From 6a6ad813610c835973a8fac82fc2786651c15908 Mon Sep 17 00:00:00 2001
From: Jake Heath <76011913+jakeyheath@users.noreply.github.com>
Date: Tue, 21 May 2024 12:12:47 -0700
Subject: [PATCH] feat: Update helm chart to include ExternalSecret CRDs for env-level and stack level (#19)
Co-authored-by: Hayden Spitzley
Co-authored-by: Hayden Spitzley <105455169+hspitzley-czi@users.noreply.github.com>
---
 stack/templates/_helpers.tpl | 18 ++++++------
 stack/templates/external_secrets_env.yaml | 35 +++++++++++++++++++++++
 stack/values.yaml | 12 ++++++--
 3 files changed, 53 insertions(+), 12 deletions(-)
 create mode 100644 stack/templates/external_secrets_env.yaml
diff --git a/stack/templates/_helpers.tpl b/stack/templates/_helpers.tpl
index a7624e7..5828b3e 100644
--- a/stack/templates/_helpers.tpl
+++ b/stack/templates/_helpers.tpl
@@ -93,26 +93,26 @@ env:
 {{- end }}
 {{- end }}
-{{- if or (or (or (ne (trim .Values.appConfig.envSecretName) "") (ne (trim .Values.appConfig.envSecretName) "")) (ne (trim .Values.appConfig.envContextConfigMapName) "")) (ne (trim .Values.appConfig.stackContextConfigMapName) "") -}}
+{{- if or (or (or (ne (trim .Values.appSecrets.envSecret.secretName) "") (ne (trim .Values.appSecrets.envSecret.secretName) "")) (ne (trim .Values.appContext.envContextConfigMapName) "")) (ne (trim .Values.appContext.stackContextConfigMapName) "") -}}
 envFrom:
-{{- if ne (trim .Values.appConfig.envSecretName) "" }}
+{{- if ne (trim .Values.appSecrets.envSecret.secretName) "" }}
 - secretRef:
- name: {{ .Values.appConfig.envSecretName }}
+ name: {{ .Values.appSecrets.envSecret.secretName }}
 optional: true
 {{- end }}
-{{- if ne (trim .Values.appConfig.stackSecretName) "" }}
+{{- if ne (trim .Values.appSecrets.stackSecret.secretName) "" }}
 - secretRef:
- name: {{ .Values.appConfig.stackSecretName }}
+ name: {{ .Values.appSecrets.stackSecret.secretName }}
 optional: true
 {{- end }}
-{{- if ne (trim .Values.appConfig.envContextConfigMapName) "" }}
+{{- if ne (trim .Values.appContext.envContextConfigMapName) "" }}
 - configMapRef:
- name: {{ .Values.appConfig.envContextConfigMapName }}
+ name: {{ .Values.appContext.envContextConfigMapName }}
 optional: true
 {{- end }}
-{{- if ne (trim .Values.appConfig.stackContextConfigMapName) "" }}
+{{- if ne (trim .Values.appContext.stackContextConfigMapName) "" }}
 - configMapRef:
- name: {{ .Values.appConfig.stackContextConfigMapName }}
+ name: {{ .Values.appContext.stackContextConfigMapName }}
 optional: true
 {{- end }}
 {{- end }}
diff --git a/stack/templates/external_secrets_env.yaml b/stack/templates/external_secrets_env.yaml
new file mode 100644
index 0000000..8103497
--- /dev/null
+++ b/stack/templates/external_secrets_env.yaml
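Review bot: The outer `if or` guard tests `.Values.appSecrets.envSecret.secretName` twice and never tests `.Values.appSecrets.stackSecret.secretName`, a duplicate carried over from the old `appConfig.envSecretName` operand. When only the stack secret is configured (no env secret and no context ConfigMap), the whole `envFrom:` block is skipped, so the stack-level `secretRef` is never rendered and the container starts without those variables, with no render or admission error to signal it. The second operand should read `(ne (trim .Values.appSecrets.stackSecret.secretName) "")`. The enclosing template definition starts above the hunk, so its other callers and inputs are not visible here.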
@@ -0,0 +1,35 @@
+{{ $global := . }}
+{{ range $serviceName, $serviceValues := .Values.services }}
+ {{- $globalValuesDict := $global.Values.global | toYaml -}}
+ {{- $values := fromYaml $globalValuesDict -}}
+ {{- $values = set $values "name" $serviceName -}}
+ {{- $values := mergeOverwrite $values $serviceValues -}}
+ {{- $service := dict "Chart" $global.Chart "Release" $global.Release "Capabilities" $global.Capabilities "Values" $values -}}
+
+{{- with $service -}}
+{{ range $secretsKey, $secretValue := .Values.appSecrets }}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: {{ $secretValue.secretName }}
+spec:
+ secretStoreRef:
+ name: aws-secretsmanager
+ kind: ClusterSecretStore
+ refreshInterval: "10m"
+ target:
+ deletionPolicy: Delete
+ template:
+ engineVersion: v2
+ mergePolicy: Replace
+ templateFrom:
+ - target: Data
+ literal: "{{ `{{ range $key, $value := . }}\n{{ range $name, $val := $value | fromJson }}\n{{$name | upper}}: {{$val}}\n{{ end }}\n{{ end }}\n` }}"
+ data:
+ - secretKey: {{ $secretValue.secretName }}
+ remoteRef:
+ key: {{ $secretValue.secretKey }}
+{{end}}
+{{end}}
+{{end}}
diff --git a/stack/values.yaml b/stack/values.yaml
index 04b37f9..9beab32 100644
--- a/stack/values.yaml
+++ b/stack/values.yaml
@@ -66,11 +66,17 @@ global:
 initContainers: []
 sidecars: []
- appConfig:
+ appContext:
 envContextConfigMapName: "" # App environment level configuration configmap name
 stackContextConfigMapName: "" # Stack level configuration configmap name
- envSecretName: "" # App environment level configuration secret name
- stackSecretName: "" # Stack level configuration secret name
+
+ appSecrets:
+ envSecret: # App environment level configuration secret
+ secretName: ""
+ secretKey: ""
+ stackSecret: # Stack level configuration secret
+ secretName: ""
+ secretKey: ""
 # Global annotations to add to all resources
 annotations: {}
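Review bot: The `range` over `.Values.appSecrets` has no guard for unset entries, so with the chart defaults (`secretName: ""`, `secretKey: ""`) it appears to render an ExternalSecret with an empty `metadata.name` and an empty `remoteRef.key` for both `envSecret` and `stackSecret`, repeated for every service. Wrapping the document in `{{- if and $secretValue.secretName $secretValue.secretKey }}` … `{{- end }}` and passing the three interpolations through `| quote` would skip unset entries and stop a numeric- or boolean-looking name from being retyped by the YAML parser. Separately, the `templateFrom` literal writes `{{$name | upper}}: {{$val}}` unquoted; a secret value containing `: `, ` #` or a newline would presumably break or alter the rendered key/value data, so quoting the value there (for example `{{ $val | quote }}`, assuming the v2 engine exposes Sprig's `quote`) is worth confirming. Because the store is a `ClusterSecretStore` and `remoteRef.key` comes straight from chart values, which remote secrets a release can pull is bounded only by that store's own policy, which is not visible in this diff.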
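Review bot: The new `secretName` / `secretKey` fields under `appSecrets` carry no comments, and `secretKey` is easy to misread: in external_secrets_env.yaml it feeds `remoteRef.key`, while `secretName` is used both as the ExternalSecret name and as the `secretKey` of the data entry. I would add `secretName: "" # Name of the ExternalSecret (and of the Secret referenced by envFrom)` and `secretKey: "" # Key of the secret in the external store (remoteRef.key)` on both entries. The rename of `appConfig` to `appContext` / `appSecrets` is also silent for existing overrides: a values file that still sets `appConfig.envSecretName` renders no `secretRef` and raises no error, so a migration note or a `fail` check on a leftover `appConfig` key in the templates seems warranted. The `global:` mapping starts above the hunk.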