Added Helm Chart

.gitignore

@@ -15,4 +15,5 @@ imagepullsecret-patcher
 # Dependency directories (remove the comment below to include it)
 # vendor/
 .vscode/
-.DS_Store
+.DS_Store
+!helm/*

helm/imagepullsecret-patcher/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

helm/imagepullsecret-patcher/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v2
+description: imagepullsecret-patcher
+name: imagepullsecret-patcher
+version: 1.0.0

helm/imagepullsecret-patcher/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Titansoft Pte Ltd
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

helm/imagepullsecret-patcher/README.MD

@@ -0,0 +1,3 @@
+## Installation
+
+helm install -n imagepullsecret-patcher --create-namespace imagepullsecret-patcher imagepullsecret-patcher --set dockerConfigJsonBase64Encoded="REPLACE_ME"

helm/imagepullsecret-patcher/templates/_helpers.tpl

@@ -0,0 +1,16 @@
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "imagepullsecret-patcher.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}

helm/imagepullsecret-patcher/templates/deployment.yaml

@@ -0,0 +1,46 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "imagepullsecret-patcher.fullname" . }}
+  labels:
+    app: {{ template "imagepullsecret-patcher.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name }}
+spec:
+  replicas: {{.Values.replicaCount}}
+  selector:
+    matchLabels:
+      name: {{ template "imagepullsecret-patcher.fullname" . }}
+  template:
+    metadata:
+      annotations:
+        envChecksum: {{ include (print $.Template.BasePath "/environment-variables.yaml") . | sha256sum }}
+      labels:
+        name: {{ template "imagepullsecret-patcher.fullname" . }}
+    spec:
+      {{- with .Values.image.pullSecrets }}
+      imagePullSecrets:
+        {{- range . }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
+      automountServiceAccountToken: true
+      serviceAccountName: {{ template "imagepullsecret-patcher.fullname" . }}
+      containers:
+        - name: {{ template "imagepullsecret-patcher.fullname" . }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: CONFIG_DOCKERCONFIGJSONPATH
+              value: "/app/secrets/.dockerconfigjson"
+          envFrom:
+            - secretRef:
+                name: {{ template "imagepullsecret-patcher.fullname" . }}-env
+          volumeMounts:
+            - name: src-dockerconfigjson
+              mountPath: "/app/secrets"
+              readOnly: true
+      volumes:
+        - name: src-dockerconfigjson
+          secret:
+            secretName: {{ template "imagepullsecret-patcher.fullname" . }}-dockerconfigjson

helm/imagepullsecret-patcher/templates/dockerconfig.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  name: {{ template "imagepullsecret-patcher.fullname" . }}-dockerconfigjson
+  labels:
+    app: {{ template "imagepullsecret-patcher.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: {{ .Release.Name }}
+data:
+  .dockerconfigjson: {{.Values.dockerConfigJsonBase64Encoded}}

helm/imagepullsecret-patcher/templates/environment-variables.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "imagepullsecret-patcher.fullname" . }}-env
+data:
+  {{- range $key, $value := .Values.env }}
+  {{ printf "%s" $key | replace "." "_" | upper }}: {{ $value |toString | b64enc}}
+  {{- end }}

helm/imagepullsecret-patcher/templates/rbac.yaml

@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "imagepullsecret-patcher.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: {{ template "imagepullsecret-patcher.fullname" . }}
+  name: {{ template "imagepullsecret-patcher.fullname" . }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - serviceaccounts
+    verbs:
+      - list
+      - patch
+      - create
+      - get
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - list
+      - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "imagepullsecret-patcher.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "imagepullsecret-patcher.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "imagepullsecret-patcher.fullname" . }}
+    namespace: {{ .Release.Namespace }}

helm/imagepullsecret-patcher/values.yaml

@@ -0,0 +1,29 @@
+# number of replicas to run
+replicaCount: 1
+image:
+  # docker image
+  repository: quay.io/titansoft/imagepullsecret-patcher
+  # docker image tag
+  tag: v0.14
+  pullPolicy: IfNotPresent
+  pullSecrets: []
+dockerConfigJsonBase64Encoded: "REPLACE_ME"
+env:
+  #overwrite secrets when not match
+  CONFIG_FORCE: true
+  #show DEBUG logs
+  CONFIG_DEBUG: false
+  #only modify secrets which were created by imagepullsecret
+  CONFIG_MANAGEDONLY: false
+  #run the update loop once, allowing for cronjob scheduling if desired
+  CONFIG_RUNONCE: false
+  #comma-separated list of serviceaccounts to patch
+  CONFIG_SERVICEACCOUNTS: default
+  #if true, list and patch all service accounts and the `-servicesaccounts` argument is ignored
+  CONFIG_ALLSERVICEACCOUNT: true
+  #name of managed secrets
+  CONFIG_SECRETNAME: image-pull-secret
+  #comma-separated namespaces excluded from processing
+  CONFIG_EXCLUDED_NAMESPACES :
+  #duration string which defines how often namespaces are checked, see https://golang.org/pkg/time/#ParseDuration for more examples
+  CONFIG_LOOP_DURATION: 10s