feat: enhance templates to handle secrets

Author: ferruhcihan

charts/prometheus-msteams/templates/deployment.yaml

@@ -41,7 +41,10 @@ spec:
           configMap:
             name: {{ template "app.name" . }}-card-template
       {{- if .Values.extraConfigmapMounts }}
-      {{ toYaml .Values.extraConfigmapMounts | nindent 8 }}
+        {{- toYaml .Values.extraConfigmapMounts | nindent 8 }}
+      {{- end }}
+      {{- if .Values.extraVolumes }}
+        {{- toYaml .Values.extraVolumes | nindent 8 }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
@@ -69,7 +72,7 @@ spec:
           {{ toYaml .Values.extraVolumeMounts | nindent 12 }}
           {{- end }}
           args:
-            - -config-file=/etc/config/connectors.yaml
+            - -config-file={{ .Values.configFile }}
             - -template-file={{ .Values.templateFile }}
 {{- if .Values.workflowWebhook }}
             - -workflow-webhook={{ .Values.workflowWebhook }}

charts/prometheus-msteams/values.yaml

@@ -67,12 +67,17 @@ customCardTemplate: ""
 
 templateFile: /etc/template/card.tmpl
 
+configFile: /etc/config/connectors.yaml
+
 extraConfigmapMounts: []
 # extraConfigmapMounts:
 #   - name: customConfigMap
 #     configMap:
 #       name: customConfigMapName
 
+## Additional Volumes
+extraVolumes: []
+
 ## Additional Volume mounts
 extraVolumeMounts: []
 # extraVolumeMounts:

helmfile.d/helmfile-10.monitoring.yaml.gotmpl

@@ -32,7 +32,23 @@ releases:
     installed: {{ and ($a | get "loki.enabled") (not ($a | get "loki.enableOpenTelemetry")) }}
     namespace: monitoring
     <<: *default
+  - name: prometheus-msteams-artifacts
+    installed: {{ has "msteams" ($v | get "alerts.receivers") }}
+    namespace: monitoring
+    <<: *raw
   - name: prometheus-msteams
     installed: {{ has "msteams" ($v | get "alerts.receivers") }}
     namespace: monitoring
-    <<: *default
+    missingFileHandler: Debug
+    chart: ../charts/prometheus-msteams
+    values:
+      - ../values/prometheus-msteams/prometheus-msteams.gotmpl
+      - snippets/common.gotmpl
+      - configFile: /etc/secret/connectors.yaml
+        extraVolumes:
+          - name: connectors-secret
+            secret:
+              secretName: prometheus-msteams-connectors
+        extraVolumeMounts:
+          - name: connectors-secret
+            mountPath: /etc/secret

tests/fixtures/env/apps/kubeflow-pipelines.yaml

@@ -7,5 +7,4 @@ spec:
     persistence:
         mysql:
             size: 20Gi
-    rootPassword: mysqlsomesecretvalue
     _rawValues: {}

tests/fixtures/env/settings/alerts.yaml

@@ -6,7 +6,5 @@ spec:
     receivers:
         - slack
         - msteams
-    msteams:
-        highPrio: https://xxxxxxx.com
-        lowPrio: https://xxxxxxxx.com
+    msteams: {}
     slack: {}

tests/fixtures/env/settings/obj.yaml

@@ -6,7 +6,6 @@ spec:
     provider:
         linode:
             accessKeyId: someaccessKeyId
-            secretAccessKey: somesecretvalue
             buckets:
                 cnpg: my-clusterid-cnpg
                 gitea: my-clusterid-gitea

tests/fixtures/env/settings/otomi.yaml

@@ -5,7 +5,6 @@ metadata:
 spec:
     globalPullSecret:
         username: otomi
-        password: blablabla
     hasExternalDNS: true
     hasExternalIDP: false
     nodeSelector:

values/k8s/k8s-raw-teams.gotmpl

@@ -1,6 +1,5 @@
 {{- $v := .Values }}
 {{- $cm := $v.apps | get "cert-manager" }}
-{{- $dockerConfigTpl := readFile "../../helmfile.d/snippets/dockercfg.gotmpl" }}
 resources:
   {{- range $id, $team := omit $v.teamConfig "admin"}}
     {{- $ns := printf "team-%s" $id }}
@@ -17,14 +16,31 @@ resources:
         istio-injection: enabled
         {{- end }}
     {{- with $v.otomi | get "globalPullSecret" nil }}
-  - apiVersion: v1
-    kind: Secret
-    type: kubernetes.io/dockerconfigjson
+    {{- $gpsUsername := . | get "username" "" }}
+    {{- $gpsServer := . | get "server" "docker.io" }}
+    {{- $gpsEmail := . | get "email" "not@val.id" }}
+  - apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
     metadata:
       name: otomi-pullsecret-global
       namespace: {{ $ns }}
-    data:
-      .dockerconfigjson: {{ tpl $dockerConfigTpl . | b64enc }}
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: core-secrets-store
+        kind: ClusterSecretStore
+      target:
+        name: otomi-pullsecret-global
+        creationPolicy: Owner
+        template:
+          type: kubernetes.io/dockerconfigjson
+          data:
+            .dockerconfigjson: '{"auths":{"{{ $gpsServer }}":{"username":"{{ $gpsUsername }}","password":"{{ "{{ .password | toString }}" }}","email":"{{ $gpsEmail }}"}}}'
+      data:
+        - secretKey: password
+          remoteRef:
+            key: otomi-secrets
+            property: globalPullSecret_password
     {{- end }}
   # patching service account here as helm does not recognize it as it's own
   - apiVersion: v1

