From 8662dcf77532c2b7c425e44ed6d401f68475e76d Mon Sep 17 00:00:00 2001 From: Sebastien Blot Date: Fri, 27 Feb 2026 16:50:58 +0100 Subject: [PATCH] register jobs: use a dedicated image with kubectl instead of installing it at runtime in the job --- charts/crowdsec/templates/_helpers.tpl | 10 ++++++++ .../crowdsec/templates/capi-register-job.yaml | 25 ++++++++++++++++--- .../templates/cscli-lapi-register-job.yaml | 25 ++++++++++++++++--- charts/crowdsec/values.schema.json | 18 +++++++++++++ charts/crowdsec/values.yaml | 8 ++++++ 5 files changed, 80 insertions(+), 6 deletions(-) diff --git a/charts/crowdsec/templates/_helpers.tpl b/charts/crowdsec/templates/_helpers.tpl index 7b0f90a..64fd9e4 100644 --- a/charts/crowdsec/templates/_helpers.tpl +++ b/charts/crowdsec/templates/_helpers.tpl @@ -94,6 +94,16 @@ true {{- $IsCAPIDisabled }} {{- end }} +{{/* + Return the kubectl helper image used by registration jobs. + If image.kubectl.tag is empty, default to latest. +*/}} +{{ define "registerJobKubectlImage" }} +{{- $repository := .Values.image.kubectl.repository | default "alpine/kubectl" -}} +{{- $tag := .Values.image.kubectl.tag | default "latest" -}} +{{- printf "%s:%s" $repository $tag -}} +{{- end -}} + {{/* Provide a default value for StoreCAPICredentialsInSecret. If StoreCAPICredentialsInSecret is not set in the values, and there's no persistency for the LAPI config, defaults to true diff --git a/charts/crowdsec/templates/capi-register-job.yaml b/charts/crowdsec/templates/capi-register-job.yaml index b144ebc..2c0a75e 100644 --- a/charts/crowdsec/templates/capi-register-job.yaml +++ b/charts/crowdsec/templates/capi-register-job.yaml 
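Review bot: `registerJobKubectlImage` falls back to the floating `latest` tag (and the values.yaml hunk in this patch ships `tag: latest`), so the kubectl binary that gets copied into the registration jobs is unpinned and, combined with `IfNotPresent`, may differ from node to node and over time. Defaulting `$tag` to a fixed release that sits inside the cluster's supported kubectl version skew, e.g. `{{- $tag := .Values.image.kubectl.tag | default "<pinned kubectl version>" -}}`, makes the job reproducible; pinning by digest would additionally need the helper to emit the `repository@sha256:...` form instead of `printf "%s:%s"`. As a style nit, `{{ define "registerJobKubectlImage" }}` does not trim whitespace while its matching `{{- end -}}` does, so `{{- define "registerJobKubectlImage" -}}` would be consistent.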
@@ -37,18 +37,34 @@ spec: tolerations: {{ toYaml .Values.lapi.tolerations | indent 8 }} {{- end }} + initContainers: + - name: install-kubectl + image: {{ include "registerJobKubectlImage" . | quote }} + imagePullPolicy: {{ .Values.image.kubectl.pullPolicy | default .Values.image.pullPolicy }} + command: + - "/bin/sh" + - "-c" + - | + cp "$(command -v kubectl)" /kubectl-bin/kubectl + chmod 0755 /kubectl-bin/kubectl + volumeMounts: + - name: kubectl-bin + mountPath: /kubectl-bin containers: - name: capi-register image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubectl-bin + mountPath: /kubectl-bin command: - "/bin/bash" - "-c" - | - apk update && apk add kubectl set -ex + KUBECTL=/kubectl-bin/kubectl echo "Checking if the secret {{ .Release.Name }}-capi-credentials already exists..." - if kubectl -n {{ .Release.Namespace }} get secret {{ .Release.Name }}-capi-credentials >/dev/null 2>&1; then + if $KUBECTL -n {{ .Release.Namespace }} get secret {{ .Release.Name }}-capi-credentials >/dev/null 2>&1; then echo "Secret already exists. Skipping registration." exit 0 fi @@ -61,9 +77,12 @@ spec: cscli -c /staging/etc/crowdsec/config.yaml capi register yq -i '.papi_url="https://papi.api.crowdsec.net/"' /tmp/online_api_credentials.yaml echo "Creating secret {{ .Release.Name }}-capi-credentials..." - kubectl create secret generic {{ .Release.Name }}-capi-credentials \ + $KUBECTL create secret generic {{ .Release.Name }}-capi-credentials \ -n {{ .Release.Namespace }} \ --from-file=online_api_credentials.yaml=/tmp/online_api_credentials.yaml + volumes: + - name: kubectl-bin + emptyDir: {} {{- end }} {{- end }} {{- end }} diff --git a/charts/crowdsec/templates/cscli-lapi-register-job.yaml b/charts/crowdsec/templates/cscli-lapi-register-job.yaml index 66370c9..093ee95 100644 
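Review bot: Under `set -e`, the `if $KUBECTL -n ... get secret ... >/dev/null 2>&1` test swallows every failure of the copied binary, so a kubectl that cannot run inside the crowdsec container (a custom `image.kubectl.repository` shipping a non-static build, or a copy that never landed in the emptyDir) is indistinguishable from "secret absent" and the job goes on to `cscli capi register` before failing at `create secret`. A pre-flight line right after `KUBECTL=/kubectl-bin/kubectl`, such as `"$KUBECTL" version --client >/dev/null`, fails fast before any registration side effect. The same applies to the first hunk of cscli-lapi-register-job.yaml. In the init container, `cp "$(command -v kubectl)" /kubectl-bin/kubectl` runs without `set -e` and its failure is only surfaced because the following `chmod` then fails on the missing file; starting the script with `set -e` would make that intent explicit.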
--- a/charts/crowdsec/templates/cscli-lapi-register-job.yaml +++ b/charts/crowdsec/templates/cscli-lapi-register-job.yaml @@ -36,18 +36,34 @@ spec: tolerations: {{ toYaml .Values.lapi.tolerations | indent 8 }} {{- end }} + initContainers: + - name: install-kubectl + image: {{ include "registerJobKubectlImage" . | quote }} + imagePullPolicy: {{ .Values.image.kubectl.pullPolicy | default .Values.image.pullPolicy }} + command: + - "/bin/sh" + - "-c" + - | + cp "$(command -v kubectl)" /kubectl-bin/kubectl + chmod 0755 /kubectl-bin/kubectl + volumeMounts: + - name: kubectl-bin + mountPath: /kubectl-bin containers: - name: lapi-cscli-register image: "{{ .Values.image.repository | default "crowdsecurity/crowdsec" }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: kubectl-bin + mountPath: /kubectl-bin command: - "/bin/bash" - "-c" - | - apk update && apk add kubectl set -ex + KUBECTL=/kubectl-bin/kubectl echo "Checking if the secret {{ .Release.Name }}-lapi-cscli-credentials already exists..." - if kubectl -n {{ .Release.Namespace }} get secret {{ .Release.Name }}-lapi-cscli-credentials >/dev/null 2>&1; then + if $KUBECTL -n {{ .Release.Namespace }} get secret {{ .Release.Name }}-lapi-cscli-credentials >/dev/null 2>&1; then echo "Secret already exists. Skipping registration." exit 0 fi @@ -60,8 +76,11 @@ spec: echo "Creating secret {{ .Release.Name }}-lapi-cscli-credentials..." - kubectl create secret generic {{ .Release.Name }}-lapi-cscli-credentials \ + $KUBECTL create secret generic {{ .Release.Name }}-lapi-cscli-credentials \ -n {{ .Release.Namespace }} \ --from-file=lapi_cscli_credentials.yaml=/tmp/lapi-cscli-credentials.yaml + volumes: + - name: kubectl-bin + emptyDir: {} {{- end }} {{- end }} diff --git a/charts/crowdsec/values.schema.json b/charts/crowdsec/values.schema.json index 4b276b0..1baa664 100644 --- a/charts/crowdsec/values.schema.json +++ b/charts/crowdsec/values.schema.json 
@@ -45,6 +45,24 @@ }, "pullPolicy": { "type": "string" + }, + "kubectl": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + }, + "pullPolicy": { + "type": "string" + } + }, + "required": [ + "repository", + "pullPolicy" + ] } }, "required": [ diff --git a/charts/crowdsec/values.yaml b/charts/crowdsec/values.yaml index 8dc6d11..7e2c466 100644 --- a/charts/crowdsec/values.yaml +++ b/charts/crowdsec/values.yaml @@ -23,6 +23,14 @@ image: ## @param image.tag [string] docker image tag (empty defaults to chart AppVersion) tag: "" + ## @param image.kubectl.repository [default: alpine/kubectl] [string] kubectl image repository used by registration jobs initContainers + ## @param image.kubectl.tag [default: latest] [string] kubectl image tag (override to match your cluster version if you encounter issues with registration jobs) + ## @param image.kubectl.pullPolicy [default: IfNotPresent] [string] kubectl image pull policy (Always, IfNotPresent, Never) + kubectl: + repository: alpine/kubectl + tag: latest + pullPolicy: IfNotPresent + ## @param podAnnotations [object] podAnnotations to be added to pods (string:string map) podAnnotations: {} # Uncomment the following lines if you use Prometheus Helm Chart rather than Prometheus Operator.
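Review bot: The schema lists `image.kubectl.repository` and `image.kubectl.pullPolicy` under `required`, while the helper in _helpers.tpl and the init container in both job templates apply `default` fallbacks for exactly those two keys (`alpine/kubectl` and `.Values.image.pullPolicy`), so one of the two mechanisms can never trigger. Either drop the two keys from `required` (leaving `tag` optional as it already is) or remove the template-side defaults, so the contract lives in one place. An `"enum": ["Always", "IfNotPresent", "Never"]` on the new `pullPolicy` would reject typos at `helm install` time, although the existing `image.pullPolicy` entry just above is also a bare string, so that would be a wider change than this patch.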