Merge pull request #3 from IFRCGo/feature/setup-secret-vault

Author: thenav56

helm/snapshots/alpha-1.yaml

@@ -15,7 +15,7 @@ metadata:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: release-name-cacheppuccino-helm
+  name: release-name-cacheppuccino-helm-vault-secret
   labels:
     helm.sh/chart: cacheppuccino-helm-0.1.0
     app.kubernetes.io/name: cacheppuccino-helm
@@ -24,7 +24,7 @@ metadata:
     app.kubernetes.io/managed-by: Helm
 type: Opaque
 stringData:
-  TRANSLATION_API_KEY: "test"
+  TRANSLATION_API_KEY: "dummy"
 ---
 # Source: cacheppuccino-helm/templates/configmap.yaml
 apiVersion: v1
@@ -38,17 +38,14 @@ metadata:
     app.kubernetes.io/version: "0.1.0"
     app.kubernetes.io/managed-by: Helm
 data:
+  SQLITE_PATH: "/data/cacheppuccino.db"
+  HTTP_TIMEOUT: "1m"
+  INITIAL_PULL_DEADLINE: "2m"
   LISTEN_ADDR: ":8080"
   LOG_LEVEL: "info"
-
-  TRANSLATION_BASE_URL: "https://ifrc-translationapi.azurewebsites.net"
-  TRANSLATION_APPLICATION_ID: "18"
-
   PULL_INTERVAL: "10m"
-  HTTP_TIMEOUT: "1m"
-  INITIAL_PULL_DEADLINE: "2m"
-
-  SQLITE_PATH: "/data/cacheppuccino.db"
+  TRANSLATION_APPLICATION_ID: "18"
+  TRANSLATION_BASE_URL: "https://ifrc-translationapi.azurewebsites.net"
 ---
 # Source: cacheppuccino-helm/templates/pvc.yaml
 apiVersion: v1
@@ -96,6 +93,8 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: release-name-cacheppuccino-helm
+  annotations:
+    reloader.stakater.com/auto: "true"
   labels:
     helm.sh/chart: cacheppuccino-helm-0.1.0
     app.kubernetes.io/name: cacheppuccino-helm
@@ -126,12 +125,8 @@ spec:
           envFrom:
             - configMapRef:
                 name: release-name-cacheppuccino-helm
-          env:
-            - name: TRANSLATION_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: release-name-cacheppuccino-helm
-                  key: "TRANSLATION_API_KEY"
+            - secretRef:
+                name: release-name-cacheppuccino-helm-vault-secret
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true

helm/snapshots/staging.yaml

@@ -0,0 +1,220 @@
+---
+# Source: cacheppuccino-helm/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ifrcgo-cacheppuccino
+  labels:
+    helm.sh/chart: cacheppuccino-helm-0.1.0
+    app.kubernetes.io/name: cacheppuccino-helm
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    azure.workload.identity/client-id: test_id
+---
+# Source: cacheppuccino-helm/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ifrcgo-cacheppuccino
+  labels:
+    helm.sh/chart: cacheppuccino-helm-0.1.0
+    app.kubernetes.io/name: cacheppuccino-helm
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+data:
+  SQLITE_PATH: "/data/cacheppuccino.db"
+  HTTP_TIMEOUT: "30s"
+  INITIAL_PULL_DEADLINE: "45s"
+  LISTEN_ADDR: ":8080"
+  LOG_LEVEL: "info"
+  PULL_INTERVAL: "10m"
+  TRANSLATION_APPLICATION_ID: "18"
+  TRANSLATION_BASE_URL: "https://ifrc-test-translationapi.azurewebsites.net"
+---
+# Source: cacheppuccino-helm/templates/pvc.yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ifrcgo-cacheppuccino
+  labels:
+    helm.sh/chart: cacheppuccino-helm-0.1.0
+    app.kubernetes.io/name: cacheppuccino-helm
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: "512Mi"
+---
+# Source: cacheppuccino-helm/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: ifrcgo-cacheppuccino
+  labels:
+    helm.sh/chart: cacheppuccino-helm-0.1.0
+    app.kubernetes.io/name: cacheppuccino-helm
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: cacheppuccino-helm
+    app.kubernetes.io/instance: release-name
+---
+# Source: cacheppuccino-helm/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ifrcgo-cacheppuccino
+  annotations:
+    reloader.stakater.com/auto: "true"
+  labels:
+    helm.sh/chart: cacheppuccino-helm-0.1.0
+    app.kubernetes.io/name: cacheppuccino-helm
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cacheppuccino-helm
+      app.kubernetes.io/instance: release-name
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: cacheppuccino-helm
+        app.kubernetes.io/instance: release-name
+        azure.workload.identity/use: "true"
+    spec:
+      serviceAccountName: ifrcgo-cacheppuccino
+      containers:
+        - name: cacheppuccino
+          image: "ghcr.io/ifrcgo/cacheppuccino:SET-BY-CICD-TAG"
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: ifrcgo-cacheppuccino
+            - secretRef:
+                name: ifrcgo-cacheppuccino-vault-secret
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsGroup: 0
+            runAsUser: 0
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 2
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 2
+            failureThreshold: 6
+          resources:
+            limits:
+              cpu: 500m
+              memory: 512Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          volumeMounts:
+            - name: sqlite
+              mountPath: "/data"
+            - name: secrets-store
+              mountPath: "/mnt/secrets-store"
+              readOnly: true
+      volumes:
+        - name: sqlite
+          persistentVolumeClaim:
+            claimName: ifrcgo-cacheppuccino
+        - name: secrets-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: ifrcgo-cacheppuccino-secret-provider
+---
+# Source: cacheppuccino-helm/templates/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ifrcgo-cacheppuccino
+  labels:
+    helm.sh/chart: cacheppuccino-helm-0.1.0
+    app.kubernetes.io/name: cacheppuccino-helm
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: "cacheppuccino-test-stage.ifrc.org"
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: ifrcgo-cacheppuccino
+                port:
+                  number: 8080
+  tls:
+    - secretName: cacheppuccino-helm-secret-cert-test
+      hosts:
+        - "cacheppuccino-test-stage.ifrc.org"
+---
+# Source: cacheppuccino-helm/templates/secret-provider-class.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: ifrcgo-cacheppuccino-secret-provider
+  labels:
+    helm.sh/chart: cacheppuccino-helm-0.1.0
+    app.kubernetes.io/name: cacheppuccino-helm
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  provider: azure
+  parameters:
+    clientID: test_client_id
+    keyvaultName: test_key_vault_name
+    tenantId: test_tenant_id
+    usePodIdentity: "false"
+    useVMManagedIdentity: "false"
+    objects: |
+      array:
+        - |
+          objectName: TRANSLATION-API-KEY
+          objectType: secret
+  secretObjects:
+    - secretName: ifrcgo-cacheppuccino-vault-secret
+      type: Opaque
+      data:
+        - objectName: TRANSLATION-API-KEY
+          key: TRANSLATION_API_KEY

