+metadata:
+  annotations:
+    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
+spec:
+  publishNotReadyAddresses: true
+  selector:
+    clusterIdentifier: {{ include "pinglib.addreleasename" (append . "pingdatasync") }}
 {{- end -}}
diff --git a/charts/ping-devops/templates/pingdatasync/workload.yaml b/charts/ping-devops/templates/pingdatasync/workload.yaml
@@ -3,4 +3,9 @@
 
 
 {{- define "pingdatasync.workload" -}}
+spec:
+  template:
+    metadata:
+      labels:
+        clusterIdentifier: {{ include "pinglib.addreleasename" (append . "pingdatasync") }}
 {{- end -}}
diff --git a/charts/ping-devops/templates/pingdirectory/service-cluster.yaml b/charts/ping-devops/templates/pingdirectory/service-cluster.yaml
@@ -9,4 +9,6 @@ metadata:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
   publishNotReadyAddresses: true
+  selector:
+    clusterIdentifier: {{ include "pinglib.addreleasename" (append . "pingdirectory") }}
 {{- end -}}
diff --git a/charts/ping-devops/templates/pingdirectory/workload.yaml b/charts/ping-devops/templates/pingdirectory/workload.yaml
@@ -7,5 +7,6 @@ spec:
   template:
     metadata:
       labels:
-        clusterIdentifier: {{ include "pinglib.fullimagename" . }}
+        foo: bar
+        clusterIdentifier: {{ include "pinglib.addreleasename" (append . "pingdirectory") }}
 {{- end -}}
diff --git a/charts/ping-devops/templates/pingfederate-admin/configmap.yaml b/charts/ping-devops/templates/pingfederate-admin/configmap.yaml
@@ -8,6 +8,6 @@ data:
   OPERATIONAL_MODE: CLUSTERED_CONSOLE
   CLUSTER_BIND_ADDRESS: "NON_LOOPBACK"
   CLUSTER_NAME: {{ $top.Release.Name | quote }}
-  DNS_QUERY_LOCATION: "{{ include "pinglib.fullimagename" . }}-cluster.{{ $top.Release.Namespace }}.svc.cluster.local"
+  DNS_QUERY_LOCATION: "{{ include "pinglib.fullname" . }}-cluster.{{ $top.Release.Namespace }}.svc.cluster.local"
   DNS_RECORD_TYPE: "A"
 {{- end -}}
diff --git a/charts/ping-devops/templates/pingfederate-admin/service-cluster.yaml b/charts/ping-devops/templates/pingfederate-admin/service-cluster.yaml
@@ -7,4 +7,6 @@ metadata:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
   publishNotReadyAddresses: true
+  selector:
+    clusterIdentifier: {{ include "pinglib.addreleasename" (append . "pingfederate") }}
 {{- end }}
diff --git a/charts/ping-devops/templates/pingfederate-admin/workload.yaml b/charts/ping-devops/templates/pingfederate-admin/workload.yaml
@@ -7,5 +7,5 @@ spec:
   template:
     metadata:
       labels:
-        clusterIdentifier: {{ include "pinglib.fullimagename" . }}
+        clusterIdentifier: {{ include "pinglib.addreleasename" (append . "pingfederate") }}
 {{- end -}}
diff --git a/charts/ping-devops/templates/pingfederate-engine/configmap.yaml b/charts/ping-devops/templates/pingfederate-engine/configmap.yaml
@@ -8,6 +8,6 @@ data:
   OPERATIONAL_MODE: CLUSTERED_ENGINE
   CLUSTER_BIND_ADDRESS: "NON_LOOPBACK"
   CLUSTER_NAME: {{ $top.Release.Name | quote }}
-  DNS_QUERY_LOCATION: "{{ include "pinglib.fullimagename" . }}-cluster.{{ $top.Release.Namespace }}.svc.cluster.local"
+  DNS_QUERY_LOCATION: "{{ include "pinglib.fullname" . }}-cluster.{{ $top.Release.Namespace }}.svc.cluster.local"
   DNS_RECORD_TYPE: "A"
 {{- end -}}
diff --git a/charts/ping-devops/templates/pingfederate-engine/workload.yaml b/charts/ping-devops/templates/pingfederate-engine/workload.yaml
@@ -6,7 +6,7 @@ spec:
   template:
     metadata:
       labels:
-        clusterIdentifier: {{ include "pinglib.fullimagename" . }}
+        clusterIdentifier: {{ include "pinglib.addreleasename" (append . "pingfederate") }}
 {{- end -}}
 
