From 785002a63d9f4629944e9c3e5708bcd1c4e64c27 Mon Sep 17 00:00:00 2001
From: Matt March <matt.march@logdna.com>
Date: Fri, 8 Mar 2024 14:01:47 -0500
Subject: [PATCH] feat: allow specifying existing token secret

Adds a `mezmoApiAccessSecret` option to use instead of a manually
specified access token

ref: LOG-19426
---
 .github/workflows/lint-test.yaml                  |  4 ++--
 charts/edge/Chart.yaml                            |  2 +-
 charts/edge/README.md                             |  3 ++-
 charts/edge/templates/NOTES.txt                   | 11 -----------
 charts/edge/templates/_helpers.tpl                | 15 +++++++++++++++
 .../edge/templates/secret-api-access-token.yaml   |  2 ++
 charts/edge/templates/statefulset.yaml            |  2 +-
 charts/edge/values.yaml                           | 15 +++++++++++++++
 8 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
index fc170f6..4fe42d3 100644
--- a/.github/workflows/lint-test.yaml
+++ b/.github/workflows/lint-test.yaml
@@ -34,7 +34,7 @@ jobs:
 
       - name: Run chart-testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
-        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--set mezmoApiAccessToken=my-token"
 
       - name: Create kind cluster
         if: steps.list-changed.outputs.changed == 'true'
@@ -42,4 +42,4 @@ jobs:
 
       - name: Run chart-testing (install)
         if: steps.list-changed.outputs.changed == 'true'
-        run: ct install --target-branch ${{ github.event.repository.default_branch }}
+        run: ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--set mezmoApiAccessToken=my-token"
diff --git a/charts/edge/Chart.yaml b/charts/edge/Chart.yaml
index 1504976..e1cf30e 100644
--- a/charts/edge/Chart.yaml
+++ b/charts/edge/Chart.yaml
@@ -5,7 +5,7 @@ icon: https://app.mezmo.com/assets/img/mz-logo-square-128.png
 description: A Helm chart for deploying Mezmo Edge
 type: application
 appVersion: "3.7.3"
-version: 1.0.0
+version: 1.1.0
 maintainers:
   - name: Mezmo
     email: help@mezmo.com
diff --git a/charts/edge/README.md b/charts/edge/README.md
index 5bb71b3..5823413 100644
--- a/charts/edge/README.md
+++ b/charts/edge/README.md
@@ -31,7 +31,8 @@ helm install edge mezmo/edge \
 
 | **Key**                   | **Type** | **Default**     | **Description**
 | ------------------------- | -------- | --------------- | ----------------------------------------------------------------------
-| mezmoApiAccessToken       | string   |                 | Your Mezmo API access token
+| mezmoApiAccessToken       | string   |                 | Your Mezmo API access token. If `mezmoApiAccessSecret` is also specified it take precedence and this will be unused
+| mezmoApiAccessSecret      | string   |                 | Existing secret containing your Mezmo API access token. Given secret should have the token in a key named `api-access-token` and be in the same namespace as the Edge instance. Takes precedence over `mezmoApiAccessToken`
 | mezmoDeploymentGroup      | string   |                 | Deployment group to apply to this Edge instance. Leaving undefined pulls all Edge pipelines for the org
 | mezmoApiScheme            | string   | "https"         | The scheme to use for the Mezmo API URL
 | mezmoApiHost              | string   | "api.mezmo.com" | The hostname(:port) of the Mezmo API
diff --git a/charts/edge/templates/NOTES.txt b/charts/edge/templates/NOTES.txt
index fb07d03..c3b20f2 100644
--- a/charts/edge/templates/NOTES.txt
+++ b/charts/edge/templates/NOTES.txt
@@ -1,13 +1,3 @@
-{{- if not .Values.mezmoApiAccessToken -}}
-#####################################################################
-###  ERROR: Please specify an access token `mezmoApiAccessToken`  ###
-#####################################################################
-
-Try:
-
-  $ helm upgrade --reuse-values --set mezmoApiAccessToken=<ACCESS_TOKEN> {{ .Release.Name }} mezmo/{{ .Chart.Name }}
-
-{{ else -}}
 Welcome to Edge {{ .Chart.Version }} release "{{ .Release.Name }}".
 
 ----------------------------------------------------------------
@@ -37,7 +27,6 @@ To run selected pipelines, apply a Deployment Group in the Pipeline Settings pag
 
 This Edge instance is running the "{{ .Values.mezmoDeploymentGroup}}" deployment group pipelines.
 
-{{end -}}
 {{end -}}
 
 -
diff --git a/charts/edge/templates/_helpers.tpl b/charts/edge/templates/_helpers.tpl
index e2d24d0..b926cc1 100644
--- a/charts/edge/templates/_helpers.tpl
+++ b/charts/edge/templates/_helpers.tpl
@@ -102,3 +102,18 @@ deployment_group: {{ .Values.mezmoDeploymentGroup | quote }}
 ports: {{- include "edge.sourcePorts" . | nindent 2 }}
 version: edge-{{ $.Chart.Version }}
 {{- end }}
+
+{{/*
+Secret file name to use
+*/}}
+{{- define "edge.tokenSecretRef" -}}
+{{- if .Values.mezmoApiAccessSecret }}
+name: {{ .Values.mezmoApiAccessSecret }}
+{{- else }}
+{{- if .Values.mezmoApiAccessToken }}
+name: {{ include "edge.fullname" . }}
+{{- else }}
+{{ fail .Values.tokenSecretRefError }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/edge/templates/secret-api-access-token.yaml b/charts/edge/templates/secret-api-access-token.yaml
index 6f5c9e6..3eea855 100644
--- a/charts/edge/templates/secret-api-access-token.yaml
+++ b/charts/edge/templates/secret-api-access-token.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.mezmoApiAccessToken -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,3 +11,4 @@ metadata:
 type: Opaque
 data:
   api-access-token: {{ default "MISSING" .Values.mezmoApiAccessToken | b64enc | quote }}
+{{- end }}
diff --git a/charts/edge/templates/statefulset.yaml b/charts/edge/templates/statefulset.yaml
index bf5fe92..4a36c20 100644
--- a/charts/edge/templates/statefulset.yaml
+++ b/charts/edge/templates/statefulset.yaml
@@ -64,7 +64,7 @@ spec:
           - name: MEZMO_LOCAL_DEPLOY_AUTH_TOKEN
             valueFrom:
               secretKeyRef:
-                name: {{ include "edge.fullname" . }}
+                {{ include "edge.tokenSecretRef" . | nindent 16  }}
                 key: api-access-token
           - name: MEZMO_METRICS_ENDPOINT_URL
             value: "{{include "edge.mezmoApiBaseUrl" . }}/v3/pipeline/account/local-deploy/metric/usage?edge_id={{include "edge.Id" . | urlquery }}"
diff --git a/charts/edge/values.yaml b/charts/edge/values.yaml
index 3f56570..b971e0f 100644
--- a/charts/edge/values.yaml
+++ b/charts/edge/values.yaml
@@ -15,6 +15,9 @@ mezmoApiHost: "api.mezmo.com"
 # Your Mezmo API Access Token
 mezmoApiAccessToken: ""
 
+# Secret containing your Mezmo API Access Token
+mezmoApiAccessSecret: ""
+
 # Deployment group for this Edge instance.
 # Setting configures only pipelines tagged with this group name.
 # Leaving unset configures all Edge pipelines defined in your org.
@@ -78,3 +81,15 @@ pvcName: ""
 
 maxDiskBufferBytes: 0
 maxMemBufferEvents: 0
+
+tokenSecretRefError: |+
+
+
+  ######################################################################
+  ###  ERROR: Please specify an access token (`mezmoApiAccessToken`) ###
+  ###    or a secret containing a token (`mezmoApiAccessSecret`)     ###
+  ######################################################################
+
+  Try:
+
+    $ helm upgrade --reuse-values --set mezmoApiAccessToken=<ACCESS_TOKEN> {{ .Release.Name }} mezmo/{{ .Chart.Name }}