Adding Fortanix DSM Secrets Chart (#286)

Author: manasag

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/report.yaml

@@ -0,0 +1,92 @@
+apiversion: v1
+kind: verify-report
+metadata:
+    tool:
+        verifier-version: 0.0.1
+        profile:
+            VendorType: partner
+            version: v1.0
+        chart-uri: /charts/src
+        digest: sha256:492efc99f1c44f9a854b916859732a067bb1500795856b97f890cd1e0b672ffc
+        digests:
+            chart: sha256:492efc99f1c44f9a854b916859732a067bb1500795856b97f890cd1e0b672ffc
+        lastCertifiedTimestamp: "2021-08-11T08:00:19.068501+00:00"
+        certifiedOpenShiftVersions: 4.7.0
+    chart:
+        name: dsm-secrets-injector-chart
+        home: ""
+        sources: []
+        version: "2.0"
+        description: ""
+        keywords: []
+        maintainers:
+          - name: Aman Ahuja
+            email: [email protected]
+            url: ""
+        icon: ""
+        apiversion: v2
+        condition: ""
+        tags: ""
+        appversion: "1.0"
+        deprecated: false
+        annotations: {}
+        kubeversion: '>= 1.16.0 < 1.22.0'
+        dependencies:
+          - name: fortanix-cert-setup
+            version: "1.1"
+            repository: file://cert-setup
+            condition: ""
+            tags: []
+            enabled: false
+            importvalues: []
+            alias: ""
+        type: ""
+    chart-overrides: ""
+results:
+  - check: v1.0/not-contains-crds
+    type: Mandatory
+    outcome: PASS
+    reason: Chart does not contain CRDs
+  - check: v1.0/not-contain-csi-objects
+    type: Mandatory
+    outcome: PASS
+    reason: CSI objects do not exist
+  - check: v1.0/has-readme
+    type: Mandatory
+    outcome: PASS
+    reason: Chart has a README
+  - check: v1.0/contains-test
+    type: Mandatory
+    outcome: PASS
+    reason: Chart test files exist
+  - check: v1.0/contains-values
+    type: Mandatory
+    outcome: PASS
+    reason: Values file exist
+  - check: v1.0/helm-lint
+    type: Mandatory
+    outcome: PASS
+    reason: Helm lint successful
+  - check: v1.0/images-are-certified
+    type: Mandatory
+    outcome: PASS
+    reason: |-
+        Image is Red Hat certified : registry.access.redhat.com/ubi7/ubi-minimal:7.9
+        Image is Red Hat certified : registry.hub.docker.com/fortanix/k8s-sdkms-secrets-injector:ubi7-2.0
+        Image is Red Hat certified : registry.hub.docker.com/fortanix/k8s-sdkms-cert-setup:ubi7-1.1
+  - check: v1.0/chart-testing
+    type: Mandatory
+    outcome: PASS
+    reason: Chart tests have passed
+  - check: v1.0/is-helm-v3
+    type: Mandatory
+    outcome: PASS
+    reason: API version is V2, used in Helm 3
+  - check: v1.0/contains-values-schema
+    type: Mandatory
+    outcome: PASS
+    reason: Values schema file exist
+  - check: v1.0/has-kubeversion
+    type: Mandatory
+    outcome: PASS
+    reason: Kubernetes version specified

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: fortanix-cert-setup
+  repository: file://cert-setup
+  version: "1.1"
+digest: sha256:07a87ec9e979541d13257c8bb24ebdcfaf3c840c5c1f02dc5061c0ccd395461f
+generated: "2021-08-11T11:23:04.320866317+05:30"

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/Chart.yaml

@@ -0,0 +1,12 @@
+name: dsm-secrets-injector-chart
+version: "2.0"
+appVersion: "1.0"
+apiVersion: v2
+kubeVersion: ">= 1.16.0 < 1.22.0"
+dependencies: # A list of the chart requirements
+  - name: fortanix-cert-setup
+    version: 1.1
+    repository: file://cert-setup
+maintainers:
+  - name: Aman Ahuja
+    email: [email protected]

