Add missing VenafiConnection templates and values to the Helm chart

Signed-off-by: Richard Wall <richard.wall@venafi.com>

Author: wallrj

deploy/charts/venafi-kubernetes-agent/templates/_venafi-connection.tpl

@@ -0,0 +1,26 @@
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "venafi-connection.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "venafi-connection.labels" -}}
+helm.sh/chart: {{ include "venafi-connection.chart" . }}
+{{ include "venafi-connection.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "venafi-connection.selectorLabels" -}}
+app.kubernetes.io/name: "venafi-connection"
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

deploy/charts/venafi-kubernetes-agent/templates/deployment.yaml

@@ -57,10 +57,15 @@ spec:
             - "agent"
             - "-c"
             - "/etc/venafi/agent/config/{{ default "config.yaml" .Values.config.configmap.key }}"
-            - "--client-id"
-            - "{{ .Values.config.clientId }}"
             - "-p"
             - "0h1m0s"
+            {{- if .Values.config.venafiConnectionName }}
+            - --venafi-connection
+            - {{ .Values.config.venafiConnectionName | quote }}
+            {{- else }}
+            - --client-id
+            - {{ .Values.config.clientId | quote }}
+            {{- end }}
             - --venafi-cloud
             {{- if .Values.metrics.enabled }}
             - --enable-metrics

deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml

@@ -1,32 +1,5 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "venafi-kubernetes-agent.fullname" . }}-venaficonnection
-  labels:
-    {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
-rules:
-  - apiGroups: ["jetstack.io"]
-    resources:
-      - venaficonnections
-    verbs: ["get", "list", "watch", "update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "venafi-kubernetes-agent.fullname" . }}-venaficonnection
-  labels:
-    {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
-roleRef:
-  kind: ClusterRole
-  name: {{ include "venafi-kubernetes-agent.fullname" . }}-venaficonnection
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "venafi-kubernetes-agent.fullname" . }}-cluster-viewer

deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.without-validations.yaml

@@ -1,10 +1,15 @@
----
+{{- if .Values.venafiConnection.include }}
+{{- if (or (semverCompare "<1.25" .Capabilities.KubeVersion.GitVersion) .Values.crds.forceRemoveValidationAnnotations) }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    # This annotation prevents the CRD from being pruned by Helm when this chart is deleted.
+    "helm.sh/resource-policy": keep
   name: venaficonnections.jetstack.io
+  labels:
+  {{- include "venafi-connection.labels" $ | nindent 4 }}
 spec:
   group: jetstack.io
   names:
@@ -1114,3 +1119,5 @@ spec:
       storage: true
       subresources:
         status: {}
+{{- end }}
+{{- end }}

deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-crd.yaml

@@ -1,10 +1,15 @@
----
+{{- if .Values.venafiConnection.include }}
+{{- if not (or (semverCompare "<1.25" .Capabilities.KubeVersion.GitVersion) .Values.crds.forceRemoveValidationAnnotations) }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.14.0
+    # This annotation prevents the CRD from being pruned by Helm when this chart is deleted.
+    "helm.sh/resource-policy": keep
   name: venaficonnections.jetstack.io
+  labels:
+  {{- include "venafi-connection.labels" $ | nindent 4 }}
 spec:
   group: jetstack.io
   names:
@@ -1138,3 +1143,5 @@ spec:
       storage: true
       subresources:
         status: {}
+{{- end }}
+{{- end }}

deploy/charts/venafi-kubernetes-agent/templates/venafi-connection-rbac.yaml

@@ -0,0 +1,51 @@
+# Copied from approver-policy-enterprise
+# https://github.com/jetstack/approver-policy-enterprise/blob/main/deploy/charts/approver-policy-enterprise/templates/venafi-connection-rbac.yaml
+---
+{{- with .Values.venafiConnection }}
+{{- if .include }}
+# The 'venafi-connection' service account is used by multiple
+# controllers. When configuring which resources a VenafiConnection
+# can access, the RBAC rules you create manually must point to this SA.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: venafi-connection
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+  {{- include "venafi-connection.labels" $ | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: venafi-connection-role
+  labels:
+  {{- include "venafi-connection.labels" $ | nindent 4 }}
+rules:
+- apiGroups: [ "" ]
+  resources: [ "namespaces" ]
+  verbs: [ "get", "list", "watch" ]
+
+- apiGroups: [ "jetstack.io" ]
+  resources: [ "venaficonnections" ]
+  verbs: [ "get", "list", "watch" ]
+
+- apiGroups: [ "jetstack.io" ]
+  resources: [ "venaficonnections/status" ]
+  verbs: [ "get", "patch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: venafi-connection-rolebinding
+  labels:
+  {{- include "venafi-connection.labels" $ | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: venafi-connection-role
+subjects:
+- kind: ServiceAccount
+  name: venafi-connection
+  namespace: {{ $.Release.Namespace | quote }}
+{{- end }}
+{{- end }}

deploy/charts/venafi-kubernetes-agent/templates/venafi-rbac.yaml

@@ -0,0 +1,31 @@
+# Copied from approver-policy-enterprise
+# https://github.com/jetstack/approver-policy-enterprise/blob/028fd7e0c57cb059d0ba7d03b6899b448285a240/deploy/charts/approver-policy-enterprise/templates/venafi-rbac.yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: venafi-kubernetes-agent-impersonate-role
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+  {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+- apiGroups: [ "" ]
+  resources: [ "serviceaccounts" ]
+  verbs: [ "impersonate" ]
+  resourceNames: [ "venafi-connection" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: venafi-kubernetes-agent-impersonate-rolebinding
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+  {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: venafi-kubernetes-agent-impersonate-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+  namespace: {{ $.Release.Namespace | quote }}

deploy/charts/venafi-kubernetes-agent/values.yaml

@@ -57,7 +57,7 @@ image:
   # -- Defaults to only pull if not already present
   pullPolicy: IfNotPresent
   # -- Overrides the image tag whose default is the chart appVersion
-  tag: "v0.1.49"
+  # tag: "v0.1.49-alpha.0"
 
 # -- Specify image pull credentials if using a private registry
 # example: - name: my-pull-secret
@@ -192,6 +192,10 @@ config:
     name:
     key:
 
+  # -- The name of a VenafiConnection resource which contains the configuration
+  # for authenticating to Venafi.
+  venafiConnectionName: venafi-components
+
 # -- Configure a PodDisruptionBudget for the agent's Deployment. If running with multiple
 # replicas, consider setting podDisruptionBudget.enabled to true.
 podDisruptionBudget:
@@ -208,3 +212,22 @@ podDisruptionBudget:
   # an integer (e.g. 1) or a percentage value (e.g. 25%).
   # Cannot be used if `minAvailable` is set.
   # maxUnavailable: 1
+
+# +docs:section=CRDs
+# The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep", this
+# prevents them from being accidentally removed by Helm when this chart is deleted. After
+# deleting the installed chart, the user still has to manually remove the remaining CRDs.
+crds:
+  # The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 and below.
+  # This annotation is used by CEL, which is a feature introduced in Kubernetes 1.25 that
+  # improves how validation is performed.
+  # This option allows to force the 'x-kubernetes-validations' annotation to be excluded,
+  # even on Kubernetes 1.25+ clusters.
+  forceRemoveValidationAnnotations: false
+
+# +docs:section=Venafi Connection
+venafiConnection:
+  # When set to false, the rendered output does not contain the
+  # VenafiConnection CRDs and RBAC. This is useful for when the
+  # Venafi Connection resources are already installed separately.
+  include: true

test.sh

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+
+# Prerequisites
+# * https://github.com/ko-build/ko/releases/tag/v0.16.0
+
+set -o nounset
+set -o errexit
+set -o pipefail
+set -o xtrace
+
+: ${VEN_API_KEY?}
+: ${VEN_OWNING_TEAM?}
+
+script_dir=$(cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd)
+root_dir=$(cd "${script_dir}/.." && pwd)
+
+cd "${script_dir}"
+
+export VERSION=0.1.49
+export TERM=dumb
+OCI_BASE=ttl.sh/63773370-0bcf-4ac0-bd42-5515616089ff
+export KO_DOCKER_REPO=$OCI_BASE/images/venafi-agent
+
+ko build . --bare --tags "v${VERSION}"
+helm package deploy/charts/venafi-kubernetes-agent --version "${VERSION}"
+helm push venafi-kubernetes-agent-${VERSION}.tgz "oci://${OCI_BASE}/charts"
+
+kind create cluster || true
+
+kubectl create ns venafi || true
+
+# Pull secret for Venafi OCI registry
+if ! kubectl get secret venafi-image-pull-secret -n venafi; then
+    venctl iam service-accounts registry create \
+           --no-prompts \
+           --owning-team "${VEN_OWNING_TEAM}" \
+           --name "venafi-kubernetes-agent-e2e-registry-${RANDOM}" \
+           --scopes enterprise-cert-manager,enterprise-venafi-issuer,enterprise-approver-policy \
+    | jq '{
+            "apiVersion": "v1",
+            "kind": "Secret",
+            "metadata": {
+              "name": "venafi-image-pull-secret"
+            },
+            "type": "kubernetes.io/dockerconfigjson",
+            "stringData": {
+              ".dockerconfigjson": {
+                "auths": {
+                  "\(.oci_registry)": {
+                    "username": .username,
+                    "password": .password
+                  }
+                }
+              } | tostring
+            }
+          }' \
+    | kubectl create -n venafi -f -
+fi
+
+# Service account credentials for venafi-kubernetes-agent
+if ! kubectl get secret agent-credentials -n venafi; then
+    venctl iam service-account agent create \
+           --no-prompts \
+           --owning-team "${VEN_OWNING_TEAM}" \
+           --name "venafi-kubernetes-agent-e2e-agent-${RANDOM}" \
+    | jq '{
+            "apiVersion": "v1",
+            "kind": "Secret",
+            "metadata": {
+              "name": "agent-credentials"
+            },
+            "stringData": {
+              "privatekey.pem": .private_key,
+              "client-id": .client_id
+            }
+          }' \
+    | kubectl create -n venafi -f -
+fi
+
+# export VENAFI_KUBERNETES_AGENT_CLIENT_ID=$(kubectl get secret -n venafi agent-credentials -o jsonpath='{.data.client-id}' | base64 -d)
+export VENAFI_KUBERNETES_AGENT_CLIENT_ID="not-used-but-required-by-venctl"
+venctl components kubernetes apply \
+       --venafi-kubernetes-agent \
+       --venafi-kubernetes-agent-version "$VERSION" \
+       --venafi-kubernetes-agent-values-files "${script_dir}/values.venafi-kubernetes-agent.yaml" \
+       --venafi-kubernetes-agent-custom-image-registry "${OCI_BASE}/images" \
+       --venafi-kubernetes-agent-custom-chart-repository "oci://${OCI_BASE}/charts"
+
+envsubst < venafi-components.yaml | kubectl apply -n venafi -f -

venafi-components.yaml

@@ -0,0 +1,40 @@
+apiVersion: jetstack.io/v1alpha1
+kind: VenafiConnection
+metadata:
+  name: venafi-components
+spec:
+  vcp:
+    apiKey:
+    - secret:
+        name: venafi-credentials
+        fields: ["api-key"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+      name: get-venafi-credentials
+rules:
+    - apiGroups: [ "" ]
+      resources: [ "secrets" ]
+      verbs: [ "get" ]
+      resourceNames: [ "venafi-credentials" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: application-team-1-secret-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: get-venafi-credentials
+subjects:
+- kind: ServiceAccount
+  name: venafi-connection
+  namespace: venafi
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: venafi-credentials
+stringData:
+  api-key: ${VEN_API_KEY}