From ce44d0b3eb257c063859931d5483a256da94d260 Mon Sep 17 00:00:00 2001
From: Bagautdino <336373@edu.itmo.ru>
Date: Wed, 20 Aug 2025 16:50:09 +0300
Subject: [PATCH] feat(helm): add envFrom to export.stdout via extraEnvFrom/envFromSecrets
This commit extends the Helm chart for Tetragon by adding support for envFrom in the export.stdout template. Specifically: - export.stdout.extraEnvFrom: allows referencing ConfigMaps/Secrets via envFrom. - export.stdout.envFromSecrets: convenience for Secrets only, accepts strings or objects. Usage examples: values.yaml ----------- export: stdout: # Add specific env vars extraEnv: - name: LOG_LEVEL value: info # Pull multiple variables from ConfigMap/Secret via envFrom extraEnvFrom: - configMapRef: name: fluent-bit-config # Convenience for Secret envFrom envFromSecrets: - opensearch-credentials - name: optional-secret optional: true Rendered container ------------------ env: - name: LOG_LEVEL value: info envFrom: - configMapRef: name: fluent-bit-config - secretRef: name: opensearch-credentials - secretRef: name: optional-secret optional: true
Signed-off-by: Bagautdino <336373@edu.itmo.ru>
---
 .../templates/_container_export_stdout.tpl | 26 ++++++++++++++--
 install/kubernetes/tetragon/values.yaml | 31 +++++++++++++++++--
 2 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/install/kubernetes/tetragon/templates/_container_export_stdout.tpl b/install/kubernetes/tetragon/templates/_container_export_stdout.tpl
index b1453ab7694..2b65bc2e5f7 100644
--- a/install/kubernetes/tetragon/templates/_container_export_stdout.tpl
+++ b/install/kubernetes/tetragon/templates/_container_export_stdout.tpl
@@ -3,7 +3,29 @@
 image: "{{ if .Values.export.stdout.image.override }}{{ .Values.export.stdout.image.override }}{{ else }}{{ .Values.export.stdout.image.repository }}:{{ .Values.export.stdout.image.tag }}{{ end }}"
 imagePullPolicy: {{ .Values.imagePullPolicy }}
 terminationMessagePolicy: FallbackToLogsOnError
- env: {{- toYaml .Values.export.stdout.extraEnv | nindent 4 }}
+ {{- with .Values.export.stdout.extraEnv }}
+ env:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- $envFrom := list }}
+ {{- with .Values.export.stdout.extraEnvFrom }}
+ {{- $envFrom = concat $envFrom . }}
+ {{- end }}
+ {{- range $item := .Values.export.stdout.envFromSecrets }}
+ {{- if kindIs "map" $item }}
+ {{- $sr := dict "name" ($item.name | default "") }}
+ {{- if hasKey $item "optional" }}
+ {{- $_ := set $sr "optional" $item.optional }}
+ {{- end }}
+ {{- $envFrom = append $envFrom (dict "secretRef" $sr) }}
+ {{- else }}
+ {{- $envFrom = append $envFrom (dict "secretRef" (dict "name" $item)) }}
+ {{- end }}
+ {{- end }}
+ {{- if gt (len $envFrom) 0 }}
+ envFrom:
+ {{- toYaml $envFrom | nindent 4 }}
+ {{- end }}
 securityContext:
 {{- toYaml .Values.export.securityContext | nindent 4 }}
 resources:
@@ -32,4 +54,4 @@
 {{- with .Values.export.stdout.extraVolumeMounts }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/install/kubernetes/tetragon/values.yaml b/install/kubernetes/tetragon/values.yaml
index 675adeb3371..d73d00b3ee3 100644
--- a/install/kubernetes/tetragon/values.yaml
+++ b/install/kubernetes/tetragon/values.yaml
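Review bot: In the `kindIs "map"` branch of the `envFromSecrets` loop, `($item.name | default "")` turns an entry with a missing or misspelled `name` key into `secretRef: {name: ""}`, so the mistake surfaces only when the manifest is applied rather than at render time. For a credentials source it is safer to fail the render: `{{- $sr := dict "name" (required "export.stdout.envFromSecrets[].name is required" $item.name) }}`. The `else` branch has a similar gap, since any non-map item (a number, a list) is passed through as the Secret name; a `kindIs "string"` check that calls `fail` otherwise would close it. The enclosing `define` starts and ends outside this hunk.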
@@ -356,10 +356,37 @@ export:
 - tetragon.log
 # stdout specific exporter settings
 stdout:
- extraEnv: []
+ # -- Extra environment variables to add to the export-stdout container.
+ # Example:
 # extraEnv:
- # - name: foo
+ # - name: FOO
 # value: bar
+ # - name: SECRET_KEY
+ # valueFrom:
+ # secretKeyRef:
+ # name: my-secret
+ # key: secret-key
+ extraEnv: []
+
+ # -- Extra envFrom sources to add to the export-stdout container.
+ # This allows adding any type of envFrom source (configMapRef, secretRef, etc.).
+ # Example:
+ # extraEnvFrom:
+ # - configMapRef:
+ # name: my-config-map
+ # - secretRef:
+ # name: my-secret
+ # optional: true
+ extraEnvFrom: []
+
+ # -- A simplified way to add secret references to envFrom.
+ # Can be specified either as a string (just the secret name) or as an object with additional parameters.
+ # Example:
+ # envFromSecrets:
+ # - my-simple-secret
+ # - name: my-optional-secret
+ # optional: true
+ envFromSecrets: []
 
 # * When enabledCommand=true and commandOverride is not set, the command inserted will be hubble-export-stdout.
 # This supports the default for the current deployment instructions to deploy stdout-export sidecar container.
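Review bot: The comments added for `extraEnvFrom` and `envFromSecrets` do not mention that `envFrom` imports every key of the referenced Secret or ConfigMap into the export-stdout container's environment, which is broader than the `secretKeyRef` form shown in the `extraEnv` example. I would add a line above `extraEnvFrom: []` such as `# Note: envFrom exposes all keys of the referenced object to the container; use extraEnv with secretKeyRef to expose a single key.` It is also worth stating next to the `optional: true` examples that the container then starts even when the Secret is absent, so a missing credential is not caught at pod start.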