fix(PL-2554): separate secrets from envvars in chart

chart/templates/deployment.yaml

@@ -47,8 +47,14 @@ spec:
             - mountPath: /etc/joy/config
               name: github-app-private-key
             {{- end }}
-          {{- if .Values.env.GH_APP_ID }}
           env:
+          {{- range $key, $value := .Values.env }}
+          {{- if $value }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+          {{- end -}}
+          {{- end }}
+          {{- if .Values.env.GH_APP_ID }}
             - name: JOY_GITHUB_APP_PRIVATE_KEY_PATH
               value: /etc/joy/config/githubApp.pem
           {{- end }}

chart/templates/secret.yaml

@@ -1,55 +1,56 @@
-{{- and (required ".Values.env.PLUGIN_TOKEN is required" .Values.env.PLUGIN_TOKEN) "" -}}
+{{- and (required ".Values.secretEnv.values.PLUGIN_TOKEN is required" .Values.secretEnv.values.PLUGIN_TOKEN) "" -}}
 {{- and (required ".Values.env.CATALOG_URL is required" .Values.env.CATALOG_URL) "" -}}
-{{- if eq .Values.secretType "secret" }}
-apiVersion: v1
-kind: Secret
-{{- else if eq .Values.secretType "sealedSecret" }}
+
+{{- $sealedSecret := (eq .Values.secretEnv.type "sealedSecret") -}}
+
+{{- if $sealedSecret }}
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
+{{- else }}
+apiVersion: v1
+kind: Secret
 {{- end }}
 metadata:
   name: {{ include "joy-generator.fullname" . }}-config
-{{- if eq .Values.secretType "sealedSecret" }}
-  {{- with .Values.sealedSecretAnnotations }}
+{{- if $sealedSecret }}
   annotations:
-{{ toYaml . | indent 4 }}
-  {{- end }}
+{{ toYaml .Values.sealedSecretAnnotations | indent 4 }}
 {{- end }}
-{{- if eq .Values.secretType "secret" }}
-stringData:
-{{ toYaml .Values.env | indent 2 }}
-{{- else if eq .Values.secretType "sealedSecret" }}
+{{- if $sealedSecret }}
 spec:
   encryptedData:
-{{ toYaml .Values.env | indent 4 }}
+{{ toYaml .Values.secretEnv.values | indent 4 }}
+{{- else }}
+stringData:
+{{ toYaml .Values.secretEnv.values | indent 2 }}
 {{- end }}
 
 ---
+
 {{- if .Values.env.GH_APP_ID }}
 {{- and (required ".Values.env.GH_APP_INSTALLATION_ID is required" .Values.env.GH_APP_INSTALLATION_ID) "" |  -}}
-{{- if eq .Values.secretType "secret" }}
-apiVersion: v1
-kind: Secret
-{{- else if eq .Values.secretType "sealedSecret" }}
+{{- and (required ".Values.githubAppPrivateKey is required" .Values.githubAppPrivateKey) "" -}}
+{{- if $sealedSecret }}
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
+{{- else }}
+apiVersion: v1
+kind: Secret
 {{- end }}
 metadata:
   name: {{ include "joy-generator.fullname" . }}-github-app-key
-{{- if eq .Values.secretType "sealedSecret" }}
-  {{- with .Values.sealedSecretAnnotations }}
+{{- if $sealedSecret }}
   annotations:
-{{ toYaml . | indent 4 }}
-  {{- end }}
+{{ toYaml .Values.sealedSecretAnnotations | indent 4 }}
 {{- end }}
-{{- if eq .Values.secretType "secret" }}
-stringData:
-  githubApp.pem: |
-{{ required ".Values.githubApp.privateKey key is required" .Values.githubApp.privateKey | indent 4 }}
-{{- else if eq .Values.secretType "sealedSecret" }}
+{{- if $sealedSecret }}
 spec:
   encryptedData:
     githubApp.pem: |
-{{ required " .Values.githubApp.privateKey key is required" .Values.githubApp.privateKey | indent 6 }}
+{{ .Values.githubAppPrivateKey | indent 6 }}
+{{- else }}
+stringData:
+  githubApp.pem: |
+{{ .Values.githubAppPrivateKey | indent 4 }}
 {{- end }}
 {{- end }}

chart/tests/with-github-app-and-sealed-secrets/expected.yaml

@@ -73,6 +73,18 @@ spec:
             - mountPath: /etc/joy/config
               name: github-app-private-key
           env:
+            - name: CATALOG_DIR
+              value: "/tmp/catalog"
+            - name: CATALOG_URL
+              value: "https://github.com/example/foobar.git"
+            - name: GH_APP_ID
+              value: "123456"
+            - name: GH_APP_INSTALLATION_ID
+              value: "789101112"
+            - name: GRACE_PERIOD
+              value: "10s"
+            - name: PORT
+              value: ":8080"
             - name: JOY_GITHUB_APP_PRIVATE_KEY_PATH
               value: /etc/joy/config/githubApp.pem
           envFrom:
@@ -102,13 +114,7 @@ metadata:
     sealedsecrets.bitnami.com/cluster-wide: "true"
 spec:
   encryptedData:
-    CATALOG_DIR: /tmp/catalog
-    CATALOG_URL: https://github.com/example/foobar.git
-    GH_APP_ID: "123456"
-    GH_APP_INSTALLATION_ID: "789101112"
-    GRACE_PERIOD: 10s
     PLUGIN_TOKEN: '@very!l0ngands3curet0ken'
-    PORT: :8080
 ---
 # Source: joy-generator/templates/secret.yaml
 apiVersion: bitnami.com/v1alpha1

chart/tests/with-github-app-and-sealed-secrets/values.yaml

@@ -1,14 +1,15 @@
 env:
   CATALOG_URL: https://github.com/example/foobar.git
-  PLUGIN_TOKEN: "@very!l0ngands3curet0ken"
   GH_APP_ID: "123456"
   GH_APP_INSTALLATION_ID: "789101112"
 
-githubApp:
-  privateKey: |
-    FOOBARLOREMISPUM
+secretEnv:
+  type: sealedSecret
+  values:
+    PLUGIN_TOKEN: "@very!l0ngands3curet0ken"
 
-secretType: "sealedSecret"
+githubAppPrivateKey: |
+  FOOBARLOREMISPUM
 
 sealedSecretAnnotations:
   sealedsecrets.bitnami.com/cluster-wide: "true"

chart/tests/with-github-app/expected.yaml

@@ -5,13 +5,7 @@ kind: Secret
 metadata:
   name: my-release-joy-generator-config
 stringData:
-  CATALOG_DIR: /tmp/catalog
-  CATALOG_URL: https://github.com/example/foobar.git
-  GH_APP_ID: "123"
-  GH_APP_INSTALLATION_ID: "666"
-  GRACE_PERIOD: 10s
   PLUGIN_TOKEN: '@very!l0ngands3curet0ken'
-  PORT: :8080
 ---
 # Source: joy-generator/templates/secret.yaml
 apiVersion: v1
@@ -96,6 +90,18 @@ spec:
             - mountPath: /etc/joy/config
               name: github-app-private-key
           env:
+            - name: CATALOG_DIR
+              value: "/tmp/catalog"
+            - name: CATALOG_URL
+              value: "https://github.com/example/foobar.git"
+            - name: GH_APP_ID
+              value: "123"
+            - name: GH_APP_INSTALLATION_ID
+              value: "666"
+            - name: GRACE_PERIOD
+              value: "10s"
+            - name: PORT
+              value: ":8080"
             - name: JOY_GITHUB_APP_PRIVATE_KEY_PATH
               value: /etc/joy/config/githubApp.pem
           envFrom:

chart/tests/with-github-app/values.yaml

@@ -1,19 +1,20 @@
 # Configuration settings for the joy-generator instance
 env:
-  PLUGIN_TOKEN: "@very!l0ngands3curet0ken"
-
   GH_APP_ID: "123"
   GH_APP_INSTALLATION_ID: "666"
 
   # The HTTPS Git URL of your joy catalog
   CATALOG_URL: "https://github.com/example/foobar.git"
 
+secretEnv:
+  values:
+    PLUGIN_TOKEN: "@very!l0ngands3curet0ken"
+
 # The GitHub app configuration.
 # Required if githubToken is not set.
-githubApp:
-  # The GitHub application private key (PEM format)
-  privateKey: |
-    FOOBARLOREMISPUM
+# The GitHub application private key (PEM format)
+githubAppPrivateKey: |
+  FOOBARLOREMISPUM
 
 image:
   tag: 0.1.2

chart/tests/with-github-token/expected.yaml

@@ -5,13 +5,8 @@ kind: Secret
 metadata:
   name: my-release-joy-generator-config
 stringData:
-  CATALOG_DIR: /tmp/catalog
-  CATALOG_URL: https://github.com/example/foobar.git
   GH_TOKEN: "12312312312312"
-  GH_USER: username
-  GRACE_PERIOD: 10s
   PLUGIN_TOKEN: '@very!l0ngands3curet0ken'
-  PORT: :8080
 ---
 # Source: joy-generator/templates/argocd-config.yaml
 apiVersion: v1
@@ -81,6 +76,17 @@ spec:
           volumeMounts:
             - mountPath: /tmp/catalog
               name: catalog-dir
+          env:
+            - name: CATALOG_DIR
+              value: "/tmp/catalog"
+            - name: CATALOG_URL
+              value: "https://github.com/example/foobar.git"
+            - name: GH_USER
+              value: "username"
+            - name: GRACE_PERIOD
+              value: "10s"
+            - name: PORT
+              value: ":8080"
           envFrom:
             - secretRef:
                 name: my-release-joy-generator-config

chart/tests/with-github-token/values.yaml

@@ -3,10 +3,13 @@
 # Declare variables to be passed into your templates.
 
