
Commit 4604393

feat: ingress configurations + external secrets (#35)
1 parent 30ede06 commit 4604393

12 files changed

Lines changed: 541 additions & 40 deletions


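--- a/charts/ctrlplane/Chart.yaml
+++ b/charts/ctrlplane/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: ctrlplane
 description: Ctrlplane Helm chart for Kubernetes
 type: application
-version: 0.10.2
+version: 0.11.0
 appVersion: "1.0.0"
 
 maintainers: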

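--- a/charts/ctrlplane/charts/api/templates/deployment.yaml
+++ b/charts/ctrlplane/charts/api/templates/deployment.yaml
@@ -49,11 +49,17 @@ spec:
 - name: WORKSPACE_ENGINE_ROUTER_URL
 value: http://{{ .Release.Name }}-workspace-engine-router.{{ .Release.Namespace }}.svc.cluster.local:9090
 
+{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
+- name: VARIABLES_AES_256_KEY
+valueFrom:
+{{- toYaml .Values.global.secrets.encryptionKey.valueFrom | nindent 16 }}
+{{- else }}
 - name: VARIABLES_AES_256_KEY
 valueFrom:
 secretKeyRef:
 name: {{ .Release.Name }}-encryption-key
 key: AES_256_KEY
+{{- end }}
 
 # Auth providers with valueFrom support
 {{- include "ctrlplane.authProviderEnvVars" . | nindent 12 }}
@@ -68,11 +74,17 @@ spec:
 - name: KAFKA_BROKERS
 value: {{ .Values.global.kafka.brokers | quote }}
 
+{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.authSecret }}
+- name: AUTH_SECRET
+valueFrom:
+{{- toYaml .Values.global.secrets.authSecret.valueFrom | nindent 16 }}
+{{- else }}
 - name: AUTH_SECRET
 valueFrom:
 secretKeyRef:
 name: {{ include "api.fullname" . }}
 key: AUTH_SECRET
+{{- end }}
 
 - name: GITHUB_URL
 value: {{ include "ctrlplane.githubUrl" . }}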
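Review bot: A non-empty plain-string value for `global.secrets.encryptionKey` or `global.secrets.authSecret` falls through the new `{{- else }}` branches and is silently replaced by the chart-generated Secret, if `ctrlplane.isValueFrom` (helper not shown here) only recognises the `valueFrom` map form; the NOTES hunk documents `""` as the auto-generate sentinel, so a literal string is a misconfiguration better failed on than ignored. Consider inserting before each `{{- else }}`: `{{- else if .Values.global.secrets.encryptionKey }}` / `{{- fail "global.secrets.encryptionKey must be empty or a valueFrom reference" }}` (and the same for authSecret). The if/valueFrom/else/secretKeyRef/end block is repeated twice here and again in the pty-proxy deployment and workspace-engine statefulset sections; a named template taking the env var name, the values entry and the fallback secret name, included the way `ctrlplane.authProviderEnvVars` already is, would keep the copies from drifting. The `env:` list these entries belong to starts before the first hunk.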
Lines changed: 7 additions & 5 deletions
@@ -1,14 +1,16 @@
1-
{{- $secretName := (include "api.fullname" .) }}
2-
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
1+
{{- if not (include "ctrlplane.isValueFrom" .Values.global.secrets.authSecret) }}
2+
{{- $secretName := (include "api.fullname" .) }}
3+
{{- $existing := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
34
apiVersion: v1
45
kind: Secret
56
metadata:
67
name: {{ $secretName }}
78
labels:
89
{{- include "api.labels" . | nindent 4 }}
910
data:
10-
{{- if $secret }}
11-
AUTH_SECRET: {{ $secret.data.AUTH_SECRET }}
11+
{{- if and $existing (hasKey $existing.data "AUTH_SECRET") }}
12+
AUTH_SECRET: {{ index $existing.data "AUTH_SECRET" }}
1213
{{- else }}
1314
AUTH_SECRET: {{ randAlphaNum 64 | b64enc }}
14-
{{- end }}
15+
{{- end }}
16+
{{- end }}
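Review bot: `lookup` returns nil whenever the chart is rendered without cluster access — `helm template`, `--dry-run`, or GitOps tools that render with `helm template` — so `$existing` is empty there and `randAlphaNum 64` emits a fresh AUTH_SECRET on every render, invalidating sessions signed with the previous value; the same applies to the web secret section (`web.fullname`) and, with worse consequences, to the encryption-key section. The new `isValueFrom` gate gives operators a way out, but nothing tells them the generated path is only stable for install/upgrade against a live cluster. A template comment above the `lookup` line such as `{{- /* lookup is nil under helm template / dry-run / GitOps render, so the value is regenerated on every such render; use global.secrets.authSecret.valueFrom there */ -}}`, plus a matching sentence in NOTES.txt, would make the constraint visible. This section's file header is not shown on the page; the template is identified only by `api.fullname`.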

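--- a/charts/ctrlplane/charts/pty-proxy/templates/deployment.yaml
+++ b/charts/ctrlplane/charts/pty-proxy/templates/deployment.yaml
@@ -56,11 +56,17 @@ spec:
 port: http
 env:
 {{- include "ctrlplane.postgresqlEnvVars" . | nindent 12 }}
+{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
+- name: VARIABLES_AES_256_KEY
+valueFrom:
+{{- toYaml .Values.global.secrets.encryptionKey.valueFrom | nindent 16 }}
+{{- else }}
 - name: VARIABLES_AES_256_KEY
 valueFrom:
 secretKeyRef:
 name: {{ .Release.Name }}-encryption-key
 key: AES_256_KEY
+{{- end }}
 {{- include "ctrlplane.extraEnv" . | nindent 12 }}
 {{- include "ctrlplane.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
 resources: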
Lines changed: 7 additions & 5 deletions
@@ -1,14 +1,16 @@
1-
{{- $secretName := (include "web.fullname" .) }}
2-
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
1+
{{- if not (include "ctrlplane.isValueFrom" .Values.global.secrets.authSecret) }}
2+
{{- $secretName := (include "web.fullname" .) }}
3+
{{- $existing := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
34
apiVersion: v1
45
kind: Secret
56
metadata:
67
name: {{ $secretName }}
78
labels:
89
{{- include "web.labels" . | nindent 4 }}
910
data:
10-
{{- if $secret }}
11-
AUTH_SECRET: {{ $secret.data.AUTH_SECRET }}
11+
{{- if and $existing (hasKey $existing.data "AUTH_SECRET") }}
12+
AUTH_SECRET: {{ index $existing.data "AUTH_SECRET" }}
1213
{{- else }}
1314
AUTH_SECRET: {{ randAlphaNum 64 | b64enc }}
14-
{{- end }}
15+
{{- end }}
16+
{{- end }}

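--- a/charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml
+++ b/charts/ctrlplane/charts/workspace-engine/templates/statefulset.yaml
@@ -43,11 +43,17 @@ spec:
 containerPort: 8081
 protocol: TCP
 env:
+{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
+- name: AES_256_KEY
+valueFrom:
+{{- toYaml .Values.global.secrets.encryptionKey.valueFrom | nindent 16 }}
+{{- else }}
 - name: AES_256_KEY
 valueFrom:
 secretKeyRef:
 name: {{ .Release.Name }}-encryption-key
 key: AES_256_KEY
+{{- end }}
 - name: KAFKA_BROKERS
 value: {{ .Values.global.kafka.brokers | quote }}
 - name: KAFKA_GROUP_ID
@@ -71,11 +77,17 @@ spec:
 
 {{- include "ctrlplane.postgresqlEnvVars" . | nindent 12 }}
 {{- include "ctrlplane.githubBotEnvVars" . | nindent 12 }}
+{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
+- name: VARIABLES_AES_256_KEY
+valueFrom:
+{{- toYaml .Values.global.secrets.encryptionKey.valueFrom | nindent 16 }}
+{{- else }}
 - name: VARIABLES_AES_256_KEY
 valueFrom:
 secretKeyRef:
 name: {{ .Release.Name }}-encryption-key
 key: AES_256_KEY
+{{- end }}
 {{- include "ctrlplane.extraEnv" . | nindent 12 }}
 {{- include "ctrlplane.extraEnvFrom" (dict "root" $ "local" .) | nindent 12 }}
 resources: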

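--- a/charts/ctrlplane/templates/NOTES.txt
+++ b/charts/ctrlplane/templates/NOTES.txt
@@ -1,9 +1,11 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.create }}
-{{- range $host := .Values.ingress.hosts }}
-{{- range .paths }}
-http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
-{{- end }}
+{{- $fqdn := .Values.global.fqdn | trimPrefix "https://" | trimPrefix "http://" | trimSuffix "/" }}
+{{- if $fqdn }}
+http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ $fqdn }}
+{{- else }}
+Ingress is enabled but no host is configured (global.fqdn is empty).
+Access the service via the ingress IP or configure global.fqdn.
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
 export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "ctrlplane.fullname" . }})
@@ -30,6 +32,18 @@
 ⚠ Password configured directly in values (less secure for production)
 {{- end }}
 
+Secrets:
+{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey }}
+✓ Encryption key (AES_256_KEY) configured via secret reference
+{{- else }}
+⚠ Encryption key auto-generated by chart (consider using ExternalSecrets for production)
+{{- end }}
+{{- if include "ctrlplane.isValueFrom" .Values.global.secrets.authSecret }}
+✓ Auth secret configured via secret reference
+{{- else }}
+⚠ Auth secret auto-generated by chart (consider using ExternalSecrets for production)
+{{- end }}
+
 Auth Providers:
 {{- if include "ctrlplane.isValueFrom" .Values.global.authProviders.google.clientSecret }}
 ✓ Google OAuth configured via secret reference
@@ -58,20 +72,30 @@
 
 3. Using valueFrom pattern for secrets:
 
-Instead of:
-postgresql:
-password: "my-secret-password"
+Instead of auto-generated secrets:
+global:
+secrets:
+authSecret: ""
+encryptionKey: ""
 
-Use:
-postgresql:
-password:
-valueFrom:
-secretKeyRef:
-name: "postgresql-secret"
-key: "password"
+Reference externally managed secrets:
+global:
+secrets:
+authSecret:
+valueFrom:
+secretKeyRef:
+name: "my-auth-secret"
+key: "AUTH_SECRET"
+encryptionKey:
+valueFrom:
+secretKeyRef:
+name: "my-encryption-secret"
+key: "AES_256_KEY"
 
 This pattern works for all sensitive configuration values including:
+- Encryption key (AES_256_KEY)
+- Auth secret (AUTH_SECRET)
 - PostgreSQL password
 - OAuth client secrets (Google, Okta)
 - GitHub bot credentials
-- Azure app credentials
+- Azure app credentials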
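Review bot: The first hunk replaces `range $host := .Values.ingress.hosts` and the truthy `$.Values.ingress.tls` test with `global.fqdn` and `.Values.ingress.tls.enabled`; a 0.10.x values file that still sets `ingress.tls` to a list or leaves it unset (the shape the removed code implies) makes `.Values.ingress.tls.enabled` abort the render rather than degrade, so the 0.11.0 bump should ship with an upgrade note naming the new keys — assuming values.yaml (changed in this commit but not shown) did change the shape. The `$fqdn` derivation `trimPrefix "https://" | trimPrefix "http://" | trimSuffix "/"` is duplicated verbatim in the ingress template; a `{{- define "ctrlplane.fqdn" -}}` helper used by both would keep them from drifting. The URL line `http{{ if .Values.ingress.tls.enabled }}s{{ end }}://{{ $fqdn }}` sits inside the `if .Values.ingress.create` block, whose remaining `else if` branches continue past the hunk.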
Lines changed: 23 additions & 10 deletions
@@ -1,39 +1,52 @@
11
{{- if .Values.ingress.create }}
2+
{{- $fqdn := .Values.global.fqdn | trimPrefix "https://" | trimPrefix "http://" | trimSuffix "/" -}}
23
apiVersion: networking.k8s.io/v1
34
kind: Ingress
45
metadata:
56
name: {{ include "ctrlplane.fullname" . }}
67
labels:
7-
{{- if .Values.ingress.labels -}}
8-
{{- toYaml .Values.ingress.labels | nindent 4 }}
8+
{{- include "ctrlplane.labels" . | nindent 4 }}
9+
{{- with .Values.ingress.labels }}
10+
{{- toYaml . | nindent 4 }}
911
{{- end }}
12+
{{- with .Values.ingress.annotations }}
1013
annotations:
11-
{{- if .Values.ingress.annotations -}}
12-
{{- toYaml .Values.ingress.annotations | nindent 4 }}
13-
{{- end }}
14+
{{- toYaml . | nindent 4 }}
15+
{{- end }}
1416
spec:
17+
{{- if .Values.ingress.class }}
1518
ingressClassName: {{ .Values.ingress.class }}
19+
{{- end }}
20+
{{- if and $fqdn .Values.ingress.tls.enabled }}
21+
tls:
22+
- hosts:
23+
- {{ $fqdn }}
24+
secretName: {{ .Values.ingress.tls.secretName | default (printf "%s-tls" (include "ctrlplane.fullname" .)) }}
25+
{{- end }}
1626
defaultBackend:
1727
service:
18-
name: {{ .Release.Name }}-webservice
28+
name: {{ .Release.Name }}-web
1929
port:
2030
number: 3000
2131
rules:
22-
- http:
32+
- {{- if $fqdn }}
33+
host: {{ $fqdn }}
34+
{{- end }}
35+
http:
2336
paths:
2437
- pathType: Prefix
2538
path: /
2639
backend:
2740
service:
2841
name: {{ .Release.Name }}-web
29-
port:
42+
port:
3043
number: 3000
3144
- pathType: Prefix
3245
path: /api
3346
backend:
3447
service:
3548
name: {{ .Release.Name }}-api
36-
port:
49+
port:
3750
number: 8081
3851
- pathType: Prefix
3952
path: /api/v1/resources/proxy
@@ -42,4 +55,4 @@ spec:
4255
name: {{ .Release.Name }}-pty-proxy
4356
port:
4457
number: 4000
45-
{{- end }}
58+
{{- end }}
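Review bot: With `ingress.tls.enabled: true` and an empty `global.fqdn`, the `and $fqdn .Values.ingress.tls.enabled` guard silently drops the `tls:` block while the host-less rule below still renders, so an operator who asked for TLS gets a catch-all plain-HTTP Ingress fronting `/api` and the pty-proxy path, with only a NOTES line to hint at it. Failing the render is safer; right after the `$fqdn` assignment add `{{- if and .Values.ingress.tls.enabled (not $fqdn) }}` / `{{- fail "ingress.tls.enabled requires global.fqdn" }}` / `{{- end }}`. The `secretName` default `<fullname>-tls` is not created by anything visible in this commit; unless cert-manager or an external secret supplies it, the controller will presumably fall back to its default certificate, which is worth stating in values.yaml next to `ingress.tls.secretName`. This section's file header is not shown on the page.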
Lines changed: 6 additions & 4 deletions
@@ -1,6 +1,7 @@
1+
{{- if not (include "ctrlplane.isValueFrom" .Values.global.secrets.encryptionKey) }}
12
---
23
{{- $secretName := (printf "%s-encryption-key" .Release.Name) }}
3-
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
4+
{{- $existing := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
45
apiVersion: v1
56
kind: Secret
67
metadata:
@@ -9,8 +10,9 @@ metadata:
910
{{- include "ctrlplane.labels" . | nindent 4 }}
1011
type: Opaque
1112
data:
12-
{{- if $secret }}
13-
AES_256_KEY: {{ $secret.data.AES_256_KEY }}
13+
{{- if and $existing (hasKey $existing.data "AES_256_KEY") }}
14+
AES_256_KEY: {{ index $existing.data "AES_256_KEY" }}
1415
{{- else }}
15-
AES_256_KEY: {{ randAlphaNum 64 | b64enc | quote }}
16+
AES_256_KEY: {{ randAlphaNum 64 | b64enc }}
1617
{{- end }}
18+
{{- end }}
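Review bot: Once an operator switches `global.secrets.encryptionKey` to a `valueFrom` reference this template renders nothing, so the next `helm upgrade` deletes `<release>-encryption-key` along with the only persisted copy of the generated AES key; unless the external secret carries the same value, everything encrypted under it becomes unrecoverable, and switching back just regenerates it via `randAlphaNum 64`. Marking the Secret with `helm.sh/resource-policy: keep` stops Helm from deleting it; under `metadata:` (the block spans the end of the first hunk and the start of the second) add `annotations:` / `helm.sh/resource-policy: keep`. Dropping `| quote` on the `randAlphaNum 64 | b64enc` line is fine since `b64enc` output needs no quoting, and it now matches the `index` branch. The `lookup`-is-nil caveat for renders without cluster access applies here exactly as in the auth-secret sections, with key loss rather than session loss as the outcome.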
