feat(helm): add envFrom to export.stdout via extraEnvFrom/envFromSecrets

This commit extends the Helm chart for Tetragon by adding support
for envFrom in the export.stdout template. Specifically:

- export.stdout.extraEnvFrom: allows referencing ConfigMaps/Secrets
  via envFrom.
- export.stdout.envFromSecrets: convenience for Secrets only,
  accepts strings or objects.

Usage examples:

values.yaml
-----------
export:
  stdout:
    # Add specific env vars
    extraEnv:
      - name: LOG_LEVEL
        value: info

    # Pull multiple variables from ConfigMap/Secret via envFrom
    extraEnvFrom:
      - configMapRef:
          name: fluent-bit-config

    # Convenience for Secret envFrom
    envFromSecrets:
      - opensearch-credentials
      - name: optional-secret
        optional: true

Rendered container
------------------
env:
  - name: LOG_LEVEL
    value: info
envFrom:
  - configMapRef:
      name: fluent-bit-config
  - secretRef:
      name: opensearch-credentials
  - secretRef:
      name: optional-secret
      optional: true

Motivation:
This is useful when multiple environment variables need to be injected
from Secrets without enumerating them individually.

Author: Bagautdino

install/kubernetes/tetragon/README.md

@@ -3,23 +3,29 @@
   image: "{{ if .Values.export.stdout.image.override }}{{ .Values.export.stdout.image.override }}{{ else }}{{ .Values.export.stdout.image.repository }}:{{ .Values.export.stdout.image.tag }}{{ end }}"
   imagePullPolicy: {{ .Values.imagePullPolicy }}
   terminationMessagePolicy: FallbackToLogsOnError
-
-  env: {{- toYaml .Values.export.stdout.extraEnv | nindent 4 }}
-
-  {{- if .Values.export.stdout.extraEnvFrom }}
-  envFrom:
-  {{- toYaml .Values.export.stdout.extraEnvFrom | nindent 4 }}
-  {{- else if .Values.export.stdout.envFromSecrets }}
-  envFrom:
-  {{- range .Values.export.stdout.envFromSecrets }}
-    - secretRef:
-        name: {{ .name | default . }}
-        {{- if hasKey . "optional" }}
-        optional: {{ .optional }}
-        {{- end }}
+  {{- with .Values.export.stdout.extraEnv }}
+  env:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- $envFrom := list }}
+  {{- with .Values.export.stdout.extraEnvFrom }}
+    {{- $envFrom = concat $envFrom . }}
   {{- end }}
+  {{- range $item := .Values.export.stdout.envFromSecrets }}
+    {{- if kindIs "map" $item }}
+      {{- $sr := dict "name" ($item.name | default "") }}
+      {{- if hasKey $item "optional" }}
+        {{- $_ := set $sr "optional" $item.optional }}
+      {{- end }}
+      {{- $envFrom = append $envFrom (dict "secretRef" $sr) }}
+    {{- else }}
+      {{- $envFrom = append $envFrom (dict "secretRef" (dict "name" $item)) }}
+    {{- end }}
+  {{- end }}
+  {{- if gt (len $envFrom) 0 }}
+  envFrom:
+    {{- toYaml $envFrom | nindent 4 }}
   {{- end }}
-
   securityContext:
     {{- toYaml .Values.export.securityContext | nindent 4 }}
   resources:
@@ -48,4 +54,4 @@
       {{- with .Values.export.stdout.extraVolumeMounts }}
         {{- toYaml . | nindent 4 }}
       {{- end }}      
-{{- end }}
+{{- end }}

install/kubernetes/tetragon/templates/_container_export_stdout.tpl

@@ -350,10 +350,37 @@ export:
     - tetragon.log
   # stdout specific exporter settings
   stdout:
-    extraEnv: []
+    # -- Extra environment variables to add to the export-stdout container.
+    # Example:
     # extraEnv:
-    #   - name: foo
+    #   - name: FOO
     #     value: bar
+    #   - name: SECRET_KEY
+    #     valueFrom:
+    #       secretKeyRef:
+    #         name: my-secret
+    #         key: secret-key
+    extraEnv: []
+    
+    # -- Extra envFrom sources to add to the export-stdout container.
+    # This allows adding any type of envFrom source (configMapRef, secretRef, etc.).
+    # Example:
+    # extraEnvFrom:
+    #   - configMapRef:
+    #       name: my-config-map
+    #   - secretRef:
+    #       name: my-secret
+    #       optional: true
+    extraEnvFrom: []
+    
+    # -- A simplified way to add secret references to envFrom.
+    # Can be specified either as a string (just the secret name) or as an object with additional parameters.
+    # Example:
+    # envFromSecrets:
+    #   - my-simple-secret
+    #   - name: my-optional-secret
+    #     optional: true
+    envFromSecrets: []
 
     # * When enabledCommand=true and commandOverride is not set, the command inserted will be hubble-export-stdout.
     #   This supports the default for the current deployment instructions to deploy stdout-export sidecar container.