diff --git a/.changelog/4471.txt b/.changelog/4471.txt
new file mode 100644
index 0000000000..1c1868e4b3
--- /dev/null
+++ b/.changelog/4471.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+helm: Add support for `server.snapshotAgent.extraVolumes` and `server.snapshotAgent.extraEnvironmentVars` so privileged credentials can be configured for the snapshot agent.
+```
\ No newline at end of file
diff --git a/charts/consul/templates/server-statefulset.yaml b/charts/consul/templates/server-statefulset.yaml
index f8cb9b4def..208382f162 100644
--- a/charts/consul/templates/server-statefulset.yaml
+++ b/charts/consul/templates/server-statefulset.yaml
@@ -315,6 +315,22 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
+ {{- range .Values.server.snapshotAgent.extraVolumes }}
+ - name: userconfig-snapshot-{{ .name }}
+ {{ .type }}:
+ {{- if (eq .type "configMap") }}
+ name: {{ .name }}
+ {{- else if (eq .type "secret") }}
+ secretName: {{ .name }}
+ {{- end }}
+ {{- with .items }}
+ items:
+ {{- range . }}
+ - key: {{.key}}
+ path: {{.path}}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.server.priorityClassName }}
 priorityClassName: {{ .Values.server.priorityClassName | quote }}
 {{- end }}
@@ -686,6 +702,7 @@ spec:
 value: /consul/license/{{ .Values.global.enterpriseLicense.secretKey }}
 {{- end }}
 {{- end }}
+ {{- include "consul.extraEnvironmentVars" .Values.server.snapshotAgent | nindent 12 }}
 command:
 - "/bin/sh"
 - "-ec"
@@ -733,6 +750,11 @@ spec:
 mountPath: /consul/tls/ca
 readOnly: true
 {{- end }}
+ {{- range .Values.server.snapshotAgent.extraVolumes }}
+ - name: userconfig-snapshot-{{ .name }}
+ readOnly: true
+ mountPath: /consul/userconfig/{{ .name }}
+ {{- end }}
 {{- with .Values.server.snapshotAgent.resources }}
 resources:
 {{- toYaml . | nindent 12 }}
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index 13615e716c..71ecb7a0ea 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
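Review bot: In the volumes hunk of server-statefulset.yaml (`@@ -315,6 +315,22 @@`), `{{ .type }}:` is written out as the volume source key before anything checks it, so the "must be one of configMap or secret" rule stated in values.yaml is not enforced by the template. Any other value renders a source key with no `name` or `secretName` under it, and the mistake surfaces only when the API server rejects the StatefulSet, or as a volume source the chart never meant to expose. I would fail the render early, as the first line inside the `range`: `{{- if not (or (eq .type "configMap") (eq .type "secret")) }}{{ fail "server.snapshotAgent.extraVolumes: type must be configMap or secret" }}{{- end }}`. `{{.key}}` and `{{.path}}` are also unquoted, so `| quote` on both would keep number- or boolean-looking values as strings.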
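Review bot: The volume name `userconfig-snapshot-{{ .name }}` in the volumeMounts hunk (`@@ -733,6 +750,11 @@`), and the matching `name:` in the volumes hunk above it, reuses the Secret or ConfigMap name unchanged, but a pod volume name has to be a DNS label (at most 63 characters, no dots) while Secret and ConfigMap names may be longer and may contain dots. An entry named `storage.credentials` (constructed example) would therefore render a StatefulSet that the API server rejects. The 20-character prefix leaves 43 characters for the name, so I would either state that in the values.yaml description of `name`, e.g. `# Must also be valid as part of a volume name: no dots, at most 43 characters.`, or add a `fail` guard at the top of the `range`.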
@@ -1438,6 +1438,35 @@ server: # @type: string caCert: null + # A list of extra environment variables to set on the snapshot agent specifically + # This could be used to configure credentials that the rest of the + # stateful set would not need access to, like GOOGLE_APPLICATION_CREDENTIALS + # @type: map + extraEnvironmentVars: { } + + # A list of extra volumes to mount onto the snapshot agent. This + # is useful for bringing in extra data that only the snapshot agent needs access + # to. Like storage credentials. The value of this should be a list of objects. + # + # Example: + # + # ```yaml + # extraVolumes: + # - type: secret + # name: storage-credentials + # ``` + # + # Each object supports the following keys: + # + # - `type` - Type of the volume, must be one of "configMap" or "secret". Case sensitive. + # + # - `name` - Name of the configMap or secret to be mounted. This also controls + # the path that it is mounted to. The volume will be mounted to `/consul/userconfig/`. + # + # The snapshot agent will not attempt to load any volumes passed in this stanza + # @type: array + extraVolumes: [ ] + # [Enterprise Only] Added in Consul 1.8, the audit object allow users to enable auditing # and configure a sink and filters for their audit logs. Please refer to # [audit logs](https://developer.hashicorp.com/consul/docs/enterprise/audit-logging) documentation
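Review bot: The `extraEnvironmentVars` comment should say that these values end up in the StatefulSet spec as written, because the changelog presents the feature as a way to configure privileged credentials and a reader may put the secret itself in the map. The `consul.extraEnvironmentVars` helper is not visible in this diff, so this assumes it renders plain name/value pairs; in that case the value is readable by anyone who can read the StatefulSet or the Helm release. I would add `# Values are stored in the pod spec in plain text. Put secret material in extraVolumes and set only its path here.` The key list under `extraVolumes` also leaves out `items` (`key`/`path`), which the template reads, and the mount path in the `name` description reads `/consul/userconfig/` without the trailing name component that the template appends.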