feat(PLATFORM-1020): support custom volume mounts for certificate files

thefirstofthe300 · thefirstofthe300 · commit 8d87a5890f99 · 2022-11-18T16:44:52.000-08:00
This opens up supporting the use case of reading certificate files from
volumes created by the Secrets Store CSI driver for k8s.
diff --git a/gremlin/templates/chao-deployment.yaml b/gremlin/templates/chao-deployment.yaml
@@ -116,8 +116,7 @@ spec:
 {{- end }}
       volumes:
       - name: gremlin-cert
-        secret:
-          secretName: {{ include "gremlin.secretName" . }}
+{{ .Values.gremlin.secret.certVolume | toYaml | indent 8}}
 {{- if .Values.ssl.certFile }}
       - name: ssl-cert-file
         secret:
diff --git a/gremlin/templates/chao-service-account.yaml b/gremlin/templates/chao-service-account.yaml
@@ -4,6 +4,10 @@ kind: ServiceAccount
 metadata:
   name: chao
   namespace: {{ .Release.Namespace }}
+  {{ if .Values.chao.serviceAccount.annotations -}}
+  annotations:
+    {{ .Values.chao.serviceAccount.annotations | toYaml }}
+  {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
diff --git a/gremlin/templates/daemonset.yaml b/gremlin/templates/daemonset.yaml
@@ -174,8 +174,7 @@ spec:
             path: /proc/sysrq-trigger
         {{- if (eq (include "gremlin.secretType" .) "certificate") }}
         - name: gremlin-cert
-          secret:
-            secretName: {{ include "gremlin.secretName" . }}
+{{ .Values.gremlin.secret.certVolume | toYaml | indent 10}}
         {{- end }}
         {{- if and .Values.gremlin.podSecurity.seccomp.enabled (eq "localhost/gremlin" .Values.gremlin.podSecurity.seccomp.profile) }}
         - name: seccomp-root
diff --git a/gremlin/templates/gremlin-service-account.yaml b/gremlin/templates/gremlin-service-account.yaml
@@ -5,6 +5,10 @@ kind: ServiceAccount
 metadata:
   name: gremlin
   namespace: {{ .Release.Namespace }}
+  {{ if .Values.gremlin.serviceAccount.annotations -}}
+  annotations:
+    {{ .Values.gremlin.serviceAccount.annotations | toYaml }}
+  {{- end }}
 {{ if .Values.gremlin.podSecurity.podSecurityPolicy.create }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/gremlin/values.yaml b/gremlin/values.yaml
@@ -110,6 +110,7 @@ gremlin:
     #   Gremlin's requirements (see gremlin.podSecurity.podSecurityPolicy and
     #   gremlin.podSecurity.securityContextConstraints)
     create: true
+    annotations: {}
 
   podSecurity:
 
@@ -250,6 +251,16 @@ gremlin:
     # team private key (e.g. -----BEGIN EC PRIVATE KEY-----...-----END EC PRIVATE KEY-----)
     key:
 
+    # Used to define the value of the gremlin-cert volume except the name
+    # This volume should always contain two files named
+    # - gremlin.cert
+    # - gremlin.key
+    # containing the team certificate and private key used to auth the agents
+    # to the gremlin API
+    certVolume:
+      secret:
+        secretName: gremlin-cert
+
     ## Secret auth requires: `teamSecret`
     # team secret (e.g. 00000000-0000-0000-0000-000000000000)
     teamSecret:
@@ -276,6 +287,9 @@ chao:
 
   affinity: {}
 
+  serviceAccount:
+    annotations: {}
+
 ssl:
   # ssl.certFile -
   # Add a certificate file to Gremlin's set of certificate authorities. This argument expects a file containing the