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/README.md

@@ -0,0 +1,60 @@
+
+# DSM Secrets Injector Helm Chart v3
+
+This repository contains Helm chart for deploying and configuring secrets injection with Fortanix DSM in Kubernetes applications.
+
+It deploys Mutating Webhook Controller and sidecar container for injecting secrets.
+
+Note: This chart supports kubernetes version 1.16 and above.
+
+## Dependency Charts
+
+* **fortanix-cert-setup** - `cert-setup` folder in this repository
+
+## Install Chart
+
+* Install Dependency Chart
+````console
+$ helm dep up dsm-secrets-injector-chart
+````
+* Install dsm-secrets-injector Chart
+** Kubernetes cluster
+````console
+$ helm install dsm-secrets-injector-chart ./dsm-secrets-injector-chart
+````
+** OpenShift Cluster
+```console
+$ 
+$ helm install dsm-secrets-injector-chart ./dsm-secrets-injector --set global.
+## Uninstall chart 
+* Uninstall dsm-secrets-injector-chart
+````console
+$ helm delete dsm-secrets-injector-chart
+````
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+The following tables lists the configurable parameters of the sdkms-secrets-injection chart and their default values.
+
+| Parameter                        | Description                                                                               | Default                                                      |
+|----------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------|
+| `global.registry`           | Global Docker image registry                                                              | `fortanix`                                                        |
+| `global.namespace`        | Global Namespace                                           | `fortanix`      |
+| `global.service`                 | Global Kubernetes Service                                                              | `fortanix-secrets-injector-svc`                                                  |
+| `global.serviceAccount`               |  Service Account for cert TLS                                                                  | `fortanix-webhook-certs-sa`                                             |
+| `global.secret`                      | Secret containing cert TLS                                                                     | `fortanix-secrets-injector-certs`                                                 |
+| `global.caBundle`          | Kubernetes API Server CA Certificate pem bytes as base64 string    | nil
+| `configmap.name`               | ConfigMap for Controller configuration                                                            | `fortanix-webhook-config`                                                     |
+| `configmap.authTokenType`              | Authentication Type for Secrets-Injection                                          | `api-key` (can be set as `jwt` or `api-key`)      |
+| `configmap.secretAgent.imageName`                   | Image name for Secret Agent Image                                                                      | `k8s-sdkms-secret-agent`                                                  |
+| `configmap.secretAgent.tag`                 | Image tag for Secret Agent  Image                                                                       | `"1.0"`
+| `configmap.tokenVolumeProjection.audience` | The audience of the Service Account JWT token. This should be same as SDKMS endpoint. e.g. https://sdkms.fortanix.com. Applies only if `jwt`type of authentication is set | nil
+| `configmap.tokenVolumeProjection.expirationSeconds` | The expiration period of the Service Account JWT token (in seconds). Applies only if `jwt`type of authentication is set | `3600`
+| `replicas`                   | Number of replicas of the Secrets Injector deployment                                               | `1`                                                  |
+| `image.name`                | Secrets Injector Image Name                                                  | `k8s-sdkms-secrets-injector`                                                        |
+| `image.tag`                      | Secrets Injector Image Tag                                                        | `"1.0"`                                                        |
+| `image.pullPolicy`                | Secrets Injector Image Pull Policy                                                  | `IfNotPresent`                                                        |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/Chart.yaml

@@ -0,0 +1,6 @@
+name: fortanix-cert-setup
+version: 1.1
+appVersion: 1.0
+maintainers:
+  - name: Aman Ahuja
+    email: [email protected]

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/templates/NOTES.txt

@@ -0,0 +1,3 @@
+Job to create TLS certificates using Kubernetes apiserver has been deployed successfully.
+
+Generated TLS certificates are stored in secret.

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/templates/_helpers.tpl

@@ -0,0 +1,12 @@
+{{- define "fortanix-cert-setup.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "fortanix-cert-setup.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "fortanix-cert-setup.image" -}}
+{{- $tag := .Values.image.tag | toString -}}
+{{- printf "%s/%s:%s" .Values.global.registry .Values.image.name $tag -}}
+{{- end -}}

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/templates/cluster-role-bindings.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.clusterRoleBindings }}
+  namespace: {{ .Values.global.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.clusterRole }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount }}
+    namespace: {{ .Values.global.namespace }}

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/templates/cluster-role.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.clusterRole }}
+  namespace: {{ .Values.global.namespace }}
+rules:
+  - apiGroups: [ "certificates.k8s.io" ]
+    resources: [ "certificatesigningrequests" ]
+    verbs: [ "get", "create", "delete", "list", "watch" ]
+  - apiGroups: [ "certificates.k8s.io" ]
+    resources: [ "certificatesigningrequests/approval" ]
+    verbs: [ "update" ]
+  - apiGroups: [ "certificates.k8s.io" ]
+    resources: [ "signers" ]
+    resourceNames: [ "kubernetes.io/*" ]
+    verbs: [ "approve" ]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "create", "get", "patch", "update" ]
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    verbs: [ "get" ]