values/k8s/k8s-raw.gotmpl

@@ -1,6 +1,5 @@
 {{- $v := .Values }}
 {{- $cm := $v.apps | get "cert-manager" }}
-{{- $dockerConfigTpl := readFile "../../helmfile.d/snippets/dockercfg.gotmpl" }}
 resources:
   {{- if  ( (hasKey $v "bootstrap"))}}
   - {{- $v.bootstrap | toYaml | nindent 4 }}
@@ -21,14 +20,31 @@ resources:
         {{- end }}
         {{- with $ns | get "labels" nil }}{{ toYaml . | nindent 8 }}{{ end }}
       {{- with $v.otomi | get "globalPullSecret" nil }}
-  - apiVersion: v1
-    kind: Secret
-    type: kubernetes.io/dockerconfigjson
+      {{- $gpsUsername := . | get "username" "" }}
+      {{- $gpsServer := . | get "server" "docker.io" }}
+      {{- $gpsEmail := . | get "email" "not@val.id" }}
+  - apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
     metadata:
       name: otomi-pullsecret-global
       namespace: {{ $ns.name }}
-    data:
-      .dockerconfigjson: {{ tpl $dockerConfigTpl . | b64enc }}
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: core-secrets-store
+        kind: ClusterSecretStore
+      target:
+        name: otomi-pullsecret-global
+        creationPolicy: Owner
+        template:
+          type: kubernetes.io/dockerconfigjson
+          data:
+            .dockerconfigjson: '{"auths":{"{{ $gpsServer }}":{"username":"{{ $gpsUsername }}","password":"{{ "{{ .password | toString }}" }}","email":"{{ $gpsEmail }}"}}}'
+      data:
+        - secretKey: password
+          remoteRef:
+            key: otomi-secrets
+            property: globalPullSecret_password
       {{- end }}
   - apiVersion: v1
     kind: ServiceAccount

values/kubeflow-pipelines/kubeflow-pipelines-raw.gotmpl

@@ -1,29 +1,60 @@
 {{- $v := .Values }}
-{{- $kfp := index $v.apps "kubeflow-pipelines" }}
 {{- $obj := $v.obj.provider }}
 {{- $httpRoute := tpl (readFile "../../helmfile.d/snippets/routes.gotmpl") $v | fromYaml }}
 {{- $hostname := print "kubeflow-pipelines." $v.cluster.domainSuffix }}
 resources:
-  - apiVersion: v1
-    kind: Secret
+  - apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
     metadata:
-      labels:
-        app: kubeflow-pipelines
       name: kfp-mysql-secret
-    data:
-      password: "{{ $kfp.rootPassword | b64enc }}"
-      username: "{{ "root" | b64enc }}"
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: core-secrets-store
+        kind: ClusterSecretStore
+      target:
+        name: kfp-mysql-secret
+        creationPolicy: Owner
+        template:
+          type: Opaque
+          data:
+            username: root
+            password: '{{ "{{ .rootPassword | toString }}" }}'
+      data:
+        - secretKey: rootPassword
+          remoteRef:
+            key: kubeflow-pipelines-secrets
+            property: rootPassword
+  {{- if eq $obj.type "linode" }}
+  - apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: mlpipeline-obj-artifact
+    spec:
+      refreshInterval: 1h
+      secretStoreRef:
+        name: core-secrets-store
+        kind: ClusterSecretStore
+      target:
+        name: mlpipeline-obj-artifact
+        creationPolicy: Owner
+        template:
+          type: Opaque
+          data:
+            accesskey: {{ $obj.linode.accessKeyId }}
+            secretkey: '{{ "{{ .secretAccessKey | toString }}" }}'
+      data:
+        - secretKey: secretAccessKey
+          remoteRef:
+            key: obj-secrets
+            property: provider_linode_secretAccessKey
+  {{- else }}
   - apiVersion: v1
     kind: Secret
     metadata:
-      labels:
-        app: kubeflow-pipelines
       name: mlpipeline-obj-artifact
-    data:
-      {{- if eq $obj.type "linode" }}
-      accesskey: "{{ $obj.linode.accessKeyId | b64enc }}"
-      secretkey: "{{ $obj.linode.secretAccessKey | b64enc }}"
-      {{- end }}
+    data: {}
+  {{- end }}
   - apiVersion: gateway.networking.k8s.io/v1
     kind: HTTPRoute
     metadata: