feat(platform-namespace-core): update chart version to 0.3.0 and add validation for namespace labels

Signed-off-by: Arthur Le Roux <[email protected]>

Author: arthlr

charts/platform-namespace-core/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: platform-namespace-core
 description: A Helm chart that defines core Kubernetes platform namespaced resources
 type: application
-version: 0.2.0
+version: 0.3.0
 appVersion: "0.1.0"
 icon: https://avatars.githubusercontent.com/u/9391624?s=200&v=4
 home: https://github.com/wiremind/wiremind-helm-charts/tree/main/charts/platform-namespace-core

charts/platform-namespace-core/templates/_helpers.tpl

@@ -63,3 +63,33 @@ Usage: {{ include "platform-namespace-core.serviceAccountName" (dict "def" $def
 {{ printf "%s" $defName }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Validate the platform-namespace-core chart.
+*/}}
+{{- define "platform-namespace-core.validate" -}}
+{{- $errors := list -}}
+{{ if .Values.namespace.create }}
+{{- if not (hasKey .Values.namespace.labels "project") }}
+{{- $errors = append $errors (printf "Namespace label 'project' must be defined for platform-namespace-core") -}}
+{{- end -}}
+{{- if not (hasKey .Values.namespace.labels "product") }}
+{{- $errors = append $errors (printf "Namespace label 'product' must be defined for platform-namespace-core") -}}
+{{- end -}}
+{{- end -}}
+
+{{- if gt (len $errors) 0 }}
+{{- fail (join "\n" $errors) }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ClusterSecretStore name definition.
+*/}}
+{{- define "platform-namespace-core.cluster-secret-store.name" -}}
+{{- if eq .Values.namespace.labels.project "platform" -}}
+{{- printf "%s-platform-%s" .Values.clusterSecretStore.provider.name .Release.Name -}}
+{{- else -}}
+{{- printf "%s-%s" .Values.clusterSecretStore.provider.name .Release.Name -}}
+{{- end -}}
+{{- end -}}

charts/platform-namespace-core/templates/external-secrets/clustersecretstore.yaml

@@ -1,50 +1,24 @@
-{{- if .Values.externalSecrets.enabled }}
-
-{{- range $name, $cfg := .Values.externalSecrets.clusterSecretStore }}
-
-{{- if or (not (hasKey $cfg "enabled")) $cfg.enabled }}
+{{- if .Values.clusterSecretStore.enabled -}}
 
 apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
-  name: {{ printf "%s-%s" $.Values.externalSecrets.provider.name $name | quote }}
+  name: {{ include "platform-namespace-core.cluster-secret-store.name" $ }}
   labels:
     {{- include "platform-namespace-core.labels" $ | nindent 4 }}
 spec:
   provider:
-    {{- if eq $.Values.externalSecrets.provider.name "infisical" }}
-    infisical:
-      auth:
-        universalAuthCredentials:
-          clientId:
-            key: clientId
-            name: {{ $.Values.externalSecrets.provider.secretName | quote }}
-            namespace: {{ $.Values.externalSecrets.provider.secretNamespace | quote }}
-          clientSecret:
-            key: clientSecret
-            name: {{ $.Values.externalSecrets.provider.secretName | quote }}
-            namespace: {{ $.Values.externalSecrets.provider.secretNamespace | quote }}
-      hostAPI: {{ $.Values.externalSecrets.provider.hostAPI | quote }}
-      secretsScope:
-        projectSlug: {{ $cfg.project | quote }}
-        environmentSlug: {{ $cfg.environment | quote }}
-        recursive: true
-        secretsPath: {{ $cfg.folder | quote }}
-    {{- end }}
+    {{- toYaml .Values.clusterSecretStore.provider | nindent 4 }}
   conditions:
-    - key: "kubernetes.io/metadata.name"
-      operator: "In"
-      values:
-        - "default"
-        - {{ $.Release.Name | quote }}
-  {{- with $cfg.namespaceConditions }}
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-
----
-
-{{- end }}
-
-{{- end }}
+    {{- if eq $.Values.namespace.labels.project "platform" }}
+    - namespaces:
+      - {{ $.Release.Name | quote }}
+    {{- else }}
+    - namespaceSelector:
+        matchLabels:
+          {{- range $key, $value := $.Values.namespace.labels }}
+          {{ $key }}: {{ $value | quote }}
+          {{- end }}
+    {{- end }}
 
-{{- end }}
+{{- end -}}

charts/platform-namespace-core/templates/external-secrets/externalsecret.yaml

@@ -9,6 +9,9 @@ metadata:
     {{- with .Values.namespace.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+    {{- if .Values.namespace.reloader.enabled }}
+    reloader: enabled
+    {{- end }}
   {{- with .Values.namespace.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/platform-namespace-core/templates/namespace.yaml

@@ -0,0 +1 @@
+{{ include "platform-namespace-core.validate" . }}

charts/platform-namespace-core/templates/validation.yaml

@@ -8,15 +8,29 @@ certManager:
       dnsNames:
         - "*.{{ .Release.Name }}.{{ .Values.certManager.certificates.wildcard.domain }}"
 
-externalSecrets:
+clusterSecretStore:
   enabled: false
   provider:
-    name: ""
-    secretName: "credentials"
-    secretNamespace: "default"
-    hostAPI: "https://example.com"
-  clusterSecretStore: {}
-  externalSecret: {}
+    # Example configuration for AWS Provider
+    # Full documentation for all providers: https://external-secrets.io/latest/provider
+    aws:
+      service: SecretsManager
+      role: iam-role
+      region: eu-central-1
+      auth:
+        secretRef:
+          accessKeyIDSecretRef:
+            namespace: external-secrets
+            name: awssm-secret
+            key: access-key
+          secretAccessKeySecretRef:
+            namespace: external-secrets
+            name: awssm-secret
+            key: secret-access-key
+        jwt:
+          serviceAccountRef:
+            name: my-serviceaccount
+            namespace: sa-namespace
 
 gitlabRunnersConfig:
   enabled: false
@@ -44,6 +58,8 @@ namespace:
   create: false
   labels: {}
   annotations: {}
+  reloader:
+    enabled: true
   podSecurityLabels:
     profile: baseline
     definitions: