Helm chart improvement: additionalContainers

[jluckett-panw]

There is a need to connect to remote databases through an auth proxy for certain containerized workloads.
Since that is generally deployed as a "sidecar" instead of a standalone service to prevent unwanted external connections from hijacking auth we would like to add a section to the deployment.yaml template to process an additional container definition in the values.yaml. Some engineers do not wish to use the other auth methods due to high governance requirements around non-rotating auth in more secure networks.

I have considered writing my own helm chart, or not exporting from DBs in cloud environments, but nothing beats this capability for mature reliable system and application metrics.

On the plus side, the pattern is fairly simple and has been tested. Document an additionalContainers: section in the values file, then add the following to the helm/templates/deployment.yaml file.

{{- if .Values.additionalContainers}}
{{ tpl (toYaml .Values.additionalContainers | indent 8) .}}
{{- end }}

This will ensure that additional containers are rendered if present, but not disrupt any other deployments with new value requirements.

[jluckett-panw]

I would be happy to submit a PR with documentation and the changes noted above.

[burningalchemist]

Hey @jluckett-panw, yeah it definitely makes sense. Please feel free to open a PR if you may. I'd call it extraContainers though, but it's just naming in the end. I'm happy to review and merge this feature. :)

[jacek-jablonski]

Please take into account that most often ServiceAccount is also required to run SQL Proxy. F.e. GCP's cloud-sql-proxy with Workload Identity.

[jluckett-panw]

I'm easy on the naming, and yes the servivceAccount will definetly play with Workload Identity. Thank you for the participation and willingness to talk about this! :)

[burningalchemist]

Resolved by #509. Thank you! 👍