This repository was archived by the owner on Jan 30, 2026. It is now read-only.
Merged
2 changes: 0 additions & 2 deletions .golangci.yml
@@ -28,8 +28,6 @@ linters-settings:
govet:
enable:
- shadow
disable:
- check-shadowing

errcheck:
check-type-assertions: true
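Review bot: the removed `disable: - check-shadowing` block is the older spelling of the same govet shadow check that `enable: - shadow` two lines above already turns on, so the two settings were contradictory and newer golangci-lint releases warn on the old key; dropping it is the right fix. Worth running the linter once with the version pinned in CI to confirm the config still loads with only `enable: - shadow`.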
23 changes: 23 additions & 0 deletions charts/pull-secret/.helmignore
@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
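Review bot: the ignore list covers VCS, editor and backup files but not local values overrides, and the README added in this PR tells users to create a `my-values.yaml` that carries `pullSecretData` (registry credentials). If that file is created inside the chart directory, `helm package ./charts/pull-secret` bundles it into the .tgz. Add a pattern such as `my-values.yaml` (or `*-values.yaml`) here so an override file holding credentials is never packaged.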
13 changes: 13 additions & 0 deletions charts/pull-secret/Chart.yaml
@@ -0,0 +1,13 @@
apiVersion: v2
name: pull-secret
description: HyperFleet Pull Secret Adapter - Manages pull secrets in GCP Secret Manager
type: application
version: 0.1.0
appVersion: "1.0"
keywords:
- hyperfleet
- pull-secret
- gcp
- secret-manager
maintainers:
- name: HyperFleet Team
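Review bot: `appVersion: "1.0"` matches neither image tag the README uses (`latest` by default, `v1.0.0` in the example), so the `app.kubernetes.io/version` label emitted by the labels helper will report a version that is not the running image. Set `appVersion` to the actual adapter release and consider defaulting `image.tag` to `.Chart.AppVersion` in the template so chart version, label and image stay in step. The `maintainers` entry could also carry an `email` or `url` so chart consumers have a contact.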
193 changes: 193 additions & 0 deletions charts/pull-secret/README.md
@@ -0,0 +1,193 @@
# Pull Secret Adapter Helm Chart

This Helm chart deploys the HyperFleet Pull Secret Adapter as a Kubernetes Job on GKE.

## Prerequisites

1. **Helm 3.x installed**
```bash
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
```

2. **kubectl configured for your GKE cluster**
```bash
gcloud container clusters get-credentials YOUR_CLUSTER_NAME \
--zone=YOUR_ZONE \
--project=YOUR_PROJECT_ID
```

3. **Workload Identity configured**
- Service Account: `your-service-account@your-project.iam.gserviceaccount.com`
- Workload Pool: `your-project.svc.id.goog`

## Installation

### Quick Start

Deploy with default values:

```bash
helm install pullsecret-job ./charts/pull-secret \
--namespace hyperfleet-system \
--create-namespace
```

### Custom Values

Deploy with custom configuration:

```bash
helm install pullsecret-job ./charts/pull-secret \
--namespace hyperfleet-system \
--create-namespace \
--set env.gcpProjectId=my-project \
--set env.clusterId=my-cluster-123 \
--set env.pullSecretData='{"auths":{...}}' \
--set image.tag=latest
```

### Using a Values File

Create a custom values file (`my-values.yaml`):

```yaml
env:
gcpProjectId: "my-gcp-project"
clusterId: "my-cluster-123"
secretName: "hyperfleet-my-cluster-123-pull-secret"
pullSecretData: '{"auths":{"registry.example.com":{"auth":"...","email":"user@example.com"}}}'

serviceAccount:
gcpServiceAccount: "my-service-account@my-project.iam.gserviceaccount.com"

image:
tag: "v1.0.0"
```

Then install:

```bash
helm install pullsecret-job ./charts/pull-secret \
--namespace hyperfleet-system \
--create-namespace \
-f my-values.yaml
```

## Configuration

The following table lists the configurable parameters:

| Parameter | Description | Default |
|-----------|-------------|---------|
| `namespace` | Kubernetes namespace | `hyperfleet-system` |
| `job.name` | Job name | `pullsecret-job` |
| `job.backoffLimit` | Number of retries on failure | `3` |
| `job.ttlSecondsAfterFinished` | Cleanup delay after completion | `3600` (1 hour) |
| `image.repository` | Container image repository | `quay.io/hyperfleet/pull-secret` |
| `image.tag` | Container image tag | `latest` |
| `image.pullPolicy` | Image pull policy | `Always` |
| `serviceAccount.name` | Kubernetes ServiceAccount name | `pullsecret-adapter` |
| `serviceAccount.gcpServiceAccount` | GCP service account for Workload Identity | `your-service-account@your-project.iam.gserviceaccount.com` |
| `env.gcpProjectId` | GCP project ID | `your-gcp-project` |
| `env.clusterId` | Cluster identifier | `your-cluster-id` |
| `env.secretName` | Secret name in GCP Secret Manager | `hyperfleet-your-cluster-id-pull-secret` |
| `env.pullSecretData` | Pull secret JSON data (required) | `{"auths":{...}}` |
| `resources.requests.cpu` | CPU request | `100m` |
| `resources.requests.memory` | Memory request | `128Mi` |
| `resources.limits.cpu` | CPU limit | `500m` |
| `resources.limits.memory` | Memory limit | `512Mi` |

## Usage

### Monitoring

Check job status:
```bash
helm status pullsecret-job -n hyperfleet-system
kubectl get job pullsecret-job -n hyperfleet-system
```

View logs:
```bash
kubectl logs -f job/pullsecret-job -n hyperfleet-system
```

### Upgrading

Upgrade the deployment with new values:
```bash
helm upgrade pullsecret-job ./charts/pull-secret \
--namespace hyperfleet-system \
--set image.tag=v1.1.0
```

### Uninstalling

Remove the job:
```bash
helm uninstall pullsecret-job -n hyperfleet-system
```

## Dry Run Mode

Test without creating secrets:
```bash
helm install pullsecret-job ./charts/pull-secret \
--namespace hyperfleet-system \
--dry-run --debug
```

## Troubleshooting

### View rendered templates
```bash
helm template pullsecret-job ./charts/pull-secret
```

### Check deployment issues
```bash
kubectl describe job pullsecret-job -n hyperfleet-system
kubectl get events -n hyperfleet-system --sort-by='.lastTimestamp'
```

### Authentication errors

Verify Workload Identity binding:
```bash
# Check ServiceAccount
kubectl get sa pullsecret-adapter -n hyperfleet-system -o yaml

# Check GCP IAM binding
gcloud iam service-accounts get-iam-policy \
your-service-account@your-project.iam.gserviceaccount.com \
--project=your-project
```

## Development

### Linting

Lint the chart:
```bash
helm lint ./charts/pull-secret
```

### Testing

Test template rendering:
```bash
helm template test-release ./charts/pull-secret --debug
```

### Packaging

Package the chart:
```bash
helm package ./charts/pull-secret
```

## References

- [Helm Documentation](https://helm.sh/docs/)
- [GKE Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)
- [Kubernetes Jobs](https://kubernetes.io/docs/concepts/workloads/controllers/job/)
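Review bot: the Custom Values example `--set env.pullSecretData='{"auths":{...}}'` has two problems. `--set` treats commas as key separators and `{...}` as list syntax, so a real `auths` JSON document will be mangled or rejected; `--set-file env.pullSecretData=pull-secret.json` (or the values-file route shown next) passes the JSON verbatim. It also leaves the credentials in shell history and in the process list while the command runs, and, as job.yaml renders them, in the Job spec and in the release record returned by `helm get values`, so the doc should state where the secret ends up and that anyone who can read jobs or pods in `hyperfleet-system` can recover it. The "Dry Run Mode" section describes `helm --dry-run`, which only renders templates and with `--debug` prints the rendered `PULL_SECRET_DATA` value to the terminal; it is not an adapter-level dry run, so retitle it or say so explicitly. Finally, the configuration table omits values the templates reference: `job.restartPolicy`, `labels.app`, `labels.jobType` and `securityContext`.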
57 changes: 57 additions & 0 deletions charts/pull-secret/templates/_helpers.tpl
@@ -0,0 +1,57 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "pull-secret.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Create a default fully qualified app name.
*/}}
{{- define "pull-secret.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "pull-secret.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
Common labels
*/}}
{{- define "pull-secret.labels" -}}
helm.sh/chart: {{ include "pull-secret.chart" . }}
{{ include "pull-secret.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}

{{/*
Selector labels
*/}}
{{- define "pull-secret.selectorLabels" -}}
app.kubernetes.io/name: {{ include "pull-secret.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app: {{ .Values.labels.app }}
{{- end }}

{{/*
Create the name of the service account to use
*/}}
{{- define "pull-secret.serviceAccountName" -}}
{{- default "pullsecret-adapter" .Values.serviceAccount.name }}
{{- end }}
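Review bot: `pull-secret.selectorLabels` dereferences `.Values.labels.app` unconditionally (job.yaml does the same with `.Values.labels.jobType`), so a values file that omits the `labels` map fails rendering with a nil-pointer error rather than a clear message; wrap the read in `{{- with .Values.labels }}` or use `required`, and document the keys in the README table. Two smaller points: `pull-secret.fullname` is defined but never used (job.yaml names the Job from `.Values.job.name`), and `pull-secret.serviceAccountName` falls back to the literal `pullsecret-adapter` rather than a release-derived name, so two releases in one namespace would collide on the ServiceAccount.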
35 changes: 35 additions & 0 deletions charts/pull-secret/templates/job.yaml
@@ -0,0 +1,35 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Values.job.name }}
namespace: {{ .Values.namespace }}
labels:
{{- include "pull-secret.labels" . | nindent 4 }}
job-type: {{ .Values.labels.jobType }}
spec:
backoffLimit: {{ .Values.job.backoffLimit }}
ttlSecondsAfterFinished: {{ .Values.job.ttlSecondsAfterFinished }}
template:
metadata:
labels:
{{- include "pull-secret.selectorLabels" . | nindent 8 }}
spec:
serviceAccountName: {{ include "pull-secret.serviceAccountName" . }}
restartPolicy: {{ .Values.job.restartPolicy }}
containers:
- name: pull-secret
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: GCP_PROJECT_ID
value: {{ .Values.env.gcpProjectId | quote }}
- name: CLUSTER_ID
value: {{ .Values.env.clusterId | quote }}
- name: SECRET_NAME
value: {{ .Values.env.secretName | quote }}
- name: PULL_SECRET_DATA
value: {{ .Values.env.pullSecretData | quote }}
resources:
{{- toYaml .Values.resources | nindent 10 }}
securityContext:
{{- toYaml .Values.securityContext | nindent 10 }}
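Review bot: `PULL_SECRET_DATA` (the full registry credential JSON) is rendered as a literal `value:` in the container env, so it is stored in plain text in the Job object, the Pod spec and the Helm release Secret, and shows up in `kubectl describe job` output, which the README's troubleshooting section tells users to run. Render it into a `Secret` resource and reference it with `valueFrom.secretKeyRef` instead, and note that the release values still hold it. Two smaller points: `namespace: {{ .Values.namespace }}` can disagree with the `--namespace` flag the README uses, so the Job may land in a different namespace from the release and from the ServiceAccount's Workload Identity binding; use `{{ .Release.Namespace }}`. And with `image.tag` defaulting to `latest` and `imagePullPolicy: Always`, every run of a job that handles credentials pulls an unpinned image; pin a tag or digest.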
9 changes: 9 additions & 0 deletions charts/pull-secret/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "pull-secret.serviceAccountName" . }}
namespace: {{ .Values.namespace }}
labels:
{{- include "pull-secret.labels" . | nindent 4 }}
annotations:
iam.gke.io/gcp-service-account: {{ .Values.serviceAccount.gcpServiceAccount }}
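Review bot: the `iam.gke.io/gcp-service-account` annotation completes only half of Workload Identity; the IAM side must grant `roles/iam.workloadIdentityUser` on the GCP service account to the principal `serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA-NAME]`, and that principal is keyed on the exact namespace and ServiceAccount name rendered here. Because both come from values (`.Values.namespace`, `serviceAccount.name`), overriding either one silently breaks authentication with an opaque permission error from Secret Manager; call this out in the README and consider `.Release.Namespace` for the namespace. Also pass the annotation value through `| quote` so an override containing YAML-significant characters renders safely.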