radiantlogic-devops · adrianb-ens · Jun 22, 2023 · Jun 22, 2023 · Jun 22, 2023 · Jun 22, 2023
diff --git a/charts/eoc/Chart.yaml b/charts/eoc/Chart.yaml
@@ -7,13 +7,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.3.1"
+appVersion: "0.4.0"
 
 maintainers:
   - name: pgodey

diff --git a/charts/eoc/templates/backend_configmap.yaml b/charts/eoc/templates/backend_configmap.yaml
@@ -14,24 +14,10 @@ data:
   DATABASE_SCHEMA: {{ .Values.backend.database.schema | quote }}
   DATABASE_HOST: {{ .Values.backend.database.host | quote }}
   DATABASE_PORT: {{ .Values.backend.database.port | quote }}
-  DATABASE_USERNAME: {{ .Values.backend.database.auth.user | quote }}
-  DATABASE_PASSWORD: {{ .Values.backend.database.auth.pass | quote }}
 
-  JWT_SECRET: {{ .Values.backend.jwt.secret | quote }}
   JWT_EXPIRES_IN: {{ .Values.backend.jwt.expiresIn | quote }}
 
-  OAUTH_GOOGLE_CLIENT_ID: {{ .Values.backend.oauth.google.clientId | quote }}
-  OAUTH_GOOGLE_CLIENT_SECRET: {{ .Values.backend.oauth.google.clientSecret | quote }}
-
-  OAUTH_GITHUB_CLIENT_ID: {{ .Values.backend.oauth.github.clientId | quote }}
-  OAUTH_GITHUB_CLIENT_SECRET: {{ .Values.backend.oauth.github.clientSecret | quote }}
-
-  OAUTH_MICROSOFT_CLIENT_ID: {{ .Values.backend.oauth.microsoft.clientId | quote }}
-  OAUTH_MICROSOFT_CLIENT_SECRET: {{ .Values.backend.oauth.microsoft.clientSecret | quote }}
-
   EMAIL_FROM: {{ .Values.backend.smtp.from | quote }}
-  EMAIL_ID: {{ .Values.backend.smtp.user | quote }}
-  EMAIL_PASS: {{ .Values.backend.smtp.pass | quote }}
   EMAIL_HOST: {{ .Values.backend.smtp.host | quote }}
   EMAIL_PORT: {{ .Values.backend.smtp.port | quote }}
 
@@ -41,18 +27,11 @@ data:
 
   APP_ROOT_DIRECTORY: {{ .Values.backend.appRootDirectory | quote }}
 
-  ENCRYPTION_KEY: {{ .Values.backend.encryptionKey | quote }}
-
   KIBANA_API_LINK: {{ .Values.backend.kibana.apiUrl | quote }}
 
   GRAFANA_BASE_URL: {{ .Values.backend.grafana.host | quote }}
-  GRAFANA_USERNAME: {{ .Values.backend.grafana.username | quote }}
-  GRAFANA_PASSWORD: {{ .Values.backend.grafana.password | quote }}
 
   AGENTS_BASE_PATH: {{ .Values.backend.agents.api.endpoint | quote }}
-  AGENTS_CLIENT_ID: {{ .Values.backend.agents.api.clientId | quote }}
-  AGENTS_CLIENT_SECRET: {{ .Values.backend.agents.api.clientSecret | quote }}
-  AGENTS_INLETS_TOKEN: {{ .Values.backend.agents.inlets.token | quote }}
   AGENTS_SERVER_NAME: {{ .Values.backend.agents.inlets.serverName | quote }}
   AGENTS_SERVER_ENDPOINT: {{ .Values.backend.agents.inlets.serverEndpoint | quote }}
 

