chore(helm)!: Rearrange values to be somewhat consistent with the listener-operator value changes

NickLarsenNZ · NickLarsenNZ · commit 331b9fb7fa22 · 2025-09-19T10:21:05.000+02:00
Part of stackabletech/issues#763 NOTE: These aren't exactly consistent with listener-operator changes from stackabletech/listener-operator#334, but are a step towards consistency, and make it easier should we decide to split secret-operator into a CSI Provisioner Deployment and CSI Node Driver DaemonSet.
diff --git a/deploy/helm/secret-operator/templates/daemonset.yaml b/deploy/helm/secret-operator/templates/daemonset.yaml
@@ -28,11 +28,11 @@ spec:
       containers:
         - name: {{ include "operator.appname" . }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+            {{- toYaml .Values.secretOperator.securityContext | nindent 12 }}
+          image: "{{ .Values.secretOperator.image.repository }}:{{ .Values.secretOperator.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.secretOperator.image.pullPolicy }}
           resources:
-            {{ .Values.node.driver.resources | toYaml | nindent 12 }}
+            {{ .Values.secretOperator.resources | toYaml | nindent 12 }}
           env:
             # The following env vars are passed as clap (think CLI) arguments to the operator.
             # They are picked up by clap using the structs defied in the operator.
@@ -42,7 +42,7 @@ spec:
             - name: CSI_ENDPOINT
               value: /csi/csi.sock
             - name: PRIVILEGED
-              value: {{ .Values.securityContext.privileged | quote }}
+              value: {{ .Values.secretOperator.securityContext.privileged | quote }}
 
             # Sometimes products need to know the operator image, e.g. the opa-bundle-builder OPA
             # sidecar uses the operator image.
@@ -81,16 +81,16 @@ spec:
               mountPath: /csi
             - name: mountpoint
               mountPath: {{ .Values.kubeletDir }}/pods
-              {{- if .Values.securityContext.privileged }}
+              {{- if .Values.secretOperator.securityContext.privileged }}
               mountPropagation: Bidirectional
               {{- end }}
             - name: tmp
               mountPath: /tmp
         - name: external-provisioner
-          image: "{{ .Values.csiProvisioner.image.repository }}:{{ .Values.csiProvisioner.image.tag }}"
-          imagePullPolicy: {{ .Values.csiProvisioner.image.pullPolicy }}
+          image: "{{ .Values.externalProvisioner.image.repository }}:{{ .Values.externalProvisioner.image.tag }}"
+          imagePullPolicy: {{ .Values.externalProvisioner.image.pullPolicy }}
           resources:
-            {{ .Values.csiProvisioner.resources | toYaml | nindent 12 }}
+            {{ .Values.externalProvisioner.resources | toYaml | nindent 12 }}
           args:
             - --csi-address=/csi/csi.sock
             - --feature-gates=Topology=true
@@ -99,10 +99,10 @@ spec:
             - name: csi
               mountPath: /csi
         - name: node-driver-registrar
-          image: "{{ .Values.csiNodeDriverRegistrar.image.repository }}:{{ .Values.csiNodeDriverRegistrar.image.tag }}"
-          imagePullPolicy: {{ .Values.csiNodeDriverRegistrar.image.pullPolicy }}
+          image: "{{ .Values.nodeDriverRegistrar.image.repository }}:{{ .Values.nodeDriverRegistrar.image.tag }}"
+          imagePullPolicy: {{ .Values.nodeDriverRegistrar.image.pullPolicy }}
           resources:
-            {{ .Values.csiNodeDriverRegistrar.resources | toYaml | nindent 12 }}
+            {{ .Values.nodeDriverRegistrar.resources | toYaml | nindent 12 }}
           args:
             - --csi-address=/csi/csi.sock
             - --kubelet-registration-path={{ .Values.kubeletDir }}/plugins/secrets.stackable.tech/csi.sock
diff --git a/deploy/helm/secret-operator/values.yaml b/deploy/helm/secret-operator/values.yaml
@@ -1,11 +1,9 @@
 # Default values for secret-operator.
 ---
 image:
-  repository: oci.stackable.tech/sdp/secret-operator
-  pullPolicy: IfNotPresent
   pullSecrets: []
 
-csiProvisioner:
+externalProvisioner:
   image:
     repository: oci.stackable.tech/sdp/sig-storage/csi-provisioner
     tag: v5.2.0
@@ -17,7 +15,7 @@ csiProvisioner:
     limits:
       cpu: 100m
       memory: 128Mi
-csiNodeDriverRegistrar:
+nodeDriverRegistrar:
   image:
     repository: oci.stackable.tech/sdp/sig-storage/csi-node-driver-registrar
     tag: v2.13.0
@@ -30,16 +28,33 @@ csiNodeDriverRegistrar:
       cpu: 100m
       memory: 128Mi
 
-node:
-  driver:
-    # Resources of the secret-operator container itself
-    resources:
-      limits:
-        cpu: 100m
-        memory: 128Mi
-      requests:
-        cpu: 100m
-        memory: 128Mi
+secretOperator:
+  image:
+    repository: oci.stackable.tech/sdp/secret-operator
+    # tag: 0.0.0-dev
+    pullPolicy: IfNotPresent
+  # Resources of the secret-operator container itself
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
+  securityContext:
+    # secret-operator requires root permissions
+    runAsUser: 0
+    # It is strongly recommended to run secret-operator as a privileged container, since
+    # it enables additional protections for the secret contents.
+    # Unprivileged mode is EXPERIMENTAL and requires manual migration for an existing cluster.
+    privileged: true
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # readOnlyRootFilesystem: true
+    # runAsNonRoot: true
+    # runAsUser: 1000
 
 nameOverride: ""
 fullnameOverride: ""
@@ -62,26 +77,14 @@ labels:
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext:
-  # secret-operator requires root permissions
-  runAsUser: 0
-  # It is strongly recommended to run secret-operator as a privileged container, since
-  # it enables additional protections for the secret contents.
-  # Unprivileged mode is EXPERIMENTAL and requires manual migration for an existing cluster.
-  privileged: true
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
 nodeSelector: {}
 
 tolerations: []
 
 affinity: {}
 
+# priorityClassName: ...
+
 # When running on a non-default Kubernetes cluster domain, the cluster domain can be configured here.
 # See the https://docs.stackable.tech/home/stable/guides/kubernetes-cluster-domain guide for details.
 # kubernetesClusterDomain: my-cluster.local
