From 3607d4d1f905cb49e0a523ddca5a92530a9ba1af Mon Sep 17 00:00:00 2001 From: Calcagiara Date: Fri, 18 Oct 2024 15:02:50 +0200 Subject: [PATCH] fix(aac): aac secrets do not have the pre-install hook now by default; changed bootstrap to exclude clientSecret when needed --- charts/aac/Chart.yaml | 2 +- charts/aac/confs/bootstrap.yaml | 2 ++ charts/aac/templates/deployment.yaml | 4 +++- charts/aac/templates/secret.yaml | 9 +++++---- charts/aac/values.yaml | 6 ++++++ 5 files changed, 17 insertions(+), 6 deletions(-) diff --git a/charts/aac/Chart.yaml b/charts/aac/Chart.yaml index 69065466..b31e8468 100644 --- a/charts/aac/Chart.yaml +++ b/charts/aac/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: aac description: A Helm chart for Kubernetes type: application -version: 0.1.10 +version: 0.1.11 appVersion: "5.0.0" maintainers: - name: ffais diff --git a/charts/aac/confs/bootstrap.yaml b/charts/aac/confs/bootstrap.yaml index 5e0476d8..0d5680c4 100644 --- a/charts/aac/confs/bootstrap.yaml +++ b/charts/aac/confs/bootstrap.yaml @@ -65,7 +65,9 @@ realms: {{- end }} description: {{ $clientApp.description }} configuration: + {{- if $clientApp.configuration.clientSecret }} clientSecret: {{ tpl $clientApp.configuration.clientSecret $root }} + {{- end }} {{- toYaml $clientApp.configuration.conf | nindent 12 }} {{- if $clientApp.scopes }} scopes: diff --git a/charts/aac/templates/deployment.yaml b/charts/aac/templates/deployment.yaml index ae426778..78eafcd3 100644 --- a/charts/aac/templates/deployment.yaml +++ b/charts/aac/templates/deployment.yaml @@ -13,8 +13,10 @@ spec: {{- include "aac.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} labels: 
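Review bot: The guard added in charts/aac/confs/bootstrap.yaml tests the value (`if $clientApp.configuration.clientSecret`), while the guard this commit adds in the last hunk of charts/aac/templates/secret.yaml tests only for the key (`hasKey $clientApp.configuration "clientSecret"`), so the two files can disagree about whether a client has a secret. With `clientSecret: ""` or `clientSecret: null` in values, the bootstrap omits the field but secret.yaml still renders `clientsecret:`, and a null value will probably make `b64enc` fail the render. Use the same test in both places, for example `{{- if $clientApp.configuration.clientSecret }}` in secret.yaml. The surrounding `range` over realms and client apps starts and ends outside both hunks.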
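Review bot: `checksum/secret` in charts/aac/templates/deployment.yaml is computed by rendering secret.yaml a second time, so it only tracks the deployed Secret when that template is deterministic. With the random generators that the values.yaml comment in this commit suggests (`randAlphaNum`), each render yields a different value, so the annotation changes on every `helm upgrade` and restarts the pods even when a pre-install-hook Secret in the cluster was left untouched. The digest is also visible to anyone who can read pod metadata, usually a wider group than can read Secrets; this is harmless for high-entropy secrets but worth a line in values.yaml for operators who set short client secrets. Consider a values toggle around the two checksum lines, or at least a comment such as `# checksum/* changes on every render when bootstrap values use rand* functions`. The `template:` / `metadata:` block continues outside the hunk.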
diff --git a/charts/aac/templates/secret.yaml b/charts/aac/templates/secret.yaml index 30985f4b..90ded407 100644 --- a/charts/aac/templates/secret.yaml +++ b/charts/aac/templates/secret.yaml @@ -5,8 +5,9 @@ kind: Secret metadata: name: aac-bootstrap-secret annotations: - "helm.sh/hook": pre-install - "helm.sh/hook-weight": "-5" + {{- with $.Values.secrets.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} type: Opaque data: bootstrap.yaml: {{ $v | b64enc }} @@ -22,8 +23,6 @@ kind: Secret metadata: name: aac-{{ $realm.name | replace " " "-"}}-{{ $clientApp.name | replace " " "-"}}-secret annotations: - "helm.sh/hook": pre-install - "helm.sh/hook-weight": "-5" {{- with $.Values.secrets.annotations }} {{- toYaml . | nindent 4 }} {{- end }} @@ -36,7 +35,9 @@ metadata: type: Opaque data: clientid: {{ $clientApp.clientId | b64enc }} + {{- if (hasKey $clientApp.configuration "clientSecret") }} clientsecret: {{ $clientApp.configuration.clientSecret | b64enc }} + {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/aac/values.yaml b/charts/aac/values.yaml index bd70846f..5a6c57fd 100644 --- a/charts/aac/values.yaml +++ b/charts/aac/values.yaml @@ -172,6 +172,12 @@ bootstrap: [] secrets: annotations: {} + ## If you wish to generate clientId and clientSecrets randomly in the bootstrap (for example, using {{ randAlphaNum 24 | nospace }}) + ## make sure that you add pre-install hook to the annotations, so that the secrets won't get modified in case of a helm update. + ## Example: + # annotations: + # "helm.sh/hook": pre-install + # "helm.sh/hook-weight": "-5" reflector: enabled: false
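Review bot: Dropping the default `"helm.sh/hook": pre-install` annotations in the first two hunks of charts/aac/templates/secret.yaml turns both Secret templates from hook resources into regular release resources, and the commit carries no upgrade note for clusters installed with chart 0.1.10. Helm does not track hook-created objects as part of the release, so the existing `aac-bootstrap-secret` and per-client Secrets are likely to be rejected on upgrade as already existing without Helm ownership metadata. Please test an upgrade from 0.1.10 and document the required step next to the new values.yaml comment (keep the hook through `secrets.annotations`, or adopt or delete the old Secrets first). Separately, with the default `secrets.annotations: {}` the first hunk renders a bare `annotations:` key; moving that key inside the `{{- with $.Values.secrets.annotations }}` block avoids emitting a null value.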