feat: ds mode support

Author: ryanfaircloth

charts/s3proxy/templates/daemonset.yaml

@@ -0,0 +1,129 @@
+{{ if eq .Values.DeploymentMode "DaemonSet" }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "s3proxy.fullname" . }}
+  labels:
+    {{- include "s3proxy.labels" . | nindent 4 }}
+  annotations:
+    checkov.io/skip1: CKV_K8S_35=Inorder to use a generated secret in two ways we can't do this
+spec:
+  selector:
+    matchLabels:
+      {{- include "s3proxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "s3proxy.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels -}}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "s3proxy.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}
+
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          #checkov:skip=CKV_K8S_43: Not for Public Charts
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            {{- .Values.command | toYaml | nindent 12 }}
+          args:
+            {{- .Values.args | toYaml | nindent 12 }}
+          env:
+          - name: S3PROXY_IDENTITY
+            valueFrom:
+              secretKeyRef:
+                {{- if empty .Values.existingSecretName }}
+                name: "{{ include "s3proxy.fullname" . }}-awsclient"
+                {{- else }}
+                name: {{ .Values.existingSecretName }}
+                {{- end }}
+                key: AWS_ACCESS_KEY_ID
+                optional: false
+          - name: S3PROXY_CREDENTIAL
+            valueFrom:
+              secretKeyRef:
+                {{- if empty .Values.existingSecretName }}
+                name: "{{ include "s3proxy.fullname" . }}-awsclient"
+                {{- else }}
+                name: {{ .Values.existingSecretName }}
+                {{- end }}
+                key: AWS_SECRET_ACCESS_KEY
+                optional: false
+          {{- with .Values.config.env }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+          {{- if eq .Values.config.jclouds.provider "filesystem" }}
+          - mountPath: {{ .Values.config.jclouds.filesystem.baseDir }}
+            name: tmp-volume
+          {{- end }}
+          - name: secret-volume
+            readOnly: true
+            mountPath: "/etc/s3proxy"
+      volumes:
+      {{- if eq .Values.config.jclouds.provider "filesystem" }}
+      - name: tmp-volume
+        emptyDir:
+          sizeLimit: {{ .Values.config.jclouds.filesystem.tmpSize }}
+      {{- end }}
+      - name: secret-volume
+        {{- if .Values.csiSecret.enabled }}
+        csi:
+          driver: {{ .Values.csiSecret.driver | default "secrets-store.csi.k8s.io" }}
+          readOnly: {{ .Values.csiSecret.readOnly | default true }}
+          volumeAttributes:
+            secretProviderClass: {{ .Values.csiSecret.class }}
+        {{ else }}
+        secret:
+      {{- if .Values.existingPropertiesSecret }}
+          secretName: {{ .Values.existingPropertiesSecret }}
+      {{ else }}
+          secretName: {{ include "s3proxy.fullname" . }}
+      {{- end }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

charts/s3proxy/templates/deployment.yaml

@@ -1,3 +1,4 @@
+{{ if eq .Values.DeploymentMode "Deployment" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -30,7 +31,8 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "s3proxy.serviceAccountName" . }}
-      automountServiceAccountToken: false
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}
+
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
@@ -127,3 +129,4 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+{{- end }}

charts/s3proxy/templates/hpa.yaml

@@ -1,3 +1,4 @@
+{{- if eq .Values.DeploymentMode "Deployment" }}
 {{- if .Values.autoscaling.enabled }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
@@ -30,3 +31,4 @@ spec:
           averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
     {{- end }}
 {{- end }}
+{{- end }}

charts/s3proxy/values.yaml

@@ -1,7 +1,7 @@
 # Default values for s3proxy.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-
+DeploymentMode: Deployment
 replicaCount: 1
 labels: {}
 podLabels: {}
@@ -50,6 +50,7 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
+  automountServiceAccountToken: false
 
 podAnnotations: {}