feat: add ability to customize pod labels in helm chart

README.md

@@ -23,7 +23,7 @@ encrypted files stored in `git` repository.
 
 | Kubernetes | Sops | Chart | Operator |
 |---|---|---|---|
-| v1.31.x | v3.9.1 | 0.20.1 | 0.14.1 |
+| v1.31.x | v3.9.1 | 0.20.2 | 0.14.1 |
 | v1.30.x | v3.9.0 | 0.19.4 | 0.13.3 |
 | v1.29.x | v3.8.1 | 0.18.6 | 0.12.6 |
 | v1.28.x | v3.8.1 | 0.17.4 | 0.11.4 |

chart/helm3/sops-secrets-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 # UPDATE_HERE
-version: 0.20.1
+version: 0.20.2
 appVersion: 0.14.1
 type: application
 description: Helm chart deploys sops-secrets-operator

chart/helm3/sops-secrets-operator/README.md

@@ -140,7 +140,6 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | initImage.repository | string | `"ubuntu"` | Init container image name |
 | initImage.tag | string | `"oracular-20241009"` | Init container image tag |
 | kubeconfig | object | `{"enabled":false,"path":null}` | Paths to a kubeconfig. Only required if out-of-cluster. |
-| logging | object | `{"development":false,"encoder":"json","level":"info","stacktraceLevel":"error","timeEncoding":"iso8601"}` | Logging configuration section suggested values Development Mode (encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode (encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default) |
 | logging.development | bool | `false` | Zap Development Mode enabled |
 | logging.encoder | string | `"json"` | Zap log encoding (one of 'json' or 'console') |
 | logging.level | string | `"info"` | Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity |
@@ -151,7 +150,8 @@ The following table lists the configurable parameters of the Sops-secrets-operat
 | nameOverride | string | `""` | Overrides auto-generated short resource name |
 | namespaced | bool | `false` | If set - operator will watch SopsSecret resources only in operator namespace |
 | nodeSelector | object | `{}` | Node selector to use for pod configuration |
-| podAnnotations | object | `{}` | Annotations to be added to operator pod (can be used with kiam or kube2iam) |
+| podAnnotations | object | `{}` | Annotations to be added to operator pod |
+| podLabels | object | `{}` | Labels to be added to operator pod |
 | rbac.enabled | bool | `true` | Create and use RBAC resources |
 | replicaCount | int | `1` | Deployment replica count - should not be modified |
 | requeueAfter | int | `5` | Requeue failed reconciliation in minutes (min 1). (default 5) |

chart/helm3/sops-secrets-operator/templates/operator.yaml

@@ -21,6 +21,9 @@ spec:
         control-plane: controller-{{ .Chart.Name }}
         app.kubernetes.io/name: {{ include "sops-secrets-operator.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if .Values.podLabels }}
+        {{ toYaml .Values.podLabels | nindent 8 }}
+        {{- end }}
     spec:
     {{- with .Values.imagePullSecrets }}
       imagePullSecrets:

chart/helm3/sops-secrets-operator/tests/monitor_test.yaml

@@ -1,60 +1,60 @@
 suite: operator prometheus monitor tests
 templates:
-  - monitor.yaml
+- monitor.yaml
 
 tests:
 
-  - it: should not render any ServiceMonitor documents
-    release:
-      name: sops
-      namespace: sops
-    asserts:
-      - hasDocuments:
-          count: 0
+- it: should not render any ServiceMonitor documents
+  release:
+    name: sops
+    namespace: sops
+  asserts:
+  - hasDocuments:
+      count: 0
 
-  - it: should set correct kind and apiVersion, one document and selector
-    release:
-      name: sops
-      namespace: sops
-    set:
-      metrics:
-        enabled: true
-    asserts:
-      - isKind:
-          of: ServiceMonitor
-      - isAPIVersion:
-          of: monitoring.coreos.com/v1
-      - hasDocuments:
-          count: 1
-      - equal:
-          path: spec.selector.matchLabels
-          value:
-            app.kubernetes.io/instance: sops
-            app.kubernetes.io/name: sops-secrets-operator
+- it: should set correct kind and apiVersion, one document and selector
+  release:
+    name: sops
+    namespace: sops
+  set:
+    metrics:
+      enabled: true
+  asserts:
+  - isKind:
+      of: ServiceMonitor
+  - isAPIVersion:
+      of: monitoring.coreos.com/v1
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: spec.selector.matchLabels
+      value:
+        app.kubernetes.io/instance: sops
+        app.kubernetes.io/name: sops-secrets-operator
 
