Merge pull request #160 from camptocamp/external-secrets

Add external secrets

.github/spell-ignore-words.txt

@@ -2,3 +2,9 @@ fullname
 Kubernetes
 ConfigMap
 YAML
+1h
+1m
+1s
+SecretStore
+ExternalSecret
+secretKey

.github/workflows/main.yaml

@@ -68,6 +68,11 @@ jobs:
       - name: Setup k3s/k3d
         run: c2cciutils-k8s-install
 
+      - name: Install external-secret CRD
+        run: |
+          curl https://raw.githubusercontent.com/external-secrets/external-secrets/main/deploy/crds/bundle.yaml --output /tmp/external-secrets-crd.yaml
+          kubectl apply -f /tmp/external-secrets-crd.yaml
+
       - name: Apply
         run: kubectl apply -f tests/expected.yaml
 

.pre-commit-config.yaml

@@ -56,6 +56,22 @@ repos:
           - custom
           - .
           - tests/expected.yaml
+  - repo: https://github.com/camptocamp/helm-common
+    rev: 2.0.1
+    hooks:
+      - id: helm-template-gen
+        files: |-
+          (?x)(
+            ^templates/.*$
+            |^values\.yaml$
+            |^Chart\.yaml$
+            |tests/values-external\.yaml$
+          )
+        args:
+          - --values=tests/values-external.yaml
+          - custom
+          - .
+          - tests/expected-external.yaml
   - repo: https://github.com/codespell-project/codespell
     rev: v2.3.0
     hooks:
@@ -64,6 +80,7 @@ repos:
     rev: v3.1.0
     hooks:
       - id: prettier
+        exclude: ^tests/expected.*\.yaml$
         additional_dependencies:
           - prettier@3.3.3 # npm
           - prettier-plugin-sh@0.14.0 # npm

templates/_helpers.tpl

@@ -13,3 +13,31 @@
   }
 }
 {{- end }}
+
+{{- define "application.secrets.externaldockerregistry" -}}
+{
+  "auths": {
+    {{- range $registryName, $conf := . }}
+    {{- $url := ( default ( printf "{{ .%s-url }}" $registryName ) $conf.url ) }}
+    {{- $username := ( default ( printf "{{ .%s-username }}" $registryName ) $conf.username ) }}
+    {{- $password := ( default ( printf "{{ .%s-password }}" $registryName ) $conf.password ) }}
+    {{- $email := ( default ( printf "{{ .%s-email }}" $registryName ) $conf.email ) }}
+    {{ $url | quote }}: {
+      {{- if and ( hasKey $conf "username" ) ( hasKey $conf "password" ) }}
+      "auth": {{ printf "%s:%s" $conf.username $conf.password | b64enc | quote }},
+      {{- else if hasKey $conf "username" }}
+      "auth": {{ printf "{{ ( printf \"%s:%s\" .%s-password ) | b64enc | quote }}" $conf.username "%s" $registryName }},
+      {{- else if hasKey $conf "password" }}
+      "auth": {{ printf "{{ ( printf \"%s:%s\" .%s-username ) | b64enc | quote }}" "%s" $conf.password $registryName }},
+      {{- else }}
+      "auth": {{ printf "{{ ( printf \"%s:%s\" .%s-username .%s-password ) | b64enc | quote }}" "%s" "%s" $registryName $registryName }},
+      {{- end }}
+      "username": {{ $username | quote }},
+      "password": {{ $password | quote }},
+      "email": {{ $email | quote }}
+    },
+    {{- end }}
+    "fix-end-comma": {"auth": ""}
+  }
+}
+{{- end }}

templates/dockerhub-secret.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.external }}
 {{- if .Values.dockerregistry }}
 apiVersion: v1
 kind: Secret
@@ -8,3 +9,4 @@ type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: {{ include "secrets.dockerregistry" . | b64enc }}
 {{- end }}
+{{- end }}

templates/external-secret-docker-registry.yaml

@@ -0,0 +1,45 @@
+{{- if .Values.external }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ include "common.fullname" ( dict "root" $ "service" $.Values ) }}-dockerregistry
+  {{- include "common.metadata" ( dict "root" $ "service" $.Values ) | nindent 2 }}
+spec:
+  {{- with $.Values.dockerregistryRefreshInterval }}
+  refreshInterval: {{ . }}
+  {{- end }}
+  {{- with $.Values.dockerregistrySecretStoreRef }}
+  secretStoreRef: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  target:
+    name: {{ include "common.fullname" ( dict "root" $ "service" $.Values ) }}-dockerregistry
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: |-
+          {{- include "application.secrets.externaldockerregistry" .Values.dockerregistry | nindent 10 }}
+  data:
+  {{- range $registryName, $conf := .Values.dockerregistry }}
+  {{- with $conf.externalUsername }}
+    - secretKey: {{ $registryName }}-username
+      remoteRef:
+        key: {{ $conf.externalUsername }}
+  {{- end }}
+  {{- with $conf.externalPassword }}
+    - secretKey: {{ $registryName }}-password
+      remoteRef:
+        key: {{ $conf.externalPassword }}
+  {{- end }}
+  {{- with $conf.externalEmail }}
+    - secretKey: {{ $registryName }}-email
+      remoteRef:
+        key: {{ $conf.externalEmail }}
+  {{- end }}
+  {{- with $conf.externalUrl }}
+    - secretKey: {{ $registryName }}-url
+      remoteRef:
+        key: {{ $conf.externalUrl }}
+  {{- end }}
+  {{- end }}
+{{- end }}

templates/external-secret.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.external }}
+{{- with .Values.externalSecrets }}
+{{- if ( or .data .dataFrom ) }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ include "common.fullname" ( dict "root" $ "service" $.Values ) }}
+  {{- include "common.metadata" ( dict "root" $ "service" $.Values ) | nindent 2 }}
+spec:
+  {{- with .refreshInterval }}
+  refreshInterval: {{ . }}
+  {{- end }}
+  {{- with .secretStoreRef }}
+  secretStoreRef: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  target:
+    name: {{ include "common.fullname" ( dict "root" $ "service" $.Values ) }}
+  {{- with .dataFrom }}
+  dataFrom: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .data }}
+  data: {{- include "common.dictToList" ( dict "keyName" "secretKey" "contents" . ) | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

templates/secret.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.external }}
 {{- with .Values.secrets }}
 ---
 apiVersion: v1
@@ -17,3 +18,4 @@ data:
 {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}

tests/expected-external.yaml

@@ -0,0 +1,94 @@
+---
+# Source: secrets/templates/external-secret-docker-registry.yaml
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: custom-secrets-dockerregistry
+  labels:
+    helm.sh/chart: secrets
+    app.kubernetes.io/version: "1.0"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: secrets
+    app.kubernetes.io/instance: custom
+    app.kubernetes.io/component: main
+  annotations:
+    testAnnotation: annotation value
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: my-secret-store
+  target:
+    name: custom-secrets-dockerregistry
+    template:
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: |-
+          {
+            "auths": {
+              "{{ .docker.io-url }}": {
+                "auth": {{ ( printf "%s:%s" .docker.io-username .docker.io-password ) | b64enc | quote }},
+                "username": "{{ .docker.io-username }}",
+                "password": "{{ .docker.io-password }}",
+                "email": "{{ .docker.io-email }}"
+              },
+              "ghcr.io": {
+                "auth": "YzJjLWJvdC1naXMtY2k6MTIzNA==",
+                "username": "c2c-bot-gis-ci",
+                "password": "1234",
+                "email": "geospatial-bot@camptocamp.com"
+              },
+              "https://index.docker.io/v1/": {
+                "auth": "YzJjZ2lzYm90OjEyMzQ=",
+                "username": "c2cgisbot",
+                "password": "1234",
+                "email": "docker-hub@camptocamp.com"
+              },
+              "fix-end-comma": {"auth": ""}
+            }
+          }
+  data:
+    - secretKey: docker.io-username
+      remoteRef:
+        key: docker-username
+    - secretKey: docker.io-password
+      remoteRef:
+        key: docker-password
+    - secretKey: docker.io-email
+      remoteRef:
+        key: docker-email
+    - secretKey: docker.io-url
+      remoteRef:
+        key: docker-url
+---
+# Source: secrets/templates/external-secret.yaml
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: custom-secrets
+  labels:
+    helm.sh/chart: secrets
+    app.kubernetes.io/version: "1.0"
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: secrets
+    app.kubernetes.io/instance: custom
+    app.kubernetes.io/component: main
+  annotations:
+    testAnnotation: annotation value
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: my-secret-store
+  target:
+    name: custom-secrets
+  data:
+    - secretKey: test
+      remoteRef:
+        key: toto
+    - secretKey: test2
+      remoteRef:
+        key: toto2
+    - secretKey: test3
+      remoteRef:
+        key: toto3

