[NET-11567] Update Helm Chart to allow snapshotagent to support extra…

…Volumes and extraEnvionmentVars (#4471) * update helm chart to allow for configuring google application credentials * changelog
hashicorp · Feb 5, 2025 · 79b60f7 · 79b60f7
1 parent b7f2b70
commit 79b60f7
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 0 deletions.
diff --git a/.changelog/4471.txt b/.changelog/4471.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+helm: Add support for `server.snapshotAgent.extraVolumes` and `server.snapshotAgent.extraEnvironmentVars` so privileged credentials can be configured for the snapshot agent.
+```
diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
@@ -315,6 +315,22 @@ spec:
             {{- end }}
             {{- end }}
         {{- end }}
+        {{- range .Values.server.snapshotAgent.extraVolumes }}
+        - name: userconfig-snapshot-{{ .name }}
+          {{ .type }}:
+            {{- if (eq .type "configMap") }}
+            name: {{ .name }}
+            {{- else if (eq .type "secret") }}
+            secretName: {{ .name }}
+            {{- end }}
+            {{- with .items }}
+            items:
+            {{- range . }}
+            - key: {{.key}}
+              path: {{.path}}
+            {{- end }}
+            {{- end }}
+        {{- end }}
       {{- if .Values.server.priorityClassName }}
       priorityClassName: {{ .Values.server.priorityClassName | quote }}
       {{- end }}
@@ -686,6 +702,7 @@ spec:
               value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }}
               {{- end }}
             {{- end }}
+            {{- include "consul.extraEnvironmentVars" .Values.server.snapshotAgent | nindent 12 }}
           command:
             - "/bin/sh"
             - "-ec"
@@ -733,6 +750,11 @@ spec:
               mountPath: /consul/tls/ca
               readOnly: true
             {{- end }}
+            {{- range .Values.server.snapshotAgent.extraVolumes }}
+            - name: userconfig-snapshot-{{ .name }}
+              readOnly: true
+              mountPath: /consul/userconfig/{{ .name }}
+            {{- end }}
           {{- with .Values.server.snapshotAgent.resources }}
           resources:
             {{- toYaml . | nindent 12 }}

diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
@@ -1438,6 +1438,35 @@ server:
     # @type: string
     caCert: null
 
+    # A list of extra environment variables to set on the snapshot agent specifically
+    # This could be used to configure credentials that the rest of the
+    # stateful set would not need access to, like GOOGLE_APPLICATION_CREDENTIALS
+    # @type: map
+    extraEnvironmentVars: { }
+
+    # A list of extra volumes to mount onto the snapshot agent. This
+    # is useful for bringing in extra data that only the snapshot agent needs access
+    # to. Like storage credentials. The value of this should be a list of objects.
+    #
+    # Example:
+    #
+    # ```yaml
+    # extraVolumes:
+    #   - type: secret
+    #     name: storage-credentials
+    # ```
+    #
+    # Each object supports the following keys:
+    #
+    # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive.
+    #
+    # - `name` - Name of the configMap or secret to be mounted. This also controls
+    #   the path that it is mounted to. The volume will be mounted to `/consul/userconfig/<name>`.
+    #
+    # The snapshot agent will not attempt to load any volumes passed in this stanza
+    # @type: array<map>
+    extraVolumes: [ ]
+
   # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing
   # and configure a sink and filters for their audit logs. Please refer to
   # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation