refactor

chanzuckerberg · May 20, 2024 · e5ea9b2 · e5ea9b2
1 parent c96de44
commit e5ea9b2
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 33 deletions.
diff --git a/stack/templates/external_secrets_env.yaml b/stack/templates/external_secrets_env.yaml
@@ -1,25 +1,3 @@
-{{- define "service.externalSecretsTarget" -}}
-target:
-  # Enum with values: 'Owner', 'Merge', or 'None'
-  # Default value of 'Owner'
-  # Owner creates the secret and sets .metadata.ownerReferences of the resource
-  # Merge does not create the secret, but merges in the data fields to the secret
-  # None does not create a secret (future use with injector)
-  # TODO: make this secret by default
-  creationPolicy: 'Merge'
-  deletionPolicy: "Delete"
-{{- end}}
-
-{{- define "service.externalSecretsData" -}}
-data:
-  - remoteRef:
-      conversionStrategy: Default
-      decodingStrategy: None
-      key: {{ . }}
-      metadataPolicy: None
-      version: AWSCURRENT
-{{- end}}
-
 {{ $global := . }}
 {{ range $serviceName, $serviceValues := .Values.services }}
   {{- $globalValuesDict := $global.Values.global | toYaml -}}
@@ -28,22 +6,28 @@ data:
   {{- $values := mergeOverwrite $values $serviceValues -}}
   {{- $service := dict "Chart" $global.Chart "Release" $global.Release "Capabilities" $global.Capabilities "Values" $values -}}
 
-{{ range $appConfigKey, $secretName := .Values.appConfig }}
+{{ range $secretsKey, $secretValue := .Values.appSecrets }}
 {{- with $service -}}
 --- 
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: {{ $secretName }}
+  name: {{ $secretValue.kubeSecretName }}
   labels:
-  {{- include "service.labels" . | nindent 4 }}
+    {{- include "service.labels" . | nindent 4 }}
+  annotations:
+    {{- include "stack.annotations" $service | nindent 4 }}
 spec:
   secretStoreRef:
-    # TODO: make this
     name: aws-secretsmanager
-    kind: SecretStore
-  refreshInterval: "30s"
-  {{- include "service.externalSecretsTarget" . | nindent 2 -}}
-  {{- include "service.externalSecretsData" $secretName | nindent 2 -}}
+    kind: ClusterSecretStore
+  refreshInterval: "10m"
+  target:
+    deletionPolicy: Delete
+  data:
+    - secretKey: {{ $secretValue.kubeSecretName }}
+      remoteRef:
+        key: {{ $secretValue.remoteRefKey }}
+
 {{end}}
 {{end}}
diff --git a/stack/values.yaml b/stack/values.yaml
@@ -66,11 +66,17 @@ global:
   initContainers: []
   sidecars: []
 
-  appConfig:
+  appContext:
     envContextConfigMapName: "" # App environment level configuration configmap name
     stackContextConfigMapName: "" # Stack level configuration configmap name
-    envSecretName: "" # App environment level configuration secret name
-    stackSecretName: "" # Stack level configuration secret name
+
+  appSecrets:
+    envSecret: # App environment level configuration secret
+      kubeSecretName: ""
+      remoteRefKey: ""
+    stackSecret: # Stack level configuration secret
+      kubeSecretName: ""
+      remoteRefKey: ""
 
   # Global annotations to add to all resources
   annotations: {}