tests/values-external.yaml

@@ -0,0 +1,43 @@
+annotations:
+  testAnnotation: annotation value
+
+external: true
+metadata: false
+
+dockerregistryRefreshInterval: 1h
+dockerregistrySecretStoreRef:
+  name: my-secret-store
+  kind: SecretStore
+
+dockerregistry:
+  https://index.docker.io/v1/:
+    email: docker-hub@camptocamp.com
+    username: c2cgisbot
+    password: '1234'
+    url: https://index.docker.io/v1/
+  docker.io:
+    externalEmail: docker-email
+    externalUsername: docker-username
+    externalPassword: docker-password
+    externalUrl: docker-url
+  ghcr.io:
+    email: geospatial-bot@camptocamp.com
+    username: c2c-bot-gis-ci
+    password: '1234'
+    url: ghcr.io
+
+externalSecrets:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: my-secret-store
+    kind: SecretStore
+  data:
+    test:
+      remoteRef:
+        key: toto
+    test2:
+      remoteRef:
+        key: toto2
+    test3:
+      remoteRef:
+        key: toto3

values.md

@@ -12,6 +12,13 @@
 - **`labels`**: Refer to _[#/definitions/labels](#definitions/labels)_.
 - **`annotations`**: Refer to _[#/definitions/annotations](#definitions/annotations)_.
 - **`metadata`** _(boolean)_: Generate a ConfigMap with some metadata related to the chart.
+- **`external`** _(boolean)_: Secrets from external sources.
+- **`externalSecrets`** _(object)_: Cannot contain additional properties.
+  - **`refreshInterval`** _(string)_: The refresh interval like 1h, 1m, 1s.
+  - **`secretStoreRef`** _(object)_: defines which SecretStore to fetch the ExternalSecret data.
+  - **`dataFrom`** _(array)_: used to fetch all properties from a specific Provider data.
+  - **`data`** _(object)_: Data defines the connection between the Kubernetes Secret keys and the Provider data. Can contain additional properties.
+    - **Additional properties** _(object)_: defines the connection between the Kubernetes Secret key and the Provider data. The map key became the secretKey.
 - **`secrets`** _(object)_: Secrets configuration. Can contain additional properties.
   - **Additional properties**
     - **One of**
@@ -22,11 +29,18 @@
         - **`type`** _(string)_: Type of the secret. Must be one of: `["basicAuth"]`.
         - **`user`** _(string)_: Username.
         - **`password`** _(string)_: Password.
+- **`dockerregistryRefreshInterval`** _(string)_: The refresh interval like 1h, 1m, 1s.
+- **`dockerregistrySecretStoreRef`** _(object)_: defines which SecretStore to fetch the ExternalSecret data.
 - **`dockerregistry`** _(object)_: Docker registries authentication. Can contain additional properties.
   - **Additional properties** _(object)_: Cannot contain additional properties.
-    - **`username`** _(string, required)_: Username.
-    - **`password`** _(string, required)_: Password.
+    - **`username`** _(string)_: Username.
+    - **`password`** _(string)_: Password.
     - **`email`** _(string)_: Email.
+    - **`url`** _(string)_: URL, used only for external secret.
+    - **`externalUsername`** _(string)_: Key of the external secret for the username.
+    - **`externalPassword`** _(string)_: Key of the external secret for the password.
+    - **`externalEmail`** _(string)_: Key of the external secret for the email.
+    - **`externalUrl`** _(string)_: Key of the external secret for the URL.
 - **`configMap`** _(object)_: ConfigMap configuration. Can contain additional properties.
   - **Additional properties**
     - **One of**