ROSAENG-133 - feat: add extraVolumes and extraVolumeMounts support to…

[cdoan1]

… Helm chart

Summary

Adds configuration options to inject custom volumes and volume mounts into the Sentinel deployment, enabling users to mount additional ConfigMaps, Secrets, or other volume types as needed.

Used by the regional team to support aws podidentity

• HYPERFLEET-XXX

Test Plan

• Unit tests added/updated
• make test-all passes
• make lint passes
• Helm chart changes validated with make test-helm (if applicable)
• Deployed to a development cluster and verified (if Helm/config changes)
• E2E tests passed (if cross-component or major changes)

[openshift-ci]

Hi @cdoan1. Thanks for your PR.

I'm waiting for a openshift-hyperfleet member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Warning

Review limit reached

@cdoan1, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 41 minutes and 54 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c8d03244-930e-4e0f-aa1f-556518abe8a2

📥 Commits

Reviewing files that changed from the base of the PR and between 0163cb9 and 6a35d25.

📒 Files selected for processing (3)

• charts/README.md
• charts/templates/deployment.yaml
• charts/values.yaml

📝 Walkthrough

Walkthrough

This PR adds two Helm values, extraVolumes and extraVolumeMounts (defaults: empty arrays), and updates the Deployment template to conditionally render .Values.extraVolumeMounts into spec.template.spec.containers[].volumeMounts and .Values.extraVolumes into spec.template.spec.volumes using toYaml. The blocks are enclosed in with conditionals and only emit YAML when the corresponding values are set.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title clearly identifies the main change: adding extraVolumes and extraVolumeMounts support to the Helm chart, directly matching the changeset.
Description check	✅ Passed	Description directly addresses the changeset, explaining the purpose of the new configuration options and their intended use case for AWS pod identity support.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	No slog/log/logr/zap/fmt.Print* statements in non-test Go files include token/password/credential/secret strings/fields; charts YAML changes contain no logging. (CWE-532)
No Hardcoded Secrets	✅ Passed	PR #89 only adds conditional Helm rendering for .Values.extraVolumes/extraVolumeMounts (default empty). No CWE-798 hardcoded credential/password/token/private-key literals found in the changes.
No Weak Cryptography	✅ Passed	Scanned charts/templates/deployment.yaml, charts/values.yaml, and all repo .go/.yaml/.tpl/.md for crypto/md5, crypto/des, crypto/rc4, SHA1, and ECB patterns; no matches found.
No Injection Vectors	✅ Passed	Scanned repo for CWE-89 SQL fmt.Sprintf patterns, CWE-78 exec.Command/CommandContext, CWE-79 template.HTML, and CWE-502 yaml.Unmarshal: none found in the Helm/template changes (and overall).
No Privileged Containers	✅ Passed	PR only adds .Values.extraVolumes/extraVolumeMounts rendering. deployment.yaml has no privileged/hostPID/hostNetwork/hostIPC; values.yaml allowPrivilegeEscalation=false, runAsUser=65532; Dockerfile...
No Pii Or Sensitive Data In Logs	✅ Passed	Reviewed PR chart files (deployment.yaml, values.yaml): no slog/log/zap/fmt.Print statements or PII-like data; changes only add Helm volume/volumeMount injection blocks.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ciaranRoche]

/ok-to-test

[ciaranRoche]

Just one comment inline, not against this change, so added ok-to-test while you confirm its required beyond using the SA annotations.

[ciaranRoche]

Not against adding the extra vol mounts to the vals here, but wondering if SA annotations would solve your pod identity setup?

[cdoan1]

@ciaranRoche where using this like below, so even with SA annotation, we need mount the secret

   # Service account configuration for AWS Pod Identity
    serviceAccount:
      create: true
      annotations:
        # AWS IAM role for Pod Identity
        # Replace with your actual IAM role ARN
        eks.amazonaws.com/role-arn: ""
      name: sentinel-sa

    # Volume configuration to mount secrets from SecretProviderClass
    # Using extraVolumes/extraVolumeMounts to integrate with upstream chart
    extraVolumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: hyperfleet-sentinel-secrets

    extraVolumeMounts:
      - name: secrets-store-inline
        mountPath: /mnt/secrets-store
        readOnly: true

[cdoan1]

let me rebase

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rafabene for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hyperfleet-ci-bot]

Risk Score: 0 — risk/low

Signal	Detail	Points
PR size	22 lines	+0
Sensitive paths	none	+0

_{Computed by hyperfleet-risk-scorer}

[cdoan1]

/test

[cdoan1]

/test helm-test