 
diff --git a/charts/ping-devops/templates/pinglib/_service-cluster.tpl b/charts/ping-devops/templates/pinglib/_service-cluster.tpl
@@ -10,7 +10,7 @@ metadata:
   annotations:
     external-dns.alpha.kubernetes.io/hostname: {{ $v.services.clusterExternalDNSHostname }}
 {{- end }}
-  name: {{ include "pinglib.fullimagename" . }}-cluster
+  name: {{ include "pinglib.fullname" . }}-cluster
 spec:
   type: ClusterIP
   clusterIP: None
@@ -25,8 +25,6 @@ spec:
   {{- end }}
   {{- end }}
   {{- end }}
-  selector:
-    clusterIdentifier: {{ include "pinglib.fullimagename" . }}
 {{- end -}}
 
 

diff --git a/charts/ping-devops/templates/pinglib/_vaultSecrets.tpl b/charts/ping-devops/templates/pinglib/_vaultSecrets.tpl
@@ -0,0 +1,55 @@
+{{/**********************************************************************
+   ** pinglib.annotations.vault snippet
+   **********************************************************************/}}
+{{- define "pinglib.annotations.vault" -}}
+{{- if .enabled }}
+{{- with .hashicorp -}}
+#----------------------------------------------------
+# Annotation secrets prepared for hashicorp vault secrets
+# for use in Deployment, StatefulSet, Pod resources.
+#
+# https://www.vaultproject.io/docs/platform/k8s/injector/annotations
+#
+vault.hashicorp.com/agent-pre-populate-only: {{ ( index . "pre-populate-only" ) | quote }}
+vault.hashicorp.com/agent-inject: "true"
+vault.hashicorp.com/agent-init-first: "true"
+vault.hashicorp.com/role: {{ ( index . "role" ) | quote }}
+vault.hashicorp.com/log-level:  {{ ( index . "log-level" ) | quote }}
+vault.hashicorp.com/preserve-secret-case:  {{ ( index . "preserve-secret-case" ) | quote }}
+vault.hashicorp.com/secret-volume-path:  {{ index . "secret-volume-path" | quote }}
+#----------------------------------------------------
+# Additional Vault configuration annotations
+{{- range $annotation, $val := .annotations }}
+vault.hashicorp.com/{{ $annotation }}: {{ $val | quote }}
+{{- end -}}
+#----------------------------------------------------
+marker.hello.1: world2
+{{- $defaultSecretVolumePath := index .annotations "secret-volume-path" }}
+{{- $secretPrefix := .secretPrefix }}
+{{- range $secretName, $secretVal := .secrets }}
+#------------ Processing Secret
+  {{- $fullSecret := printf "%s%s" $secretPrefix $secretName }}
+debug.json.{{ $secretName }}: {{ $secretVal }}
+  {{- range $keyName, $keyVal := $secretVal }}
+marker.hello.{{ $keyName }}: {{ $keyVal }}
+    {{- $keyPath := default $defaultSecretVolumePath $keyVal.path }}
+    {{- $keyFile := default $keyName (required "A 'vault.hashicorp.secrets.{secret-name}.file' is required for each secret" $keyVal.file) }}
+    {{- $keyFile := ternary (printf "%s.json" $keyFile) $keyFile (eq $keyName "to-json") }}
+vault.hashicorp.com/secret-volume-path-{{ $keyFile }}: {{ $keyPath }}
+vault.hashicorp.com/agent-inject-secret-{{ $keyFile }}: {{ $fullSecret | quote }}
+    {{- if eq $keyName "to-json" }}
+vault.hashicorp.com/agent-inject-template-{{ $keyFile}}: |
+  {{ printf "{{- with secret %s }}" ($fullSecret | quote) }}
+  {{ printf "{{ .Data.data | toJSONPretty }}"             }}
+  {{ printf "{{- end }}"                                  }}
