feat: secret store (#96)

* feat: secret store * ci: fix helm lint version * ci: photon architecture x86 * ci: use default phyton version
myriadsocial · Nov 18, 2023 · a693a1b · a693a1b
1 parent dc3bf39
commit a693a1b
Show file tree

Hide file tree

Showing 27 changed files with 109 additions and 815 deletions.
diff --git a/.github/workflows/releaser.yaml b/.github/workflows/releaser.yaml
@@ -28,7 +28,7 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@v3
         with:
-          version: v3.9.4
+          version: v3.12.1
       - name: Run chart-releaser
         uses: helm/[email protected]
         env:

diff --git a/.github/workflows/tester.yaml b/.github/workflows/tester.yaml
@@ -22,21 +22,17 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@v3
         with:
-          version: v3.9.4
+          version: v3.12.1
       - name: Set up Python
         uses: actions/setup-python@v4
-        with:
-          python-version: 3.7
       - name: Set up Chart Testing
-        uses: helm/[email protected]
-        with:
-          version: v3.4.0
+        uses: helm/[email protected]
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |
           changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
           if [[ -n "$changed" ]]; then
-            echo "::set-output name=changed::true"
+            echo "changed=true" >> "$GITHUB_OUTPUT"
           fi
       - name: Run chart-testing (lint)
         if: steps.list-changed.outputs.changed == 'true'

diff --git a/README.md b/README.md
@@ -16,19 +16,8 @@ Starting with Myriad.Social, we are creating a platform where social app, metave
 
 ---
 
-## Actions
-
-* [@helm/kind-action](https://github.com/helm/kind-action)
-* [@helm/chart-testing-action](https://github.com/helm/chart-testing-action)
-* [@helm/chart-releaser-action](https://github.com/helm/chart-releaser-action)
-
-## Project Status
-
-`main` supports Helm 3 only, i. e. both `v1` and `v2` [API version](https://helm.sh/docs/topics/charts/#the-apiversion-field) charts are installable.
-
 ## Chart Sources
 
-* `charts/myriad-node`: [Myriad Node Chart](./charts/myriad-node)
 * `charts/myriad-api` : [Myriad API Chart](./charts/myriad-api)
 * `charts/myriad-web` : [Myriad Web App Chart](./charts/myriad-web)
 * `charts/myriad-federated` : [Myriad Web Federated Chart](./charts/myriad-federated)
@@ -38,5 +27,5 @@ Starting with Myriad.Social, we are creating a platform where social app, metave
 ```bash
 helm repo add myriadsocial https://charts.myriad.social
 helm repo update
-helm install myriad-node myriadsocial/myriad-node
+helm install myriad-api myriadsocial/myriad-api
 ```
diff --git a/charts/myriad-api/Chart.yaml b/charts/myriad-api/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.3.4
+version: 2.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.3.4"
+appVersion: "2.4.0"
 maintainers:
   - email: [email protected]
     name: myriadsocial
diff --git a/charts/myriad-api/templates/deployment.yaml b/charts/myriad-api/templates/deployment.yaml
@@ -39,7 +39,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.config.firebase.serviceAccountBase64 }}
+      {{- if and (not .Values.config.secretsStore.enabled) .Values.config.firebase.serviceAccountBase64 }}
       volumes:
         - name: google-service-account-credentials
           secret:
@@ -48,6 +48,15 @@ spec:
               - key: serviceAccount
                 path: sa_credentials.json
       {{- end }}
+      {{- if and .Values.config.secretsStore.enabled .Values.config.secretsStore.providerClass }}
+      volumes:
+        - name: secrets-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: {{ .Values.config.secretsStore.providerClass }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -56,6 +65,7 @@ spec:
             {{- toYaml .Values.resources | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if not .Values.config.secretsStore.enabled }}
           env:
             {{- if .Values.config.domain }}
             - name: DOMAIN
@@ -198,6 +208,18 @@ spec:
               mountPath: /etc/google
               readOnly: true
           {{- end }}
+          {{- end }}
+          {{- if .Values.config.secretsStore.enabled }}
+          envFrom:
+            {{- if .Values.config.secretsStore.name }}
+            - secretRef:
+                name: {{ .Values.config.secretsStore.name }}
+            {{- end }}
+          volumeMounts:
+            - name: secrets-store
+              mountPath: "/var/secrets"
+              readOnly: true
+          {{- end }}
           ports:
             - name: http
               containerPort: 3000