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/templates/job.yaml

@@ -0,0 +1,23 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "fortanix-cert-setup.name" . }}
+  namespace: {{ .Values.global.namespace }}
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount }}
+      containers:
+        - name: {{ include "fortanix-cert-setup.name" . }}
+          image: {{ include "fortanix-cert-setup.image" . }}
+          args:
+            - "-n"
+            - {{ .Values.global.namespace }}
+            - "-s"
+            - {{ .Values.global.service }}
+            - "-p"
+            - {{ .Values.global.secret }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+      restartPolicy: Never
+  backoffLimit: 4
+

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/templates/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.global.namespace }}

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/templates/service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount }}
+  namespace: {{ .Values.global.namespace }}

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/cert-setup/values.yaml

@@ -0,0 +1,19 @@
+# Default values for fortanix-cert-setup.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+clusterRole: fortanix-webhook-cert-sa-cluster-role
+
+clusterRoleBindings: fortanix-webhook-cert-sa-role-binding
+
+image:
+  name: k8s-sdkms-cert-setup
+  tag: "ubi7-1.1"
+  pullPolicy: IfNotPresent
+
+serviceAccount: fortanix-sa
+
+ 
+
+
+

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/charts/fortanix-cert-setup-1.1.tgz

@@ -0,0 +1,3 @@
+kubernetes Integration with Fortanix SDKMS has been deployed successfully.
+
+Follow the guide to setup your application and inject secrets from SDKMS into your application on Kubernetes.

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/templates/NOTES.txt

@@ -0,0 +1,12 @@
+{{- define "fortanix-secrets-injector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "fortanix-secrets-injector.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "fortanix-secrets-injector.image" -}}
+{{- $tag := .Values.image.tag | toString -}}
+{{- printf "%s/%s:%s" .Values.global.registry .Values.image.name $tag -}}
+{{- end -}}

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "fortanix-secrets-injector.name" . }}
+  namespace: {{ .Values.global.namespace }}
+{{ if not .Values.global.caBundle }}
+  annotations:
+    cert-manager.io/inject-apiserver-ca: "true"
+{{ end }}
+  labels:
+    app: {{ include "fortanix-secrets-injector.name" . }}
+webhooks:
+  - name: secrets-injector.fortanix.com
+    admissionReviewVersions: ["v1"]
+    rules:
+      - apiGroups: [""]
+        apiVersions: ["v1"]
+        operations: [ "CREATE" ]
+        resources: ["pods"]
+        scope: "Namespaced"
+    namespaceSelector:
+      matchLabels:
+        fortanix-secrets-injector: enabled
+    clientConfig:
+{{ if .Values.global.caBundle }}
+      caBundle: {{ .Values.global.caBundle | quote }}
+{{ end }}
+      service:
+        name: {{ .Values.global.service }}
+        namespace: {{ .Values.global.namespace }}
+        path: "/mutate-pod"
+    sideEffects: None

charts/partners/fortanix/dsm-secrets-injector-chart/2.0/src/templates/mutating-webhook.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.configmap.name }}
+  namespace: {{ .Values.global.namespace }}
+data:
+  controller-config.yaml: |
+    authTokenType: {{ .Values.configmap.authTokenType }} # acceptable values: `api-key`, `jwt`.
+    secretAgentImage: {{ .Values.global.registry }}/{{ .Values.configmap.secretAgent.imageName }}:{{ .Values.configmap.secretAgent.tag }}
+    proxySettings:
+      #httpProxy: 'http://example.com'
+      #httpsProxy: 'https://example.com'
+      #noProxy: '*.example.com,1.2.3.4'
+    # the following values are set only if authTokenType is set to 'jwt'
+{{ if eq .Values.configmap.authTokenType "jwt" }}
+    tokenVolumeProjection:
+      addToAllPods: true
+      audience: {{ .Values.configmap.tokenVolumeProjection.audience }}
+      expirationSeconds: {{ .Values.configmap.tokenVolumeProjection.expirationSeconds | default "3600" }}
+{{ end }}