[registry-scanner] feat: allow specify existing or external secrets i…

…nstead of creating a new one (sysdiglabs#146)
nkraemer-sysdig · May 17, 2021 · 9fba346 · 9fba346
1 parent 019a2b5
commit 9fba346
Show file tree

Hide file tree

Showing 6 changed files with 26 additions and 2 deletions.
diff --git a/charts/registry-scanner/CHANGELOG.md b/charts/registry-scanner/CHANGELOG.md
@@ -5,6 +5,12 @@
 This file documents all notable changes to Sysdig Registry Scanner. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v0.0.7
+
+### Minor changes
+
+* New option `existingSecretName` to use existing or external secret
+
 ## v0.0.5
 
 ### Minor changes

diff --git a/charts/registry-scanner/Chart.yaml b/charts/registry-scanner/Chart.yaml
@@ -4,7 +4,7 @@ description: Sysdig Registry Scanner
 type: application
 home: https://sysdiglabs.github.io/registry-scanner/
 icon: https://478h5m1yrfsa3bbe262u7muv-wpengine.netdna-ssl.com/wp-content/uploads/2019/02/Shovel_600px.png
-version: 0.0.6
+version: 0.0.7
 appVersion: 0.0.1
 maintainers:
   - name: airadier

diff --git a/charts/registry-scanner/README.md b/charts/registry-scanner/README.md
@@ -51,6 +51,7 @@ The following table lists the configurable parameters of the Sysdig Registry Sca
 | `imagePullSecrets`                    | The image pull secrets                                                                                                 | `[]`                                          |
 | `nameOverride`                        | Chart name override                                                                                                    | ` `                                           |
 | `fullnameOverride`                    | Chart full name override                                                                                               | ` `                                           |
+| `existingSecretName`                  | Name of a Kubernetes secret containing an 'secureAPIToken', 'registryUser', and 'registryPassword' entries             | ` `                                           |
 | `podAnnotations`                      | Registry scanner pod annotations                                                                                       | `{}`                                          |
 | `podSecurityContext`                  | Security context for Registry Scanner pod                                                                              | `{}`                                          |
 | `securityContext`                     | Security context for Registry Scanner container                                                                        | `{}`                                          |

diff --git a/charts/registry-scanner/templates/cronjob.yaml b/charts/registry-scanner/templates/cronjob.yaml
@@ -47,7 +47,11 @@ spec:
               - name: SECURE_API_TOKEN
                 valueFrom:
                   secretKeyRef:
+                    {{- if not .Values.existingSecretName }}
                     name: {{ include "registry-scanner.fullname" . }}
+                    {{- else }}
+                    name: {{ .Values.existingSecretName }}
+                    {{- end }}
                     key: secureAPIToken
               {{- if .Values.proxy.httpProxy }}
               - name: http_proxy
@@ -64,12 +68,20 @@ spec:
               - name: REGISTRYSCANNER_REGISTRY_USER
                 valueFrom:
                   secretKeyRef:
+                    {{- if not .Values.existingSecretName }}
                     name: {{ include "registry-scanner.fullname" . }}
+                    {{- else }}
+                    name: {{ .Values.existingSecretName }}
+                    {{- end }}
                     key: registryUser
               - name: REGISTRYSCANNER_REGISTRY_PASSWORD
                 valueFrom:
                   secretKeyRef:
+                    {{- if not .Values.existingSecretName }}
                     name: {{ include "registry-scanner.fullname" . }}
+                    {{- else }}
+                    name: {{ .Values.existingSecretName }}
+                    {{- end }}
                     key: registryPassword
           restartPolicy: {{ .Values.cronjob.restartPolicy }}
           {{- with .Values.nodeSelector }}

diff --git a/charts/registry-scanner/templates/secret.yaml b/charts/registry-scanner/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.existingSecretName }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,4 +9,5 @@ type: Opaque
 data:
   secureAPIToken: {{ .Values.config.secureAPIToken | b64enc | quote }}
   registryUser: {{ .Values.config.registryUser | b64enc | quote }}
-  registryPassword: {{ .Values.config.registryPassword | b64enc | quote }}
+  registryPassword: {{ .Values.config.registryPassword | b64enc | quote }}
+{{- end }}
diff --git a/charts/registry-scanner/values.yaml b/charts/registry-scanner/values.yaml
@@ -46,6 +46,9 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+# Specify the name of a Kubernetes secret containing an 'secureAPIToken', 'registryUser', and 'registryPassword' entries
+existingSecretName: ""
+
 podAnnotations: {}
 
 podSecurityContext: {}