From 4e5703b345bfebfdf25885743ff2cf9a10b1f24b Mon Sep 17 00:00:00 2001 From: Matt Conway Date: Mon, 3 May 2021 10:14:47 -0400 Subject: [PATCH] enable creation/modification of mappings through helm configuration mechanism e.g. at install time --- README.md | 13 ++++++++++- helm/kubetruth/crds/projectmapping.yaml | 2 +- helm/kubetruth/templates/projectmappings.yaml | 14 +++++++++++ .../templates/rootprojectmapping.yaml | 19 --------------- helm/kubetruth/values.yaml | 23 +++++++++++++++++++ 5 files changed, 50 insertions(+), 21 deletions(-) create mode 100644 helm/kubetruth/templates/projectmappings.yaml delete mode 100644 helm/kubetruth/templates/rootprojectmapping.yaml diff --git a/README.md b/README.md index 126c0e5..92f00e0 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ your system if you gave `helm install` a different release name. ## Uninstall ```shell -helm delete my-kubetruth-name +helm delete kubetruth helm repo remove cloudtruth ``` 
@@ -41,6 +41,17 @@ Parameterize the helm install with `--set appSettings.**` to control how kubetru
 | appSettings.environment | The cloudtruth environment to lookup parameter values for. Use a separate helm install for each environment | string | `default` | yes |
 | appSettings.pollingInterval | Interval to poll cloudtruth api for changes | integer | 300 | no |
 | appSettings.debug | Debug logging | flag | n/a | no |
+| projectMappings.root.project_selector | A regexp to limit the projects acted against (client-side). Supplies any named matches for template evaluation | string | "" | no |
+| projectMappings.root.key_selector | A regexp to limit the keys acted against (client-side). Supplies any named matches for template evaluation | string | "" | no |
+| projectMappings.root.key_filter | Limits the keys fetched to contain the given substring (server-side, api search param) | string | "" | no |
+| projectMappings.root.configmap_name_template | The template to use in generating ConfigMap names | string | "{{project \| dns_safe}}" | no |
+| projectMappings.root.secret_name_template | The template to use in generating Secret names | string | "{{project \| dns_safe}}" | no |
+| projectMappings.root.namespace_template | The template to use in generating namespace names | string | "" | no |
+| projectMappings.root.key_template | The template to use in generating key names | string | "{{key}}" | no |
+| projectMappings.root.skip | Skips the generation of resources for the selected projects | flag | false | no |
+| projectMappings.root.skip_secrets | Prevent transfer of secrets to kubernetes Secrets | flag | false | no |
+| projectMappings.root.included_projects | Include the parameters from other projects into the selected ones. This is non-recursive, so if A imports B and B imports C, then A will only get B's parameters. For key conflicts, if A includes [B, C], then the precendence is A overrides C overrides B. 
| list | [] | no | +| projectMappings..* | Define override mappings to override settings from the root selector for specific projects. When doing this on the command-line (e.g. for `helm install`), it may be more convenient to use `--values ` instead of `--set` for large data sets | map | {} | no | By default, Kubetruth maps the parameters from CloudTruth Projects into ConfigMaps and Secrets of the same names as the Projects. Kubetruth will not diff --git a/helm/kubetruth/crds/projectmapping.yaml b/helm/kubetruth/crds/projectmapping.yaml index 9843407..4b0d858 100644 --- a/helm/kubetruth/crds/projectmapping.yaml +++ b/helm/kubetruth/crds/projectmapping.yaml @@ -43,7 +43,7 @@ spec: description: The template to use in generating key names skip: type: boolean - description: Skips the generation of resources for the selected projects. Useful for excluding projects that should only be included into others. + description: Skips the generation of resources for the selected projects skip_secrets: type: boolean description: Prevent transfer of secrets to kubernetes Secrets diff --git a/helm/kubetruth/templates/projectmappings.yaml b/helm/kubetruth/templates/projectmappings.yaml new file mode 100644 index 0000000..b4662a7 --- /dev/null +++ b/helm/kubetruth/templates/projectmappings.yaml @@ -0,0 +1,14 @@ +{{- if .Values.projectMappings }} +{{- range $k, $v := .Values.projectMappings }} +--- +apiVersion: kubetruth.cloudtruth.com/v1 +kind: ProjectMapping +metadata: + name: {{ include "kubetruth.fullname" $ }}-{{$k}} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "kubetruth.labels" $ | nindent 4 }} +spec: + {{- toYaml $v | nindent 2 }} +{{- end }} +{{- end -}} diff --git a/helm/kubetruth/templates/rootprojectmapping.yaml b/helm/kubetruth/templates/rootprojectmapping.yaml deleted file mode 100644 index 61fccab..0000000 --- a/helm/kubetruth/templates/rootprojectmapping.yaml +++ /dev/null 
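Review bot: Nothing in `helm/kubetruth/templates/projectmappings.yaml` enforces the "single mapping with scope=root" requirement stated in the values.yaml comment, now that the root mapping is rendered from user-supplied values rather than a fixed manifest. A values file that changes `projectMappings.root.scope`, adds a second root-scoped entry, or nulls out `root` still renders cleanly, and the mistake presumably only shows up later in the controller. That matters because these mappings decide which projects' secrets are written and into which namespaces. A render-time guard inside the existing `if` would reject such input at `helm install` / `helm template` time. Separately, the map key goes into `metadata.name` unchecked, so the README should say that mapping names must be valid Kubernetes resource names.

```yaml
{{- if .Values.projectMappings }}
{{- $roots := 0 }}
{{- range $k, $v := .Values.projectMappings }}
{{- if eq (toString $v.scope) "root" }}{{- $roots = add1 $roots }}{{- end }}
{{- end }}
{{- if ne $roots 1 }}
{{- fail "projectMappings must contain exactly one mapping with scope=root" }}
{{- end }}
# … unchanged: range that renders one ProjectMapping per entry …
```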
@@ -1,19 +0,0 @@
-apiVersion: kubetruth.cloudtruth.com/v1
-kind: ProjectMapping
-metadata:
- name: {{ include "kubetruth.fullname" . }}-root
- namespace: {{ .Release.Namespace }}
- labels:
- {{- include "kubetruth.labels" . | nindent 4 }}
-spec:
- scope: "root"
- project_selector: ""
- key_selector: ""
- key_filter: ""
- configmap_name_template: "{{ "{{" }}project | dns_safe}}"
- secret_name_template: "{{ "{{" }}project | dns_safe}}"
- namespace_template: ""
- key_template: "{{ "{{" }}key}}"
- skip: false
- skip_secrets: false
- included_projects: []
diff --git a/helm/kubetruth/values.yaml b/helm/kubetruth/values.yaml
index f7480b3..41c4cb0 100644
--- a/helm/kubetruth/values.yaml
+++ b/helm/kubetruth/values.yaml
@@ -72,3 +72,26 @@ appSettings:
 pollingInterval:
 debug: false
 config:
+
+# Create instances of the ProjectMapping CRD. A single mapping with scope=root
+# is required (named root below. You can also add multiple override mappings
+# (scope=override), any properties not overriden are inherited from the root
+# mapping. An example override mapping could look like:
+# my-override-name:
+# scope: "override"
+# project_selector: "common"
+# skip: true
+#
+projectMappings:
+ root:
+ scope: "root"
+ project_selector: ""
+ key_selector: ""
+ key_filter: ""
+ configmap_name_template: "{{project | dns_safe}}"
+ secret_name_template: "{{project | dns_safe}}"
+ namespace_template: ""
+ key_template: "{{key}}"
+ skip: false
+ skip_secrets: false
+ included_projects: []
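Review bot: The comment block above `projectMappings:` in values.yaml does not tell operators that these values control where secret material ends up. `namespace_template` selects the target namespace, and `skip_secrets: false` (the default here) lets secrets be written as Kubernetes Secrets. Since override mappings can now be supplied at install time through `--set` or `--values`, I would add a line such as `# NOTE: namespace_template and skip_secrets determine where CloudTruth secrets are written; review override mappings accordingly.` The same comment has an unclosed parenthesis in `(named root below.`, which should read `(named root below).`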