Don't create or mount an empty configMap when not using TLS encryption for the metrics endpoint
While templating out the helm chart today, I noticed that a configMap is being created with no content, and a volume/volume mount is present which consumes the empty configMap:
```yaml
---
# Source: gitlab-agent/charts/gitlab-agent/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: release-name-gitlab-agent
  labels:
    helm.sh/chart: gitlab-agent-1.16.0
    app.kubernetes.io/name: gitlab-agent
    app.kubernetes.io/version: "v16.1.3"
    app.kubernetes.io/managed-by: Helm
data:
---
# Source: gitlab-agent/charts/gitlab-agent/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
...
spec:
  ...
  template:
    ...
    spec:
      ...
      containers:
        - name: gitlab-agent
          ...
          volumeMounts:
            - name: secret-volume
              mountPath: /etc/agentk/secrets
            - name: config-volume
              mountPath: /etc/agentk/config
      volumes:
        - name: secret-volume
          secret:
            secretName: release-name-gitlab-agent-token
        - name: config-volume
          configMap:
            name: release-name-gitlab-agent
```
The configMap volume is mounted in read/write mode, which provides a location for a rogue cluster admin or other malicious user with sufficient privileges to write arbitrary data (scripts, etc.) into the pod for the furtherance of their end goal.
In our existing setup using Kubernetes manifests which were templated from an older version of the helm chart, we don't have this configMap nor the volume and volume mount; however, we are running the latest agent version 16.1.3 and it is working fine. Therefore, this configMap, volume, and volume mount are not required when not taking advantage of TLS encryption for the metrics endpoint, and are safe to remove from the deployment.
This merge request facilitates the removal of these items, while allowing them to be created and properly populated if the user wants to configure TLS.
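
A check for the condition this merge request describes, as an added example that is not part of the merge request or the chart: given rendered manifests already parsed into Python dicts (for instance `helm template` output loaded with a YAML parser), it reports ConfigMaps with no data that a workload still mounts. The sample input is constructed from the manifests quoted above; the function names and the Deployment's name are assumptions.

```python
# Added example: flag ConfigMaps with no data that a workload still mounts.
# Input is a list of manifests already parsed into dicts.

def empty_configmaps(docs):
    """Names of ConfigMaps whose data and binaryData are both absent or empty."""
    return {d["metadata"]["name"] for d in docs
            if d.get("kind") == "ConfigMap"
            and not d.get("data") and not d.get("binaryData")}

def pod_spec(doc):
    """Pod spec of a Pod or of a templated workload (Deployment, Job, ...)."""
    spec = doc.get("spec") or {}
    if doc.get("kind") == "Pod":
        return spec
    if doc.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}

def find_empty_mounts(docs):
    """List (workload, volume, configmap, mount paths) per empty ConfigMap in use."""
    empty, findings = empty_configmaps(docs), []
    for d in docs:
        ps = pod_spec(d)
        ctrs = (ps.get("containers") or []) + (ps.get("initContainers") or [])
        for vol in ps.get("volumes") or []:
            cm = (vol.get("configMap") or {}).get("name")
            if cm in empty:
                paths = sorted(m["mountPath"] for c in ctrs
                               for m in c.get("volumeMounts") or []
                               if m.get("name") == vol["name"])
                findings.append((f'{d["kind"]}/{d["metadata"]["name"]}',
                                 vol["name"], cm, paths))
    return findings

# Constructed sample mirroring the rendered output quoted in the merge request.
# "data:" with no value parses to None. The Deployment name is an assumption.
SAMPLE = [
    {"kind": "ConfigMap", "metadata": {"name": "release-name-gitlab-agent"}, "data": None},
    {"kind": "Deployment", "metadata": {"name": "release-name-gitlab-agent"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "gitlab-agent", "volumeMounts": [
             {"name": "secret-volume", "mountPath": "/etc/agentk/secrets"},
             {"name": "config-volume", "mountPath": "/etc/agentk/config"}]}],
         "volumes": [
             {"name": "secret-volume", "secret": {"secretName": "release-name-gitlab-agent-token"}},
             {"name": "config-volume", "configMap": {"name": "release-name-gitlab-agent"}}]}}}},
]

if __name__ == "__main__":
    for finding in find_empty_mounts(SAMPLE):
        print(finding)
```

The check matches ConfigMaps by name only and does not compare namespaces, so run it per release or per namespace.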