feat/azure integration

toggle-django-helm/templates/_helpers.tpl

@@ -31,6 +31,28 @@
     {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "django-app.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "django-app.fullname" .) .Values.serviceAccountName }}
+{{- else }}
+{{- default "default" .Values.serviceAccountName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the secret to be used by the django-app
+*/}}
+{{- define "django-app.secretProviderName" -}}
+{{- if .Values.secretsStoreCsiDriverProviderName }}
+  {{- .Values.secretsStoreCsiDriverProviderName -}}
+{{- else }}
+  {{- printf "%s-secret-provider" (include "django-app.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create the name of the secret to be used by the django-app
 */}}
@@ -68,6 +90,10 @@ Generate image metadata
 -}}
 image: "{{ printf "%s:%s" $merged.name $merged.tag }}"
 imagePullPolicy: {{ default "IfNotPresent" $merged.imagePullPolicy }}
+{{- with $merged.imagePullSecrets }}
+imagePullSecrets:
+{{- toYaml . | nindent 2 }}
+{{- end }}
 {{- end }}
 
 {{/*
@@ -118,8 +144,64 @@ Generate env configs for app types
 {{/*
 Generate default annotations for app deployments
 */}}
+{{- define "django-app.appDefaultDeploymentAnnotations" -}}
+annotations:
+  reloader.stakater.com/auto: "true"
+{{- end }}
+
+{{/*
+Generate default annotations for app pods
+*/}}
 {{- define "django-app.appDefaultAnnotations" -}}
-reloader.stakater.com/auto: "true"
 checksum/secret: {{ include (print .Template.BasePath "/config/secret.yaml") . | sha256sum }}
 checksum/configmap: {{ include (print .Template.BasePath "/config/configmap.yaml") . | sha256sum }}
+{{- with .Values.podAnnotations }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate default labels for app deployments
+*/}}
+{{- define "django-app.appDefaultLabels" -}}
+{{- with .Values.podLabels -}}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate default volumes for app deployments
+*/}}
+{{- define "django-app.appDefaultVolumes" -}}
+{{- if or .Values.secretsStoreCsiDriver.create .Values.podVolumes -}}
+volumes:
+{{- if .Values.secretsStoreCsiDriver.create }}
+  - name: {{ template "django-app.secretname" . }}
+    csi:
+      driver: "secrets-store.csi.k8s.io"
+      readOnly: true
+      volumeAttributes:
+        secretProviderClass: {{ template "django-app.secretProviderName" . }}
+{{- end }}
+{{- if .Values.podVolumes }}
+{{ .Values.podVolumes | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate default volumes mounts for app deployments
+*/}}
+{{- define "django-app.appDefaultVolumeMounts" -}}
+{{- if or .Values.secretsStoreCsiDriver.create .Values.podVolumeMounts -}}
+volumeMounts:
+{{- if .Values.secretsStoreCsiDriver.create }}
+  - name: {{ template "django-app.secretname" . }}
+    mountPath: /mnt/secrets-store
+    readOnly: true
+{{- end }}
+{{- if .Values.podVolumeMounts }}
+{{ .Values.podVolumeMounts | toYaml | indent 2 }}
+{{- end }}
+{{- end }}
 {{- end }}

toggle-django-helm/templates/api/deployment.yaml

@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "django-app.fullname" . }}-api
+  {{- with (include "django-app.appDefaultDeploymentAnnotations" $) -}}{{ . | nindent 2 }}{{- end }}
   labels:
     app: {{ include "django-app.fullname" . }}
     component: api
@@ -22,7 +23,12 @@ spec:
       labels:
         app: {{ include "django-app.fullname" . }}
         component: api
+        {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }}
     spec:
+      {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }}
+      {{- if .Values.serviceAccount.create }}
+      serviceAccountName: {{ include "django-app.serviceAccountName" $ }}
+      {{- end }}
       containers:
         - name: api
           {{- include "django-app.imageConfig"
@@ -45,5 +51,6 @@ spec:
               (dict "Values" $.Values "Type" "web" )
               | nindent 12
           }}
+          {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }}
 