+    {{- else }}
+vault.hashicorp.com/agent-inject-template-{{ $keyFile }}: |
+  {{ printf "{{- with secret %s }}" ($fullSecret | quote) }}
+  {{ printf "{{- index .Data.data %s }}" ($keyName | quote)  }}
+  {{ printf "{{- end }}"                                  }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/ping-devops/templates/pinglib/_workload.tpl b/charts/ping-devops/templates/pinglib/_workload.tpl
@@ -38,15 +38,18 @@ spec:
     metadata:
       {{ include "pinglib.metadata.labels" .  | nindent 6  }}
         {{ include "pinglib.selector.labels" . | nindent 8 }}
-        clusterIdentifier: {{ include "pinglib.fullimagename" . }}
-      annotations: {{ include "pinglib.annotations.vault" $v.vault | nindent 8 }}
+      annotations:
+        {{ include "pinglib.annotations.vault" $v.vault | nindent 8 }}
         {{ $prodChecksum := include (print $top.Template.BasePath "/" $v.name "/configmap.yaml") $top | sha256sum }}
         {{ $globChecksum := include (print $top.Template.BasePath "/global/configmap.yaml") $top | sha256sum }}
         checksum/config: {{ print $prodChecksum $globChecksum | sha256sum }}
+        {{- if $v.workload.annotations }}
+        {{- toYaml $v.workload.annotations | nindent 8 }}
+        {{- end }}
     spec:
       terminationGracePeriodSeconds: {{ $v.container.terminationGracePeriodSeconds }}
       {{- if $v.vault.enabled }}
-      serviceAccountName: {{ $v.vault.hashicorp.serviceAccountName }}
+      serviceAccountName: {{ $v.vault.hashicorp.annotations.serviceAccountName }}
       {{- end }}
       nodeSelector: {{ toYaml $v.container.nodeSelector | nindent 8 }}
       tolerations: {{ toYaml $v.container.tolerations | nindent 8 }}
@@ -131,7 +134,7 @@ spec:
         resources: {{ toYaml $v.container.resources | nindent 10 }}
         {{- if or (and (eq $v.workload.type "StatefulSet") $v.workload.statefulSet.persistentvolume.enabled) $v.privateCert.generate }}
         volumeMounts:
-        {{- if eq $v.workload.type "StatefulSet" }}
+        {{- if and (eq $v.workload.type "StatefulSet") $v.workload.statefulSet.persistentvolume.enabled }}
         {{- range $volName, $val := $v.workload.statefulSet.persistentvolume.volumes }}
         - name: {{ $volName }}{{ if eq "none" $v.addReleaseNameToResource }}-{{ $top.Release.Name }}{{ end }}
           mountPath: {{ .mountPath }}
@@ -156,7 +159,7 @@ spec:
       {{/*--------------------- Volumes ------------------*/}}
       {{- if or (and (eq $v.workload.type "StatefulSet") $v.workload.statefulSet.persistentvolume.enabled) $v.privateCert.generate }}
       volumes:
-      {{- if eq $v.workload.type "StatefulSet" }}
+      {{- if and (eq $v.workload.type "StatefulSet") $v.workload.statefulSet.persistentvolume.enabled }}
       {{- range $volName, $val := $v.workload.statefulSet.persistentvolume.volumes }}
       - name: {{ $volName }}{{ if eq "none" $v.addReleaseNameToResource }}-{{ $top.Release.Name }}{{ end }}
         persistentVolumeClaim:

diff --git a/charts/ping-devops/templates/pinglib/_yamlSnippets.tpl b/charts/ping-devops/templates/pinglib/_yamlSnippets.tpl
@@ -36,47 +36,6 @@ annotations:
   {{- end }}
 {{- end -}}
 