helm/templates/_helpers.tpl

@@ -31,3 +31,19 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- default "default" .Values.serviceAccount.name -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "cacheppuccino.secretProviderName" -}}
+{{- if .Values.secretsStoreCsiDriver.secretProviderClassName -}}
+{{- .Values.secretsStoreCsiDriver.secretProviderClassName -}}
+{{- else -}}
+{{- printf "%s-secret-provider" (include "cacheppuccino.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "cacheppuccino.secretName" -}}
+{{- if .Values.secretsStoreCsiDriver.secretName -}}
+{{- .Values.secretsStoreCsiDriver.secretName -}}
+{{- else -}}
+{{- printf "%s-vault-secret" (include "cacheppuccino.fullname" .) -}}
+{{- end -}}
+{{- end -}}

helm/templates/configmap.yaml

@@ -6,15 +6,10 @@ metadata:
   labels:
     {{- include "cacheppuccino.labels" . | nindent 4 }}
 data:
-  LISTEN_ADDR: {{ .Values.app.listenAddr | quote }}
-  LOG_LEVEL: {{ .Values.app.logLevel | quote }}
-
-  TRANSLATION_BASE_URL: {{ .Values.app.translation.baseUrl | quote }}
-  TRANSLATION_APPLICATION_ID: {{ .Values.app.translation.applicationId | quote }}
-
-  PULL_INTERVAL: {{ .Values.app.pull.interval | quote }}
-  HTTP_TIMEOUT: {{ .Values.app.pull.httpTimeout | quote }}
-  INITIAL_PULL_DEADLINE: {{ .Values.app.pull.initialPullDeadline | quote }}
-
+  {{- if .Values.sqlite.enabled }}
   SQLITE_PATH: {{ printf "%s/%s" .Values.sqlite.mountPath .Values.sqlite.filename | quote }}
+  {{- end }}
+  {{- range $name, $value := .Values.env }}
+  {{ $name }}: {{ tpl $value $ | quote }}
+  {{- end }}
 {{- end }}

helm/templates/deployment.yaml

@@ -3,6 +3,8 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "cacheppuccino.fullname" . }}
+  annotations:
+    reloader.stakater.com/auto: "true"
   labels:
     {{- include "cacheppuccino.labels" . | nindent 4 }}
 spec:
@@ -42,12 +44,8 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "cacheppuccino.fullname" . }}
-          env:
-            - name: TRANSLATION_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ default (include "cacheppuccino.fullname" .) .Values.app.translation.existingSecret.name }}
-                  key: {{ .Values.app.translation.existingSecret.key | quote }}
+            - secretRef:
+                name: {{ include "cacheppuccino.secretName" . }}
           {{- with .Values.securityContext }}
           securityContext:
             {{- toYaml . | nindent 12 }}
@@ -75,12 +73,25 @@ spec:
             - name: sqlite
               mountPath: {{ .Values.sqlite.mountPath | quote }}
             {{- end }}
+            {{- if .Values.secretsStoreCsiDriver.enabled }}
+            - name: secrets-store
+              mountPath: "/mnt/secrets-store"
+              readOnly: true
+            {{- end }}
       volumes:
         {{- if .Values.sqlite.enabled }}
         - name: sqlite
           persistentVolumeClaim:
             claimName: {{ default (include "cacheppuccino.fullname" .) .Values.sqlite.existingClaim }}
         {{- end }}
+        {{- if .Values.secretsStoreCsiDriver.enabled }}
+        - name: secrets-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: {{ include "cacheppuccino.secretProviderName" . }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}