[KMIP] Support secret-injector (#7701)

Co-authored-by: Vlad Gusev <[email protected]>
sapcc · Jan 23, 2025 · 52d9135 · 52d9135
1 parent 1c2f697
commit 52d9135
Show file tree

Hide file tree

Showing 8 changed files with 123 additions and 58 deletions.
diff --git a/openstack/kmip/Chart.lock b/openstack/kmip/Chart.lock
@@ -10,9 +10,9 @@ dependencies:
   version: 0.21.0
 - name: mariadb
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
-  version: 0.14.2
+  version: 0.15.3
 - name: mysql_metrics
   repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
-  version: 0.3.5
-digest: sha256:11a2527a2f73497204ea9ba1814c4967a0dd5c329ff2d2d80082d002a08b6a69
-generated: "2025-01-14T14:19:54.499578+05:30"
+  version: 0.4.2
+digest: sha256:f3f8f5703a69d225a2736842b145fd4a59e04f82c26e613b37fe9e755e018c27
+generated: "2025-01-20T14:47:51.708911+05:30"
diff --git a/openstack/kmip/Chart.yaml b/openstack/kmip/Chart.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: v2
 name: kmip
 description: A Helm chart for kmip-barbican integration
@@ -15,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -36,8 +37,8 @@ dependencies:
   - condition: mariadb.enabled
     name: mariadb
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
-    version: 0.14.2
+    version: 0.15.3
   - condition: mariadb.enabled
     name: mysql_metrics
     repository: oci://keppel.eu-de-1.cloud.sap/ccloud-helm
-    version: 0.3.5
+    version: 0.4.2
diff --git a/openstack/kmip/ci/test-values.yaml b/openstack/kmip/ci/test-values.yaml
@@ -1,4 +1,7 @@
+---
 global:
+  tld: test.corp
+  region: regionOne
   registry: myImage
   dbPassword: topSecret
   barbican_service_password: topSecret
@@ -11,6 +14,7 @@ certs:
   server_cert: topSecret
   server_key: topSecret
   ca_crt: topSecret
+
 kmip:
   openstack_env:
     username: topSecret
@@ -25,3 +29,12 @@ kmip:
     user_domain_name: topSecret
   database:
     password: topSecret
+
+mariadb:
+  users:
+    kmip:
+      user: kmip
+      password: topSecret
+    barbican:
+      user: barbican
+      password: topSecret
diff --git a/openstack/kmip/templates/_helpers.tpl b/openstack/kmip/templates/_helpers.tpl
@@ -61,15 +61,6 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
-{{- define "fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | replace "_" "-" | trimSuffix "-" -}}
-{{- end -}}
-
-{{- define "db_host" -}}
-{{.Release.Name}}-mariadb.{{.Release.Namespace}}.svc.kubernetes.{{.Values.global.region}}.{{.Values.global.tld}}
+{{- define "kmip.db_host" -}}
+{{ include "utils.db_host" . }}.{{ .Release.Namespace }}.svc.kubernetes.{{ .Values.global.region }}.{{ .Values.global.tld }}
 {{- end -}}
diff --git a/openstack/kmip/templates/deployment.yaml b/openstack/kmip/templates/deployment.yaml
@@ -37,11 +37,11 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
-        configmap-etc-hash: {{ include (print $.Template.BasePath "/etc-configmap.yaml") . | sha256sum }}
+        secrets-etc-hash: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
         {{- if .Values.proxysql.mode }}
         prometheus.io/scrape: "true"
         prometheus.io/targets: {{ required ".Values.alerts.prometheus missing" .Values.alerts.prometheus | quote }}
-        {{- end }}        
+        {{- end }}
     spec:
       serviceAccountName: {{ include "kmip.serviceAccountName" . }}-barbican
       containers:
@@ -56,26 +56,38 @@ spec:
             - name: KMIP_MARIADB_SERVICE_PORT
               value: "3306"
             - name: KMIP_MARIADB_SERVICE_USER
-              value: {{ .Values.mariadb.users.kmip.user | quote }}
-            - name: KMIP_MARIADB_SERVICE_PASSWORD
-              value: {{ .Values.mariadb.users.kmip.password | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: mariadb_user
+            - name: KMIP_MARIADB_SERVICE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: mariadb_password
             - name: KMIP_MARIADB_NAME
               value: "kmip"
             - name: BARBICAN_MARIADB_SERVICE_HOST
               value: "barbican-mariadb"
             - name: BARBICAN_MARIADB_SERVICE_PORT
               value: "3306"
             - name: BARBICAN_MARIADB_SERVICE_USER
-              value: {{ .Values.mariadb.users.barbican.user | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: barbican_mariadb_service_user
             - name: BARBICAN_MARIADB_SERVICE_PASSWORD
-              value: {{ .Values.mariadb.users.barbican.password | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: barbican_mariadb_service_password
             - name: BARBICAN_MARIADB_NAME
               value: "barbican"
           command: ["sh", "-c"]
           args:
           - |
-            echo "Sleeping for 30 seconds before starting the application...";
-            sleep 30;
+            echo "Sleeping for 15 seconds before starting the application...";
+            sleep 15;
             echo "Starting the application...";
             python /app/app.py;
             echo "Application exited. Keeping container alive...";
@@ -93,31 +105,61 @@ spec:
             - name: OS_AUTH_URL
               value: "https://{{ include "keystone_api_endpoint_host_public" . }}:443/v3"
             - name: OS_USERNAME
-              value: {{ .Values.kmip.openstack_env.username | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_username
             - name: OS_PASSWORD
-              value: {{ .Values.kmip.openstack_env.password | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_password
             - name: OS_PROJECT_ID
-              value: {{ .Values.kmip.openstack_env.project_id | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_project_id
             - name: OS_APPLICATION_CREDENTIAL_NAME
-              value: {{ .Values.kmip.openstack_env.appl_cred_name | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_application_credential_name
             - name: OS_APPLICATION_CREDENTIAL_SECRET
-              value: {{ .Values.kmip.openstack_env.appl_cred_secret | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_application_credential_secret
             - name: OS_AUTH_TYPE
               value: "v3applicationcredential"
             - name: OS_REGION_NAME
-              value: {{ .Values.kmip.openstack_env.region_name | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_region_name
             - name: OS_PROJECT_DOMAIN_NAME
-              value: {{ .Values.kmip.openstack_env.project_domain_name | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_project_domain_name
             - name: OS_IDENTITY_API_VERSION
-              value: {{ .Values.kmip.openstack_env.identity_api_version | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_identity_api_version
             - name: OS_PROJECT_NAME
-              value: {{ .Values.kmip.openstack_env.project_name | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_project_name
             - name: OS_USER_DOMAIN_NAME
-              value: {{ .Values.kmip.openstack_env.user_domain_name | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: kmip-secrets
+                  key: os_user_domain_name
           ports:
             - name: http
               containerPort: {{ .Values.service.ports.port }}
-              protocol: TCP           
+              protocol: TCP
           resources:
             requests:
               memory: 0
@@ -141,8 +183,8 @@ spec:
               readOnly: true
       volumes:
         - name: kmip-barbican-etc
-          configMap:
-            name: kmip-barbican-etc
+          secret:
+            secretName: kmip-barbican-etc
         - name: kmip-certificates
           secret:
             secretName: kmip-certificates
diff --git a/openstack/kmip/templates/etc-configmap.yaml b/openstack/kmip/templates/etc-configmap.yaml
diff --git a/openstack/kmip/templates/etc/_kmip-server.conf.tpl b/openstack/kmip/templates/etc/_kmip-server.conf.tpl
@@ -1,5 +1,5 @@
 [server]
-database_path=mysql://kmip:{{ .Values.kmip.database.password }}@{{include "db_host" .}}:3306/kmip
+database_path=mysql://kmip:{{ .Values.kmip.database.password | include "resolve_secret" }}@{{include "kmip.db_host" . }}:3306/kmip
 hostname=0.0.0.0
 port=5696
 certificate_path=/etc/pykmip/certs/server.crt

