Add extra initContainers, containers, volumes to agent and server

With plugin support, agents and servers need more customization.
This patch enables initContainers, extraContainers, extraVolumes
and extraVolumeMounts to be added to those services.

Signed-off-by: Kevin Fox <[email protected]>

Author: kfox1111

.github/tests/extras/values.yaml

@@ -0,0 +1,61 @@
+spire-agent:
+  initContainers:
+  - name: extra-init
+    image: busybox
+    command:
+    - sh
+    - -xec
+    - |
+      echo 'hi there' > /extra/file
+    volumeMounts:
+    - name: extra
+      mountPath: /extra
+  extraContainers:
+  - name: extra
+    image: busybox
+    command:
+    - sh
+    - -xec
+    - |
+      [ -f /extra/file ]
+      while true; do sleep 1000; done
+    volumeMounts:
+    - name: extra
+      mountPath: /extra
+  extraVolumeMounts:
+  - name: extra
+    mountPath: /extra
+  extraVolumes:
+  - name: extra
+    emptyDir: {}
+
+spire-server:
+  initContainers:
+  - name: extra-init
+    image: busybox
+    command:
+    - sh
+    - -xec
+    - |
+      echo 'hi there' > /extra/file
+    volumeMounts:
+    - name: extra
+      mountPath: /extra
+  extraContainers:
+  - name: extra
+    image: busybox
+    command:
+    - sh
+    - -xec
+    - |
+      [ -f /extra/file ]
+      while true; do sleep 1000; done
+    volumeMounts:
+    - name: extra
+      mountPath: /extra
+  extraVolumeMounts:
+  - name: extra
+    mountPath: /extra
+  extraVolumes:
+  - name: extra
+    emptyDir: {}

charts/spire/charts/spire-agent/README.md

@@ -16,13 +16,17 @@ A Helm chart to install the SPIRE agent.
 |-----|------|---------|-------------|
 | bundleConfigMap | string | `"spire-bundle"` |  |
 | clusterName | string | `"example-cluster"` |  |
+| extraContainers | list | `[]` |  |
+| extraVolumeMounts | list | `[]` |  |
+| extraVolumes | list | `[]` |  |
 | fullnameOverride | string | `""` |  |
 | healthChecks.port | int | `9980` | override the host port used for health checking |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.registry | string | `"ghcr.io"` |  |
 | image.repository | string | `"spiffe/spire-agent"` |  |
 | image.version | string | `""` |  |
 | imagePullSecrets | list | `[]` |  |
+| initContainers | list | `[]` |  |
 | logLevel | string | `"info"` |  |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |

charts/spire/charts/spire-agent/templates/daemonset.yaml

@@ -43,6 +43,9 @@ spec:
           args: ["-t", "30", "-h", "{{ .Release.Name }}-server", "-p", {{ .Values.server.port | quote }}]
           resources:
             {{- toYaml .Values.waitForIt.resources | nindent 12 }}
+        {{- if gt (len .Values.initContainers) 0 }}
+        {{- toYaml .Values.initContainers | nindent 8 }}
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: {{ template "spire-agent.image" (dict "appVersion" $.Chart.AppVersion "image" .Values.image) }}
@@ -67,6 +70,9 @@ spec:
               readOnly: false
             - name: spire-token
               mountPath: /var/run/secrets/tokens
+            {{- if gt (len .Values.extraVolumeMounts) 0 }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /live
@@ -81,6 +87,9 @@ spec:
             periodSeconds: 60
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+        {{- if gt (len .Values.extraContainers) 0 }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -103,3 +112,6 @@ spec:
           hostPath:
             path: {{ include "spire.agent-socket-path" . | dir }}
             type: DirectoryOrCreate
+        {{- if gt (len .Values.extraVolumes) 0 }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}

charts/spire/charts/spire-agent/values.yaml

@@ -86,3 +86,9 @@ telemetry:
 
 # -- Priority class assigned to daemonset pods
 priorityClassName: ""
+
+extraVolumes: []
+extraVolumeMounts: []
+extraContainers: []
+
+initContainers: []

charts/spire/charts/spire-server/README.md

@@ -49,12 +49,16 @@ A Helm chart to install the SPIRE server.
 | dataStorage.enabled | bool | `true` |  |
 | dataStorage.size | string | `"1Gi"` |  |
 | dataStorage.storageClass | string | `nil` |  |
+| extraContainers | list | `[]` |  |
+| extraVolumeMounts | list | `[]` |  |
+| extraVolumes | list | `[]` |  |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.registry | string | `"ghcr.io"` |  |
 | image.repository | string | `"spiffe/spire-server"` |  |
 | image.version | string | `""` |  |
 | imagePullSecrets | list | `[]` |  |
+| initContainers | list | `[]` |  |
 | jwtIssuer | string | `"oidc-discovery.example.org"` |  |
 | logLevel | string | `"info"` |  |
 | nameOverride | string | `""` |  |

charts/spire/charts/spire-server/templates/statefulset.yaml

@@ -32,6 +32,10 @@ spec:
       shareProcessNamespace: true
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- if gt (len .Values.initContainers) 0 }}
+      initContainers:
+        {{- toYaml .Values.initContainers | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -87,6 +91,9 @@ spec:
               mountPath: /run/spire/upstream_ca
               readOnly: false
             {{ end }}
+            {{- if gt (len .Values.extraVolumeMounts) 0 }}
+            {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+            {{- end }}
         {{- if eq (.Values.controllerManager.enabled | toString) "true" }}
         - name: spire-controller-manager
           securityContext:
@@ -124,6 +131,9 @@ spec:
               subPath: controller-manager-config.yaml
               readOnly: true
         {{- end }}
+        {{- if gt (len .Values.extraContainers) 0 }}
+        {{- toYaml .Values.extraContainers | nindent 8 }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -156,6 +166,9 @@ spec:
           configMap:
             name: {{ include "spire-controller-manager.fullname" . }}
         {{- end }}
+        {{- if gt (len .Values.extraVolumes) 0 }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
+        {{- end }}
   volumeClaimTemplates:
     {{- if eq (.Values.dataStorage.enabled | toString) "true" }}
     - metadata:

charts/spire/charts/spire-server/values.yaml

@@ -161,3 +161,9 @@ controllerManager:
 telemetry:
   prometheus:
     enabled: false
+
+extraVolumes: []
+extraVolumeMounts: []
+extraContainers: []
+
+initContainers: []