refactor deepfence-agent helm chart

deployment-scripts/helm-charts/deepfence-agent/ReadMe.md

@@ -29,26 +29,26 @@ helm show values deepfence/deepfence-agent > deepfence_agent_values.yaml
 ```
 - (Optional) Edit values file and set docker hub username and password (if using your own registry)
 ```yaml
-registry:
-  name: "https://index.docker.io/v1/"
-  username: "<>"
-  password: "<>"
+imagePullSecret:
+  # Specifies whether a image pull secret should be created
+  create: true
+  registry: "https://index.docker.io/v1/"
+  username: ""
+  password: ""
+  # The name of the imagePullSecret to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
 ```
 - Set Deepfence management console ip address
 ```yaml
 managementConsoleUrl: ""
 ```
 - Set image tag
 ```yaml
-image:
-  # deepfence agent runs as a daemonset in all nodes in the cluster
-  name: deepfenceio/deepfence_agent_ce
-  tag: 2.0.0
-  # cluster agent runs as a single pod
-  clusterAgentImageName: deepfenceio/deepfence_cluster_agent_ce
-  clusterAgentImageTag: 2.0.0
-  pullPolicy: Always
-  pullSecretName: deepfence-docker-secret
+global:
+  # this image tag is used every where for agents
+  # to override set tag at agents level
+  imageTag: 2.0.0
 ```
 - Set deepfence auth key
 Set authentication key when it is enabled in management console
@@ -99,5 +99,5 @@ kubectl get pods -n deepfence
 ### Delete
 