diff --git a/charts/eoc/templates/backend_deployment.yaml b/charts/eoc/templates/backend_deployment.yaml
@@ -21,9 +21,135 @@ spec:
         imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
         ports:
         - containerPort: 80
+        volumeMounts:
+          - mountPath: "/var/secrets"
+            name: secrets
+            readOnly: true
         envFrom:
           - configMapRef:
               name: {{ template "eoc-backend.fullname" . }}
+        env:
+{{- if not .Values.backend.mountSecrets }}
+  {{- if .Values.backend.database.auth.user }}
+          - name: DATABASE_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: database-auth-user
+  {{- end }}
+  {{- if .Values.backend.database.auth.pass }}
+          - name: DATABASE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: database-auth-pass
+  {{- end }}
+  {{- if .Values.backend.jwt.secret }}
+          - name: JWT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: jwt-secret
+  {{- end }}
+  {{- if .Values.backend.oauth.google.clientId }}
+          - name: OAUTH_GOOGLE_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: oauth-google-clientid
+  {{- end }}
+  {{- if .Values.backend.oauth.google.clientSecret }}
+          - name: OAUTH_GOOGLE_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: oauth-google-clientsecret
+  {{- end }}
+  {{- if .Values.backend.oauth.github.clientId }}
+          - name: OAUTH_GITHUB_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: oauth-github-clientid
+  {{- end }}
+  {{- if .Values.backend.oauth.google.clientSecret }}
+          - name: OAUTH_GOOGLE_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: oauth-github-clientsecret
+  {{- end }}
+  {{- if .Values.backend.oauth.microsoft.clientId }}
+          - name: OAUTH_MICROSOFT_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: oauth-microsoft-clientid
+  {{- end }}
+  {{- if .Values.backend.oauth.microsoft.clientSecret }}
+          - name: OAUTH_MICROSOFT_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: oauth-microsoft-clientsecret
+  {{- end }}
+  {{- if .Values.backend.smtp.user }}
+          - name: EMAIL_ID
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: smtp-user
+  {{- end }}
+  {{- if .Values.backend.smtp.pass }}
+          - name: EMAIL_PASS
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: smtp-pass
+  {{- end }}
+  {{- if .Values.backend.encryptionKey }}
+          - name: ENCRYPTION_KEY
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: encryption-key
+  {{- end }}
+  {{- if .Values.backend.grafana.username }}
+          - name: GRAFANA_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: grafana-username
+  {{- end }}
+  {{- if .Values.backend.grafana.password }}
+          - name: GRAFANA_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: grafana-password
+  {{- end }}
+  {{- if .Values.backend.agents.api.clientId }}
+          - name: AGENTS_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: agents-api-clientid
+  {{- end }}
+  {{- if .Values.backend.agents.api.clientSecret }}
+          - name: AGENTS_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: agents-api-clientsecret
+  {{- end }}
+  {{- if .Values.backend.agents.inlets.token }}
+          - name: AGENTS_INLETS_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-backend.fullname" . }}
+                key: agents-inlets-token
+  {{- end }}
+{{- end }}
         livenessProbe:
           httpGet:
             path: /eoc-backend/health
@@ -52,3 +178,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      volumes:
+        - name: secrets
+          secret:
+            secretName: secrets-{{ template "eoc-backend.fullname" . }}
diff --git a/charts/eoc/templates/backend_secret.yaml b/charts/eoc/templates/backend_secret.yaml
@@ -0,0 +1,69 @@
+{{- if not .Values.backend.sealedSecrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secrets-{{ template "eoc-backend.fullname" . }}
+  labels:
+    {{- include "eoc-backend.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- if .Values.backend.database.auth.user }}
+  database-auth-user:  {{ .Values.backend.database.auth.user | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.backend.database.auth.pass }}
+  database-auth-pass:  {{ .Values.backend.database.auth.pass | b64enc | quote }}
+  {{- end }}
+
+  {{- if .Values.backend.jwt.secret }}
+  jwt-secret:  {{ .Values.backend.jwt.secret | b64enc | quote }}
+  {{- end }}
+
+  {{- if .Values.backend.oauth.google.clientId }}
+  oauth-google-clientid:  {{ .Values.backend.oauth.google.clientId | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.backend.oauth.google.clientSecret }}
+  oauth-google-clientsecret:  {{ .Values.backend.oauth.google.clientSecret | b64enc | quote }}
+  {{- end }}
+
+  {{- if .Values.backend.oauth.github.clientId }}
+  oauth-github-clientid:  {{ .Values.backend.oauth.github.clientId | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.backend.oauth.github.clientSecret }}
+  oauth-github-clientsecret:  {{ .Values.backend.oauth.github.clientSecret | b64enc | quote }}
+  {{- end }}
+
+  {{- if .Values.backend.oauth.microsoft.clientId }}
+  oauth-microsoft-clientid:  {{ .Values.backend.oauth.microsoft.clientId | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.backend.oauth.microsoft.clientSecret }}
+  oauth-microsoft-clientsecret:  {{ .Values.backend.oauth.microsoft.clientSecret | b64enc | quote }}
+  {{- end }}
+
+  {{- if .Values.backend.smtp.user }}
+  smtp-user:  {{ .Values.backend.smtp.user | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.backend.smtp.pass }}
+  smtp-pass:  {{ .Values.backend.smtp.pass | b64enc | quote }}
+  {{- end }}
+
+  {{- if .Values.backend.encryptionKey }}
+  encryption-key:  {{ .Values.backend.encryptionKey | b64enc | quote }}
+  {{- end }}
+
+  {{- if .Values.backend.grafana.username }}
+  grafana-username:  {{ .Values.backend.grafana.username | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.backend.grafana.password }}
+  grafana-password:  {{ .Values.backend.grafana.password | b64enc | quote }}
+  {{- end }}
+
+  {{- if .Values.backend.agents.api.clientId }}
+  agents-api-clientid:  {{ .Values.backend.agents.api.clientId | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.backend.agents.api.clientSecret }}
+  agents-api-clientsecret:  {{ .Values.backend.agents.api.clientSecret | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.backend.agents.inlets.token }}
+  agents-inlets-token:  {{ .Values.backend.agents.inlets.token | b64enc | quote }}
+  {{- end }}
+{{- end }}
diff --git a/charts/eoc/templates/ochestrator_deployment.yaml b/charts/eoc/templates/ochestrator_deployment.yaml
@@ -21,9 +21,58 @@ spec:
         imagePullPolicy: {{ .Values.orchestrator.image.pullPolicy }}
         ports:
         - containerPort: 80
+        volumeMounts:
+          - mountPath: "/var/secrets"
+            name: secrets
+            readOnly: true
         envFrom:
           - configMapRef:
               name: {{ template "eoc-orchestrator.fullname" . }}
+        env:
+{{- if not .Values.orchestrator.mountSecrets }}
+  {{- if .Values.global.certificateArn }}
+          - name: CERTIFICATE_ARN
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-orchestrator.fullname" . }}
+                key: certificate-arn
+  {{- end }}
+  {{- if .Values.orchestrator.duplo.token }}
+          - name: DUPLO_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-orchestrator.fullname" . }}
+                key: duplo-token
+  {{- end }}
+  {{- if .Values.orchestrator.argocd.token }}
+          - name: ARGO_CD_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-orchestrator.fullname" . }}
+                key: argocd-token
+  {{- end }}
+  {{- if .Values.global.fidLicense }}
+          - name: FID_LICENSE_KEY
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-orchestrator.fullname" . }}
+                key: fid-license
+  {{- end }}
+  {{- if .Values.orchestrator.git.privateKey }}
+          - name: GIT_PRIVATE_KEY
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-orchestrator.fullname" . }}
+                key: git-private-key
+  {{- end }}
+  {{- if .Values.backend.encryptionKey }}
+          - name: ENCRYPTION_KEY
+            valueFrom:
+              secretKeyRef:
+                name: secrets-{{ template "eoc-orchestrator.fullname" . }}
+                key: encryption-key
+  {{- end }}
+{{- end }}
         readinessProbe:
           tcpSocket:
             port: 3001
@@ -49,4 +98,8 @@ spec:
       {{- with .Values.orchestrator.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}
+      volumes:
+        - name: secrets
+          secret:
+            secretName: secrets-{{ template "eoc-orchestrator.fullname" . }}
diff --git a/charts/eoc/templates/orchestrator_configmap.yaml b/charts/eoc/templates/orchestrator_configmap.yaml
@@ -2,30 +2,22 @@ apiVersion: v1
 data:
   REGION: {{ .Values.global.region | quote }}
   DOMAIN_NAME: {{ .Values.global.domainName | quote }}
-  CERTIFICATE_ARN: {{ .Values.global.certificateArn | quote }}
 
