From e470134bac19d21e81263bb58d0f541180c8c2af Mon Sep 17 00:00:00 2001 From: Christophe de Carvalho Date: Mon, 14 Aug 2023 11:04:34 +0100 Subject: [PATCH] fix(deployment): properly expose service account key for secret manager We need to mount the service account key as a file into the controlplane and cas container when using GCP secret manager. - use proper key in sercret manager service account configuration - update helm chart README - be consitent in chart template and use 'serviceaccountkey' everywhere Signed-off-by: Christophe de Carvalho --- deployment/chainloop/README.md | 6 +++--- deployment/chainloop/templates/_helpers.tpl | 5 ++++- deployment/chainloop/templates/cas/deployment.yaml | 9 +++++++++ .../templates/cas/gcp_secret_manager.secret.yaml | 11 +++++++++++ .../chainloop/templates/controlplane/deployment.yaml | 9 +++++++++ .../controlplane/gcp_secret_manager.secret.yaml | 11 +++++++++++ deployment/chainloop/values.yaml | 4 ++-- 7 files changed, 49 insertions(+), 6 deletions(-) create mode 100644 deployment/chainloop/templates/cas/gcp_secret_manager.secret.yaml create mode 100644 deployment/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md index a534aa40b..1b862b709 100644 --- a/deployment/chainloop/README.md +++ b/deployment/chainloop/README.md @@ -99,7 +99,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \ # Secrets backend --set secretsBackend.backend=gcpSecretManager \ --set secretsBackend.gcpSecretManager.projectId=[GCP Project ID] \ - --set secretsBackend.gcpSecretManager.authKey=[GCP Auth KEY] \ + --set secretsBackend.gcpSecretManager.serviceAccountKey=[GCP Auth KEY] \ # Server Auth KeyPair # ... ``` @@ -317,7 +317,7 @@ secretsBackend: backend: gcpSecretManager gcpSecretManager: projectId: [PROJECT_ID] - authKey: [KEY] + serviceAccountKey: [KEY] ``` ### Send exceptions to Sentry 
@@ -370,7 +370,7 @@ chainloop config save \ | `secretsBackend.awsSecretManager.secretKey` | AWS Secret Key | | | `secretsBackend.awsSecretManager.region` | AWS Secret Manager Region | | | `secretsBackend.gcpSecretManager.projectId` | GCP Project ID | | -| `secretsBackend.gcpSecretManager.authKey` | GCP Auth Key | | +| `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key | | ### Authentication diff --git a/deployment/chainloop/templates/_helpers.tpl b/deployment/chainloop/templates/_helpers.tpl index eba94483c..ea85df5dd 100644 --- a/deployment/chainloop/templates/_helpers.tpl +++ b/deployment/chainloop/templates/_helpers.tpl @@ -82,7 +82,10 @@ awsSecretManager: gcpSecretManager: secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }} projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }} - authKey: {{ required "auth key required" .gcpSecretManager.authKey | quote }} + serviceAccountKey: "/gcp-secrets/serviceAccountKey.json" + {{- if eq .gcpSecretManager.serviceAccountKey "" }} + {{- fail ".Values.secretsBackend.gcpSecretManager.serviceAccountKey not set" }} + {{- end }} {{- end }} {{- end }} diff --git a/deployment/chainloop/templates/cas/deployment.yaml b/deployment/chainloop/templates/cas/deployment.yaml index 1726aa7fe..b61490f1c 100644 --- a/deployment/chainloop/templates/cas/deployment.yaml +++ b/deployment/chainloop/templates/cas/deployment.yaml @@ -58,6 +58,10 @@ spec: mountPath: "/data/conf" - name: jwt-public-key mountPath: "/tmp" + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + mountPath: /gcp-secrets + {{- end }} volumes: - name: config projected: 
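Review bot: The check that replaces `required` in _helpers.tpl only catches an explicitly empty string: `{{- if eq .gcpSecretManager.serviceAccountKey "" }}` does not fire when the key is simply absent from the values (nil), and depending on the Go version Helm was built with that comparison either aborts with an "incompatible types for comparison" error or quietly evaluates to false, so rendering continues until `b64enc` in the Secret templates fails with a far less helpful message. Helm's `required` rejects both nil and "" with the message you choose, so keeping it is simpler and stricter: `{{- $_ := required ".Values.secretsBackend.gcpSecretManager.serviceAccountKey not set" .gcpSecretManager.serviceAccountKey }}` in place of the three added lines. The literal `/gcp-secrets/serviceAccountKey.json` is also repeated as `mountPath` in both Deployments and as the data key in both Secrets; a comment above it, `# must match the mountPath and Secret data key in the *-gcp-secretmanager-serviceaccountkey templates`, would keep them from drifting. The enclosing `define` starts outside this hunk.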
@@ -69,3 +73,8 @@ spec: - name: jwt-public-key secret: secretName: {{ include "chainloop.cas.fullname" . }}-jwt-public-key + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + secret: + secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey + {{- end }} \ No newline at end of file diff --git a/deployment/chainloop/templates/cas/gcp_secret_manager.secret.yaml b/deployment/chainloop/templates/cas/gcp_secret_manager.secret.yaml new file mode 100644 index 000000000..00335194d --- /dev/null +++ b/deployment/chainloop/templates/cas/gcp_secret_manager.secret.yaml @@ -0,0 +1,11 @@ +{{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey + labels: + {{- include "chainloop.cas.labels" . | nindent 4 }} +type: Opaque +data: + serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/deployment/chainloop/templates/controlplane/deployment.yaml b/deployment/chainloop/templates/controlplane/deployment.yaml index efc289836..28240856a 100644 --- a/deployment/chainloop/templates/controlplane/deployment.yaml +++ b/deployment/chainloop/templates/controlplane/deployment.yaml @@ -85,6 +85,10 @@ spec: mountPath: /tmp - name: jwt-cas-private-key mountPath: /secrets + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + mountPath: /gcp-secrets + {{- end }} volumes: - name: config projected: 
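Review bot: The cas Deployment's new volume points at the wrong Secret: `secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey` names the controlplane's Secret, while the Secret this commit creates for cas (templates/cas/gcp_secret_manager.secret.yaml) is named after `chainloop.cas.fullname`. As long as both components live in one release it works by coincidence and the cas Secret is dead weight; if the components are ever split or the controlplane Secret is pruned, the cas pod will hang on a missing Secret. Change it to `secretName: {{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey`, or drop the cas copy and deliberately share one Secret, but pick one. The `volumes:` list this hunk extends begins outside the hunk.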
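Review bot: The Secret's single data key `serviceAccountKey.json` must line up with the path the helper hardcodes (`/gcp-secrets/serviceAccountKey.json`), but nothing in this new file says so; a comment above `data:` such as `# key name must match the serviceAccountKey path rendered in _helpers.tpl` would make the coupling visible. The value fed to `b64enc` is now the full JSON of a GCP service-account key rather than a short token, yet the README hunk in this commit still shows it passed via `--set ...serviceAccountKey=[GCP Auth KEY]`; Helm's `--set` parser treats unescaped commas as separators, so a raw JSON key will be mangled. Steer users to `--set-file secretsBackend.gcpSecretManager.serviceAccountKey=/path/to/key.json` or a values file, and say in the values.yaml description that this is the key file's contents, not a path.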
@@ -99,3 +103,8 @@ spec: - name: jwt-cas-private-key secret: secretName: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas + {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} + - name: gcp-secretmanager-serviceaccountkey + secret: + secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey + {{- end }} \ No newline at end of file diff --git a/deployment/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml b/deployment/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml new file mode 100644 index 000000000..9d8666a4c --- /dev/null +++ b/deployment/chainloop/templates/controlplane/gcp_secret_manager.secret.yaml @@ -0,0 +1,11 @@ +{{- if eq "gcpSecretManager" .Values.secretsBackend.backend }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey + labels: + {{- include "chainloop.controlplane.labels" . | nindent 4 }} +type: Opaque +data: + serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml index 293d517b5..2ebfb9e97 100644 --- a/deployment/chainloop/values.yaml +++ b/deployment/chainloop/values.yaml @@ -55,11 +55,11 @@ secretsBackend: # region: "" ## @extra secretsBackend.gcpSecretManager.projectId GCP Project ID - ## @extra secretsBackend.gcpSecretManager.authKey GCP Auth Key + ## @extra secretsBackend.gcpSecretManager.serviceAccountKey GCP Auth Key ## # gcpSecretManager: # projectId: "" - # authKey: "" + # serviceAccountKey: "" ## @section Authentication ##
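Review bot: The new secret volume uses the default file mode (0644), so the GCP service-account key is readable by every user inside the container; the existing `jwt-cas-private-key` volume just above does the same, so this is at least consistent, but for a long-lived cloud credential `defaultMode: 0400` (or `0440` paired with an `fsGroup`) is the usual hardening. Whether the container runs as a non-root user and whether the pod sets `fsGroup` is not visible in this hunk, so confirm the pod's securityContext before tightening the mode, since 0400 without matching ownership would make the file unreadable to the process. The `volumes:` list continues from above the hunk.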
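Review bot: This template is a line-for-line copy of templates/cas/gcp_secret_manager.secret.yaml with only the fullname and labels helpers swapped, and both embed the same `.Values.secretsBackend.gcpSecretManager.serviceAccountKey`, so the same credential now lives in two Secrets (plus the Helm release Secret that stores the values) that each need RBAC restriction and rotation. Either render one shared Secret, which the cas Deployment in this commit already references by the controlplane name, or factor the body into a named template that takes the component name, so the two cannot drift. Consider also an `existingSecret`-style value so operators can create the Secret out of band and keep the key out of Helm values entirely; the hardcoded key name would then need documenting as the contract.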