From 756dea707b1ced9de800cdabfded6dfc100e340e Mon Sep 17 00:00:00 2001
From: davidpoltorak-io <109518299+davidpoltorak-io@users.noreply.github.com>
Date: Tue, 22 Aug 2023 09:34:37 +0100
Subject: [PATCH] feat: allow external API keys to be defined for an agent (#643)
Signed-off-by: David Poltorak
---
 .../charts/agent/templates/_helpers.tpl | 3 +++
 .../agent/templates/apisixconsumer.yaml | 17 +++++++++++++++
 .../agent/templates/externalsecret.yaml | 21 +++++++++++++++++++
 infrastructure/charts/agent/values.yaml | 4 ++++
 4 files changed, 45 insertions(+)
diff --git a/infrastructure/charts/agent/templates/_helpers.tpl b/infrastructure/charts/agent/templates/_helpers.tpl
index c2b9bb2f7c..8cf20f9d47 100644
--- a/infrastructure/charts/agent/templates/_helpers.tpl
+++ b/infrastructure/charts/agent/templates/_helpers.tpl
@@ -16,6 +16,9 @@
 {{- range .Values.ingress.consumers }}
 - {{ regexReplaceAll "-" $.Release.Name "_" }}_{{ regexReplaceAll "-" . "_" | lower }}
 {{- end }}
+ {{- range .Values.ingress.externalConsumers }}
+ - {{ regexReplaceAll "-" $.Release.Name "_" }}_{{ regexReplaceAll "-" . "_" | lower }}
+ {{- end }}
 {{- end -}}
 {{- define "labels.common" -}}
 app.kubernetes.io/part-of: prism-agent
diff --git a/infrastructure/charts/agent/templates/apisixconsumer.yaml b/infrastructure/charts/agent/templates/apisixconsumer.yaml
index dbf17985c1..6aa2bc65ed 100644
--- a/infrastructure/charts/agent/templates/apisixconsumer.yaml
+++ b/infrastructure/charts/agent/templates/apisixconsumer.yaml
@@ -16,3 +16,20 @@ spec:
 ---
 {{- end }}
 {{- end }}
+
+{{- $root := . -}}
+{{- range $consumer := .Values.ingress.externalConsumers }}
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+ name: "{{ $consumer | lower }}"
+ namespace: "{{ $root.Release.Namespace }}"
+ labels:
+ {{ template "labels.common" . }}
+spec:
+ authParameter:
+ keyAuth:
+ secretRef:
+ name: "{{ $root.Values.ingress.externalConsumerKeyPrefix }}-{{ $consumer | lower }}"
+---
+{{- end }}
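Review bot: In _helpers.tpl the new whitelist entries are keyed on `$.Release.Name`, while the ApisixConsumer this commit adds in apisixconsumer.yaml is named `{{ $consumer | lower }}` and placed in `$root.Release.Namespace`. If the gateway derives consumer usernames from namespace and resource name (as the APISIX ingress controller normally does), the entry `<release>_<consumer>` matches only when the release name equals the namespace, and an external consumer would otherwise be rejected by the whitelist. Either build the entry from `$.Release.Namespace` or put a comment above the range, e.g. `{{- /* assumes Release.Name == Release.Namespace; entries must equal <namespace>_<consumer> */}}`. The enclosing define starts above the hunk, so the existing `consumers` range may rest on the same assumption.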
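Review bot: In apisixconsumer.yaml, `{{ template "labels.common" . }}` sits inside `range $consumer := …`, where `.` is the current consumer string rather than the chart root, and `template` output cannot be re-indented. It renders correctly only as long as `labels.common` is a single line that reads nothing from its context; the define continues below the _helpers.tpl hunk, so that is not visible here. Prefer `{{- include "labels.common" $root | nindent 4 }}`, which uses the `$root` already captured for this loop. The same line appears in the externalsecret.yaml hunk.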
diff --git a/infrastructure/charts/agent/templates/externalsecret.yaml b/infrastructure/charts/agent/templates/externalsecret.yaml
index 39ced22be0..1d33c8ba60 100644
--- a/infrastructure/charts/agent/templates/externalsecret.yaml
+++ b/infrastructure/charts/agent/templates/externalsecret.yaml
@@ -18,3 +18,24 @@ spec:
 dataFrom:
 - extract:
 key: {{ .Values.secrets.dockerRegistryToken }}
+
+---
+
+{{- $root := . -}}
+{{- range $consumer := .Values.ingress.externalConsumers }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: "{{ $root.Values.ingress.externalConsumerKeyPrefix }}-{{ $consumer | lower }}"
+ labels:
+ {{ template "labels.common" . }}
+spec:
+ refreshInterval: "0"
+ secretStoreRef:
+ name: {{ $root.Values.secrets.secretStore | quote }}
+ kind: ClusterSecretStore
+ dataFrom:
+ - extract:
+ key: "{{ $root.Values.ingress.externalConsumerKeyPrefix }}-{{ $consumer | lower }}"
+---
+{{- end }}
diff --git a/infrastructure/charts/agent/values.yaml b/infrastructure/charts/agent/values.yaml
index 70db311663..cd458e08a2 100644
--- a/infrastructure/charts/agent/values.yaml
+++ b/infrastructure/charts/agent/values.yaml
@@ -7,6 +7,10 @@ ingress:
 enabled: true
 allow_origins: "*"
 consumers: []
+ # External Consumers are ones where the secret keys/API tokens
+ # are pulled in using External Secrets [and therefore aren't generated by helm]
+ externalConsumerKeyPrefix: chart-base-key-prefix
+ externalConsumers: []
 secrets:
 secretStore: chart-base-secretstore
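Review bot: In externalsecret.yaml, `refreshInterval: "0"` tells External Secrets to fetch each consumer key once and never re-sync, so a key rotated or revoked in the secret store stays valid at the gateway until the ExternalSecret is recreated. For credentials managed outside the chart a periodic refresh is the safer default, e.g. `refreshInterval: {{ $root.Values.ingress.externalConsumerKeyRefreshInterval | default "1h" | quote }}` (the values key is a proposed name, not an existing one). The remote entry also has to expose a property named `key`, since `dataFrom.extract` copies properties verbatim and the ApisixConsumer `keyAuth.secretRef` reads that field; a comment above `dataFrom` should say so.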
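Review bot: The comment added in values.yaml does not state the contract an operator has to meet. Each name in `externalConsumers` resolves to a secret-store entry called `<externalConsumerKeyPrefix>-<consumer, lower-cased>` in the store named by `secrets.secretStore`, and that entry must exist before install. I would extend the comment with `# remote key: <externalConsumerKeyPrefix>-<consumer>, looked up in secrets.secretStore`. It should also note that consumer names end up in `metadata.name`, so they must be valid lowercase DNS labels.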