Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: vault-sidecare-autoloader - copied logic from helm-service #2031

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions charts/app/templates/backend/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -40,3 +40,36 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}


{{/*
Vault Sideloader Annotations
*/}}
{{- define "backend.vaultAnnotations" -}}
{{- if and .Values.backend.vault .Values.backend.vault.enabled }}
# 1. Vault injector configuration goes here, inside the template.
vault.hashicorp.com/agent-inject: 'true'
vault.hashicorp.com/agent-inject-token: 'true'
vault.hashicorp.com/agent-pre-populate-only: 'true' # this makes sure the secret vault will only change during pod restart
vault.hashicorp.com/auth-path: auth/k8s-silver # This was tricky. Be sure to use k8s-silver, k8s-gold, or k8s-golddr
vault.hashicorp.com/namespace: platform-services
vault.hashicorp.com/role: {{tpl .Values.backend.vault.role .}} # licenseplate-nonprod or licenseplate-prod are your options
{{- if .Values.backend.vault.resources }}
vault.hashicorp.com/agent-requests-cpu: {{.Values.backend.vault.resources.requests.cpu }}
vault.hashicorp.com/agent-limits-cpu: {{.Values.backend.vault.resources.limits.cpu }}
vault.hashicorp.com/agent-requests-mem: {{.Values.backend.vault.resources.requests.memory }}
vault.hashicorp.com/agent-limits-mem: {{.Values.backend.vault.resources.limits.memory }}
{{- end }}

# Configure how to retrieve and populate the secrets from Vault:
# - The name of the secret is any unique string after vault.hashicorp.com/agent-inject-secret-<name>
# - The value is the path in Vault where the secret is located.
{{- range $k := .Values.backend.vault.secretPaths }}
vault.hashicorp.com/agent-inject-secret-{{tpl $k $}}: {{tpl $.Values.backend.vault.role $}}/{{tpl $k $}}
vault.hashicorp.com/agent-inject-template-{{tpl $k $}}: |
{{ printf "%s" "{{" }}- with secret "{{tpl $.Values.backend.vault.role $}}/{{tpl $k $}}"{{ printf "%s" "}}" }}
{{ printf "%s" "{{" }}- range $k,$v := .Data.data{{ printf "%s" "}}" }}
export {{"{{"}}$k{{"}}"}}="{{"{{"}}$v{{"}}"}}"
{{ printf "%s" "{{" }}- end{{ printf "%s" "}}" }}
{{ printf "%s" "{{" }}- end{{ printf "%s" "}}" }}
{{- end }}
{{- end }}
{{- end }}
12 changes: 12 additions & 0 deletions charts/app/templates/backend/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ spec:
template:
metadata:
annotations:
{{- if and .Values.backend.vault .Values.backend.vault.enabled }}
{{- include "backend.vaultAnnotations" . | nindent 8 }}
{{- end }}
rollme: {{ randAlphaNum 5 | quote }}
prometheus.io/scrape: 'true'
prometheus.io/port: '3000'
Expand Down Expand Up @@ -49,12 +52,21 @@ spec:
requests:
cpu: 50m
memory: 25Mi
{{- if $.Values.backend.serviceAccount }}
serviceAccountName: {{tpl $.Values.backend.serviceAccount.name .}}
{{- end }}
containers:
- name: {{ include "backend.fullname" . }}
{{- if .Values.backend.securityContext }}
securityContext:
{{- toYaml .Values.backend.securityContext | nindent 12 }}
{{- end }}
{{- if (index .Values.backend.containers 0).command }}
command:
{{- range (index .Values.backend.containers 0).command }}
- "{{tpl . $}}"
{{- end }}
{{- end}}
image: "{{.Values.global.registry}}/{{.Values.global.repository}}/backend:{{ .Values.global.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ default "Always" .Values.backend.imagePullPolicy }}
envFrom:
Expand Down
21 changes: 19 additions & 2 deletions charts/app/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,19 @@ backend:
enabled: true
#-- the deployment strategy, can be "Recreate" or "RollingUpdate"
deploymentStrategy: Recreate
containers:
- name: backend
command:
- "sh"
- "-c"
- "source /vault/secrets/dev/api-1 && \
source /vault/secrets/dev/api-2 && \
source /vault/secrets/test/api-1 && \
source /vault/secrets/test/api-2 && \
source /vault/secrets/prod/api-1 && \
source /vault/secrets/prod/api-2 && \
caddy fmt /etc/caddy/Caddyfile"

#-- autoscaling for the component. it is optional and is an object.
autoscaling:
#-- enable or disable autoscaling.
Expand All @@ -37,12 +50,16 @@ backend:
maxReplicas: 7
#-- the target cpu utilization percentage, is from request cpu and NOT LIMIT CPU.
targetCPUUtilizationPercentage: 80
# -- Create a service account used to bind with vault.
# -- name is required, MUST BE #licenseplate-vault
serviceAccount:
name: "<LICENSEPLATE>-vault"
#-- vault, for injecting secrets from vault. it is optional and is an object. it creates an initContainer which reads from vault and app container can source those secrets. for referring to a working example with vault follow this link: https://github.com/bcgov/onroutebc/blob/main/charts/onroutebc/values.yaml#L171-L186
vault:
#-- enable or disable vault.
enabled: false
enabled: true
#-- the role of the vault. it is required, #licenseplate-prod or licenseplate-nonprod, license plate is the namespace without env
role: ~
role: "<LICENSEPLATE>-nonprod"
#-- the vault path where the secrets live. it is required, dev/api-1, dev/api-2, test/api-1 etc...
secretPaths:
- dev/api-1
Expand Down
Loading