-  - it: should include additional labels when set
-    release:
-      name: sops
-      namespace: sops
-    set:
-      metrics:
-        enabled: true
-        additionalLabels:
-          custom-label: custom-value
-    asserts:
-      - hasDocuments:
-          count: 1
-      - isKind:
-          of: ServiceMonitor
-      - isAPIVersion:
-          of: monitoring.coreos.com/v1
-      - equal:
-          path: metadata.labels
-          # UPDATE_HERE
-          value:
-            app.kubernetes.io/instance: sops
-            app.kubernetes.io/managed-by: Helm
-            app.kubernetes.io/name: sops-secrets-operator
-            app.kubernetes.io/version: "0.14.1"
-            helm.sh/chart: sops-secrets-operator-0.20.1
-            custom-label: custom-value
+- it: should include additional labels when set
+  release:
+    name: sops
+    namespace: sops
+  set:
+    metrics:
+      enabled: true
+      additionalLabels:
+        custom-label: custom-value
+  asserts:
+  - hasDocuments:
+      count: 1
+  - isKind:
+      of: ServiceMonitor
+  - isAPIVersion:
+      of: monitoring.coreos.com/v1
+  - equal:
+      path: metadata.labels
+      # UPDATE_HERE
+      value:
+        app.kubernetes.io/instance: sops
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: sops-secrets-operator
+        app.kubernetes.io/version: "0.14.1"
+        helm.sh/chart: sops-secrets-operator-0.20.2
+        custom-label: custom-value

chart/helm3/sops-secrets-operator/tests/operator_test.yaml

@@ -31,7 +31,7 @@ tests:
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: sops-secrets-operator
         app.kubernetes.io/version: 0.14.1
-        helm.sh/chart: sops-secrets-operator-0.20.1
+        helm.sh/chart: sops-secrets-operator-0.20.2
 
 # custom name
 - it: should correctly render custome name
@@ -528,3 +528,34 @@ tests:
       - name: foo
         secret:
           secretName: mysecret
+
+# pod labels
+- it: pod labels should be empty by default
+  release:
+    name: sops
+    namespace: sops
+  asserts:
+  - equal:
+      path: spec.template.metadata.labels
+      value:
+        app.kubernetes.io/instance: sops
+        app.kubernetes.io/name: sops-secrets-operator
+        control-plane: controller-sops-secrets-operator
+
+- it: should render pod annotations if set in values
+  release:
+    name: sops
+    namespace: sops
+  set:
+    podLabels:
+      abc: qqq
+      cde: zzz
+  asserts:
+  - equal:
+      path: spec.template.metadata.labels
+      value:
+        app.kubernetes.io/instance: sops
+        app.kubernetes.io/name: sops-secrets-operator
+        control-plane: controller-sops-secrets-operator
+        abc: qqq
+        cde: zzz

chart/helm3/sops-secrets-operator/values.yaml

@@ -37,8 +37,10 @@ nameOverride: ""
 # -- Overrides auto-generated long resource name
 fullnameOverride: ""
 
-# -- Annotations to be added to operator pod (can be used with kiam or kube2iam)
+# -- Annotations to be added to operator pod
 podAnnotations: {}
+# -- Labels to be added to operator pod
+podLabels: {}
 
 serviceAccount:
   # -- Annotations to be added to the service account
@@ -52,9 +54,9 @@ kubeconfig:
   enabled: false
   path:
 
-# -- Logging configuration section suggested values
-# Development Mode (encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn).
-# Production Mode (encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default)
+    # -- Logging configuration section suggested values
+    # Development Mode (encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn).
+    # Production Mode (encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default)
 logging:
   # -- Zap Development Mode enabled
   development: false
@@ -99,7 +101,6 @@ gcp:
   # -- Name of a pre-existing secret containing GCP service account secret json payload
   existingSecretName: ''
 
-
 # -- Azure KeyVault configuration section
 azure:
   # Specify credentials here or use existingSecretName below to use a pre-configred secret