feat: vault-sidecare-autoloader - copied logic from helm-service

charts/app/templates/backend/templates/_helpers.tpl

@@ -40,3 +40,36 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 
+{{/*
+Vault Sideloader Annotations
+*/}}
+{{- define "backend.vaultAnnotations" -}}
+{{- if and .Values.backend.vault .Values.backend.vault.enabled }}
+# 1. Vault injector configuration goes here, inside the template.
+vault.hashicorp.com/agent-inject: 'true'
+vault.hashicorp.com/agent-inject-token: 'true'
+vault.hashicorp.com/agent-pre-populate-only: 'true' # this makes sure the secret vault will only change during pod restart
+vault.hashicorp.com/auth-path: auth/k8s-silver  # This was tricky.  Be sure to use k8s-silver, k8s-gold, or k8s-golddr
+vault.hashicorp.com/namespace: platform-services
+vault.hashicorp.com/role: {{tpl .Values.backend.vault.role .}}  # licenseplate-nonprod or licenseplate-prod are your options
+{{- if .Values.backend.vault.resources }}
+vault.hashicorp.com/agent-requests-cpu: {{.Values.backend.vault.resources.requests.cpu }}
+vault.hashicorp.com/agent-limits-cpu: {{.Values.backend.vault.resources.limits.cpu }}
+vault.hashicorp.com/agent-requests-mem: {{.Values.backend.vault.resources.requests.memory }}
+vault.hashicorp.com/agent-limits-mem: {{.Values.backend.vault.resources.limits.memory }}
+{{- end }}
+
+# Configure how to retrieve and populate the secrets from Vault:
+# - The name of the secret is any unique string after vault.hashicorp.com/agent-inject-secret-<name>
+# - The value is the path in Vault where the secret is located.
+{{- range $k := .Values.backend.vault.secretPaths }}
+vault.hashicorp.com/agent-inject-secret-{{tpl $k $}}:    {{tpl $.Values.backend.vault.role $}}/{{tpl $k $}}
+vault.hashicorp.com/agent-inject-template-{{tpl $k $}}: |
+  {{ printf "%s" "{{" }}- with secret "{{tpl $.Values.backend.vault.role $}}/{{tpl $k $}}"{{ printf "%s" "}}" }}
+  {{ printf "%s" "{{" }}- range $k,$v := .Data.data{{ printf "%s" "}}"  }}
+  export {{"{{"}}$k{{"}}"}}="{{"{{"}}$v{{"}}"}}"
+  {{ printf "%s" "{{" }}- end{{ printf "%s" "}}" }}
+  {{ printf "%s" "{{" }}- end{{ printf "%s" "}}" }}
+{{- end }}
+{{- end }}
+{{- end }}

charts/app/templates/backend/templates/deployment.yaml

@@ -17,6 +17,9 @@ spec:
   template:
     metadata:
       annotations:
+        {{- if and .Values.backend.vault .Values.backend.vault.enabled }}
+        {{- include "backend.vaultAnnotations" . | nindent 8 }}
+        {{- end }}
         rollme: {{ randAlphaNum 5 | quote }}
         prometheus.io/scrape: 'true'
         prometheus.io/port: '3000'
@@ -49,12 +52,21 @@ spec:
             requests:
               cpu: 50m
               memory: 25Mi
+      {{- if $.Values.backend.serviceAccount }}
+      serviceAccountName: {{tpl $.Values.backend.serviceAccount.name .}}
+      {{- end }}
       containers:
         - name: {{ include "backend.fullname" . }}
           {{- if .Values.backend.securityContext }}
           securityContext:
             {{- toYaml .Values.backend.securityContext | nindent 12 }}
           {{- end }}
+          {{- if (index .Values.backend.containers 0).command }}
+          command:
+            {{- range (index .Values.backend.containers 0).command }}
+            - "{{tpl . $}}"
+          {{- end }}
+          {{- end}}
           image: "{{.Values.global.registry}}/{{.Values.global.repository}}/backend:{{ .Values.global.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ default "Always" .Values.backend.imagePullPolicy }}
           envFrom:

charts/app/values.yaml

@@ -27,6 +27,19 @@ backend:
   enabled: true
   #-- the deployment strategy, can be "Recreate" or "RollingUpdate"
   deploymentStrategy: Recreate
+  containers:
+    - name: backend
+      command:
+        - "sh"
+        - "-c"
+        - "source /vault/secrets/dev/api-1 && \
+           source /vault/secrets/dev/api-2 && \ 
+           source /vault/secrets/test/api-1 && \
+           source /vault/secrets/test/api-2 && \
+           source /vault/secrets/prod/api-1 && \
+           source /vault/secrets/prod/api-2 && \
+           caddy fmt /etc/caddy/Caddyfile"
+
   #-- autoscaling for the component. it is optional and is an object.
   autoscaling:
     #-- enable or disable autoscaling.
@@ -37,12 +50,16 @@ backend:
     maxReplicas: 7
     #-- the target cpu utilization percentage, is from request cpu and NOT LIMIT CPU.
     targetCPUUtilizationPercentage: 80
+  # -- Create a service account used to bind with vault.
+  # -- name is required, MUST BE #licenseplate-vault
+  serviceAccount:
+    name: "<LICENSEPLATE>-vault"
   #-- vault, for injecting secrets from vault. it is optional and is an object. it creates an initContainer which reads from vault and app container can source those secrets. for referring to a working example with vault follow this link: https://github.com/bcgov/onroutebc/blob/main/charts/onroutebc/values.yaml#L171-L186
   vault:
     #-- enable or disable vault.
-    enabled: false
+    enabled: true
     #-- the role of the vault. it is required, #licenseplate-prod or licenseplate-nonprod, license plate is the namespace without env
-    role: ~
+    role: "<LICENSEPLATE>-nonprod"
     #-- the vault path where the secrets live. it is required, dev/api-1, dev/api-2, test/api-1 etc...
     secretPaths:
       - dev/api-1