fix(deployment): properly expose service account key for secret manager

zaibon · zaibon · commit 338baadf0027 · 2023-08-14T13:23:07.000+01:00
We need to mount the service account key as a file into the controlplane and cas container when using GCP secret manager.

- use proper key in sercret manager service account configuration
- update helm chart README
- be consitent in chart template and use 'serviceaccountkey' everywhere

Signed-off-by: Christophe de Carvalho &lt;christophe@archipelo.co&gt;
diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md
@@ -99,7 +99,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
     # Secrets backend
     --set secretsBackend.backend=gcpSecretManager \
     --set secretsBackend.gcpSecretManager.projectId=[GCP Project ID] \
-    --set secretsBackend.gcpSecretManager.authKey=[GCP Auth KEY] \
+    --set secretsBackend.gcpSecretManager.serviceAccountKey=[GCP Auth KEY] \
     # Server Auth KeyPair
     # ...
 ```
@@ -317,7 +317,7 @@ secretsBackend:
     backend: gcpSecretManager
     gcpSecretManager:
         projectId: [PROJECT_ID]
-        authKey: [KEY]
+        serviceAccountKey: [KEY]
 ```
 
 ### Send exceptions to Sentry
@@ -370,7 +370,7 @@ chainloop config save \
 | `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key                                                            |             |
 | `secretsBackend.awsSecretManager.region`    | AWS Secret Manager Region                                                 |             |
 | `secretsBackend.gcpSecretManager.projectId` | GCP Project ID                                                            |             |
-| `secretsBackend.gcpSecretManager.authKey`   | GCP Auth Key                                                              |             |
+| `secretsBackend.gcpSecretManager.serviceAccountKey`   | GCP Auth Key                                                              |             |
 
 ### Authentication
 
diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl
@@ -82,7 +82,7 @@ awsSecretManager:
 gcpSecretManager:
   secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
   projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }}
-  authKey: {{ required "auth key required" .gcpSecretManager.authKey | quote }}
+  serviceAccountKey: "/gcp-secrets/serviceAccountKey.json"
 
 {{- end }}
 {{- end }}
diff --git a/deployment/chainloop/templates/cas/deployment.yaml b/deployment/chainloop/templates/cas/deployment.yaml
@@ -58,6 +58,10 @@ spec:
               mountPath: "/data/conf"
             - name: jwt-public-key
               mountPath: "/tmp"
+            {{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+            - name: gcp-secretmanager-serviceaccountkey
+              mountPath: /gcp-secrets
+            {{- end }}
       volumes:
         - name: config
           projected:
@@ -69,3 +73,8 @@ spec:
         - name: jwt-public-key
           secret:
             secretName: {{ include "chainloop.cas.fullname" . }}-jwt-public-key
+        {{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+        - name: gcp-secretmanager-serviceaccountkey
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey
+        {{- end }}
diff --git a/deployment/chainloop/templates/cas/gcp_secret_manager.secret.yaml b/deployment/chainloop/templates/cas/gcp_secret_manager.secret.yaml
@@ -0,0 +1,11 @@
+{{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey
+  labels:
+    {{- include "chainloop.cas.labels" . | nindent 4 }}
+type: Opaque
+data:
+  serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote  }}
+{{- end }}
diff --git a/deployment/chainloop/templates/controlplane/deployment.yaml b/deployment/chainloop/templates/controlplane/deployment.yaml
@@ -85,6 +85,10 @@ spec:
               mountPath: /tmp
             - name: jwt-cas-private-key
               mountPath: /secrets
+            {{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+            - name: gcp-secretmanager-serviceaccountkey
+              mountPath: /gcp-secrets
+            {{- end }}
       volumes:
         - name: config
           projected:
@@ -99,3 +103,8 @@ spec:
         - name: jwt-cas-private-key
           secret:
             secretName: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas
+        {{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+        - name: gcp-secretmanager-serviceaccountkey
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey
+        {{- end }}
diff --git a/deployment/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml b/deployment/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml
@@ -0,0 +1,11 @@
+{{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey
+  labels:
+    {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+  serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote  }}
+{{- end }}
diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
@@ -55,11 +55,11 @@ secretsBackend:
   #   region: ""
 
   ## @extra secretsBackend.gcpSecretManager.projectId GCP Project ID
-  ## @extra secretsBackend.gcpSecretManager.authKey GCP Auth Key
+  ## @extra secretsBackend.gcpSecretManager.serviceAccountKey GCP Auth Key
   ##
   # gcpSecretManager:
   #   projectId: ""
-  #   authKey: ""
+  #   serviceAccountKey: ""
 
 ## @section Authentication
 ##
