feat: Support hostNetwork and dnsPolicy (#946)

This change adds the hostNetwork and dnsPolicy pod attributes. This is needed in the cases such as where you're running an EKS cluster with Cilium as a CNI you aren't able to kubeseal without: hostNetwork: true dnsPolicy: ClusterFirstWithHostNet
bitnami-labs · Sep 19, 2022 · 59a59bc · 59a59bc
1 parent 0e3ca3f
commit 59a59bc
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 1 deletion.
diff --git a/helm/sealed-secrets/Chart.yaml b/helm/sealed-secrets/Chart.yaml
@@ -14,4 +14,4 @@ maintainers:
     url: https://github.com/bitnami-labs/sealed-secrets
 name: sealed-secrets
 type: application
-version: 2.6.4
+version: 2.6.5
diff --git a/helm/sealed-secrets/README.md b/helm/sealed-secrets/README.md
@@ -137,6 +137,8 @@ The command removes all the Kubernetes components associated with the chart and
 | `affinity`                                        | Affinity for Sealed Secret pods assignment                                           | `{}`                                |
 | `nodeSelector`                                    | Node labels for Sealed Secret pods assignment                                        | `{}`                                |
 | `tolerations`                                     | Tolerations for Sealed Secret pods assignment                                        | `[]`                                |
+| `hostNetwork`                                     | Run Sealed Secret pods in the host network of the node where the pod is deployed     | `false`                             |
+| `dnsPolicy`                                       | Sealed Secret pods' dnsPolicy                                                        | `""`                                |
 
 
 ### Traffic Exposure Parameters

diff --git a/helm/sealed-secrets/templates/deployment.yaml b/helm/sealed-secrets/templates/deployment.yaml
@@ -49,6 +49,12 @@ spec:
       {{- if .Values.automountServiceAccountToken }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      {{- if .Values.dnsPolicy }}
+      dnsPolicy: {{ .Values.dnsPolicy }}
+      {{- end }}
       containers:
         - name: controller
           command:

diff --git a/helm/sealed-secrets/templates/psp.yaml b/helm/sealed-secrets/templates/psp.yaml
@@ -15,7 +15,9 @@ spec:
     - 'secret'
     - 'downwardAPI'
     - 'persistentVolumeClaim'
+  {{- if not .Values.hostNetwork }}
   hostNetwork: false
+  {{- end }}
   hostIPC: false
   hostPID: false
   runAsUser:

diff --git a/helm/sealed-secrets/values.yaml b/helm/sealed-secrets/values.yaml
@@ -195,6 +195,10 @@ additionalVolumes: []
 ## ref: https://kubernetes.io/docs/concepts/storage/volumes/
 ##
 additionalVolumeMounts: []
+## @param hostNetwork Sealed Secrets pods' hostNetwork
+hostNetwork: false
+## @param dnsPolicy Sealed Secrets pods' dnsPolicy
+dnsPolicy: ""
 
 ## @section Traffic Exposure Parameters