

feat(jans-pycloudlib): add AWS Secrets Manager support for configurat…
…ion layers (#3112)

* feat(jans-pycloudlib): add AWS Secrets Manager support for configuration layers

Ref: #3026

* chore(jans-pycloudlib): updated build (#3113)

Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>

Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>

* feat: add aws secret setup to helm chart

* ci: add update of pycloud exception

Signed-off-by: mo-auto <54212639+mo-auto@users.noreply.github.com>
Co-authored-by: mo-auto <54212639+mo-auto@users.noreply.github.com>
Co-authored-by: moabu <47318409+moabu@users.noreply.github.com>
3 people committed Nov 30, 2022
1 parent d4c63d7 commit 0522e61
Showing 39 changed files with 914 additions and 33 deletions.
1 change: 1 addition & 0 deletions .github/workflows/pr-ref-issue.yml
Expand Up @@ -15,6 +15,7 @@ on:
- "release-please-**"
- "dependabot/**"
- "snyk-**"
- "update-pycloud-in-**"
workflow_dispatch:
jobs:
check-prs-issue:
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,17 @@ spec:
{{- include "auth-server-key-rotation.usr-secret-envs" . | indent 16 }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.global.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
Expand Down Expand Up @@ -80,6 +91,26 @@ spec:
{{- with .Values.volumes }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
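Review bot: The three AWS credential files are projected with `subPath` in the first hunk's `- mountPath:` items, and a Secret mounted through a subPath is not refreshed inside a running container when the Secret changes, so a rotated `aws_access_key_id`/`aws_secret_access_key` only takes effect once the pod is recreated. A CronJob pod is short-lived so this section is the least affected, but the identical stanza is added in this commit to the auth-server, config-api, fido2, scim and persistence workloads and to config's load-init-config job, where long-running pods keep the stale keys. Either mount the Secret as a directory (no `subPath`, with the code reading `aws_shared_credential_file` from that directory) or put a checksum-of-Secret annotation on the pod template so a credential change rolls the pods; at minimum a comment such as `{{/* subPath mounts are not updated on Secret rotation; restart pods after rotating the AWS keys */}}` above the guard should record the behaviour. This section's file header is not shown on the page, so the template it belongs to is inferred from the `auth-server-key-rotation` include on its first context line.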
31 changes: 31 additions & 0 deletions charts/janssen/charts/auth-server/templates/deployment.yml
Expand Up @@ -81,6 +81,17 @@ spec:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.global.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
Expand Down Expand Up @@ -121,6 +132,26 @@ spec:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
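Review bot: The 11-line mount stanza and the 20-line volume stanza under the two `{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}` guards are copied verbatim into seven templates in this commit (this deployment, config-api, fido2, scim, persistence's jobs, config's load-init-config and the key-rotation cronjob), so a later change to the Secret name or to one of the three item keys becomes a seven-file edit. Helm named templates are global across a chart and its subcharts, so both stanzas and the guard could be defined once in the parent chart's helpers and pulled in at each site with `include ... | nindent N`. This is a point of style only; the rendered manifests are the same either way. The adapter condition is also spelled out twice per file, and a single named helper for the "aws adapter enabled" test would keep the two guards from drifting apart.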
31 changes: 31 additions & 0 deletions charts/janssen/charts/config-api/templates/deployment.yaml
Expand Up @@ -77,6 +77,17 @@ spec:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.global.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
Expand Down Expand Up @@ -106,6 +117,26 @@ spec:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
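Review bot: The new guard lines `{{ if or ... }}` trim no whitespace, while the surrounding `{{- with .Values.volumeMounts }}` / `{{- end }}` lines use the leading dash, so each untrimmed `{{ if` leaves an empty line in the rendered manifest at both insertion points. That is valid YAML, but `{{- if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}` would match the file's existing style, and the same applies to the other templates touched by this commit. The indentation of the inserted `- mountPath:` / `- name:` items cannot be judged from the rendered page, so it is worth confirming with `helm template` that they land at the same level as the `toYaml . | nindent` output they follow.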
31 changes: 31 additions & 0 deletions charts/janssen/charts/config/templates/load-init-config.yml
Expand Up @@ -34,6 +34,26 @@ spec:
volumes:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
- name: {{ include "config.fullname" . }}-mount-gen-file
secret:
Expand All @@ -59,6 +79,17 @@ spec:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.global.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
- mountPath: /app/db/generate.json
name: {{ include "config.fullname" . }}-mount-gen-file
subPath: generate.json
27 changes: 27 additions & 0 deletions charts/janssen/charts/config/templates/secrets.yaml
Expand Up @@ -59,6 +59,33 @@ data:
couchbase.crt: {{ .Values.configmap.cnCouchbaseCrt }}
{{- end }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-aws-config-creds
labels:
{{ include "config.labels" . | indent 4 }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | indent 4 }}
{{- end }}
type: Opaque
stringData:
aws_shared_credential_file: |-
[{{ .Values.configmap.cnAwsProfile | quote }}]
aws_access_key_id = {{ .Values.configmap.cnAwsAccessKeyId }}
aws_secret_access_key = {{ .Values.configmap.cnAwsSecretAccessKey }}
aws_config_file: |-
[{{ .Values.configmap.cnAwsProfile | quote }}]
region = {{ .Values.configmap.cnAwsDefaultRegion | quote }}
aws_secrets_replica_regions: |-
{{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
---
apiVersion: v1
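Review bot: In `aws_shared_credential_file` and `aws_config_file` the profile header is rendered as `[{{ .Values.configmap.cnAwsProfile | quote }}]`, which yields `["default"]` rather than `[default]`, and `region = {{ .Values.configmap.cnAwsDefaultRegion | quote }}` yields a quoted region; as far as I can tell the AWS shared-config parsers take section names and values literally, so unless jans-pycloudlib strips the quotes the profile would not be found and the region value would be wrong — worth confirming against how the library selects the profile. Dropping `quote` on those three lines, `[{{ .Values.configmap.cnAwsProfile }}]` and `region = {{ .Values.configmap.cnAwsDefaultRegion }}`, gives the conventional file layout; the `toJson` on the replica-regions line is fine since that is a separate JSON file. Separately, the access key pair is written into the Secret straight from chart values, so it also lands in `helm get values` and in the release-history Secrets; because every consumer mounts `{{ .Release.Name }}-aws-config-creds` by name, an operator-supplied Secret with the same three keys would drop in, and a values switch to skip rendering this document when such a Secret exists would keep long-lived keys out of values files. The whole stanza sits inside the `{{ if or ... "aws" }}` guard, so nothing changes for the other adapters.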
31 changes: 31 additions & 0 deletions charts/janssen/charts/fido2/templates/deployment.yml
Expand Up @@ -81,6 +81,17 @@ spec:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.global.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
Expand Down Expand Up @@ -121,6 +132,26 @@ spec:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
31 changes: 31 additions & 0 deletions charts/janssen/charts/persistence/templates/jobs.yml
Expand Up @@ -67,6 +67,17 @@ spec:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.global.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
Expand All @@ -83,6 +94,26 @@ spec:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
31 changes: 31 additions & 0 deletions charts/janssen/charts/scim/templates/deployment.yml
Expand Up @@ -89,6 +89,17 @@ spec:
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- mountPath: {{ .Values.global.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.global.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.global.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.global.cnGoogleApplicationCredentials }}
name: google-sa
Expand Down Expand Up @@ -119,6 +130,26 @@ spec:
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "aws") (eq .Values.global.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.global.configSecretAdapter "google") (eq .Values.global.cnPersistenceType "spanner") }}
- name: google-sa
secret:
8 changes: 4 additions & 4 deletions charts/janssen/values.schema.json
Expand Up @@ -458,14 +458,14 @@
}
},
"configAdapterName": {
"description": "The config backend adapter that will hold Janssen configuration layer. google|kubernetes",
"description": "The config backend adapter that will hold Janssen configuration layer. aws|google|kubernetes",
"type": "string",
"pattern": "^(kubernetes|google)$"
"pattern": "^(kubernetes|google|aws)$"
},
"configSecretAdapter": {
"description": "The config backend adapter that will hold Janssen secret layer. google|kubernetes",
"description": "The config backend adapter that will hold Janssen secret layer. aws|google|kubernetes",
"type": "string",
"pattern": "^(kubernetes|google)$"
"pattern": "^(kubernetes|google|aws)$"
},
"cnGoogleApplicationCredentials": {
"description": "Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets and roles/spanner.databaseUser to use Spanner.",
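Review bot: The entire change to this file is the two added `aws` alternatives, so none of the new values the templates in this commit read — `global.cnAwsSharedCredentialsFile`, `global.cnAwsConfigFile`, `global.cnAwsSecretsReplicaRegionsFile`, `configmap.cnAwsProfile`, `configmap.cnAwsAccessKeyId`, `configmap.cnAwsSecretAccessKey`, `configmap.cnAwsDefaultRegion` and `configmap.cnAwsSecretsReplicaRegions` — receive a schema entry here, unless they already existed before this commit, while the neighbouring `cnGoogleApplicationCredentials` entry shows the file documents such inputs with a description and a type. Adding entries for them (string types, plus a description on the two key fields noting that they are written into a Secret) keeps schema validation meaningful for the new adapter. The descriptions list the adapters as `aws|google|kubernetes` while the patterns read `^(kubernetes|google|aws)$`; using the same order in both is a small readability nicety.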