return secrets back to original structure but omit them from the conf…

…igmap (#84) Signed-off-by: Mike Mason <[email protected]>
infratographer · Sep 3, 2024 · 51cd772 · 51cd772
1 parent 11319f1
commit 51cd772
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 15 deletions.
diff --git a/chart/iam-runtime-infratographer/templates/_configmap.tpl b/chart/iam-runtime-infratographer/templates/_configmap.tpl
@@ -1,6 +1,14 @@
 {{- define "iam-runtime-infratographer.configmap" }}
 {{- $values := (index .Subcharts "iam-runtime-infratographer").Values -}}
 {{- $defaultConfig := dict "server" (dict "socketPath" "/var/iam-runtime/runtime.sock") }}
+{{- $config := include "iam-runtime-infratographer.omit" (dict
+        "source" (merge $defaultConfig $values.config)
+        "omit" (list
+          "events.nats.token"
+          "accessTokenProvider.source.clientCredentials.clientSecret"
+        )
+    )
+}}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -9,5 +17,5 @@ metadata:
   labels: {{- include "common.labels.standard" $ | nindent 4 }}
 data:
   config.yaml: |
-    {{- tpl (merge $defaultConfig $values.config | toYaml) $ | nindent 4 }}
+    {{- tpl $config $ | nindent 4 }}
 {{- end }}
diff --git a/chart/iam-runtime-infratographer/templates/_helpers.tpl b/chart/iam-runtime-infratographer/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{- define "iam-runtime-infratographer.omit" }}
+  {{- $subOmit := list }}
+  {{- range .omit }}
+    {{- if contains "." . }}
+      {{- $subkey := splitList "." . | rest | join "." }}
+      {{- $subOmit = append $subOmit $subkey }}
+    {{- end}}
+  {{- end }}
+
+  {{- $result := dict }}
+  {{- range $key, $val := .source }}
+    {{- if has $key $.omit }}
+      {{- /* key is ommited */}}
+    {{- else if and $subOmit (kindIs "map" $val) }}
+      {{- $ctx := dict
+            "source" $val
+            "omit" $subOmit
+            "quiet" true
+      }}
+      {{- include "iam-runtime-infratographer.omit" $ctx }}
+      {{- $_ := set $result $key $ctx.source }}
+    {{- else }}
+      {{- $_ := set $result $key $val }}
+    {{- end }}
+  {{- end }}
+
+  {{- $_ := set . "source" $result }}
+
+  {{- if not .quiet }}
+    {{- toYaml $result }}
+  {{- end }}
+{{- end }}
diff --git a/chart/iam-runtime-infratographer/templates/_secrets.tpl b/chart/iam-runtime-infratographer/templates/_secrets.tpl
@@ -7,6 +7,10 @@ metadata:
   name: {{ include "iam-runtime-infratographer.resource.fullname" (dict "suffix" "secrets" "context" $) | quote }}
   labels: {{- include "common.labels.standard" $ | nindent 4 }}
 data:
-  IAMRUNTIME_EVENTS_NATS_TOKEN: {{ $values.secrets.nats.token | quote }}
-  IAMRUNTIME_ACCESSTOKENPROVIDER_SOURCE_CLIENTCREDENTIALS_CLIENTSECRET: {{ $values.secrets.accessToken.source.clientSecret | quote }}
+  {{- with $values.config.events.nats.token }}
+  IAMRUNTIME_EVENTS_NATS_TOKEN: {{ quote . }}
+  {{- end }}
+  {{- with $values.config.accessTokenProvider.source.clientCredentials.clientSecret }}
+  IAMRUNTIME_ACCESSTOKENPROVIDER_SOURCE_CLIENTCREDENTIALS_CLIENTSECRET: {{ quote . }}
+  {{- end }}
 {{- end }}
diff --git a/chart/iam-runtime-infratographer/values.yaml b/chart/iam-runtime-infratographer/values.yaml
@@ -26,6 +26,8 @@ config:
       publishPrefix: ""
       # -- publishTopic NATS publihs topic to use.
       publishTopic: ""
+      # -- token NATS user token to use.
+      token: ""
       # -- credsFile path to NATS credentials file
       credsFile: ""
   tracing:
@@ -53,6 +55,10 @@ config:
         # This attribute also supports a file path by prefixing the value with `file://`.
         # example: `file:///var/secrets/client-id`
         clientID: ""
+        # -- clientSecret is the client credentials secret which is used to retrieve a token from the issuer.
+        # This attribute also supports a file path by prefixing the value with `file://`.
+        # example: `file:///var/secrets/client-secret`
+        clientSecret: ""
     exchange:
       # -- issuer specifies the URL for the issuer for the exchanged token.
       # The Issuer must support OpenID discovery to discover the token endpoint.
@@ -64,18 +70,6 @@ config:
       # @default -- urn:ietf:params:oauth:token-type:jwt
       tokenType: ""
 
-secrets:
-  nats:
-    # -- token NATS user token to use.
-    token: ""
-  accessToken:
-    source:
-      # -- clientSecret is the client credentials secret which is used to retrieve a token from the issuer.
-      # This attribute also supports a file path by prefixing the value with `file://`.
-      # example: `file:///var/secrets/client-secret`
-      clientSecret: ""
-
-
 # -- restartPolicy set to Always if using with initContainers on kube 1.29 and up
 # with the SideContainer feature flag enabled.
 # ref: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/#sidecar-containers-and-pod-lifecycle