 ```bash
-helm delete deepfence-agent -n deepfence
+helm uninstall deepfence-agent -n deepfence
 ```

deployment-scripts/helm-charts/deepfence-agent/templates/_helpers.tpl

@@ -43,15 +43,6 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
-{{- define "deepfence-cluster-agent.labels" -}}
-helm.sh/chart: {{ include "deepfence-agent.chart" . }}
-{{ include "deepfence-cluster-agent.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
 {{/*
 Selector labels
 */}}
@@ -60,14 +51,31 @@ app.kubernetes.io/name: {{ include "deepfence-agent.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
-{{- define "deepfence-cluster-agent.selectorLabels" -}}
-app.kubernetes.io/name: deepfence-cluster-agent
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
 {{/*
 Create secret to access docker registry
 */}}
 {{- define "imagePullSecret" }}
 {{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.registry.name (printf "%s:%s" .Values.registry.username .Values.registry.password | b64enc) | b64enc }}
+{{- end }}
+
+{{/*
+Create the name of the imagePullSecret to use
+*/}}
+{{- define "deepfence-agent.imagePullSecretName" -}}
+{{- if .Values.imagePullSecret.create }}
+{{- default (include "deepfence-agent.fullname" .) .Values.imagePullSecret.name }}
+{{- else }}
+{{- .Values.imagePullSecret.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "deepfence-agent.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "deepfence-agent.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
 {{- end }}

deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: deepfence-agent
+  name: {{ include "deepfence-agent.fullname" . }}
   labels:
     {{- include "deepfence-agent.labels" . | nindent 4 }}
 rules:

deployment-scripts/helm-charts/deepfence-agent/templates/cluster_role_binding.yaml

@@ -1,14 +1,14 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: deepfence-agent
+  name: {{ include "deepfence-agent.fullname" . }}
   labels:
     {{- include "deepfence-agent.labels" . | nindent 4 }}
 roleRef:
   kind: ClusterRole
-  name: deepfence-agent
+  name: {{ include "deepfence-agent.fullname" . }}
   apiGroup: rbac.authorization.k8s.io
 subjects:
   - kind: ServiceAccount
-    name: {{ .Values.serviceAccount.name }}
+    name: {{ include "deepfence-agent.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}

deployment-scripts/helm-charts/deepfence-agent/templates/daemonset.yaml

@@ -1,30 +1,30 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: deepfence-agent
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "deepfence-agent.fullname" . }}
   labels:
     {{- include "deepfence-agent.labels" . | nindent 4 }}
+    name: {{ include "deepfence-agent.fullname" . }}
 spec:
   selector:
     matchLabels:
       {{- include "deepfence-agent.selectorLabels" . | nindent 6 }}
+      name: {{ include "deepfence-agent.fullname" . }}
   updateStrategy:
     type: RollingUpdate
   template:
     metadata:
       labels:
         {{- include "deepfence-agent.selectorLabels" . | nindent 8 }}
+        name: {{ include "deepfence-agent.fullname" . }}
     spec:
       {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName | quote }}
       {{- end }}
-
       hostPID: true
       hostNetwork: true
-      serviceAccountName: {{ .Values.serviceAccount.name }}
+      serviceAccountName: {{ include "deepfence-agent.serviceAccountName" . }}
       dnsPolicy: ClusterFirstWithHostNet
-
       volumes:
         {{- if .Values.mountContainerRuntimeSocket.dockerSock }}
         - name: docker-sock
@@ -62,25 +62,19 @@ spec:
           emptyDir: {}
         - name: fenced-path-compliance-scan-logs
           emptyDir: {}
-
       containers:
         - name: deepfence-agent
-          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: "{{ .Values.agent.image.name }}:{{ default .Values.global.imageTag .Values.agent.image.tag }}"
+          imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
           securityContext:
             privileged: true
           resources:
-            requests:
-              cpu: {{ .Values.resources.requests.cpu }}
-              memory: {{ .Values.resources.requests.memory }}
-            limits:
-              cpu: {{ .Values.resources.limits.cpu }}
-              memory: {{ .Values.resources.limits.memory }}
+            {{- toYaml .Values.agent.resources | nindent 12 }}
           env:
             - name: DEEPFENCE_KEY
               valueFrom:
                 secretKeyRef:
-                  name: "deepfence-key"
+                  name: {{ include "deepfence-agent.fullname" . }}-key
                   key: "deepfence-key"
             - name: USER_DEFINED_TAGS
               value: {{ .Values.userDefinedTags }}
@@ -157,18 +151,15 @@ spec:
               name: fenced-path-compliance
             - mountPath: /var/log/fenced/compliance-scan-logs
               name: fenced-path-compliance-scan-logs
-      imagePullSecrets:
-        - name: {{ .Values.image.pullSecretName }}
-
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.agent.nodeSelector }}
       nodeSelector:
       {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.affinity }}
+      {{- with .Values.agent.affinity }}
       affinity:
       {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- with .Values.agent.tolerations }}
       tolerations:
       {{- toYaml . | nindent 8 }}
       {{- end }}

deployment-scripts/helm-charts/deepfence-agent/templates/deployment.yaml

@@ -1,28 +1,31 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: deepfence-cluster-agent
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "deepfence-agent.fullname" . }}-cluster
   labels:
-  {{- include "deepfence-cluster-agent.labels" . | nindent 4 }}
+    {{- include "deepfence-agent.labels" . | nindent 4 }}
+    name: {{ include "deepfence-agent.fullname" . }}-cluster
 spec:
   replicas: 1
   revisionHistoryLimit: 2
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-  {{- include "deepfence-cluster-agent.selectorLabels" . | nindent 6 }}
+      {{- include "deepfence-agent.selectorLabels" . | nindent 6 }}
+      name: {{ include "deepfence-agent.fullname" . }}-cluster
   template:
     metadata:
       labels:
-    {{- include "deepfence-cluster-agent.selectorLabels" . | nindent 8 }}
+        {{- include "deepfence-agent.selectorLabels" . | nindent 8 }}
+        name: {{ include "deepfence-agent.fullname" . }}-cluster
     spec:
       hostNetwork: true
+      serviceAccountName: {{ include "deepfence-agent.serviceAccountName" . }}
       containers:
         - name: deepfence-cluster-agent
-          image: "{{ .Values.image.clusterAgentImageName }}:{{ .Values.image.clusterAgentImageTag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          image: "{{ .Values.cluster_agent.image.name }}:{{ default .Values.global.imageTag .Values.cluster_agent.image.tag }}"
+          imagePullPolicy: {{ .Values.cluster_agent.image.pullPolicy }}
           env:
             - name: MGMT_CONSOLE_URL
               value: "{{ required "managementConsoleUrl is required" .Values.managementConsoleUrl }}"
@@ -31,7 +34,7 @@ spec:
             - name: DEEPFENCE_KEY
               valueFrom:
                 secretKeyRef:
-                  name: "deepfence-key"
+                  name: {{ include "deepfence-agent.fullname" . }}-key
                   key: "deepfence-key"
             - name: DF_CLUSTER_NAME
               value: "{{ .Values.clusterName }}"
@@ -57,25 +60,16 @@ spec:
                 fieldRef:
                   fieldPath: metadata.namespace
           resources:
-            requests:
-              cpu: {{ .Values.clusterAgentResources.requests.cpu }}
-              memory: {{ .Values.clusterAgentResources.requests.memory }}
-            limits:
-              cpu: {{ .Values.clusterAgentResources.limits.cpu }}
-              memory: {{ .Values.clusterAgentResources.limits.memory }}
-      serviceAccountName: {{ .Values.serviceAccount.name }}
-      imagePullSecrets:
-        - name: {{ .Values.image.pullSecretName }}
-
-      {{- with .Values.clusterAgentNodeSelector }}
+            {{- toYaml .Values.cluster_agent.resources | nindent 12 }}
+      {{- with .Values.cluster_agent.nodeSelector }}
       nodeSelector:
       {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.clusterAgentAffinity }}
+      {{- with .Values.cluster_agent.affinity }}
       affinity:
       {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.clusterAgentTolerations }}
+      {{- with .Values.cluster_agent.tolerations }}
       tolerations:
       {{- toYaml . | nindent 8 }}
       {{- end }}

deployment-scripts/helm-charts/deepfence-agent/templates/secret.yaml

@@ -1,12 +1,11 @@
 ---
-{{- if .Values.registry.createRegistrySecret }}
+{{- if .Values.imagePullSecret.create }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.image.pullSecretName }}
+  name: {{ include "deepfence-agent.imagePullSecretName" . }}
   labels:
     {{- include "deepfence-agent.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
 type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: "{{ template "imagePullSecret" . }}"
@@ -16,16 +15,10 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: deepfence-key
+  name: {{ include "deepfence-agent.fullname" . }}-key
   labels:
     {{- include "deepfence-agent.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
-{{- if .Values.deepfenceKey }}
-  deepfence-key: "{{ .Values.deepfenceKey | b64enc }}"
-{{- else }}
-  deepfence-key: ""
+  deepfence-key: {{ required "deepfenceKey is required" .Values.deepfenceKey | b64enc }}
 {{- end }}
-{{- end }}
----

deployment-scripts/helm-charts/deepfence-agent/templates/serviceaccount.yaml

@@ -1,11 +1,15 @@
+{{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.serviceAccount.name }}
+  name: {{ include "deepfence-agent.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "deepfence-agent.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
-  {{- end }}
+  {{- end }}
+imagePullSecrets:
+  - name: {{ include "deepfence-agent.imagePullSecretName" . }}
+{{- end }}