[chart] use the ubi image to perform secret validation (#1635)

atoulme · jvoravong · web-flow · commit 34601ea3e324 · 2025-01-29T08:43:00.000-08:00
* [chart] use the ubi image to perform secret validation

* Update helm-charts/splunk-otel-collector/values.yaml

Co-authored-by: jvoravong &lt;47871238+jvoravong@users.noreply.github.com&gt;

---------

Co-authored-by: jvoravong &lt;47871238+jvoravong@users.noreply.github.com&gt;
diff --git a/.chloggen/useubiforsecretvalidation.yaml b/.chloggen/useubiforsecretvalidation.yaml
@@ -0,0 +1,12 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+# The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
+component: chart
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Offer to use the UBI image to perform secret validation
+# One or more tracking issues related to the change
+issues: [1635]
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/examples/secret-validation/rendered_manifests/secret-splunk-validation-hook.yaml b/examples/secret-validation/rendered_manifests/secret-splunk-validation-hook.yaml
@@ -20,7 +20,7 @@ spec:
   restartPolicy: Never
   containers:
   - name: validate-secret
-    image: quay.io/signalfx/splunk-otel-collector:0.117.0
+    image: registry.access.redhat.com/ubi9/ubi
     imagePullPolicy: IfNotPresent
     command: ["sh", "-c"]
     args:
diff --git a/helm-charts/splunk-otel-collector/templates/_helpers.tpl b/helm-charts/splunk-otel-collector/templates/_helpers.tpl
@@ -220,6 +220,13 @@ Create the patch-log-dirs image name.
 {{- printf "%s:%s" .Values.image.initPatchLogDirs.repository .Values.image.initPatchLogDirs.tag | trimSuffix ":" -}}
 {{- end -}}
 
+{{/*
+Create the validateSecret image name.
+*/}}
+{{- define "splunk-otel-collector.image.validateSecret" -}}
+{{- printf "%s:%s" .Values.image.initPatchLogDirs.repository .Values.image.initPatchLogDirs.tag | trimSuffix ":" -}}
+{{- end -}}
+
 {{/*
   This helper converts the input value of memory to MiB.
   Input needs to be a valid value as supported by k8s memory resource field.
diff --git a/helm-charts/splunk-otel-collector/templates/secret-splunk-validation-hook.yaml b/helm-charts/splunk-otel-collector/templates/secret-splunk-validation-hook.yaml
@@ -15,8 +15,8 @@ spec:
   restartPolicy: Never
   containers:
   - name: validate-secret
-    image: {{ template "splunk-otel-collector.image.otelcol" . }}
-    imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
+    image: {{ template "splunk-otel-collector.image.validateSecret" . }}
+    imagePullPolicy: {{ .Values.image.validateSecret.pullPolicy }}
     command: ["sh", "-c"]
     args:
       - if [ "{{ include "splunk-otel-collector.splunkO11yEnabled" . }}" = "true" ] && [ ! -f /otel/secret/splunk_observability_access_token ]; then
diff --git a/helm-charts/splunk-otel-collector/values.schema.json b/helm-charts/splunk-otel-collector/values.schema.json
@@ -1123,6 +1123,26 @@
               ]
             }
           }
+        },
+        "validateSecret": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "repository": {
+              "type": "string"
+            },
+            "tag": {
+              "type": "string"
+            },
+            "pullPolicy": {
+              "type": "string",
+              "enum": [
+                "IfNotPresent",
+                "Always",
+                "Never"
+              ]
+            }
+          }
         }
       }
     },
diff --git a/helm-charts/splunk-otel-collector/values.yaml b/helm-charts/splunk-otel-collector/values.yaml
@@ -975,6 +975,16 @@ image:
     # The policy that specifies when the user wants the Universal Base images to be pulled
     pullPolicy: IfNotPresent
 
+  # Image to be used by a container to validate the secret's presence ahead of starting a helm install or upgrade using pre-install and pre-upgrade Helm hooks.
+  # Effective only if `secret.create` is set to false and `secret.validateSecret` is set to true (default).
+  validateSecret:
+    # The registry and name of the Universal Base Image 9 image to pull
+    repository: registry.access.redhat.com/ubi9/ubi
+    # The tag of the Universal Base Image 9, default value is latest
+    tag: ""
+    # The policy that specifies when the user wants the Universal Base images to be pulled
+    pullPolicy: IfNotPresent
+
 
 ################################################################################
 # Extra system configuration

Original file line number	Diff line number	Diff line change
`@@ -1123,6 +1123,26 @@`
`1123`	`1123`	`]`
`1124`	`1124`	`}`
`1125`	`1125`	`}`
	`1126`	`+ },`
	`1127`	`+ "validateSecret": {`
	`1128`	`+ "type": "object",`
	`1129`	`+ "additionalProperties": false,`
	`1130`	`+ "properties": {`
	`1131`	`+ "repository": {`
	`1132`	`+ "type": "string"`
	`1133`	`+ },`
	`1134`	`+ "tag": {`
	`1135`	`+ "type": "string"`
	`1136`	`+ },`
	`1137`	`+ "pullPolicy": {`
	`1138`	`+ "type": "string",`
	`1139`	`+ "enum": [`
	`1140`	`+ "IfNotPresent",`
	`1141`	`+ "Always",`
	`1142`	`+ "Never"`
	`1143`	`+ ]`
	`1144`	`+ }`
	`1145`	`+ }`
`1126`	`1146`	`}`
`1127`	`1147`	`}`
`1128`	`1148`	`},`