helm: venafi agent: add volumes and volumeMounts for custom CA bundles

Author: maelvls

deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml

@@ -74,6 +74,9 @@ spec:
             - name: credentials
               mountPath: "/etc/venafi/agent/key"
               readOnly: true
+            {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -95,3 +98,6 @@ spec:
           secret:
             secretName: {{ default "agent-credentials" .Values.authentication.secretName }}
             optional: false
+        {{- with .Values.volumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}

deploy/charts/venafi-kubernetes-agent/tests/deployment_test.yaml

@@ -74,3 +74,31 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].command
           content: notpreflight
+
+  # Check the volumes and volumeMounts works correctly
+  - it: Volumes and VolumeMounts added correctly
+    set:
+      config.organisation: test_org
+      config.cluster: test_cluster
+    values:
+      - ./values/custom-volumes.yaml
+    asserts:
+      - isKind:
+          of: Deployment
+      - equal:
+          # In template this comes after credentials and agent config volumeMounts
+          path: spec.template.spec.containers[0].volumeMounts[?(@.name == "cabundle")]
+          value:
+            name: cabundle
+            mountPath: /etc/ssl/certs/ca-certificates.crt
+            subPath: ca-certificates.crt
+            readOnly: true
+      - equal:
+          path: spec.template.spec.volumes[?(@.name == "cabundle")].configMap
+          value:
+            name: cabundle
+            optional: false
+            defaultMode: 0644
+            items:
+              - key: cabundle
+                path: ca-certificates.crt

deploy/charts/venafi-kubernetes-agent/tests/values/custom-volumes.yaml

@@ -0,0 +1,15 @@
+volumes:
+  - name: cabundle
+    configMap:
+      name: cabundle
+      optional: false
+      defaultMode: 0644
+      items:
+        - key: cabundle
+          path: ca-certificates.crt
+
+volumeMounts:
+  - name: cabundle
+    mountPath: /etc/ssl/certs/ca-certificates.crt
+    subPath: ca-certificates.crt
+    readOnly: true

deploy/charts/venafi-kubernetes-agent/values.yaml

@@ -36,7 +36,8 @@ serviceAccount:
 podAnnotations: {}
 
 # -- Optional Pod (all containers) `SecurityContext` options, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod.
-podSecurityContext: {}
+podSecurityContext:
+  {}
   # runAsUser: 1000
   # runAsGroup: 3000
   # fsGroup: 2000
@@ -60,7 +61,7 @@ podSecurityContext: {}
 securityContext:
   capabilities:
     drop:
-    - ALL
+      - ALL
   readOnlyRootFilesystem: true
   runAsNonRoot: true
   runAsUser: 1000
@@ -90,6 +91,35 @@ command: []
 # For example `["--strict", "--oneshot"]`
 extraArgs: []
 
+# -- Additional volumes to add to the Venafi Kubernetes Agent container. This is
+# useful for mounting a custom CA bundle. For example:
+#
+#     volumes:
+#       - name: cabundle
+#         configMap:
+#           name: cabundle
+#           optional: false
+#           defaultMode: 0644
+#           items:
+#             - key: cabundle
+#               path: ca-certificates.crt
+#
+# In order to create the ConfigMap, you can use the following command:
+#
+#     kubectl create configmap cabundle \
+#       --from-file=cabundle=./your/custom/ca/bundle.pem
+volumes: []
+
+# -- Additional volume mounts to add to the Venafi Kubernetes Agent container.
+# This is useful for mounting a custom CA bundle. For example:
+#
+#     volumeMounts:
+#       - name: cabundle
+#         mountPath: /etc/ssl/certs/ca-certificates.crt
+#         subPath: ca-certificates.crt
+#         readOnly: true
+volumeMounts: []
+
 # -- Authentication details for the Venafi Kubernetes Agent
 authentication:
   # -- Name of the secret containing the private key