KFLUXINFRA-2511 - Add Helm Charts based ESO deployment (#8994)

Add the Helm Charts based deployment of External Secrets Operator to
one staging cluster, 'stone-stg-p01', as a first step to validate the
migration does not produce any issue. The version deployed is the same
as the OLM version deployed in other clusters (0.11.0) to minimize the
possibility of introducing any regression.

Pulling the ESO Helm Chart from a remote repository fails with this error:

  "Error when running kustomize build for components/external-secrets-operator/helm-charts:
   Error: failed to untar: a file or directory with the name
   /home/runner/work/infra-deployments/infra-deployments/components/external-secrets-operator/helm-charts/charts/external-secrets-0.11.0/external-secrets-0.11.0.tgz
   already exists""

After several unsuccesful workarounds and given the recommended way of
handling the charts is by 'vendoring' them [1], the ESO Helm Charts are
added to this commit.

[1] https://github.com/kubernetes-sigs/kustomize/blob/master/examples/chart.md#best-practice

Author: oswcab

argo-cd-apps/base/all-clusters/infra-deployments/external-secrets-operator/external-secrets-operator.yaml

@@ -13,7 +13,7 @@ spec:
               values:
                 sourceRoot: components/external-secrets-operator
                 environment: staging
-                clusterDir: ""
+                clusterDir: "base"
           - list:
               elements:
                 - nameNormalized: stone-stage-p01

components/external-secrets-operator/helm-charts/custom-resources.yaml

@@ -0,0 +1,42 @@
+# Custom resources that match the OLM deployment
+
+---
+# Custom metrics Service (matching operator-config.yaml)
+apiVersion: v1
+kind: Service
+metadata:
+  name: cluster-external-secrets-metrics
+  namespace: external-secrets-operator
+  annotations:
+    ignore-check.kube-linter.io/dangling-service: "False positive"
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: cluster
+spec:
+  type: ClusterIP
+  ports:
+  - name: metrics
+    port: 8080
+    targetPort: 8080
+    protocol: TCP
+  selector:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: cluster
+---
+# ServiceMonitor (matching operator-config.yaml)
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: external-secrets-operator
+  namespace: external-secrets-operator
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: cluster
+spec:
+  endpoints:
+  - port: metrics
+    scheme: http
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets
+      app.kubernetes.io/instance: cluster

components/external-secrets-operator/helm-charts/external-secrets/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: bitwarden-sdk-server
+  repository: oci://ghcr.io/external-secrets/charts
+  version: v0.3.1
+digest: sha256:2d01e9083fc32c18dca4f9614625e0172e338a663138c2670e5b911645b6b8ee
+generated: "2024-09-20T12:57:07.63511+02:00"

components/external-secrets-operator/helm-charts/external-secrets/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: v0.11.0
+dependencies:
+- condition: bitwarden-sdk-server.enabled
+  name: bitwarden-sdk-server
+  repository: oci://ghcr.io/external-secrets/charts
+  version: v0.3.1
+description: External secret management for Kubernetes
+home: https://github.com/external-secrets/external-secrets
+icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
+keywords:
+- kubernetes-external-secrets
+- secrets
+kubeVersion: '>= 1.19.0-0'
+maintainers:
+- email: [email protected]
+  name: mcavoyk
+name: external-secrets
+type: application
+version: 0.11.0

components/external-secrets-operator/helm-charts/external-secrets/README.md

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

components/external-secrets-operator/helm-charts/external-secrets/charts/bitwarden-sdk-server/.helmignore

@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: v0.3.1
+description: A Helm chart for Kubernetes
+name: bitwarden-sdk-server
+type: application
+version: v0.3.1

components/external-secrets-operator/helm-charts/external-secrets/charts/bitwarden-sdk-server/Chart.yaml

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bitwarden-sdk-server.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "bitwarden-sdk-server.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden-sdk-server.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bitwarden-sdk-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

components/external-secrets-operator/helm-charts/external-secrets/charts/bitwarden-sdk-server/templates/NOTES.txt

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "bitwarden-sdk-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "bitwarden-sdk-server.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "bitwarden-sdk-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "bitwarden-sdk-server.labels" -}}
+helm.sh/chart: {{ include "bitwarden-sdk-server.chart" . }}
+{{ include "bitwarden-sdk-server.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "bitwarden-sdk-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "bitwarden-sdk-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "bitwarden-sdk-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "bitwarden-sdk-server.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

components/external-secrets-operator/helm-charts/external-secrets/charts/bitwarden-sdk-server/templates/_helpers.tpl

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "bitwarden-sdk-server.fullname" . }}
+  labels:
+    {{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "bitwarden-sdk-server.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "bitwarden-sdk-server.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "bitwarden-sdk-server.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- if not .Values.image.tls.enabled }}
+          args:
+            - --insecure
+          {{- end }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.image.tls.enabled }}
+          volumeMounts:
+          {{- toYaml .Values.image.tls.volumeMounts | nindent 10 }}
+          {{- end}}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /live
+              port: http
+              {{- if .Values.image.tls.enabled }}
+              scheme: HTTPS
+              {{- end }}
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: http
+              {{- if .Values.image.tls.enabled }}
+              scheme: HTTPS
+              {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.image.tls.enabled }}
+      volumes:
+      {{- toYaml .Values.image.tls.volumes | nindent 8 }}
+      {{- end}}