From e89cf36279d028001aff14904c911f3c11dbc22b Mon Sep 17 00:00:00 2001
From: adobrodey <8377544+ADobrodey@users.noreply.github.com>
Date: Mon, 3 Jun 2024 15:40:33 +0200
Subject: [PATCH] [VDEVOPS-000]: Support for vault ext secrets
Signed-off-by: adobrodey <8377544+ADobrodey@users.noreply.github.com>
---
 stable/deployment/Chart.yaml | 2 +-
 .../deployment/templates/external-secret.yaml | 42 ++++++++++++++++++++++++-
 stable/statefulset/Chart.yaml | 2 +-
 .../templates/external-secret.yaml | 41 +++++++++++++++++++++++-
 4 files changed, 83 insertions(+), 4 deletions(-)
diff --git a/stable/deployment/Chart.yaml b/stable/deployment/Chart.yaml
index 086d930..0601280 100644
--- a/stable/deployment/Chart.yaml
+++ b/stable/deployment/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: deployment
-version: 1.8.3
+version: 1.8.5
 description: Typical microservice chart. Supports Ingress controller, horizontal-scalable containers
 type: application
 dependencies:
diff --git a/stable/deployment/templates/external-secret.yaml b/stable/deployment/templates/external-secret.yaml
index d5d151b..3a38a64 100644
--- a/stable/deployment/templates/external-secret.yaml
+++ b/stable/deployment/templates/external-secret.yaml
@@ -33,7 +33,7 @@ spec:
 {{ end -}}
 {{ end -}}
-{{- range (concat .Values.sidecarContainers .Values.initContainers ) }}
+{{- range .Values.sidecarContainers }}
 {{- $values := dict "Values" . "Release" $.Release "Template" $.Template -}}
 {{ if and (hasKey $values.Values "env") (hasKey $values.Values.env "vaultSecret") }}
 {{ $name := default $.Release.Name $values.Values.global.serviceName }}
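Review bot: Replacing the single `concat` range with a sidecar-only loop here and a near-verbatim copy of the ExternalSecret body for initContainers in the `@@ -72` hunk below (and the same two hunks in stable/statefulset/templates/external-secret.yaml) leaves about forty template lines that must be kept in sync by hand. If the split was motivated by `concat` misbehaving when one of the two lists is unset, defaulting each argument keeps one loop: `{{- range (concat (default (list) .Values.sidecarContainers) (default (list) .Values.initContainers)) }}`. If the two container kinds genuinely need to diverge later, the shared body belongs in a `{{- define }}` named template invoked from both ranges rather than a second copy. The range body this line opens continues past the end of the hunk.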
@@ -72,6 +72,46 @@ spec:
 {{ end -}}
 {{ end -}}
+{{- range .Values.initContainers }}
+{{- $values := dict "Values" . "Release" $.Release "Template" $.Template -}}
+{{ if and (hasKey $values.Values "env") (hasKey $values.Values.env "vaultSecret") }}
+{{ $name := default $.Release.Name $values.Values.global.serviceName }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: {{ include "k8s-common.names.fullname" $values }}-vault
+ namespace: {{ $.Release.Namespace }}
+ labels: {{ include "k8s-common.labels.standard" $ | nindent 4 }}
+spec:
+ secretStoreRef:
+ name: default
+ kind: ClusterSecretStore
+ refreshInterval: "3m"
+ target:
+ name: {{ include "k8s-common.names.fullname" $values }}-vault
+ template:
+ metadata:
+ annotations:
+ external-secret: "true"
+ data:
+ {{- $allVaultSecrets := default (dict) $values.Values.env.vaultSecret -}}
+ {{- range $key, $value := $allVaultSecrets }}
+ - secretKey: {{ $key }}
+ remoteRef:
+ key: {{ if $value.fullPath -}}
+ {{- $value.fullPath -}}
+ {{- else -}}
+ secret-{{ $.Values.global.product }}/data/
+ {{- $.Values.global.environment -}}
+ /k8s/{{ $.Release.Namespace}}/{{ $value.path }}
+ {{- end }}
+ property: {{ default $key $value.secret }}
+ {{ end -}}
+{{ end -}}
+{{ end -}}
+
+
 {{- if .Values.vaultVolumesSupport -}}
 {{- $allVolumes := default (dict) .Values.volumes -}}
 {{- range $key, $value := $allVolumes }}
diff --git a/stable/statefulset/Chart.yaml b/stable/statefulset/Chart.yaml
index 0ca9ce2..f1a5a09 100644
--- a/stable/statefulset/Chart.yaml
+++ b/stable/statefulset/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: statefulset
-version: 1.8.4
+version: 1.8.5
 description: Typical StateFul Set application
 type: application
 dependencies:
diff --git a/stable/statefulset/templates/external-secret.yaml b/stable/statefulset/templates/external-secret.yaml
index bcad37a..c49674e 100644
--- a/stable/statefulset/templates/external-secret.yaml
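Review bot: In the new initContainers block, `- secretKey: {{ $key }}`, the multi-line `key:` value and `property: {{ default $key $value.secret }}` are rendered as plain YAML scalars, so a key, Vault path or property that contains `: ` or ` #`, or that a YAML parser reads as a number or boolean, is retyped or breaks the manifest where the ExternalSecret schema wants strings (the statefulset copy of this hunk has the same lines). Computing the path once and quoting it also removes the whitespace-trimming branches: `{{- $remoteKey := $value.fullPath | default (printf "secret-%v/data/%v/k8s/%v/%v" $.Values.global.product $.Values.global.environment $.Release.Namespace $value.path) }}` followed by `key: {{ $remoteKey | quote }}`, with `| quote` applied to `secretKey` and `property` as well. `$name` is assigned on the fourth added line but never read inside the block, so that line can go. `secretStoreRef` (`default` / `ClusterSecretStore`) and `refreshInterval: "3m"` are hard-coded while product and environment come from values, so a consumer cannot point the chart at a different store or refresh period without patching the template. Note that `fullPath` lets a values file reference any path the store's Vault credentials can read, bypassing the product/environment/namespace prefix, so that prefix is a naming convention rather than an access boundary; a comment above the `{{ if $value.fullPath -}}` line stating that the real boundary is the ClusterSecretStore's Vault policy would keep the next reader from assuming otherwise.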
+++ b/stable/statefulset/templates/external-secret.yaml
@@ -33,7 +33,7 @@ spec:
 {{ end -}}
 {{ end -}}
-{{- range (concat .Values.sidecarContainers .Values.initContainers ) }}
+{{- range .Values.sidecarContainers }}
 {{- $values := dict "Values" . "Release" $.Release "Template" $.Template -}}
 {{ if and (hasKey $values.Values "env") (hasKey $values.Values.env "vaultSecret") }}
 {{ $name := default $.Release.Name $values.Values.global.serviceName }}
@@ -72,6 +72,45 @@ spec:
 {{ end -}}
 {{ end -}}
+{{- range .Values.initContainers }}
+{{- $values := dict "Values" . "Release" $.Release "Template" $.Template -}}
+{{ if and (hasKey $values.Values "env") (hasKey $values.Values.env "vaultSecret") }}
+{{ $name := default $.Release.Name $values.Values.global.serviceName }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: {{ include "k8s-common.names.fullname" $values }}-vault
+ namespace: {{ $.Release.Namespace }}
+ labels: {{ include "k8s-common.labels.standard" $ | nindent 4 }}
+spec:
+ secretStoreRef:
+ name: default
+ kind: ClusterSecretStore
+ refreshInterval: "3m"
+ target:
+ name: {{ include "k8s-common.names.fullname" $values }}-vault
+ template:
+ metadata:
+ annotations:
+ external-secret: "true"
+ data:
+ {{- $allVaultSecrets := default (dict) $values.Values.env.vaultSecret -}}
+ {{- range $key, $value := $allVaultSecrets }}
+ - secretKey: {{ $key }}
+ remoteRef:
+ key: {{ if $value.fullPath -}}
+ {{- $value.fullPath -}}
+ {{- else -}}
+ secret-{{ $.Values.global.product }}/data/
+ {{- $.Values.global.environment -}}
+ /k8s/{{ $.Release.Namespace}}/{{ $value.path }}
+ {{- end }}
+ property: {{ default $key $value.secret }}
+ {{ end -}}
+{{ end -}}
+{{ end -}}
+
 {{- if .Values.vaultVolumesSupport -}}
 {{- $allVolumes := default (dict) .Values.volumes -}}
 {{- range $key, $value := $allVolumes }}
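Review bot: The initContainers block added in the `@@ -72` hunk here is a byte-for-byte copy of the one in stable/deployment/templates/external-secret.yaml apart from the trailing blank lines (one `+` blank line before `{{- if .Values.vaultVolumesSupport -}}` here, two in the deployment hunk), so every defect in this template now has to be fixed in two charts. Both charts already pull helpers from `k8s-common` (`include "k8s-common.names.fullname"`, `include "k8s-common.labels.standard"`), which looks like a shared library chart; the ExternalSecret body from `apiVersion: external-secrets.io/v1beta1` through the closing `{{ end -}}` could live there as one named template taking the `$values` dict, with each chart's ranges reduced to an `include`. Until that move happens, dropping the stray blank line here (or matching the deployment copy) keeps the two files diffable against each other. The template continues past this hunk with the vaultVolumesSupport block.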