

feat(chart): move secrets to infisical
rtrompier committed Jun 12, 2024
1 parent e7e674a commit adee48d
Showing 11 changed files with 75 additions and 88 deletions.
36 changes: 12 additions & 24 deletions chart/env/prod.yaml
Expand Up @@ -65,53 +65,41 @@ images:
repository: datasets-server-services-webhook
tag: sha-fb3399a
secrets:
externalSecret:
infisical:
enabled: true
secretName: "datasets-server-prod-secrets"
secretStoreName: "datasets-server-prod-secretstore"
parameters:
MONGO_URL: "hub-prod-datasets-server-mongo-url"
HF_TOKEN: "hub-prod-datasets-server-hf-token"
PARQUET_CONVERTER_HF_TOKEN: "hub-prod-datasets-server-parquet-converter-hf-token"
WEBHOOK_SECRET: "hub-prod-datasets-server-webhook-secret"
SPAWNING_TOKEN: "hub-prod-datasets-server-spawning-token"
API_HF_JWT_ADDITIONAL_PUBLIC_KEYS: "hub-prod-datasets-server-jwt-additional-public-keys"
AWS_ACCESS_KEY_ID: "hub-prod-datasets-server-s3-access-key-id"
AWS_SECRET_ACCESS_KEY: "hub-prod-datasets-server-s3-secret-access-key"
CLOUDFRONT_KEY_PAIR_ID: "hub-prod-datasets-server-cloudfront-key-id"
CLOUDFRONT_PRIVATE_KEY: "hub-prod-datasets-server-cloudfront-key"
env: "prod-us-east-1"
mongoUrl:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""
appHfToken:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""
appParquetConverterHfToken:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""
hfWebhookSecret:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""
hfJwtAdditionalPublicKeys:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""
spawningToken:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""
s3:
accessKeyId:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""
secretAccessKey:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""
cloudfront:
keyPairId:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""
privateKey:
fromSecret: true
secretName: "datasets-server-prod-secrets"
secretName: ""

persistence:
duckDBIndex:
Expand Down
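Review bot: The explicit key-to-secret mapping that the removed `parameters` block carried is gone, so the contract is now implicit: the Infisical project must hold secrets named exactly `MONGO_URL`, `HF_TOKEN`, `PARQUET_CONVERTER_HF_TOKEN`, `WEBHOOK_SECRET`, `SPAWNING_TOKEN`, `API_HF_JWT_ADDITIONAL_PUBLIC_KEYS`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `CLOUDFRONT_KEY_PAIR_ID` and `CLOUDFRONT_PRIVATE_KEY` in the `prod-us-east-1` environment, because those are the `secretKeyRef` keys the env templates read from the managed Secret. Nothing in this file records that coupling, and the per-entry `secretName: ""` values only mean "use the Infisical-managed Secret" through a `default` in the templates. A comment above `infisical:` such as `# Keys are synced 1:1 from Infisical env prod-us-east-1 (path /); every secretKeyRef key in chart/templates/_env/*.tpl must exist there under the same name` would let whoever rotates or renames a secret in Infisical see what breaks. The rest of the `secrets` block and the file continue outside the hunk.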
36 changes: 12 additions & 24 deletions chart/env/staging.yaml
Expand Up @@ -62,53 +62,41 @@ images:
tag: sha-fb3399a

secrets:
externalSecret:
infisical:
enabled: true
secretName: "datasets-server-staging-secrets"
secretStoreName: "datasets-server-ephemeral-secretstore"
parameters:
MONGO_URL: "hub-ephemeral-datasets-server-mongo-url"
HF_TOKEN: "hub-ephemeral-datasets-server-hf-token"
PARQUET_CONVERTER_HF_TOKEN: "hub-ephemeral-datasets-server-parquet-converter-hf-token"
WEBHOOK_SECRET: "hub-ephemeral-datasets-server-webhook-secret"
SPAWNING_TOKEN: "hub-ephemeral-datasets-server-spawning-token"
API_HF_JWT_ADDITIONAL_PUBLIC_KEYS: "hub-ephemeral-datasets-server-jwt-additional-public-keys"
AWS_ACCESS_KEY_ID: "hub-ephemeral-datasets-server-s3-access-key-id"
AWS_SECRET_ACCESS_KEY: "hub-ephemeral-datasets-server-s3-secret-access-key"
CLOUDFRONT_KEY_PAIR_ID: "hub-ephemeral-datasets-server-cloudfront-key-id"
CLOUDFRONT_PRIVATE_KEY: "hub-ephemeral-datasets-server-cloudfront-key"
env: "ephemeral-us-east-1"
mongoUrl:
fromSecret: true
secretName: "datasets-server-staging-secrets"
secretName: ""
appHfToken:
fromSecret: true
secretName: "datasets-server-staging-secrets"
secretName: ""
appParquetConverterHfToken:
fromSecret: true
secretName: "datasets-server-staging-secrets"
secretName: ""
hfWebhookSecret:
fromSecret: false
secretName: "datasets-server-staging-secrets"
secretName: ""
hfJwtAdditionalPublicKeys:
fromSecret: true
secretName: "datasets-server-staging-secrets"
secretName: ""
spawningToken:
fromSecret: true
secretName: "datasets-server-staging-secrets"
secretName: ""
s3:
accessKeyId:
fromSecret: true
secretName: "datasets-server-staging-secrets"
secretName: ""
secretAccessKey:
fromSecret: true
secretName: "datasets-server-staging-secrets"
secretName: ""
cloudfront:
keyPairId:
fromSecret: true
secretName: "datasets-server-staging-secrets"
secretName: ""
privateKey:
fromSecret: true
secretName: "datasets-server-staging-secrets"
secretName: ""

persistence:
duckDBIndex:
Expand Down
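Review bot: Staging and prod differ here only by `env`; `project`, `operatorSecretName` and `operatorSecretNamespace` are not overridden in the visible part of either file, so both appear to fall back to the chart defaults (`datasets-server-n5x-l`, `datasets-server-operator-secrets` in namespace `datasets-server`). If that holds, one universal-auth machine identity syncs both environments, it has to be granted read on both, and the staging release's credential reference reaches prod secrets just as well as prod's does. Consider a per-environment credential Secret, e.g. `operatorSecretName: "datasets-server-staging-operator-secrets"` here and a prod counterpart, each backed by an identity restricted to a single environment slug. The file continues beyond the hunk, so an override further down would already address this.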
8 changes: 8 additions & 0 deletions chart/templates/_common/_helpers.tpl
Expand Up @@ -200,3 +200,11 @@ note: keep $instanceAnnotations in first position during the merge, to avoid ove
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end -}}


{{/*
Return the secret name where Infisical secrets are loaded
*/}}
{{- define "datasetsServer.infisical.secretName" -}}
{{ include "name" $ }}-secs
{{- end -}}
4 changes: 2 additions & 2 deletions chart/templates/_env/_envCloudfront.tpl
Expand Up @@ -8,7 +8,7 @@
{{- if .Values.secrets.cloudfront.keyPairId.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.cloudfront.keyPairId.secretName | quote }}
name: {{ .Values.secrets.cloudfront.keyPairId.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: CLOUDFRONT_KEY_PAIR_ID
optional: false
{{- else }}
Expand All @@ -18,7 +18,7 @@
{{- if .Values.secrets.cloudfront.privateKey.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.cloudfront.privateKey.secretName | quote }}
name: {{ .Values.secrets.cloudfront.privateKey.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: CLOUDFRONT_PRIVATE_KEY
optional: false
{{- else }}
Expand Down
8 changes: 2 additions & 6 deletions chart/templates/_env/_envCommon.tpl
Expand Up @@ -14,11 +14,7 @@
{{- if .Values.secrets.appHfToken.fromSecret }}
valueFrom:
secretKeyRef:
{{- if eq .Values.secrets.appHfToken.secretName "" }}
name: {{ .Release.Name }}-datasets-server-app-token
{{- else }}
name: {{ .Values.secrets.appHfToken.secretName | quote }}
{{- end }}
name: {{ .Values.secrets.appHfToken.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: HF_TOKEN
optional: false
{{- else }}
Expand All @@ -30,7 +26,7 @@
{{- if .Values.secrets.mongoUrl.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.mongoUrl.secretName | quote }}
name: {{ .Values.secrets.mongoUrl.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: MONGO_URL
optional: false
{{- else }}
Expand Down
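Review bot: The removed `{{ .Release.Name }}-datasets-server-app-token` fallback was the name used when `appHfToken.secretName` is empty; after this change an empty value resolves to `<name>-secs`, a Secret that is only created when `secrets.infisical.enabled` is true, so a release that relied on the old fallback with Infisical disabled now points at a Secret that never exists and, with `optional: false`, its pods fail at container creation instead of at `helm template` time. A render-time guard before the `secretKeyRef` makes the misconfiguration loud: `{{- if and (not .Values.secrets.appHfToken.secretName) (not .Values.secrets.infisical.enabled) }}`, `{{- fail "secrets.appHfToken.secretName must be set when secrets.infisical.enabled is false" }}`, `{{- end }}`. The same `default` pattern is applied to every other `_env*.tpl` in this commit, so the guard belongs in each of them or in a shared helper that takes the value and the flag. Note that the check cannot live inside `datasetsServer.infisical.secretName` itself, since `default` evaluates the `include` eagerly even when `secretName` is set.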
2 changes: 1 addition & 1 deletion chart/templates/_env/_envDiscussions.tpl
Expand Up @@ -8,7 +8,7 @@
{{- if .Values.secrets.appParquetConverterHfToken.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.appParquetConverterHfToken.secretName | quote }}
name: {{ .Values.secrets.appParquetConverterHfToken.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: PARQUET_CONVERTER_HF_TOKEN
optional: false
{{- else }}
Expand Down
4 changes: 2 additions & 2 deletions chart/templates/_env/_envHf.tpl
Expand Up @@ -10,7 +10,7 @@
{{- if .Values.secrets.hfJwtAdditionalPublicKeys.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.hfJwtAdditionalPublicKeys.secretName | quote }}
name: {{ .Values.secrets.hfJwtAdditionalPublicKeys.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: API_HF_JWT_ADDITIONAL_PUBLIC_KEYS
optional: false
{{- else }}
Expand All @@ -24,7 +24,7 @@
{{- if .Values.secrets.hfWebhookSecret.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.hfWebhookSecret.secretName | quote }}
name: {{ .Values.secrets.hfWebhookSecret.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: WEBHOOK_SECRET
optional: false
{{- else }}
Expand Down
4 changes: 2 additions & 2 deletions chart/templates/_env/_envS3.tpl
Expand Up @@ -8,7 +8,7 @@
{{- if .Values.secrets.s3.accessKeyId.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.s3.accessKeyId.secretName | quote }}
name: {{ .Values.secrets.s3.accessKeyId.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: AWS_ACCESS_KEY_ID
optional: false
{{- else }}
Expand All @@ -18,7 +18,7 @@
{{- if .Values.secrets.s3.secretAccessKey.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.s3.secretAccessKey.secretName | quote }}
name: {{ .Values.secrets.s3.secretAccessKey.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: AWS_SECRET_ACCESS_KEY
optional: false
{{- else }}
Expand Down
6 changes: 3 additions & 3 deletions chart/templates/_env/_envWorker.tpl
Expand Up @@ -39,7 +39,7 @@
{{- if .Values.secrets.appParquetConverterHfToken.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.appParquetConverterHfToken.secretName | quote }}
name: {{ .Values.secrets.appParquetConverterHfToken.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: PARQUET_CONVERTER_HF_TOKEN
optional: false
{{- else }}
Expand Down Expand Up @@ -70,7 +70,7 @@
{{- if .Values.secrets.spawningToken.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.spawningToken.secretName | quote }}
name: {{ .Values.secrets.spawningToken.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: SPAWNING_TOKEN
optional: false
{{- else }}
Expand All @@ -89,7 +89,7 @@
{{- if .Values.secrets.appParquetConverterHfToken.fromSecret }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.appParquetConverterHfToken.secretName | quote }}
name: {{ .Values.secrets.appParquetConverterHfToken.secretName | default (include "datasetsServer.infisical.secretName" $) | quote }}
key: PARQUET_CONVERTER_HF_TOKEN
optional: false
{{- else }}
Expand Down
38 changes: 21 additions & 17 deletions chart/templates/secrets.yaml
@@ -1,20 +1,24 @@
{{- if .Values.secrets.externalSecret.enabled }}
apiVersion: "external-secrets.io/v1beta1"
kind: ExternalSecret
{{- if .Values.secrets.infisical.enabled }}
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: {{ include "name" $ }}-external-secret
name: {{ include "name" $ }}-infisical-secret
namespace: {{ $.Release.Namespace }}
spec:
refreshInterval: 1h
secretStoreRef:
name: {{ .Values.secrets.externalSecret.secretStoreName }}
kind: SecretStore
target:
name: {{ .Values.secrets.externalSecret.secretName }}
data:
{{- range $key, $value := .Values.secrets.externalSecret.parameters }}
- secretKey: {{ $key | quote }}
remoteRef:
key: {{ $value | quote }}
{{- end }}
{{- end }}
authentication:
universalAuth:
credentialsRef:
secretName: {{ .Values.secrets.infisical.operatorSecretName | quote }}
secretNamespace: {{ .Values.secrets.infisical.operatorSecretNamespace | quote }}
secretsScope:
envSlug: {{ .Values.secrets.infisical.env | quote }}
projectSlug: {{ .Values.secrets.infisical.project | quote }}
secretsPath: /
hostAPI: {{ .Values.secrets.infisical.url | quote }}
managedSecretReference:
creationPolicy: Owner
secretName: {{ include "datasetsServer.infisical.secretName" $ }}
secretNamespace: {{ .Release.Namespace | quote }}
secretType: Opaque
resyncInterval: {{ .Values.secrets.infisical.resyncInterval }}
{{- end }}
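Review bot: `hostAPI` is rendered from `.Values.secrets.infisical.url`, whose chart default is `""`, and neither the prod nor the staging hunk sets it, so the resource is emitted with `hostAPI: ""` and whatever endpoint the operator substitutes for an empty value — presumably the Infisical cloud API — becomes the place production credentials are fetched from without the chart ever stating it. Pin it at render time: `hostAPI: {{ required "secrets.infisical.url must be set" .Values.secrets.infisical.url | quote }}`. `secretName` under `managedSecretReference` is the only templated scalar in this resource left unquoted; `secretName: {{ include "datasetsServer.infisical.secretName" $ | quote }}` keeps it consistent with `secretNamespace` on the next line. `secretsPath: /` is hard-coded, so every secret at the project root for the environment is copied into one Kubernetes Secret; a comment saying so, or a `secretsPath` value, would make the size of that synced Secret a deliberate choice rather than a side effect.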
17 changes: 10 additions & 7 deletions chart/values.yaml
Expand Up @@ -93,11 +93,14 @@ log:
# --- common parameters ---

secrets:
externalSecret:
infisical:
enabled: false
secretName: ""
secretStoreName: ""
parameters: {}
env: ""
project: "datasets-server-n5x-l"
url: ""
resyncInterval: 60
operatorSecretName: "datasets-server-operator-secrets"
operatorSecretNamespace: "datasets-server"
mongoUrl:
fromSecret: false
secretName: "mongo-url"
Expand All @@ -123,14 +126,14 @@ secrets:
value: ""
spawningToken:
fromSecret: true
secretName: "spawning-token"
secretName: ""
s3:
accessKeyId:
fromSecret: true
secretName: "aws-access-key-id"
secretName: ""
secretAccessKey:
fromSecret: true
secretName: "aws-secret-access-key"
secretName: ""
cloudfront:
keyPairId:
fromSecret: false
Expand Down
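Review bot: The new `infisical` keys carry no comments, and two of them are defaults a chart user must know about: `operatorSecretName`/`operatorSecretNamespace` point at a credential Secret in the fixed namespace `datasets-server` that this chart does not create, and `resyncInterval: 60` has no unit. Suggested comments: above `operatorSecretName`, `# Existing Secret holding the Infisical universal-auth credentials; created out of band, never by this chart. Scope the machine identity to read-only on the environment named in env.` and next to `resyncInterval`, `# seconds between operator syncs — verify the unit against the InfisicalSecret CRD`. `project` is a concrete project slug baked into the chart defaults while `url` and `env` are empty; if the chart is meant to be reusable, leave all three empty and set them in `chart/env/*.yaml`, otherwise document that the default is only valid for the upstream deployment. The file continues below the hunk.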