diff --git a/openstack/kmip/templates/secrets.yaml b/openstack/kmip/templates/secrets.yaml
@@ -1,12 +1,41 @@
+---
 apiVersion: v1
 kind: Secret
 metadata:
   name: kmip-certificates
 type: kubernetes.io/tls
 data:
-  tls.crt: |
-    {{ .Values.certs.server_cert | indent 4 }}
-  tls.key: |
-    {{ .Values.certs.server_key | indent 4 }}
-  ca.crt: |
-    {{ .Values.certs.ca_crt | indent 4 }}
+  tls.crt: {{ .Values.certs.server_cert | b64enc | quote }}
+  tls.key: {{ .Values.certs.server_key | b64enc | quote }}
+  ca.crt: {{ .Values.certs.ca_crt | b64enc | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kmip-secrets
+data:
+  mariadb_user: {{ .Values.mariadb.users.kmip.user | b64enc | quote }}
+  mariadb_password: {{ .Values.mariadb.users.kmip.password | b64enc | quote }}
+  os_username: {{ .Values.kmip.openstack_env.username | b64enc | quote }}
+  os_password: {{ .Values.kmip.openstack_env.password | b64enc | quote }}
+  os_project_id: {{ .Values.kmip.openstack_env.project_id | b64enc | quote }}
+  os_application_credential_name: {{ .Values.kmip.openstack_env.appl_cred_name | b64enc | quote }}
+  os_application_credential_secret: {{ .Values.kmip.openstack_env.appl_cred_secret | b64enc | quote }}
+  os_region_name: {{ .Values.kmip.openstack_env.region_name | b64enc | quote }}
+  os_project_domain_name: {{ .Values.kmip.openstack_env.project_domain_name | b64enc | quote }}
+  os_identity_api_version: {{ .Values.kmip.openstack_env.identity_api_version | b64enc | quote }}
+  os_project_name: {{ .Values.kmip.openstack_env.project_name | b64enc | quote }}
+  os_user_domain_name: {{ .Values.kmip.openstack_env.user_domain_name | b64enc | quote }}
+  barbican_mariadb_service_user: {{ .Values.mariadb.users.barbican.user | b64enc | quote }}
+  barbican_mariadb_service_password: {{ .Values.mariadb.users.barbican.password | b64enc | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kmip-barbican-etc
+  labels:
+    system: openstack
+    type: configuration
+    component: barbican
+data:
+  kmip-server.conf: {{ include (print .Template.BasePath "/etc/_kmip-server.conf.tpl") . | b64enc | indent 4 }}