Add extraVolumes and extraVolumeMounts to the chart, enabling external file-based credential flows (e.g. CSI-driven mounts) without introducing a new feature toggle. Default chart behaviour is unchanged for existing users.

New chart values:
- extraVolumes
- extraVolumeMounts

Wired into all relevant workloads: agent-deploy, agent-daemonset, aggregator-deploy, config-loader-job, webhook-deploy, and backfill-job. Added reusable Helm helpers for rendering the extra volumes and mounts.

Strengthened schema validation:
- Default mode: exactly one of apiKey or existingSecretName must be set.
- External mode: if both are null, extraVolumes and extraVolumeMounts must be non-empty.

Added render-time validation guard: in external mode, at least one extraVolumeMount.mountPath must match serverConfig.containerSecretFilePath. This prevents misconfiguration where credentials are mounted but not at the path the app reads.

Added Helm unit tests for extra volume/mount behaviour, API key source validation logic, and external mount-path validation.
Community PR #772 added generic extraVolumes/extraVolumeMounts to support CSI-driven API key delivery from external vaults. The approach was too broad — it coupled generic volume mounting to credential validation and exposed the API key volume to every workload regardless of need. This replaces that with a single components.apiKey.secretProviderClass property that switches the API key volume source from a Kubernetes Secret to a Secrets Store CSI Driver volume.

Functional Requirements:

1. Users must be able to mount the API key via the Secrets Store CSI Driver without creating a Kubernetes Secret object.
   Added components.apiKey.secretProviderClass. When set (and both top-level apiKey and existingSecretName are null), the chart generates a CSI volume using the secrets-store.csi.k8s.io driver instead of a Kubernetes Secret volume. The mount path (serverConfig.containerSecretFilePath) is unchanged.

2. Existing apiKey and existingSecretName must continue to work and take priority.
   The top-level properties are not deprecated or relocated. A new cloudzero-agent.apiKey.mode helper resolves the active provisioning mode (inline, secret, csi, or none) and is used by the volume mount, volume definition, and volumes-section guards.

3. The volume definition must not be duplicated across templates.
   Added a cloudzero-agent.apiKeyVolume helper that generates the correct volume definition (Secret or CSI) based on the resolved mode. This replaced six identical inline volume blocks across agent-deploy, agent-daemonset, aggregator-deploy, webhook-deploy, backfill-job, and config-loader-job templates.

4. The generic extraVolumes/extraVolumeMounts mechanism must be removed.
   Removed the extraVolumes and extraVolumeMounts values, schema properties, template helpers, and all wiring across the six workload templates. Removed the validateExternalApiKeyMountPath render-time guard since CSI mode no longer depends on extra volume mounts.

Validation:
- All 565 Helm unit tests pass (schema, template rendering, CSI volume rendering, precedence, and backwards compatibility)
- Added helm/tests/apikey_csi_volume_test.yaml covering CSI volume rendering across all workload templates
- Updated helm/tests/apikey_secret_validation_test.yaml with secretProviderClass schema validation and precedence tests
- Removed helm/tests/api_key_mount_path_validation_test.yaml and helm/tests/extra_volumes_test.yaml (no longer applicable)
- Deployed and validated end-to-end on EKS (AWS Secrets Manager) and AKS (Azure Key Vault) using the Secrets Store CSI Driver
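As an added illustration (not the chart's own helpers) of how a mode-resolving helper and a single shared volume helper like the ones described above can be written in a Helm _helpers.tpl, using the value paths the description names. The volume name api-key, the hypothetical cloudzero-agent.apiKeySecretName helper, and the inline-before-secret ordering are assumptions.

```yaml
{{/*
Illustrative _helpers.tpl fragment; assumptions: the volume is named
"api-key", a hypothetical helper "cloudzero-agent.apiKeySecretName"
supplies the Secret name for the inline/secret modes, and inline is
checked before secret. CSI is selected only when both top-level
apiKey and existingSecretName are null, as the description requires.
*/}}
{{- define "cloudzero-agent.apiKey.mode" -}}
{{- $comp := .Values.components | default dict -}}
{{- if .Values.apiKey -}}inline
{{- else if .Values.existingSecretName -}}secret
{{- else if dig "apiKey" "secretProviderClass" "" $comp -}}csi
{{- else -}}none
{{- end -}}
{{- end -}}

{{/* One volume definition for every workload; Secret or CSI by mode. */}}
{{- define "cloudzero-agent.apiKeyVolume" -}}
{{- $mode := include "cloudzero-agent.apiKey.mode" . -}}
{{- if eq $mode "csi" }}
- name: api-key
  csi:
    driver: secrets-store.csi.k8s.io
    readOnly: true
    volumeAttributes:
      secretProviderClass: {{ .Values.components.apiKey.secretProviderClass | quote }}
{{- else if or (eq $mode "inline") (eq $mode "secret") }}
- name: api-key
  secret:
    secretName: {{ include "cloudzero-agent.apiKeySecretName" . | quote }}
{{- end }}
{{- end -}}

{{/*
Usage in a workload template: guard the volumes section on the mode,
and mount at the path the application reads.

      {{- if ne (include "cloudzero-agent.apiKey.mode" .) "none" }}
      volumes:
        {{- include "cloudzero-agent.apiKeyVolume" . | nindent 8 }}
      {{- end }}
      volumeMounts:
        - name: api-key
          mountPath: {{ .Values.serverConfig.containerSecretFilePath }}
          readOnly: true
*/}}
```

Setting components.apiKey.secretProviderClass while leaving apiKey and existingSecretName unset resolves to csi and renders only the secrets-store.csi.k8s.io volume, so no Kubernetes Secret object holding the key is created.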