feat: Add helm chart and dynamic config syncer

.github/workflows/backport.yaml

@@ -10,7 +10,7 @@ on:
 jobs:
   backport:
     name: Backport PR
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: |
       github.event.pull_request.merged == true
       && contains(github.event.pull_request.labels.*.name, 'auto-backport')

.github/workflows/checks.yml

@@ -18,7 +18,7 @@ permissions:
 
 jobs:
   unit-test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out code
         uses: actions/checkout@v3
@@ -36,7 +36,7 @@ jobs:
           test-results: test.json
 
   e2e-test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out code
         uses: actions/checkout@v3
@@ -66,7 +66,7 @@ jobs:
           DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
 
   lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out code
         uses: actions/checkout@v3
@@ -84,7 +84,7 @@ jobs:
           golangci_lint_version: v${{ fromJson(steps.versions.outputs.tools).golangci-lint }}
 
   generated:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out code
         uses: actions/checkout@v3
@@ -106,7 +106,7 @@ jobs:
           exit 1
 
   pre-commit:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Check out code
         uses: actions/checkout@v3

.github/workflows/codeql-analysis.yml

@@ -10,7 +10,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions:
       actions: read
       contents: read

.github/workflows/conventional-label.yaml

@@ -9,6 +9,6 @@ on:
       - edited
 jobs:
   label:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: bcoe/conventional-release-labels@v1

.github/workflows/conventional-pr-title.yaml

@@ -9,7 +9,7 @@ on:
       - edited
 jobs:
   check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: amannn/action-semantic-pull-request@v5
         env:

.github/workflows/dependabot-automation.yaml

@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   auto-approve:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
@@ -34,7 +34,7 @@ jobs:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 
   enable-automerge:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]'}}
     steps:
       - name: Dependabot metadata

.github/workflows/release-main.yaml

@@ -10,7 +10,7 @@ on:
 
 jobs:
   release-please:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: google-github-actions/[email protected]
         id: release-please

.github/workflows/stacked-prs.yml

@@ -16,7 +16,7 @@ on:
 
 jobs:
   check:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - uses: z0al/dependent-issues@v1
         env:

.pre-commit-config.yaml

@@ -28,6 +28,7 @@ repos:
   - id: check-yaml
     args: ["-m", "--unsafe"]
     stages: [commit]
+    exclude: ^charts/.+/templates/
   - id: mixed-line-ending
     args: ["-f", "lf"]
     exclude: \.bat$
@@ -91,6 +92,7 @@ repos:
     args:
       - --license-filepath
       - header.txt
+    exclude: ^charts/.+/templates/
   - id: insert-license
     name: License headers - Markdown
     stages: [commit]

Dockerfile

@@ -41,9 +41,6 @@ FROM --platform=linux/arm64 gcr.io/distroless/static@sha256:df73bc639be43c3c4f9f
 
 FROM --platform=linux/${TARGETARCH} linux-${TARGETARCH}
 
-# Run as nonroot user using numeric ID for compatibllity.
-USER 65532
-
 COPY --from=credential_provider_builder \
      /go/bin/ecr-credential-provider \
      /go/bin/acr-credential-provider \

charts/dynamic-credential-provider/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/dynamic-credential-provider/Chart.yaml

@@ -0,0 +1,9 @@
+# Copyright 2022 D2iQ, Inc. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v2
+name: dynamic-credential-provider
+description: A Helm chart for Kubernetes dynamic credential provider
+type: application
+version: "0.0.0-dev"
+appVersion: "v0.0.0-dev"

charts/dynamic-credential-provider/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dynamic-credential-provider.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dynamic-credential-provider.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dynamic-credential-provider.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "dynamic-credential-provider.labels" -}}
+helm.sh/chart: {{ include "dynamic-credential-provider.chart" . }}
+{{ include "dynamic-credential-provider.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "dynamic-credential-provider.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dynamic-credential-provider.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dynamic-credential-provider.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dynamic-credential-provider.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/dynamic-credential-provider/templates/daemonset.yaml

@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ include "dynamic-credential-provider.fullname" . }}
+  labels:
+    {{- include "dynamic-credential-provider.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "dynamic-credential-provider.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "dynamic-credential-provider.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "dynamic-credential-provider.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        - name: installer
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - install
+          env:
+            - name: CREDENTIAL_PROVIDER_TARGET_DIR
+              value: {{ clean ( printf "/host/%s" .Values.installer.kubeletImageCredentialProviderBinDir ) }}
+          volumeMounts:
+            - name: credentialproviderbindir
+              mountPath: {{ clean ( printf "/host/%s" .Values.installer.kubeletImageCredentialProviderBinDir ) }}
+      containers:
+        - name: config-watcher
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - sync-config
+            - --config-file
+            - /etc/dynamic-provider-config/dynamic-credential-provider-config.yaml={{ clean ( printf "/host/%s" .Values.installer.kubeletImageCredentialProviderBinDir ) }}/dynamic-credential-provider-config.yaml
+            - --config-file
+            - /etc/static-provider-auth/static-image-credentials.json={{ clean ( printf "/host/%s" .Values.installer.kubeletImageCredentialProviderBinDir ) }}/static-image-credentials.json
+          volumeMounts:
+            - name: credentialproviderbindir
+              mountPath: {{ clean ( printf "/host/%s" .Values.installer.kubeletImageCredentialProviderBinDir ) }}
+            {{- with .Values.configSync.secrets.dynamicCredentialProviderConfig }}
+            - name: dynamicproviderconfig
+              mountPath: /etc/dynamic-provider-config/
+            {{- end }}
+            {{- with .Values.configSync.secrets.staticCredentialProvider }}
+            - name: staticprovider
+              mountPath: /etc/static-provider-auth/
+            {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: credentialproviderbindir
+          hostPath:
+            path: {{ .Values.installer.kubeletImageCredentialProviderBinDir }}
+        {{- with .Values.configSync.secrets.dynamicCredentialProviderConfig }}
+        - name: dynamicproviderconfig
+          secret:
+            secretName: {{ . }}
+            defaultMode: 0400
+            items:
+              - key: dynamic-credential-provider-config.yaml
+                path: dynamic-credential-provider-config.yaml
+        {{- end }}
+        {{- with .Values.configSync.secrets.staticCredentialProvider }}
+        - name: staticprovider
+          secret:
+            secretName: {{ . }}
+            defaultMode: 0400
+            items:
+              - key: static-image-credentials.json
+                path: static-image-credentials.json
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/dynamic-credential-provider/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: {{ include "dynamic-credential-provider.serviceAccountName" . }}
+  labels:
+    {{- include "dynamic-credential-provider.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}