diff --git a/charts/app/templates/backend/templates/_helpers.tpl b/charts/app/templates/backend/templates/_helpers.tpl
index 305a674ad..58dc9089e 100644
--- a/charts/app/templates/backend/templates/_helpers.tpl
+++ b/charts/app/templates/backend/templates/_helpers.tpl
@@ -40,3 +40,36 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+{{/*
+Vault Sideloader Annotations
+*/}}
+{{- define "backend.vaultAnnotations" -}}
+{{- if and .Values.backend.vault .Values.backend.vault.enabled }}
+# 1. Vault injector configuration goes here, inside the template.
+vault.hashicorp.com/agent-inject: 'true'
+vault.hashicorp.com/agent-inject-token: 'true'
+vault.hashicorp.com/agent-pre-populate-only: 'true' # this makes sure the secret vault will only change during pod restart
+vault.hashicorp.com/auth-path: auth/k8s-silver # This was tricky. Be sure to use k8s-silver, k8s-gold, or k8s-golddr
+vault.hashicorp.com/namespace: platform-services
+vault.hashicorp.com/role: {{tpl .Values.backend.vault.role .}} # licenseplate-nonprod or licenseplate-prod are your options
+{{- if .Values.backend.vault.resources }}
+vault.hashicorp.com/agent-requests-cpu: {{.Values.backend.vault.resources.requests.cpu }}
+vault.hashicorp.com/agent-limits-cpu: {{.Values.backend.vault.resources.limits.cpu }}
+vault.hashicorp.com/agent-requests-mem: {{.Values.backend.vault.resources.requests.memory }}
+vault.hashicorp.com/agent-limits-mem: {{.Values.backend.vault.resources.limits.memory }}
+{{- end }}
+
+# Configure how to retrieve and populate the secrets from Vault:
+# - The name of the secret is any unique string after vault.hashicorp.com/agent-inject-secret-
+# - The value is the path in Vault where the secret is located.
+{{- range $k := .Values.backend.vault.secretPaths }}
+vault.hashicorp.com/agent-inject-secret-{{tpl $k $}}: {{tpl $.Values.backend.vault.role $}}/{{tpl $k $}}
+vault.hashicorp.com/agent-inject-template-{{tpl $k $}}: |
+ {{ printf "%s" "{{" }}- with secret "{{tpl $.Values.backend.vault.role $}}/{{tpl $k $}}"{{ printf "%s" "}}" }}
+ {{ printf "%s" "{{" }}- range $k,$v := .Data.data{{ printf "%s" "}}" }}
+ export {{"{{"}}$k{{"}}"}}="{{"{{"}}$v{{"}}"}}"
+ {{ printf "%s" "{{" }}- end{{ printf "%s" "}}" }}
+ {{ printf "%s" "{{" }}- end{{ printf "%s" "}}" }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/app/templates/backend/templates/deployment.yaml b/charts/app/templates/backend/templates/deployment.yaml
index 6d8fd5ab0..d98acf14d 100644
--- a/charts/app/templates/backend/templates/deployment.yaml
+++ b/charts/app/templates/backend/templates/deployment.yaml
@@ -17,6 +17,9 @@ spec:
 template:
 metadata:
 annotations:
+ {{- if and .Values.backend.vault .Values.backend.vault.enabled }}
+ {{- include "backend.vaultAnnotations" . | nindent 8 }}
+ {{- end }}
 rollme: {{ randAlphaNum 5 | quote }}
 prometheus.io/scrape: 'true'
 prometheus.io/port: '3000'
@@ -49,12 +52,21 @@ spec:
 requests:
 cpu: 50m
 memory: 25Mi
+ {{- if $.Values.backend.serviceAccount }}
+ serviceAccountName: {{tpl $.Values.backend.serviceAccount.name .}}
+ {{- end }}
 containers:
 - name: {{ include "backend.fullname" . }}
 {{- if .Values.backend.securityContext }}
 securityContext:
 {{- toYaml .Values.backend.securityContext | nindent 12 }}
 {{- end }}
+ {{- if (index .Values.backend.containers 0).command }}
+ command:
+ {{- range (index .Values.backend.containers 0).command }}
+ - "{{tpl . $}}"
+ {{- end }}
+ {{- end}}
 image: "{{.Values.global.registry}}/{{.Values.global.repository}}/backend:{{ .Values.global.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ default "Always" .Values.backend.imagePullPolicy }}
 envFrom:
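Review bot: The rendered agent template line `export {{$k}}="{{$v}}"` interpolates each secret value into a double-quoted shell string, so when the container `source`s the file a value containing `"`, `$` or a backtick is either expanded by the shell or breaks the whole file, which means secrets are silently restricted to a safe character set. Single-quote the value and escape embedded quotes, e.g. `export {{"{{"}}$k{{"}}"}}='{{"{{"}}$v | replaceAll "'" "'\\''"{{"}}"}}'`; the key is not validated as a shell identifier either, so a KV key with a dash would also make `source` fail. Separately, `agent-inject-token: 'true'` writes the agent's Vault token into the shared `/vault/secrets` volume where the application container can read it; if the app only consumes the rendered secret files, drop that annotation so the token is not exposed. `auth-path: auth/k8s-silver` and `namespace: platform-services` are hard-coded even though the inline comment says the auth path differs per cluster; they belong under `.Values.backend.vault` next to `role`.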
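Review bot: The `{{- if and .Values.backend.vault .Values.backend.vault.enabled }}` guard around the include repeats the identical guard inside the `backend.vaultAnnotations` helper, so the same condition now lives in two places that can drift; keep the include-site check and let the helper emit unconditionally, or the reverse. Also, when `enabled` is true but `role` is unset the include fails inside `tpl` with a nil-pointer style message; `{{ required "backend.vault.role is required" .Values.backend.vault.role }}` in the helper would fail with a message that names the missing value.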
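Review bot: `(index .Values.backend.containers 0).command` errors with an index-out-of-range template failure for any consumer that does not set `backend.containers` (the guard is only reached after `index` has already run), so the chart no longer renders with the previous values; the lookup should be wrapped in `with (first .Values.backend.containers)` so an empty or missing list is skipped. The `- "{{tpl . $}}"` element puts the templated string inside literal double quotes, so a command argument containing `"` produces invalid YAML; `{{ tpl . $ | quote }}` escapes it. The same applies to `serviceAccountName: {{tpl $.Values.backend.serviceAccount.name .}}`, which should be `| quote`, and nothing in this diff renders a ServiceAccount object, so unless one exists elsewhere in the chart the pod will reference a missing account (confirm). Minor style: `{{- end}}` on the last added line differs from `{{- end }}` used everywhere else.
```yaml
          {{- with (first .Values.backend.containers) }}
          {{- if .command }}
          command:
          {{- range .command }}
            - {{ tpl . $ | quote }}
          {{- end }}
          {{- end }}
          {{- end }}
```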
diff --git a/charts/app/values.yaml b/charts/app/values.yaml
index 3014589d4..a4b6c7341 100644
--- a/charts/app/values.yaml
+++ b/charts/app/values.yaml
@@ -27,6 +27,19 @@ backend:
 enabled: true
 #-- the deployment strategy, can be "Recreate" or "RollingUpdate"
 deploymentStrategy: Recreate
+ containers:
+ - name: backend
+ command:
+ - "sh"
+ - "-c"
+ - "source /vault/secrets/dev/api-1 && \ source /vault/secrets/dev/api-2 && \ source /vault/secrets/test/api-1 && \ source /vault/secrets/test/api-2 && \ source /vault/secrets/prod/api-1 && \ source /vault/secrets/prod/api-2 && \ caddy fmt /etc/caddy/Caddyfile"
+
 #-- autoscaling for the component. it is optional and is an object.
 autoscaling:
 #-- enable or disable autoscaling.
@@ -37,12 +50,16 @@ backend:
 maxReplicas: 7
 #-- the target cpu utilization percentage, is from request cpu and NOT LIMIT CPU.
 targetCPUUtilizationPercentage: 80
+ # -- Create a service account used to bind with vault.
+ # -- name is required, MUST BE #licenseplate-vault
+ serviceAccount:
+ name: "-vault"
 #-- vault, for injecting secrets from vault. it is optional and is an object. it creates an initContainer which reads from vault and app container can source those secrets. for referring to a working example with vault follow this link: https://github.com/bcgov/onroutebc/blob/main/charts/onroutebc/values.yaml#L171-L186
 vault:
 #-- enable or disable vault.
- enabled: false
+ enabled: true
 #-- the role of the vault. it is required, #licenseplate-prod or licenseplate-nonprod, license plate is the namespace without env
- role: ~
+ role: "-nonprod"
 #-- the vault path where the secrets live. it is required, dev/api-1, dev/api-2, test/api-1 etc...
 secretPaths:
 - dev/api-1
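Review bot: The default `command` sources the dev, test and prod secret files in one container, so every environment's credentials are expected inside every pod, which undoes the separation the per-environment Vault paths provide and makes the container fail to start as soon as one of the six files is not rendered (`source` on a missing file is fatal under `&&`). Keep the chart default to a single environment and put the other paths in per-environment values overrides, together with the matching `secretPaths` entries. `caddy fmt /etc/caddy/Caddyfile` formats the file and exits, so unless the intent is a one-shot job this looks like it should be a `caddy run`-style command; please confirm. As a point of style, the backslash-continued double-quoted scalar relies on YAML's escaped-line-break rule and breaks on a stray trailing space after `\`; a `>-` folded block scalar expresses the same single line without escapes.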
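Review bot: Flipping the chart default to `enabled: true` turns Vault injection on for every install of this chart, so a consumer that has not configured a Vault role and service account gets a pod that cannot start (the agent init container blocks until it can authenticate, as far as I can tell from the annotations in `_helpers.tpl`); an opt-in feature should stay `enabled: false` by default. The placeholder defaults `name: "-vault"` and `role: "-nonprod"` are never valid as written (a ServiceAccount name must be a DNS-1123 label and cannot start with `-`), and `tpl` on a literal string does nothing, so the comment "MUST BE #licenseplate-vault" cannot be satisfied by the default; either keep `role: ~` and `name: ~` and fail fast with `required` in the template, or template the namespace into them. Minor: the new doc comments use `# --` while the rest of the file uses `#--`; pick one so doc tooling picks them up consistently.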