helm charts for external-secrets manifest

akhil27051999 · akhil27051999 · commit d7fb53367511 · 2025-10-22T16:13:20.000Z
diff --git a/helm/external-secrets/templates/_helpers.tpl b/helm/external-secrets/templates/_helpers.tpl
@@ -5,6 +5,22 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "external-secrets.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -30,4 +46,21 @@ Selector labels
 {{- define "external-secrets.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "external-secrets.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Namespace labels
+*/}}
+{{- define "external-secrets.namespaceLabels" -}}
+app.kubernetes.io/name: {{ . }}
+app.kubernetes.io/instance: {{ $.Release.Name }}
+app.kubernetes.io/managed-by: {{ $.Release.Service }}
+{{- end }}
+
+{{/*
+Namespace annotations
+*/}}
+{{- define "external-secrets.namespaceAnnotations" -}}
+meta.helm.sh/release-name: {{ $.Release.Name }}
+meta.helm.sh/release-namespace: {{ $.Release.Namespace }}
 {{- end }}
diff --git a/helm/external-secrets/templates/clusterrole.yaml b/helm/external-secrets/templates/clusterrole.yaml
@@ -4,6 +4,10 @@ metadata:
   name: {{ .Values.rbac.clusterRole.name }}
   labels:
     {{- include "external-secrets.labels" . | nindent 4 }}
+    app.kubernetes.io/component: rbac
+  annotations:
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
 rules:
   - apiGroups: [""]
     resources: ["secrets", "namespaces", "events"]
@@ -12,7 +16,7 @@ rules:
     resources: ["secretstores", "clustersecretstores", "externalsecrets", "clusterexternalsecrets", "pushsecrets"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
   - apiGroups: ["external-secrets.io"]
-    resources: ["externalsecrets/status", "clusterexternalsecrets/status"]
+    resources: ["externalsecrets/status", "clusterexternalsecrets/status", "secretstores/status", "clustersecretstores/status"]
     verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: [""]
     resources: ["services"]
diff --git a/helm/external-secrets/templates/clusterrolebinding.yaml b/helm/external-secrets/templates/clusterrolebinding.yaml
@@ -4,6 +4,10 @@ metadata:
   name: {{ .Values.rbac.clusterRoleBinding.name }}
   labels:
     {{- include "external-secrets.labels" . | nindent 4 }}
+    app.kubernetes.io/component: rbac
+  annotations:
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
diff --git a/helm/external-secrets/templates/clustersecretstore.yaml b/helm/external-secrets/templates/clustersecretstore.yaml
@@ -1,20 +1,24 @@
-{{- range $name, $config := .Values.clusterSecretStores }}
+{{- range .Values.clusterSecretStores }}
+---
 apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
-  name: {{ $name }}
+  name: {{ .name }}
   labels:
     {{- include "external-secrets.labels" $ | nindent 4 }}
+    app.kubernetes.io/component: secret-store
+  annotations:
+    meta.helm.sh/release-name: {{ $.Release.Name }}
+    meta.helm.sh/release-namespace: {{ $.Release.Namespace }}
 spec:
   provider:
     vault:
-      server: "{{ $.Values.vault.server }}"
-      path: "{{ $.Values.vault.path }}"
-      version: "{{ $.Values.vault.version }}"
+      server: {{ $.Values.vault.server | quote }}
+      path: {{ $.Values.vault.path | quote }}
+      version: {{ $.Values.vault.version | quote }}
       auth:
         tokenSecretRef:
-          name: "{{ $.Values.tokenSecret.name }}"
-          key: "{{ $.Values.tokenSecret.key }}"
-          namespace: "{{ $.Values.namespaces.operator }}"
----
+          name: {{ $.Values.vaultToken.secretName }}
+          key: {{ $.Values.vaultToken.secretKey }}
+          namespace: {{ $.Values.namespaces.operator }}
 {{- end }}
diff --git a/helm/external-secrets/templates/deployment.yaml b/helm/external-secrets/templates/deployment.yaml
@@ -5,23 +5,33 @@ metadata:
   namespace: {{ .Values.namespaces.operator }}
   labels:
     {{- include "external-secrets.labels" . | nindent 4 }}
-    {{- toYaml .Values.operator.labels | nindent 4 }}
+    app.kubernetes.io/component: operator
+  annotations:
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
 spec:
   replicas: {{ .Values.operator.replicaCount }}
   selector:
     matchLabels:
-      {{- toYaml .Values.operator.labels | nindent 6 }}
+      app: external-secrets
   template:
     metadata:
       labels:
-        {{- toYaml .Values.operator.labels | nindent 8 }}