 {{- end }}

toggle-django-helm/templates/api/secrets-provider-class.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.secretsStoreCsiDriver.create -}}
+
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: {{ template "django-app.secretProviderName" . }}
+spec:
+  provider: {{ .Values.secretsStoreCsiDriver.provider }}
+  parameters:
+    {{- with .Values.secretsStoreCsiDriver.parameters -}}
+      {{ toYaml . | nindent 4 }}
+    {{- end }}
+    objects: |
+      array:
+      {{- range $secret_key, $object_key := .Values.secretsStoreCsiDriver.secretsKeyMap }}
+        - |
+          objectName: {{ $object_key }}
+          objectType: secret
+      {{- end }}
+  secretObjects:
+    - secretName: {{ template "django-app.secretname" . }}
+      type: Opaque
+      data:
+      {{- range $secret_key, $object_key := .Values.secretsStoreCsiDriver.secretsKeyMap }}
+        - objectName: {{ $object_key }}
+          key: {{ $secret_key }}
+      {{- end }}
+
+{{- end }}

toggle-django-helm/templates/api/service-account.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "django-app.serviceAccountName" . }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{ toYaml . | nindent 4}}
+  {{- end }}
+  {{- with .Values.serviceAccount.labels }}
+  labels:
+    {{ toYaml . | nindent 4}}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+
+{{- end }}

toggle-django-helm/templates/argo-hooks/hook-job.yaml

@@ -17,8 +17,19 @@ metadata:
     argocd.argoproj.io/hook: {{ $hook.hook }}
 spec:
   template:
+    metadata:
+      annotations:
+        {{- include "django-app.appDefaultAnnotations" $ | nindent 8 }}
+      labels:
+        app: {{ include "django-app.fullname" $ }}
+        component: argo-hooks
+        {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }}
     spec:
       restartPolicy: "Never"
+      {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }}
+      {{- if $.Values.serviceAccount.create }}
+      serviceAccountName: {{ include "django-app.serviceAccountName" $ }}
+      {{- end }}
       containers:
         - name: {{ $hookName }}
           {{- include "django-app.imageConfig"
@@ -41,6 +52,7 @@ spec:
                 (dict "Values" $.Values "Type" "hook" )
                 | nindent 12
             }}
+          {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }}
 
 {{- end }}
 

toggle-django-helm/templates/celery-flower/deployment.yaml

@@ -5,6 +5,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "django-app.fullname" . }}-celery-flower
+  {{- with (include "django-app.appDefaultDeploymentAnnotations" $) -}}{{ . | nindent 2 }}{{- end }}
   labels:
     app: {{ include "django-app.fullname" . }}
     component: worker-flower
@@ -23,7 +24,12 @@ spec:
       labels:
         app: {{ include "django-app.fullname" . }}
         component: worker-flower
+        {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }}
     spec:
+      {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }}
+      {{- if .Values.serviceAccount.create }}
+      serviceAccountName: {{ include "django-app.serviceAccountName" $ }}
+      {{- end }}
       containers:
         - name: worker
           {{- include "django-app.imageConfig"
@@ -42,6 +48,7 @@ spec:
                 (dict "Values" $.Values "Type" "worker" )
                 | nindent 12
             }}
+          {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }}
 
 {{- end }}
 {{- end }}

toggle-django-helm/templates/config/secret.yaml

@@ -1,3 +1,5 @@
+{{- if not .Values.secretsStoreCsiDriver.create -}}
+
 kind: Secret
 apiVersion: v1
 metadata:
@@ -12,3 +14,5 @@ stringData:
   {{- range $name, $value := .Values.secrets }}
   {{ $name }}: {{ tpl $value $ | quote }}
   {{- end }}
+
+{{- end }}

toggle-django-helm/templates/cronjobs/deployment.yaml

@@ -24,9 +24,22 @@ spec:
   jobTemplate:
     spec:
       activeDeadlineSeconds: {{ default 7200 $job.timeLimit }}  # 2 hours default
+      metadata:
+        {{- with $.Values.podAnnotations }}
+        annotations:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        labels:
+          app: {{ include "django-app.fullname" $ }}
+          component: cronjob
+          {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 10 }}{{- end }}
       template:
         spec:
           restartPolicy: "Never"
+          {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 10 }}{{- end }}
+          {{- if $.Values.serviceAccount.create }}
+          serviceAccountName: {{ include "django-app.serviceAccountName" $ }}
+          {{- end }}
           containers:
             - name: cronjob
               command:
@@ -47,6 +60,7 @@ spec:
                     (dict "Values" $.Values "Type" "cronjob" )
                     | nindent 16
                 }}
+              {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 14 }}{{- end }}
 
 {{- end }}
 

toggle-django-helm/templates/worker-beat/deployment.yaml

@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "django-app.fullname" . }}-worker-beat
+  {{- with (include "django-app.appDefaultDeploymentAnnotations" $) -}}{{ . | nindent 2 }}{{- end }}
   labels:
     app: {{ include "django-app.fullname" . }}
     component: worker-beat
@@ -22,7 +23,12 @@ spec:
       labels:
         app: {{ include "django-app.fullname" . }}
         component: worker-beat
+        {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }}
     spec:
+      {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }}
+      {{- if .Values.serviceAccount.create }}
+      serviceAccountName: {{ include "django-app.serviceAccountName" $ }}
+      {{- end }}
       containers:
         - name: worker-beat
           {{- include "django-app.imageConfig"
@@ -41,5 +47,6 @@ spec:
                 (dict "Values" $.Values "Type" "worker" )
                 | nindent 12
             }}
+          {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }}
 
 {{- end }}

toggle-django-helm/templates/worker/deployment.yaml

@@ -7,6 +7,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "django-app.fullname" $ }}-worker-{{ $queue_name }}
+  {{- with (include "django-app.appDefaultDeploymentAnnotations" $) -}}{{ . | nindent 2 }}{{- end }}
   labels:
     app: {{ include "django-app.fullname" $ }}
     component: worker
@@ -28,7 +29,12 @@ spec:
         app: {{ include "django-app.fullname" $ }}
         component: worker
         queue: {{ $queue_name }}
+        {{- with (include "django-app.appDefaultLabels" $) -}}{{ . | nindent 8 }}{{- end }}
     spec:
+      {{- with (include "django-app.appDefaultVolumes" $) -}}{{ . | nindent 6 }}{{- end }}
+      {{- if $.Values.serviceAccount.create }}
+      serviceAccountName: {{ include "django-app.serviceAccountName" $ }}
+      {{- end }}
       containers:
         - name: worker
           command:
@@ -51,6 +57,7 @@ spec:
                 (dict "Values" $.Values "Type" "worker" )
                 | nindent 12
             }}
+          {{- with (include "django-app.appDefaultVolumeMounts" $) -}}{{ . | nindent 10 }}{{- end }}
 
 {{- end }}
 

toggle-django-helm/tests/values-1.yaml

@@ -89,6 +89,15 @@ secrets:
   AWS_S3_BUCKET_STATIC_NAME: static-data
   AWS_S3_BUCKET_MEDIA_NAME: media-data
 
+serviceAccountName: "secret-account"
+serviceAccount:
+  create: true
+  annotations:
+    azure.workload.identity/client-id : "XXXXXXXX-YYYYYYYY"
+  labels:
+    azure.workload.identity/use: "true"
+  automountServiceAccountToken: true
+
 extraManifests:
   - apiVersion: postgresql.cnpg.io/v1
     kind: ScheduledBackup