-{{/**********************************************************************
-   ** metadata.vault.headers snippet
-   **********************************************************************/}}
-{{- define "pinglib.annotations.vault" -}}
-{{- if .enabled }}
-{{- with .hashicorp -}}
-#----------------------------------------------------
-# Annotation secrets prepared for hashicorp vault secrets
-# for use in Deployment, StatefulSet, Pod resources.
-#
-# https://www.vaultproject.io/docs/platform/k8s/injector/annotations
-#
-vault.hashicorp.com/agent-pre-populate-only: {{ ( index . "pre-populate-only" ) | quote }}
-vault.hashicorp.com/agent-inject: "true"
-vault.hashicorp.com/agent-init-first: "true"
-vault.hashicorp.com/role: {{ ( index . "role" ) | quote }}
-vault.hashicorp.com/log-level:  {{ ( index . "log-level" ) | quote }}
-vault.hashicorp.com/preserve-secret-case:  {{ ( index . "preserve-secret-case" ) | quote }}
-vault.hashicorp.com/secret-volume-path:  {{ ( index . "secret-volume-path" ) | quote }}
-#----------------------------------------------------
-# Additional Vault configuration annotations
-{{- range $annotation, $val := .annotations }}
-vault.hashicorp.com/{{ $annotation }}: {{ $val | quote }}
-{{- end -}}
-#----------------------------------------------------
-{{- $secretPrefix := .secretPrefix }}
-{{- range .secrets }}
-{{- $fullSecret := printf "%s%s" $secretPrefix .secret }}
-#------------ secret: {{ .name }}
-vault.hashicorp.com/agent-inject-secret-{{ .name }}.json: {{ $fullSecret | quote }}
-vault.hashicorp.com/agent-inject-template-{{ .name }}.json: |
-  {{ printf "{{ with secret %s -}}" ($fullSecret | quote) }}
-  {{ printf "{{ .Data.data | toJSONPretty }}" }}
-  {{ printf "{{- end }}" }}
-#------------------------------------------------
-{{- end }}
-{{- end }}
-{{- toYaml .annotations }}
-{{- end }}
-{{- end -}}
-
 {{/* Generate certificates */}}
 {{- define "pinglib.gen-cert" -}}
 {{- $top := index . 0 -}}

diff --git a/charts/ping-devops/values.yaml b/charts/ping-devops/values.yaml
@@ -51,9 +51,16 @@ global:
   # be created along with mount of the certificate in
   # /run/secrets/internal-cert (creates a tls.crt and tls.key)
   #
+  # By default the Issuer of the cert will be the service name
+  # created by the Helm Chart.  Additionally, the ingress hosts,
+  # if enabled, will be added to the list of X509v3 Subject Alternative Name
+  #
+  # Use the additionalHosts and additionalIPs if additional custom
+  # names and ips are needed.
+  #
   #      privateCert.generate: {true | false}
-  #      privateCert.additionalHosts: {optioanl array of hosts}
-  #      privateCert.additionalIPs: {optioanl array of IP Addresses}
+  #      privateCert.additionalHosts: {optional array of hosts}
+  #      privateCert.additionalIPs: {optional array of IP Addresses}
   ############################################################
   privateCert:
     generate: false
@@ -80,10 +87,11 @@ global:
         role: k8s-default
         secret-volume-path: /run/secrets
         serviceAccountName: vault-auth
-      # secretPrefix: path/to/secrets
-      # secrets:
-      # - name: secret-name
-      #   secret: secret-name
+  #   secrets:
+  #     {secret-name}:
+  #       {secret-key | to-json}:
+  #         path: /opt/in/some/location/secrets
+  #         file: devops-secret.env
 
   ############################################################
   # Image
@@ -161,6 +169,8 @@ global:
     # Can be Deployment or StatefulSet (see warning above)
     type: Deployment
 
+    annotations: {}
+
     deployment:
       strategy:
         # Can be RollingUpdate or Recreate
@@ -746,6 +756,9 @@ pingaccess-admin:
   image:
     name: pingaccess
 
+  workload:
+    type: StatefulSet
+
   container:
     resources:
       requests: