feat: add ability to define flavour for tag (external-secrets#2881)

Signed-off-by: Allen Conlon <[email protected]>
cloudant · Jan 3, 2024 · 0fbc4a8 · 0fbc4a8
1 parent bfc158a
commit 0fbc4a8
Show file tree

Hide file tree

Showing 9 changed files with 79 additions and 6 deletions.
diff --git a/deploy/charts/external-secrets/README.md b/deploy/charts/external-secrets/README.md
@@ -44,6 +44,7 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.extraVolumes | list | `[]` |  |
 | certController.fullnameOverride | string | `""` |  |
 | certController.hostNetwork | bool | `false` | Run the certController on the host network |
+| certController.image.flavour | string | `""` |  |
 | certController.image.pullPolicy | string | `"IfNotPresent"` |  |
 | certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
 | certController.image.tag | string | `""` |  |
@@ -98,9 +99,10 @@ The command removes all the Kubernetes components associated with the chart and
 | extraVolumes | list | `[]` |  |
 | fullnameOverride | string | `""` |  |
 | hostNetwork | bool | `false` | Run the controller on the host network |
+| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
-| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. |
+| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
 | installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
 | leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
@@ -166,6 +168,7 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
 | webhook.fullnameOverride | string | `""` |  |
 | webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
+| webhook.image.flavour | string | `""` | The flavour of tag you want to use |
 | webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
 | webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
 | webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |

diff --git a/deploy/charts/external-secrets/templates/_helpers.tpl b/deploy/charts/external-secrets/templates/_helpers.tpl
@@ -133,3 +133,13 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Determine the image to use, including if using a flavour.
+*/}}
+{{- define "external-secrets.image" -}}
+{{- if .image.flavour -}}
+{{ printf "%s:%s-%s" .image.repository (.image.tag | default .chartAppVersion) .image.flavour }}
+{{- else }}
+{{ printf "%s:%s" .image.repository (.image.tag | default .chartAppVersion) }}
+{{- end }}
+{{- end }}
diff --git a/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml b/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
@@ -45,7 +45,7 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
+          image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.certController.image) | trim }}
           imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
           args:
           - certcontroller

diff --git a/deploy/charts/external-secrets/templates/deployment.yaml b/deploy/charts/external-secrets/templates/deployment.yaml
@@ -45,7 +45,7 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image) | trim }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.processClusterStore) (.Values.processClusterExternalSecret) (.Values.concurrent) (.Values.extraArgs) }}
           args:

diff --git a/deploy/charts/external-secrets/templates/webhook-deployment.yaml b/deploy/charts/external-secrets/templates/webhook-deployment.yaml
@@ -45,7 +45,7 @@ spec:
           securityContext:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          image: "{{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag | default .Chart.AppVersion }}"
+          image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.webhook.image) | trim }}
           imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
           args:
           - webhook

diff --git a/deploy/charts/external-secrets/tests/cert_controller_test.yaml b/deploy/charts/external-secrets/tests/cert_controller_test.yaml
@@ -61,3 +61,20 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].args[6]
           value: "--metrics-addr=:8888"
+  - it: should override image flavour
+    set:
+      certController.image.repository: ghcr.io/external-secrets/external-secrets
+      certController.image.tag: v0.9.8
+      certController.image.flavour: ubi-boringssl
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: ghcr.io/external-secrets/external-secrets:v0.9.8-ubi-boringssl
+  - it: should override image flavour
+    set:
+      certController.image.repository: example.com/external-secrets/external-secrets
+      certController.image.tag: v0.9.9-ubi
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: example.com/external-secrets/external-secrets:v0.9.9-ubi
diff --git a/deploy/charts/external-secrets/tests/controller_test.yaml b/deploy/charts/external-secrets/tests/controller_test.yaml
@@ -54,3 +54,20 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].args[1]
           value: "--metrics-addr=:8888"
+  - it: should override image flavour
+    set:
+      image.repository: ghcr.io/external-secrets/external-secrets
+      image.tag: v0.9.8
+      image.flavour: ubi-boringssl
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: ghcr.io/external-secrets/external-secrets:v0.9.8-ubi-boringssl
+  - it: should override image flavour
+    set:
+      image.repository: example.com/external-secrets/external-secrets
+      image.tag: v0.9.9-ubi
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: example.com/external-secrets/external-secrets:v0.9.9-ubi
diff --git a/deploy/charts/external-secrets/tests/webhook_test.yaml b/deploy/charts/external-secrets/tests/webhook_test.yaml
@@ -170,3 +170,24 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].args[5]
           value: "--metrics-addr=:8888"
+  - it: should override image flavour
+    set:
+      webhook.image.repository: ghcr.io/external-secrets/external-secrets
+      webhook.image.tag: v0.9.8
+      webhook.image.flavour: ubi-boringssl
+    templates:
+      - webhook-deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: ghcr.io/external-secrets/external-secrets:v0.9.8-ubi-boringssl
+  - it: should override image flavour
+    set:
+      webhook.image.repository: example.com/external-secrets/external-secrets
+      webhook.image.tag: v0.9.9-ubi
+    templates:
+      - webhook-deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: example.com/external-secrets/external-secrets:v0.9.9-ubi
diff --git a/deploy/charts/external-secrets/values.yaml b/deploy/charts/external-secrets/values.yaml
@@ -7,10 +7,12 @@ image:
   repository: ghcr.io/external-secrets/external-secrets
   pullPolicy: IfNotPresent
   # -- The image tag to use. The default is the chart appVersion.
+  tag: ""
+  # -- The flavour of tag you want to use
   # There are different image flavours available, like distroless and ubi.
   # Please see GitHub release notes for image tags for these flavors.
   # By default the distroless image is used.
-  tag: ""
+  flavour: ""
 
 # -- If set, install and upgrade CRDs through helm chart.
 installCRDs: true
@@ -224,8 +226,10 @@ webhook:
   image:
     repository: ghcr.io/external-secrets/external-secrets
     pullPolicy: IfNotPresent
-  # -- The image tag to use. The default is the chart appVersion.
+    # -- The image tag to use. The default is the chart appVersion.
     tag: ""
+    # -- The flavour of tag you want to use
+    flavour: ""
   imagePullSecrets: []
   nameOverride: ""
   fullnameOverride: ""
@@ -376,6 +380,7 @@ certController:
     repository: ghcr.io/external-secrets/external-secrets
     pullPolicy: IfNotPresent
     tag: ""
+    flavour: ""
   imagePullSecrets: []
   nameOverride: ""
   fullnameOverride: ""