 env:
-  PLUGIN_TOKEN: "@very!l0ngands3curet0ken"
   CATALOG_URL: https://github.com/example/foobar.git
   GH_USER: username
-  GH_TOKEN: "12312312312312"
+
+secretEnv:
+  values:
+    PLUGIN_TOKEN: "@very!l0ngands3curet0ken"
+    GH_TOKEN: "12312312312312"
 
 image:
   tag: 0.1.2

chart/values.yaml

@@ -5,44 +5,22 @@
 env:
   PORT: :8080
   GRACE_PERIOD: 10s
-  CATALOG_DIR: /tmp/catalog
 
-  # PLUGIN_TOKEN: ""
+  CATALOG_DIR: /tmp/catalog
   # CATALOG_URL: ""
   # CATALOG_REVISION: ""
   # GH_USER: ""
-  # GH_TOKEN: ""
   # GH_APP_ID: ""
   # GH_APP_INSTALLATION_ID: ""
 
-# Configuration settings for the joy-generator instance
-applicationConfig:
-  # The shared token that ArgoCD will use to call the joy-generator plugin API
-  # This should be some long and secure random string
-  pluginToken: ""
-  # The HTTPS Git URL of your joy catalog
-  repoUrl: ""
-
-  # joy-generator supports authenticating with GitHub using either a personal access token or a GitHub App
-  # Provide either the githubUser or githubApp section, but not both
-
-#  githubUser:
-#    # The GitHub username to use for the joy-generator instance
-#    username: ""
-#    # The GitHub personal access token to use for the joy-generator instance
-#    token: ""
-
-#  githubApp:
-#    # The GitHub application ID
-#    appId: ""
-#    # The GitHub application installation ID
-#    installationId: ""
-#    # The GitHub application private key (PEM format)
-#    privateKey: ""
-
-# The secret type to use for applicationConfig values.
-# Can be either 'secret' or 'sealedSecret'.
-secretType: "secret"
+secretEnv:
+  type: secret
+  values:
+    # PLUGIN_TOKEN: ""
+    # GH_TOKEN: ""
+
+githubAppPrivateKey: ""
+
 # Additional annotations for sealed secrets
 sealedSecretAnnotations: {}
 

go.mod

@@ -4,7 +4,7 @@ go 1.22.0
 
 require (
 	github.com/bradleyfalzon/ghinstallation/v2 v2.9.0
-	github.com/davidmdm/conf v0.0.4
+	github.com/davidmdm/conf v0.0.7
 	github.com/davidmdm/x/xcontext v0.0.2
 	github.com/gin-gonic/gin v1.9.1
 	github.com/go-git/go-git/v5 v5.11.0

go.sum

@@ -41,8 +41,8 @@ github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davidmdm/conf v0.0.4 h1:RluYzOw+d/H112lY2OCHWPIQemtOGhidLk0wi3QWqms=
-github.com/davidmdm/conf v0.0.4/go.mod h1:xcNNsALh9qR2toeuYnXfyMuOPMVuEAfWN0Nb4lqugzw=
+github.com/davidmdm/conf v0.0.7 h1:5VbSi6nStd7X04FuA9ArD00FRTtcPMhvb6BzKbAWoSM=
+github.com/davidmdm/conf v0.0.7/go.mod h1:xcNNsALh9qR2toeuYnXfyMuOPMVuEAfWN0Nb4lqugzw=
 github.com/davidmdm/x/xcontext v0.0.2 h1:8US+zdRCPmnWeSa/28U+dvbhdkBd8mI6XhP7meIZCdk=
 github.com/davidmdm/x/xcontext v0.0.2/go.mod h1:lfAacRD741WjdRwwuTrCaKtvEgPsGMSlmfwgib2SpVA=
 github.com/davidmdm/x/xerr v0.0.3 h1:WwHvo6qzR+eRmHq69Ftgb7PL9832iwy313XpQyJRGtM=

local.smoketest.sh

@@ -0,0 +1,27 @@
+set -eux
+
+kind delete cluster
+kind create cluster
+
+kubectl config set-context kind-kind
+
+docker build -t local-generator-test:latest .
+
+kind load docker-image local-generator-test:latest
+
+helm install generator ./chart --values - <<EOF
+env:
+  CATALOG_URL: $CATALOG_URL
+  CATALOG_REVISION: $CATALOG_REVISION
+  GH_USER: $GH_USER
+
+secretEnv:
+  type: secret
+  values:
+    PLUGIN_TOKEN: token
+    GH_TOKEN: $GH_TOKEN
+
+image:
+  repository: local-generator-test
+  tag: latest
+EOF