From 23290c3629d27f7169e42cc4fc0bcfd426a45a3f Mon Sep 17 00:00:00 2001
From: Roey
Date: Sat, 20 Sep 2025 10:16:51 +0300
Subject: [PATCH] Feat: Add a post install hook to delet distribution secret

Signed-off-by: Roey
---
 charts/konnector/Chart.yaml            |  2 +-
 charts/konnector/templates/batch.yaml  | 39 +++++++++++++++++++++++---
 charts/konnector/templates/secret.yaml |  2 +-
 charts/konnector/values.yaml           |  2 ++
 4 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/charts/konnector/Chart.yaml b/charts/konnector/Chart.yaml
index 96c07d6..46c6e4b 100644
--- a/charts/konnector/Chart.yaml
+++ b/charts/konnector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.11
+version: 1.0.12
 appVersion: "1.0.0"
 maintainers:
   - name: Palo Alto Networks - Cortex KSPM team
diff --git a/charts/konnector/templates/batch.yaml b/charts/konnector/templates/batch.yaml
index 709b7e6..6735350 100644
--- a/charts/konnector/templates/batch.yaml
+++ b/charts/konnector/templates/batch.yaml
@@ -1,10 +1,13 @@
+{{- $ns := .Values.namespace.name }}
+{{- $konnectorJobName := printf "%s-job-revision-%d" .Chart.Name .Release.Revision }}
+{{- $secret := .Values.system.secrets.distribution.name | default "distribution-id" }}
 {{- include "common.validateImage" . }}
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: "{{ .Chart.Name }}-job-revision-{{ .Release.Revision }}"
-  namespace: {{ .Values.namespace.name }}
+  name: {{ $konnectorJobName }}
+  namespace: {{ $ns }}
   labels:
     {{- include "common.labels" . | nindent 4 }}
 {{- include "common.jobTemplate" . | nindent 0 }}
@@ -14,7 +17,7 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: {{ .Chart.Name }}
-  namespace: {{ .Values.namespace.name }}
+  namespace: {{ $ns }}
   labels:
     {{- include "common.labels" . | nindent 4 }}
 spec:
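Review bot: `$secret` on the third added line applies `default "distribution-id"`, but secret.yaml (in this same patch) and the new hook Job's `metadata.name` in the last hunk of this file read `.Values.system.secrets.distribution.name` with no default, so an empty value renders a Secret with a null `name` and a Job called `delete--secret` while the hook still deletes `distribution-id`. Either apply the same `| default "distribution-id"` in secret.yaml and use `name: delete-{{ $secret }}-secret` for the hook Job, or drop the default now that values.yaml defines the key, so a bad value fails at template time rather than at delete time. The revision Job's name also lost the quotes the removed line had; `name: {{ $konnectorJobName | quote }}` keeps the previous rendering.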
@@ -26,7 +29,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: delete-{{ .Values.system.K8sManager.ReleaseName }}
-  namespace: {{ .Values.namespace.name }}
+  namespace: {{ $ns }}
   annotations:
     "helm.sh/hook": pre-delete
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -56,3 +59,31 @@ spec:
             echo -e "\033[33m{{ .Values.system.K8sManager.ReleaseName }} not found, skipping uninstall.\033[0m";
             exit 0
           fi
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: delete-{{ .Values.system.secrets.distribution.name }}-secret
+  namespace: {{ $ns }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  ttlSecondsAfterFinished: 60
+  backoffLimit: 0
+  template:
+    spec:
+      serviceAccountName: {{ .Values.system.serviceAccount.name }}
+      restartPolicy: "Never"
+      containers:
+        - name: kubectl
+          image: bitnami/kubectl:1.30
+          command: ["sh","-c"]
+          args:
+            - |
+              set -euo pipefail
+              kubectl -n {{ $ns }} get job "{{ $konnectorJobName }}" >/dev/null 2>&1 \
+                && kubectl -n {{ $ns }} wait --for=condition=complete --timeout=2m "job/{{ $konnectorJobName }}" \
+                || echo "Job {{ $konnectorJobName }} not found; continuing."
+              kubectl -n {{ $ns }} delete secret "{{ $secret }}" --ignore-not-found=true
diff --git a/charts/konnector/templates/secret.yaml b/charts/konnector/templates/secret.yaml
index 028f55b..53a0967 100644
--- a/charts/konnector/templates/secret.yaml
+++ b/charts/konnector/templates/secret.yaml
@@ -24,7 +24,7 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: distribution-id
+  name: {{ .Values.system.secrets.distribution.name }}
   namespace: {{ .Values.namespace.name }}
   labels:
     {{- include "common.labels" . | nindent 4 }}
diff --git a/charts/konnector/values.yaml b/charts/konnector/values.yaml
index a773196..8f4b25e 100644
--- a/charts/konnector/values.yaml
+++ b/charts/konnector/values.yaml
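Review bot: The `get … && wait … || echo …` chain in the new hook script masks a `wait` timeout: when the revision Job exists but has not reached `complete` within 2m, `wait` returns non-zero, the `||` branch prints "not found; continuing", and the last line deletes `{{ $secret }}` anyway, possibly while that Job still needs it; an explicit if/else that lets the timeout fail the hook (below) keeps the deletion conditional on completion. `image: bitnami/kubectl:1.30` is a mutable public tag that bypasses `common.validateImage` and the chart's image values; expose it in values.yaml and pin it by digest so it can be mirrored and audited like the other images. The hook runs as `{{ .Values.system.serviceAccount.name }}`, which presumably needs `get`/`list`/`watch` on jobs and `delete` on secrets in `{{ $ns }}` — that RBAC is outside this diff, and with `backoffLimit: 0` a missing verb fails the install or upgrade, while `ttlSecondsAfterFinished: 60` removes the failed Pod's logs a minute later. A comment above this Job should also state that deleting the Secret object does not remove its rendered contents from Helm's release storage (`helm get manifest` still shows the Secret from secret.yaml), so the hook narrows the exposure window rather than eliminating it.

```yaml
            - |
              set -euo pipefail
              if kubectl -n {{ $ns }} get job "{{ $konnectorJobName }}" >/dev/null 2>&1; then
                # a timeout here fails the hook instead of deleting the secret under a running job
                kubectl -n {{ $ns }} wait --for=condition=complete --timeout=2m "job/{{ $konnectorJobName }}"
              else
                echo "Job {{ $konnectorJobName }} not found; continuing."
              fi
              kubectl -n {{ $ns }} delete secret "{{ $secret }}" --ignore-not-found=true
```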
@@ -192,3 +192,5 @@ system:
       name: backend-auth-secret # Secret holding backend authentication credentials (e.g. API tokens)
     dockerSecret:
       name: konnector-docker-secret # Secret for Docker credentials (e.g., for pulling private images)
+    distribution:
+      name: distribution-id
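Review bot: The new `distribution.name` entry is the only key in this `secrets` stanza without the trailing comment its neighbours carry, and it is the one a reader most needs explained because the Secret it names is removed by a hook. Suggest `name: distribution-id # Secret holding the distribution id; deleted by the post-install/post-upgrade hook in batch.yaml once the revision Job completes`. Changing the value between upgrades leaves a Secret with the old name in place, since the hook only deletes the currently configured name — worth stating in the same comment.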