
helm-charts's Introduction

Helm Charts


Various Helm charts for my own and other projects.

Usage

Helm must be installed to use these charts. Please refer to the official documentation to get started.

helm repo add skm https://charts.sagikazarmark.dev

You can then see the charts by running:

helm search repo skm

You can install charts using the following command:

helm install --generate-name skm/CHART
# OR
helm install my-release skm/CHART

Tip: List all installed releases using helm list.

To uninstall a chart release:

helm delete my-release

License

The project is licensed under the MIT License.

helm-charts's People

Contributors

amiditex, bdashrad, bitnik, dependabot[bot], eugene-davis, jtyr, maikroempagel, maxwinterstein, mike-k0, nousefreak, rwc9u, sagikazarmark, stephan2012


helm-charts's Issues

Add https support

Add https port support. Ingress is probably still preferred though.

Review docs

  • Fix typos (there is at least a tyep somewhere)
  • Decide resource naming (pod vs Pod, container vs Container, service vs Service, service account vs Service Account)

Add persistent volume support

Credentials are also saved in a persistent volume (if any) which is probably not a really good practice. Might make sense to fix it in the upstream project, but for now we should support it.

Data to be stored:

  • user uploaded data
  • credentials
  • backups

Add an option to disable httpd

Hi @sagikazarmark , thank you for publishing these charts!

I had a small request, if it were possible on your end. In the sftpgo chart, you currently have provided:

sftpd.enabled
ftpd.enabled
webdavd.enabled

Would you also be able to add httpd.enabled as a toggleable flag, and setting port for the httpd service to 0 if set to false for users who might wish to disable httpd? Thank you!

Add caddyfile config

Make the caddyfile content configurable from the chart values. For example, a caddyfile value could be written to a configmap and mounted into the container (if provided).

Support changing the adapter as well.

Better tusd configuration

Currently tusd can be configured directly via container args. Let's add a better config structure so that container args are not exposed.

Example:

config:
  basePath:
  behindProxy:
  maxSize:
  timeout:
  uploadDir:
  verbose:

  tls:
    certPath:
    keyPath:
    mode:

  hooks:
    enabled: []
    stopCode:

    file:
      path:
    http:
      endpoint:
      backoff:
      forwardHeaders:
      retry:
    grpc:
      endpoint:
      backoff:
      retry:
    plugin:
      path:

  storage:
    gcs:
      bucket:
      objectPrefix:
    s3:
      bucket:
      objectPrefix:
      disableContentHashes:
      disableSsl:
      endpoint:
      partSize:
      transferAcceleration:

Add FTP and WebDAV

Consider the following service config:

service:
  annotations: {}
  type: ClusterIP
- port: 2022
+ ports:
+   sftp: 22
+   ftp: 21
+   webdav: 1234
+   # http: 80
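
Review bot: replacing "port: 2022" with the "ports" map changes two things at once for existing users: values files that still set service.port would no longer be read, and the SFTP service port moves from 2022 to 22. Suggest either keeping "port" as a deprecated fallback for "ports.sftp" or calling out the rename and the new default in the chart's upgrade notes. The commented-out "# http: 80" also leaves it unclear how the web port gets enabled; a short comment next to it would help.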

Web could be disabled by default.

Also, web will probably need a separate service as well. See #5

Add priorityClass setting

As kube-secrets-init is a critical service, it would be really useful to have the ability to set priorityClass for pods and by default have it system-cluster-critical.

Prepare charts for networking.k8s.io/v1

networking.k8s.io/v1beta1 is deprecated since 1.19 and will be removed in 1.22 (with 1.21 being just around the corner that's essentially the next release)

Add metrics support

Add support for metrics:

  • running on port 80 (same as http)
  • running on port 10000
  • served from a different service?

Add tests to make sure the different scenarios work properly.

Security reports

Hi,

the docker image for the latest stable version of SFTPGo and therefore the helm chart could be affected by security issues, for system packages, disclosed after the image is built.

For example, currently, the alpine image ships a vulnerable openssl version. We don't use openssl at all but this isn't the point.

To fix this issue, I'm thinking of rebuilding the last tag on schedule, for example once a week. What do you think? Thanks

sftpgo pvc

Great chart for sftpgo. But it's almost unusable without persistence of /var/lib/sftpgo - the secret key and all other configuration is lost on every restart.

It would be great to have a persistence option in values (and true by default).

Fix broken links

There are some broken links pointing to Kubernetes documentation.

Fix volumes

There are some copy-paste errors around volumes.

Config to multiple and dynamic namespaces

Hi everyone!
For the project: "https://github.com/sagikazarmark/helm-charts/tree/master/charts/kube-secrets-init"
I have some questions about the functionality of this when the k8s cluster has dynamic namespaces.

We use GitLab for CI/CD and create one namespace for every branch, so I want to apply your config, but I can't identify which component I need to add to the deploy process for every service to use the injector, like Azure Key Vault.

I use Helm to deploy my apps, and these deployments have a service account.
With the config "namespaceSelector" I understood that the injector works with every pod in every namespace in the cluster, except the kube-system namespace, if I don't add other exclude rules. Is this correct? Or do I need to add something else to the rest of my apps that I deploy with Helm to make this work?

Sorry for my English, I tried to explain my doubt.
If you can explain more about the relationship between the injector and the common services of every microservices architecture that I want to use this injector, I would really appreciate it.
Greetings!

initial admin/password to random secret

It would be good to be able to set the initial admin user and password (not password??). The core product does not seem to do this - do you know if this is possible?

Your chart could then be extended to enable a secrets file to generate and hold the password/username.

Problem with private registry from code

Hi @sagikazarmark
How are you?
I have a problem with the init-container; it is the same as here:
doitintl/kube-secrets-init#22

I also need to use private registries.
Reading the code here:
https://github.com/doitintl/kube-secrets-init/blob/master/cmd/secrets-init-webhook/registry/registry.go#L103

It uses a library that doesn't have new ways to log in:
https://github.com/heroku/docker-registry-client/blob/master/registry/registry.go#L33
the last commit is from 2019...

Do you have any workaround for this situation, or some alternative project to make the mutation webhook?
I really appreciate any help about this.
Greetings!

kube-secret-init 0.2.0 chart fails version check

The new chart options in 0.2.0 include:
kubeVersion: ">=1.16"
On GKE the Kubernetes versions are strings like:
1.16.15-gke.6000
or
1.17.16-gke.1600
This does not match and hence will refuse to install on a GKE cluster.
The version string should take this into account.
This should be something like:
kubeVersion: ">=v1.16.0-r0"

[kube-secrets-init] wrong webhook configuration

GKE, k8s v1.18

chart version 0.8.1

kube-system namespace excluded from being monitored in the values.yaml:

namespaceSelector:
  matchExpressions:
    - key: name
      operator: NotIn
      values:
        - kube-system

resulting webhook configuration:

namespaceSelector:
    matchExpressions:
    - key: name
      operator: NotIn
      values:
      - kube-system
    - key: kube-secrets-init.doit-intl.com/disable-mutation
      operator: NotIn
      values:
      - "true"
    - key: name
      operator: NotIn
      values:
      - kube-secrets-init
  objectSelector:
    matchExpressions:
    - key: kube-secrets-init.doit-intl.com/mutate
      operator: NotIn
      values:
      - skip
    - key: kube-secrets-init.doit-intl.com/disable-mutation
      operator: NotIn
      values:
      - "true"
  objectSelector:
    matchExpressions:
    - key: kube-secrets-init.doit-intl.com/mutate
      operator: NotIn
      values:
      - skip
    - key: kube-secrets-init.doit-intl.com/disable-mutation
      operator: NotIn
      values:
      - "true"

but kube-secrets-init is still getting events for pods created in the kube-system namespace:

time="2021-06-29T14:36:29Z" level=debug msg="no pod init containers were mutated"
2021/06/29 14:36:29 registry.ping url=https://eu.gcr.io/v2/
time="2021-06-29T14:38:24Z" level=debug msg="no pod init containers were mutated"
time="2021-06-29T14:38:24Z" level=debug msg="no pod containers were mutated"
time="2021-06-29T14:38:25Z" level=debug msg="Webhook mutating review finished with: '[]' JSON Patch" dry-run=false kind=v1/Pod name= ns=kube-system op=create path=/pods request-id=e2907e60-f76d-4b42-8a36-b84a4404c26b webhhok-type=mutating webhook-id=init-secrets-pods webhook-kind=mutating wh-version=v1beta1
time="2021-06-29T14:38:25Z" level=info msg="Admission review request handled" dry-run=false duration=471.053278ms kind=v1/Pod name= ns=kube-system op=create path=/pods request-id=e2907e60-f76d-4b42-8a36-b84a4404c26b svc=http.Handler webhook-id=init-secrets-pods webhook-kind=mutating wh-version=v1beta1
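
Added example, not part of the issue or of the chart: a namespaceSelector is evaluated against the labels on the Namespace object, and a NotIn expression also matches a namespace that has no label with that key. The sketch below evaluates the rendered namespaceSelector from the issue against constructed namespace label sets (assumptions, not taken from the reporter's cluster) to show when the webhook would be called.

```python
# Added example: Kubernetes-style matchExpressions evaluated against namespace labels.

def expr_matches(expr, labels):
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        # A namespace with no label for this key also satisfies NotIn.
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator: {op}")

def selector_matches(selector, labels):
    # All expressions in a selector are ANDed together.
    return all(expr_matches(e, labels) for e in selector.get("matchExpressions", []))

# namespaceSelector as rendered in the issue above.
RENDERED = {"matchExpressions": [
    {"key": "name", "operator": "NotIn", "values": ["kube-system"]},
    {"key": "kube-secrets-init.doit-intl.com/disable-mutation",
     "operator": "NotIn", "values": ["true"]},
    {"key": "name", "operator": "NotIn", "values": ["kube-secrets-init"]},
]}

# Constructed label sets (hypothetical; check real ones with
# `kubectl get namespace --show-labels`).
NAMESPACES = {
    "kube-system (no labels)": {},
    "kube-system (name label set)": {"name": "kube-system"},
    "kube-system (opt-out label)":
        {"kube-secrets-init.doit-intl.com/disable-mutation": "true"},
    "default (no labels)": {},
}

def webhook_called(selector=RENDERED, namespaces=NAMESPACES):
    """Map each sample namespace to whether the selector selects it."""
    return {ns: selector_matches(selector, lbl) for ns, lbl in namespaces.items()}

if __name__ == "__main__":
    for ns, called in webhook_called().items():
        print(f"{ns:30} webhook called: {called}")
```

The NotIn rule on "name" only excludes a namespace that actually carries a "name" label; the disable-mutation label in the rendered selector is the other way to opt a namespace out.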
