Merge pull request #129 from Calcagiara/aacHookRemoval

fix(aac): aac secrets do not have the pre-install hook now by default; changed bootstrap to exclude clientSecret when needed
scc-digitalhub · Oct 18, 2024 · 599818a · 599818a
2 parents 9c756b5 + 3607d4d
commit 599818a
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 6 deletions.
diff --git a/charts/aac/Chart.yaml b/charts/aac/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: aac
 description: A Helm chart for Kubernetes
 type: application
-version: 0.1.10
+version: 0.1.11
 appVersion: "5.0.0"
 maintainers:
   - name: ffais

diff --git a/charts/aac/confs/bootstrap.yaml b/charts/aac/confs/bootstrap.yaml
@@ -65,7 +65,9 @@ realms:
         {{- end }}
         description: {{ $clientApp.description }}
         configuration:
+            {{- if $clientApp.configuration.clientSecret }}
             clientSecret: {{ tpl $clientApp.configuration.clientSecret $root }}
+            {{- end }}
             {{- toYaml $clientApp.configuration.conf | nindent 12 }}
         {{- if $clientApp.scopes }}
         scopes:

diff --git a/charts/aac/templates/deployment.yaml b/charts/aac/templates/deployment.yaml
@@ -13,8 +13,10 @@ spec:
       {{- include "aac.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
       annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:

diff --git a/charts/aac/templates/secret.yaml b/charts/aac/templates/secret.yaml
@@ -5,8 +5,9 @@ kind: Secret
 metadata:
   name: aac-bootstrap-secret
   annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
+    {{- with $.Values.secrets.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 type: Opaque
 data:
   bootstrap.yaml: {{ $v | b64enc }}
@@ -22,8 +23,6 @@ kind: Secret
 metadata:
   name: aac-{{ $realm.name | replace " " "-"}}-{{ $clientApp.name | replace " " "-"}}-secret
   annotations:
-    "helm.sh/hook": pre-install
-    "helm.sh/hook-weight": "-5"
     {{- with $.Values.secrets.annotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
@@ -36,7 +35,9 @@ metadata:
 type: Opaque
 data:
   clientid: {{ $clientApp.clientId | b64enc }}
+  {{- if (hasKey $clientApp.configuration "clientSecret") }}
   clientsecret: {{ $clientApp.configuration.clientSecret  | b64enc }}
+  {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}

diff --git a/charts/aac/values.yaml b/charts/aac/values.yaml
@@ -172,6 +172,12 @@ bootstrap: []
 
 secrets:
   annotations: {}
+  ## If you wish to generate clientId and clientSecrets randomly in the bootstrap (for example, using {{ randAlphaNum 24 | nospace }})
+  ## make sure that you add pre-install hook to the annotations, so that the secrets won't get modified in case of a helm update.
+  ## Example:
+  # annotations:
+  #   "helm.sh/hook": pre-install
+  #   "helm.sh/hook-weight": "-5"
   reflector:
     enabled: false