
Option to add additional files to ConfigMap #201

Conversation

cablespaghetti (Contributor)

Add the option to add additional files to the ConfigMap and set a defaultMode on the volumes in the Pod.

This makes the extraContainers option a little more useful for me as I can easily throw the script used to run it in the ConfigMap and make that script executable.

Signed-off-by: Sam Weston <weston.sam@gmail.com>
jasonodonnell (Contributor) commented Feb 14, 2020

Hi @cablespaghetti, thanks for the contribution!

How is this different than extraVolumes which already exists? Using extraVolumes a user can mount a custom configmap with the extra files they want to add.

cablespaghetti (Contributor, Author) commented Feb 20, 2020

Hi @jasonodonnell. Sorry I've been very busy this past week.

So what I'm doing right now, in order to bootstrap vault in an automatically built temporary dev environment is this, which might be considered a little hacky:

server:
  extraVolumes:
  - type: configMap
    name: vault-config
    defaultMode: 0777

  extraConfigFiles: |
    configure-kubernetes-auth.sh: |
      #!/bin/sh -ve
      wget https://releases.hashicorp.com/vault/1.3.2/vault_1.3.2_linux_amd64.zip
      unzip vault_1.3.2_linux_amd64.zip
      export VAULT_SKIP_VERIFY=true
      until ./vault status; do echo "Unable to connect to vault. Trying again." && sleep 5; done

      # Set SA_JWT_TOKEN value to the service account JWT used to access the TokenReview API
      export SA_JWT_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

      # Set SA_CA_CRT to the PEM encoded CA cert used to talk to Kubernetes API
      export SA_CA_CRT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)

      # Tell Vault where to find the Kubernetes API
      export K8S_HOST=kubernetes.default

      # Configure the Kubernetes auth method
      ./vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="https://$K8S_HOST" kubernetes_ca_cert="$SA_CA_CRT"
      export K8S_NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
      ./vault write auth/kubernetes/role/default bound_service_account_names=default bound_service_account_namespaces=${K8S_NAMESPACE} policies=allow_secrets_read ttl=1h

      # Sleep for all eternity
      while true; do sleep 10000; done

  extraContainers:
    - name: configure-kubernetes-auth
      image: lachlanevenson/k8s-kubectl:v1.14.10
      command: ["/bin/sh","/scripts/configure-kubernetes-auth.sh"]
      volumeMounts:
        - name: userconfig-vault-config
          mountPath: /scripts
      securityContext:
        runAsNonRoot: false
        runAsGroup: 0
        runAsUser: 0
      env:
        - name: VAULT_TOKEN
          valueFrom:
            secretKeyRef:
              name: vault-server-root
              key: value

With this addition, the only thing I need to provision outside of Helm is the root token for Vault and the MySQL database where my state lives (which I've restored from a backup).
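The bootstrap flow in the comment above, as an added example that is not part of the PR or of the vault-helm chart. It keeps the same steps (fetch the Vault binary, wait for the server, configure the kubernetes auth method and a role) but tightens two points an operator reviewing the posted script would usually ask about: the downloaded archive is checked against an expected SHA-256 before it is unpacked, and the wait-for-Vault loop is bounded instead of retrying forever. `VAULT_SHA256` and `VAULT_CACERT` are placeholders the operator supplies; `bootstrap` is only run when the script is invoked with `run`, because it needs a live Vault, network access and a real `VAULT_TOKEN`. The two helper functions run offline.

```shell
#!/bin/sh
# Added example: a checked variant of the bootstrap script posted in the PR comment.
# Not the chart's code. VAULT_SHA256 and VAULT_CACERT are operator-supplied placeholders.

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, 1 otherwise.
# sha256sum is available in both busybox and coreutils images.
verify_sha256() {
  file=$1
  expected=$2
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# wait_for CMD MAX_TRIES DELAY -> 0 as soon as CMD succeeds, 1 after MAX_TRIES failures.
# A bounded loop lets the container fail visibly instead of spinning on a misconfigured
# VAULT_ADDR or a server that never becomes reachable.
wait_for() {
  cmd=$1
  max=$2
  delay=$3
  n=0
  while [ "$n" -lt "$max" ]; do
    if sh -c "$cmd" >/dev/null 2>&1; then
      return 0
    fi
    n=$((n + 1))
    echo "attempt $n/$max failed; retrying in ${delay}s" >&2
    sleep "$delay"
  done
  return 1
}

# bootstrap: the posted flow with the two checks in place. Requires VAULT_TOKEN in the
# environment (the PR comment sources it from a Secret) and a reachable Vault.
bootstrap() {
  VAULT_VERSION=${VAULT_VERSION:-1.3.2}
  # Placeholder: copy the value for vault_${VAULT_VERSION}_linux_amd64.zip from the
  # release's SHA256SUMS file published alongside the archive.
  VAULT_SHA256=${VAULT_SHA256:?set to the expected sha256 of the Vault zip}
  zip="vault_${VAULT_VERSION}_linux_amd64.zip"

  wget "https://releases.hashicorp.com/vault/${VAULT_VERSION}/${zip}"
  verify_sha256 "$zip" "$VAULT_SHA256" || { echo "checksum mismatch for $zip" >&2; return 1; }
  unzip "$zip"

  # Placeholder: pin the CA that signed the Vault listener certificate instead of
  # exporting VAULT_SKIP_VERIFY=true as the posted script does.
  export VAULT_CACERT=${VAULT_CACERT:?path to the CA bundle for the Vault listener}

  # 24 tries x 5 s = two minutes before giving up.
  wait_for "./vault status" 24 5 || { echo "vault not reachable" >&2; return 1; }

  # Same service-account inputs as the posted script.
  SA_JWT_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
  SA_CA_CRT=$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)
  K8S_NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
  K8S_HOST=kubernetes.default

  ./vault write auth/kubernetes/config \
    token_reviewer_jwt="$SA_JWT_TOKEN" \
    kubernetes_host="https://$K8S_HOST" \
    kubernetes_ca_cert="$SA_CA_CRT"
  ./vault write auth/kubernetes/role/default \
    bound_service_account_names=default \
    bound_service_account_namespaces="$K8S_NAMESPACE" \
    policies=allow_secrets_read \
    ttl=1h

  # Keep the extra container alive once configuration is done, as the posted script does.
  while true; do sleep 10000; done
}

if [ "${1:-}" = "run" ]; then
  bootstrap
fi
```

Mounted this way the script only needs to be readable and executable, so a `defaultMode` of `0555` on the ConfigMap volume is sufficient; `0777` grants write bits that a read-only ConfigMap mount never uses.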

@tvoran tvoran added enhancement New feature or request chart Area: helm chart labels Mar 4, 2020
jasonodonnell (Contributor) commented

Closing in favor of #314, which adds much more flexibility to mounting all types of volumes.