   REDIS_HOST: {{ .Values.orchestrator.redis.host | quote }}
   REDIS_PORT: {{ .Values.orchestrator.redis.port | quote }}
 
   DUPLO_PLAN_ID: {{ .Values.global.infrastructureName | quote }}
-  DUPLO_TOKEN: {{ .Values.orchestrator.duplo.token | quote }}
   DUPLO_BASE_URL: {{ .Values.orchestrator.duplo.baseUrl | quote }}
   DUPLO_SERVICES_TENANT_NAME: {{ .Values.orchestrator.duplo.servicesTenantName | quote }}
   DUPLO_ZONES: {{ .Values.global.zones | quote }}
   DUPLO_AMI_IMAGE_ID: {{ .Values.global.amiImageId | quote }}
 
   ARGO_CD_BASE_URL: {{ .Values.orchestrator.argocd.baseUrl | quote }}
-  ARGO_CD_TOKEN: {{ .Values.orchestrator.argocd.token | quote }}
 
-  FID_LICENSE_KEY: {{ .Values.global.fidLicense | quote }}
-
   GIT_REPO: {{ .Values.orchestrator.git.repo | quote }}
-  GIT_PRIVATE_KEY: {{ .Values.orchestrator.git.privateKey | quote }}
 
   REDIS_HOST: {{ .Values.orchestrator.redis.host | quote }}
   REDIS_PORT: {{ .Values.orchestrator.redis.port | quote }}
-
-  ENCRYPTION_KEY: {{ .Values.backend.encryptionKey | quote }}
 kind: ConfigMap
 metadata:
   labels: