feat: use secrets for sensitive data

metatypedev · Sep 25, 2023 · b12ccc1 · b12ccc1
1 parent ce5f1f0
commit b12ccc1
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 9 deletions.
diff --git a/charts/typegate/Chart.lock b/charts/typegate/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: redis
   repository: https://charts.bitnami.com/bitnami
-  version: 17.10.2
+  version: 18.1.0
 - name: common
   repository: https://charts.bitnami.com/bitnami
-  version: 1.17.1
-digest: sha256:9c93750370c424705e5a4b15302e28f5ae0f12bc271c08e8c29710ca2b52a6c6
-generated: "2023-05-05T23:03:21.839783+02:00"
+  version: 2.12.0
+digest: sha256:d115bd59db58af36e1eddc51c6e6df1d8f53b99a8fc4ef0801da120437b49be6
+generated: "2023-09-25T18:05:26.560982+02:00"
diff --git a/charts/typegate/Chart.yaml b/charts/typegate/Chart.yaml
@@ -2,14 +2,14 @@ apiVersion: v2
 name: typegate
 description: A Helm chart for Typegate
 type: application
-version: 0.1.2
+version: 0.2.0
 appVersion: "0.1.7"
 icon: https://metatype.dev/images/logo.svg
 dependencies:
   - name: redis
     condition: redis.enabled
-    version: "17.10.x"
+    version: "18.x.x"
     repository: "https://charts.bitnami.com/bitnami"
   - name: common
     repository: https://charts.bitnami.com/bitnami
-    version: 1.x.x
+    version: 2.x.x
diff --git a/charts/typegate/templates/deployment.yaml b/charts/typegate/templates/deployment.yaml
@@ -4,8 +4,9 @@ metadata:
   name: {{ include "typegate.fullname" . }}
   labels:
     {{- include "typegate.labels" . | nindent 4 }}
-  {{- with .Values.deploymentAnnotations }}
   annotations:
+    checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+  {{- with .Values.deploymentAnnotations }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
@@ -48,6 +49,16 @@ spec:
                 secretKeyRef:
                   name: {{ template "redis.secretName" .Subcharts.redis }}
                   key: {{ template "redis.secretPasswordKey" .Subcharts.redis }}
+            - name: TG_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (include "typegate.fullname" .) .Values.auth.existingSecret }}
+                  key: {{ .Values.auth.secretKeys.secretKey }}
+            - name: TG_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (include "typegate.fullname" .) .Values.auth.existingSecret }}
+                  key: {{ .Values.auth.secretKeys.adminPasswordKey }}
             {{- with .Values.extraEnv }}
             {{- toYaml . | nindent 12 }}
             {{- end }}

diff --git a/charts/typegate/templates/secret.yaml b/charts/typegate/templates/secret.yaml
@@ -0,0 +1,10 @@
+{{- if eq .Values.auth.existingSecret "" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "typegate.fullname" . }}
+type: Opaque
+data:
+  {{ .Values.auth.secretKeys.secretKey }}: {{ .Values.auth.secret | b64enc | quote }}
+  {{ .Values.auth.secretKeys.adminPasswordKey }}: {{ .Values.auth.adminPassword | b64enc | quote }}
+{{- end }}
diff --git a/charts/typegate/values.yaml b/charts/typegate/values.yaml
@@ -4,12 +4,24 @@ image:
   registry: ghcr.io
   repository: metatypedev/typegate
   pullPolicy: IfNotPresent
-  tag: v0.1.7
+  tag: v0.1.14
 
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+auth:
+  # password to manage the typegate
+  adminPassword: ""
+  # encryption key (64 bytes in base64)
+  # can be generated by:
+  # openssl rand -base64 64 | tr -d '\n'
+  secret: ""
+  existingSecret: ""
+  secretKeys:
+    adminPasswordKey: "adminPassword"
+    secretKey: "secret"
+
 podAnnotations: {}
 
 deploymentAnnotations: {}