diff --git a/charts/myriad-api/templates/secrets.yaml b/charts/myriad-api/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.config.secretsStore.enabled }}
 {{- if .Values.config.adminSubstrateMnemonic }}
 apiVersion: v1
 kind: Secret
@@ -115,3 +116,4 @@ type: Opaque
 data:
   apiKey: {{ .Values.config.coinMarketCap.apiKey | b64enc }}
 {{- end }}
+{{- end }}
diff --git a/charts/myriad-api/values.yaml b/charts/myriad-api/values.yaml
@@ -14,6 +14,10 @@ image:
 imagePullSecrets: []
 
 config:
+  secretsStore:
+    enabled: false
+    providerClass: ""
+    name: ""
   domain: ""
   adminSubstrateMnemonic: ""
   adminNearMnemonic: ""
@@ -50,6 +54,12 @@ config:
     apiKey: ""
   coinMarketCap:
     apiKey: ""
+  startupProbe:
+    path: ""
+  livenessProbe:
+    path: ""
+  readinessProbe:
+    path: ""
 
 serviceAccount:
   # Specifies whether a service account should be created

diff --git a/charts/myriad-federated/Chart.yaml b/charts/myriad-federated/Chart.yaml
@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.4
+version: 2.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.0.4"
+appVersion: "2.4.0"
 maintainers:
   - email: [email protected]
     name: myriadsocial
diff --git a/charts/myriad-federated/templates/deployment.yaml b/charts/myriad-federated/templates/deployment.yaml
@@ -39,6 +39,15 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if and .Values.config.secretsStore.enabled .Values.config.secretsStore.providerClass }}
+      volumes:
+        - name: secrets-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: {{ .Values.config.secretsStore.providerClass }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -47,6 +56,7 @@ spec:
             {{- toYaml .Values.resources | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if not .Values.config.secretsStore.enabled }}
           env:
             {{- if .Values.config.app.environment }}
             - name: NEXT_PUBLIC_APP_ENVIRONMENT
@@ -87,6 +97,18 @@ spec:
             - name: NEXT_PUBLIC_SENTRY_DSN
               value: {{ .Values.config.sentry.dsn }}
             {{- end }}
+          {{- end }}
+          {{- if .Values.config.secretsStore.enabled }}
+          envFrom:
+            {{- if .Values.config.secretsStore.name }}
+            - secretRef:
+                name: {{ .Values.config.secretsStore.name }}
+            {{- end }}
+          volumeMounts:
+            - name: secrets-store
+              mountPath: "/var/secrets"
+              readOnly: true
+          {{- end }}
           ports:
             - name: http
               containerPort: 3000

diff --git a/charts/myriad-federated/templates/secrets.yaml b/charts/myriad-federated/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.config.secretsStore.enabled }}
 {{- if .Values.config.app.secret }}
 apiVersion: v1
 kind: Secret
@@ -10,3 +11,4 @@ data:
 ---
 
 {{- end }}
+{{- end }}
diff --git a/charts/myriad-federated/values.yaml b/charts/myriad-federated/values.yaml
@@ -14,14 +14,18 @@ image:
 imagePullSecrets: []
 
 config:
+  secretsStore:
+    enabled: false
+    providerClass: ""
+    name: ""
   app:
     environment: ""
     name: ""
     version: ""
     authURL: ""
     secret: ""
-  websiteURL: ""
   supportMail: ""
+  websiteURL: ""
   rpcURL: ""
   sentry:
     dsn: ""

diff --git a/charts/myriad-node/.helmignore b/charts/myriad-node/.helmignore
diff --git a/charts/myriad-node/Chart.yaml b/charts/myriad-node/Chart.yaml