From 5e2233cf8d443bb7b4cc9aae02e7a35eedcff5a0 Mon Sep 17 00:00:00 2001
From: "M. Essam"
Date: Fri, 22 Dec 2023 15:43:40 +0200
Subject: [PATCH] add commonLabels to customizable values (#1404)
**Description of the change**
Helm Chart only update, add new value `commonLabels` that functions the same as `commonAnnotations` by adding labels to `_helpers.tpl` in `sealed-secrets.labels`
**Benefits**
* Ability to add custom labels to all resources for any organization compliance
**Possible drawbacks**
N/A
**Applicable issues**
- fixes #1373
**Additional information**
My current organization requires adding a custom label to all resources, thus the PR. The changes in the PR were tested on a local Kubernetes installation with both `commonLabels: {}` and `commonLabels: {x: 'y'}`
---------
Signed-off-by: M Essam Hamed
---
 helm/sealed-secrets/README.md | 1 +
 helm/sealed-secrets/templates/cluster-role-binding.yaml | 3 +++
 helm/sealed-secrets/templates/cluster-role.yaml | 3 +++
 helm/sealed-secrets/templates/configmap-dashboards.yaml | 3 +++
 helm/sealed-secrets/templates/deployment.yaml | 3 +++
 helm/sealed-secrets/templates/ingress.yaml | 3 +++
 helm/sealed-secrets/templates/networkpolicy.yaml | 3 +++
 helm/sealed-secrets/templates/pdb.yaml | 3 +++
 helm/sealed-secrets/templates/psp-clusterrole.yaml | 3 +++
 helm/sealed-secrets/templates/psp-clusterrolebinding.yaml | 3 +++
 helm/sealed-secrets/templates/psp.yaml | 3 +++
 helm/sealed-secrets/templates/role-binding.yaml | 6 ++++++
 helm/sealed-secrets/templates/role.yaml | 6 ++++++
 helm/sealed-secrets/templates/service-account.yaml | 3 +++
 helm/sealed-secrets/templates/service.yaml | 6 ++++++
 helm/sealed-secrets/templates/servicemonitor.yaml | 3 +++
 helm/sealed-secrets/templates/tls-secret.yaml | 6 ++++++
 helm/sealed-secrets/values.yaml | 5 +++++
 18 files changed, 66 insertions(+)
diff --git a/helm/sealed-secrets/README.md b/helm/sealed-secrets/README.md
index e4c86780c..4612b8c2f 100644
--- a/helm/sealed-secrets/README.md
+++ b/helm/sealed-secrets/README.md
@@ -78,6 +78,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `namespace` | Namespace where to deploy the Sealed Secrets controller | `""` |
 | `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
 | `commonAnnotations` | Annotations to add to all deployed resources | `{}` |
+| `commonLabels` | Labels to add to all deployed resources | `{}` |
 ### Sealed Secrets Parameters
diff --git a/helm/sealed-secrets/templates/cluster-role-binding.yaml b/helm/sealed-secrets/templates/cluster-role-binding.yaml
index 75f3d38c5..21f0c5d48 100644
--- a/helm/sealed-secrets/templates/cluster-role-binding.yaml
+++ b/helm/sealed-secrets/templates/cluster-role-binding.yaml
@@ -7,6 +7,9 @@ metadata:
 {{- if .Values.rbac.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
diff --git a/helm/sealed-secrets/templates/cluster-role.yaml b/helm/sealed-secrets/templates/cluster-role.yaml
index c73b2517c..05d837028 100644
--- a/helm/sealed-secrets/templates/cluster-role.yaml
+++ b/helm/sealed-secrets/templates/cluster-role.yaml
@@ -7,6 +7,9 @@ metadata:
 {{- if .Values.rbac.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 rules:
 - apiGroups:
 - bitnami.com
diff --git a/helm/sealed-secrets/templates/configmap-dashboards.yaml b/helm/sealed-secrets/templates/configmap-dashboards.yaml
index 845248184..648f4b05c 100644
--- a/helm/sealed-secrets/templates/configmap-dashboards.yaml
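Review bot: The added `commonLabels` block is emitted directly after the `rbac.labels` block under the same `labels:` mapping, and nothing handles a key that appears in both. A collision renders the key twice, and which value survives is then left to the YAML parser (usually the last one), so a `commonLabels` entry can silently replace a label that the chart or `rbac.labels` set; that matters wherever labels feed selectors or policy matching. The same pattern repeats in every template hunk of this patch, both the ones that append after a per-resource labels value and the ones that append after `sealed-secrets.labels`. I would at least document the precedence next to the value, for example `## Keys that duplicate chart-managed labels are rendered twice; avoid reusing them`. The `metadata:` block starts above the hunk.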
+++ b/helm/sealed-secrets/templates/configmap-dashboards.yaml
@@ -11,6 +11,9 @@ metadata:
 {{- if $.Values.metrics.dashboards.labels }}
 {{- include "sealed-secrets.render" ( dict "value" $.Values.metrics.dashboards.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 annotations:
 {{- if $.Values.metrics.dashboards.annotations }}
 {{- include "sealed-secrets.render" ( dict "value" $.Values.metrics.dashboards.annotations "context" $) | nindent 4 }}
diff --git a/helm/sealed-secrets/templates/deployment.yaml b/helm/sealed-secrets/templates/deployment.yaml
index a195f1f43..32318887b 100644
--- a/helm/sealed-secrets/templates/deployment.yaml
+++ b/helm/sealed-secrets/templates/deployment.yaml
@@ -5,6 +5,9 @@ metadata:
 name: {{ include "sealed-secrets.fullname" . }}
 namespace: {{ include "sealed-secrets.namespace" . }}
 labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 {{- if .Values.commonAnnotations }}
 annotations: {{- toYaml .Values.commonAnnotations | nindent 4 }}
 {{- end }}
diff --git a/helm/sealed-secrets/templates/ingress.yaml b/helm/sealed-secrets/templates/ingress.yaml
index 966a37eea..39ae89338 100644
--- a/helm/sealed-secrets/templates/ingress.yaml
+++ b/helm/sealed-secrets/templates/ingress.yaml
@@ -5,6 +5,9 @@ metadata:
 name: {{ include "sealed-secrets.fullname" . }}
 namespace: {{ include "sealed-secrets.namespace" . }}
 labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 {{- if .Values.ingress.annotations }}
 annotations:
 {{- if .Values.ingress.annotations }}
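Review bot: In the `configmap-dashboards.yaml` hunk the new condition reads `.Values.commonLabels`, while every context line around it reaches values through `$.Values...`, which suggests the block sits inside a `range` or `with` where `.` is no longer the root context. If that is the case, `.Values` resolves against the loop item and the template either fails to render or never emits the labels. Use the root explicitly: `{{- if $.Values.commonLabels }}` and `(dict "value" $.Values.commonLabels "context" $)`. The first hunk of `tls-secret.yaml` has the same shape (`.name`, `.certificate`, and `$` passed to the includes). The enclosing loop starts outside both hunks, so confirm by rendering the chart with the dashboards ConfigMap and the TLS secrets enabled.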
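Review bot: In the `deployment.yaml` hunk only the Deployment's own `metadata.labels` receives `commonLabels`; the diffstat shows three added lines in this file and no change to `_helpers.tpl` (although the description says the labels are added there), so the pod template presumably does not get them. The README row promises labels on all deployed resources, and label-based controls such as admission policies, ownership audits and NetworkPolicy selectors usually act on Pods rather than on the Deployment object. Either repeat the block under `spec.template.metadata.labels`, leaving the selector's `matchLabels` untouched because it is immutable, or narrow the README wording. `spec.template` lies outside this hunk.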
diff --git a/helm/sealed-secrets/templates/networkpolicy.yaml b/helm/sealed-secrets/templates/networkpolicy.yaml
index 927400619..58f44b048 100644
--- a/helm/sealed-secrets/templates/networkpolicy.yaml
+++ b/helm/sealed-secrets/templates/networkpolicy.yaml
@@ -5,6 +5,9 @@ metadata:
 name: {{ include "sealed-secrets.fullname" . }}
 namespace: {{ include "sealed-secrets.namespace" . }}
 labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 spec:
 podSelector:
 matchLabels: {{- include "sealed-secrets.matchLabels" . | nindent 6 }}
diff --git a/helm/sealed-secrets/templates/pdb.yaml b/helm/sealed-secrets/templates/pdb.yaml
index 133883b43..e6db12260 100644
--- a/helm/sealed-secrets/templates/pdb.yaml
+++ b/helm/sealed-secrets/templates/pdb.yaml
@@ -5,6 +5,9 @@ metadata:
 name: {{ include "sealed-secrets.fullname" . }}
 namespace: {{ include "sealed-secrets.namespace" . }}
 labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 {{- if .Values.commonAnnotations }}
 annotations: {{- toYaml .Values.commonAnnotations | nindent 4 }}
 {{- end }}
diff --git a/helm/sealed-secrets/templates/psp-clusterrole.yaml b/helm/sealed-secrets/templates/psp-clusterrole.yaml
index 65b555553..aa118d04e 100644
--- a/helm/sealed-secrets/templates/psp-clusterrole.yaml
+++ b/helm/sealed-secrets/templates/psp-clusterrole.yaml
@@ -7,6 +7,9 @@ metadata:
 {{- if .Values.rbac.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 rules:
 - apiGroups: ['extensions']
 resources: ['podsecuritypolicies']
diff --git a/helm/sealed-secrets/templates/psp-clusterrolebinding.yaml b/helm/sealed-secrets/templates/psp-clusterrolebinding.yaml
index 3c1ed3605..b9430df5a 100644
--- a/helm/sealed-secrets/templates/psp-clusterrolebinding.yaml
+++ b/helm/sealed-secrets/templates/psp-clusterrolebinding.yaml
@@ -7,6 +7,9 @@ metadata:
 {{- if .Values.rbac.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
diff --git a/helm/sealed-secrets/templates/psp.yaml b/helm/sealed-secrets/templates/psp.yaml
index 61634a1e9..596867159 100644
--- a/helm/sealed-secrets/templates/psp.yaml
+++ b/helm/sealed-secrets/templates/psp.yaml
@@ -4,6 +4,9 @@ kind: PodSecurityPolicy
 metadata:
 name: {{ include "sealed-secrets.fullname" . }}
 labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 spec:
 privileged: false
 allowPrivilegeEscalation: false
diff --git a/helm/sealed-secrets/templates/role-binding.yaml b/helm/sealed-secrets/templates/role-binding.yaml
index 1b0bb7e29..12c109ab1 100644
--- a/helm/sealed-secrets/templates/role-binding.yaml
+++ b/helm/sealed-secrets/templates/role-binding.yaml
@@ -8,6 +8,9 @@ metadata:
 {{- if .Values.rbac.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -27,6 +30,9 @@ metadata:
 {{- if .Values.rbac.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
diff --git a/helm/sealed-secrets/templates/role.yaml b/helm/sealed-secrets/templates/role.yaml
index 32a254816..06b5e0f5c 100644
--- a/helm/sealed-secrets/templates/role.yaml
+++ b/helm/sealed-secrets/templates/role.yaml
@@ -8,6 +8,9 @@ metadata:
 {{- if .Values.rbac.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 rules:
 - apiGroups:
 - ""
@@ -34,6 +37,9 @@ metadata:
 {{- if .Values.rbac.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.rbac.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 rules:
 - apiGroups:
 - ""
diff --git a/helm/sealed-secrets/templates/service-account.yaml b/helm/sealed-secrets/templates/service-account.yaml
index e58126d78..a205bfec7 100644
--- a/helm/sealed-secrets/templates/service-account.yaml
+++ b/helm/sealed-secrets/templates/service-account.yaml
@@ -17,4 +17,7 @@ metadata:
 {{- if .Values.serviceAccount.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.serviceAccount.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 {{ end }}
diff --git a/helm/sealed-secrets/templates/service.yaml b/helm/sealed-secrets/templates/service.yaml
index 939586ba1..629c9b7cf 100644
--- a/helm/sealed-secrets/templates/service.yaml
+++ b/helm/sealed-secrets/templates/service.yaml
@@ -17,6 +17,9 @@ metadata:
 {{- if .Values.service.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.service.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 spec:
 type: {{ .Values.service.type }}
 ports:
@@ -48,6 +51,9 @@ metadata:
 {{- if .Values.metrics.service.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.metrics.service.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 spec:
 type: {{ .Values.metrics.service.type }}
 ports:
diff --git a/helm/sealed-secrets/templates/servicemonitor.yaml b/helm/sealed-secrets/templates/servicemonitor.yaml
index d94cae68b..5d31551dd 100644
--- a/helm/sealed-secrets/templates/servicemonitor.yaml
+++ b/helm/sealed-secrets/templates/servicemonitor.yaml
@@ -12,6 +12,9 @@ metadata:
 {{- if .Values.metrics.serviceMonitor.labels }}
 {{- include "sealed-secrets.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }}
 {{- end }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 {{- if .Values.metrics.serviceMonitor.annotations }}
 annotations: {{- include "sealed-secrets.render" (dict "value" .Values.metrics.serviceMonitor.annotations "context" $) | nindent 4 }}
 {{- end }}
diff --git a/helm/sealed-secrets/templates/tls-secret.yaml b/helm/sealed-secrets/templates/tls-secret.yaml
index 79bc5bd79..161cb7cdf 100644
--- a/helm/sealed-secrets/templates/tls-secret.yaml
+++ b/helm/sealed-secrets/templates/tls-secret.yaml
@@ -7,6 +7,9 @@ metadata:
 name: {{ .name }}
 namespace: {{ include "sealed-secrets.namespace" $ | quote }}
 labels: {{- include "sealed-secrets.labels" $ | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
 tls.crt: {{ .certificate | b64enc }}
@@ -23,6 +26,9 @@ metadata:
 name: {{ printf "%s-tls" .Values.ingress.hostname }}
 namespace: {{ include "sealed-secrets.namespace" . }}
 labels: {{- include "sealed-secrets.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "sealed-secrets.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+ {{- end }}
 type: kubernetes.io/tls
 data:
 tls.crt: {{ $cert.Cert | b64enc | quote }}
diff --git a/helm/sealed-secrets/values.yaml b/helm/sealed-secrets/values.yaml
index 7417e2d67..6d3c090a4 100644
--- a/helm/sealed-secrets/values.yaml
+++ b/helm/sealed-secrets/values.yaml
@@ -21,6 +21,11 @@ extraDeploy: []
 ##
 commonAnnotations: {}
+## @param commonLabels [ojbect] Labels to add to all deployed resources
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+commonLabels: {}
+
 ## @section Sealed Secrets Parameters
 ## Sealed Secrets image
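Review bot: The added `@param` line in `values.yaml` spells the type modifier `[ojbect]`. If the README parameter table is generated from these annotations, as the `@param`/`@section` markers suggest, a misspelled modifier is likely to be rejected or ignored by the generator. Change the line to `## @param commonLabels [object] Labels to add to all deployed resources`.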