+        app: external-secrets
+        {{- include "external-secrets.selectorLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ .Values.serviceAccount.name }}
       containers:
-        - name: {{ .Values.operator.name }}
-          image: {{ .Values.operator.image }}
+        - name: external-secrets-operator
+          image: "{{ .Values.operator.image }}:{{ .Values.operator.tag }}"
           imagePullPolicy: {{ .Values.operator.imagePullPolicy }}
-          {{- if .Values.operator.resources }}
+          env:
+            - name: VAULT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.vaultToken.secretName }}
+                  key: {{ .Values.vaultToken.secretKey }}
+          {{- with .Values.operator.resources }}
           resources:
-            {{- toYaml .Values.operator.resources | nindent 12 }}
+            {{- toYaml . | nindent 12 }}
           {{- end }}
diff --git a/helm/external-secrets/templates/externalsecret.yaml b/helm/external-secrets/templates/externalsecret.yaml
@@ -1,11 +1,16 @@
 {{- range .Values.externalSecrets }}
+---
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: {{ .name }}
   namespace: {{ .namespace }}
   labels:
     {{- include "external-secrets.labels" $ | nindent 4 }}
+    app.kubernetes.io/component: external-secret
+  annotations:
+    meta.helm.sh/release-name: {{ $.Release.Name }}
+    meta.helm.sh/release-namespace: {{ $.Release.Namespace }}
 spec:
   refreshInterval: {{ .refreshInterval }}
   secretStoreRef:
@@ -23,5 +28,4 @@ spec:
         key: {{ .vaultKey | quote }}
         property: {{ .vaultProperty | quote }}
     {{- end }}
----
 {{- end }}
diff --git a/helm/external-secrets/templates/secret.yaml b/helm/external-secrets/templates/secret.yaml
@@ -1,10 +1,16 @@
+{{- if .Values.vaultToken.value }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.tokenSecret.name }}
+  name: {{ .Values.vaultToken.secretName }}
   namespace: {{ .Values.namespaces.operator }}
   labels:
     {{- include "external-secrets.labels" . | nindent 4 }}
+    app.kubernetes.io/component: secret
+  annotations:
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
 type: Opaque
 stringData:
-  {{ .Values.tokenSecret.key }}: {{ .Values.vault.token | default "" }}
+  {{ .Values.vaultToken.secretKey }}: {{ .Values.vaultToken.value | quote }}
+{{- end }}
diff --git a/helm/external-secrets/templates/serviceaccount.yaml b/helm/external-secrets/templates/serviceaccount.yaml
@@ -4,4 +4,8 @@ metadata:
   name: {{ .Values.serviceAccount.name }}
   namespace: {{ .Values.namespaces.operator }}
   labels:
-    {{- include "external-secrets.labels" . | nindent 4 }}
+    {{- include "external-secrets.labels" . | nindent 4 }}
+    app.kubernetes.io/component: service-account
+  annotations:
+    meta.helm.sh/release-name: {{ .Release.Name }}
+    meta.helm.sh/release-namespace: {{ .Release.Namespace }}
diff --git a/helm/external-secrets/values.yaml b/helm/external-secrets/values.yaml
@@ -1,3 +1,8 @@
+# Global configuration
+global:
+  releaseName: external-secrets
+  releaseNamespace: external-secrets
+
 # Namespace configuration
 namespaces:
   operator: external-secrets
@@ -7,19 +12,11 @@ namespaces:
 # Operator configuration
 operator:
   name: external-secrets-operator
-  image: ghcr.io/external-secrets/external-secrets:v0.9.9
+  image: ghcr.io/external-secrets/external-secrets
+  tag: "v0.9.9"
   imagePullPolicy: IfNotPresent
   replicaCount: 1
-  labels:
-    app: external-secrets
-  # Configurable resources - can be overridden or set to null to disable
-  resources:
-    requests:
-      memory: "64Mi"
-      cpu: "50m"
-    limits:
-      memory: "128Mi"
-      cpu: "100m"
+  resources: {}
 
 # Service Account configuration
 serviceAccount:
@@ -37,18 +34,18 @@ vault:
   server: "http://vault-service.vault.svc.cluster.local:8200"
   path: "secret"
   version: "v2"
-  # This will be set during deployment
-  token: ""
 
 # Token secret configuration
-tokenSecret:
-  name: vault-token
-  key: token
+vaultToken:
+  secretName: vault-token
+  secretKey: token
+  # Set this during deployment: --set vaultToken.value="your-token-here"
+  value: ""
 
 # ClusterSecretStore configuration
 clusterSecretStores:
-  vault-backend: {}
-  vault-backend-monitoring: {}
+  - name: vault-backend
+  - name: vault-backend-monitoring
 
 # ExternalSecret configuration
 externalSecrets:
