From 7ce593cf2959ad00a173c1bdbe2505b2dd5d19bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Vidal=20Garc=C3=ADa?=
Date: Mon, 18 May 2020 16:28:43 +0200
Subject: [PATCH] helm: add reana db secret key closes reanahub/reana-db#66
---
 helm/reana/README.md | 1 +
 helm/reana/templates/reana-server.yaml | 5 +++++
 helm/reana/templates/secrets.yaml | 10 ++++++++++
 helm/reana/values.yaml | 1 +
 4 files changed, 17 insertions(+)
diff --git a/helm/reana/README.md b/helm/reana/README.md
index a98d4752..30c54842 100644
--- a/helm/reana/README.md
+++ b/helm/reana/README.md
@@ -40,6 +40,7 @@ This Helm automatically prefixes all names using the release name to avoid colli
 | `secrets.gitlab.REANA_GITLAB_HOST` | Hostname of the GitLab instance | None |
 | `secrets.gitlab.REANA_GITLAB_OAUTH_APP_ID` | GitLab OAuth application id | None |
 | `secrets.gitlab.REANA_GITLAB_OAUTH_APP_SECRET` | **[Do not use in production, use secrets instead]** GitLab OAuth application secret | None |
+| `secrets.reana.REANA_SECRET_KEY` | **[Do not use in production, use secrets instead]** REANA encrypytion secret key | None |
 | `serviceAccount.create` | Create a service account for the REANA system user | true |
 | `serviceAccount.name` | Service account name | reana |
 | `serviceAccount.namespace` | Service account namespace | default |
diff --git a/helm/reana/templates/reana-server.yaml b/helm/reana/templates/reana-server.yaml
index a0c868a1..7de2f298 100644
--- a/helm/reana/templates/reana-server.yaml
+++ b/helm/reana/templates/reana-server.yaml
@@ -93,6 +93,11 @@ spec:
 secretKeyRef:
 name: {{ include "reana.prefix" . }}-cern-gitlab-secrets
 key: REANA_GITLAB_HOST
+ - name: REANA_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "reana.prefix" . }}-secrets
+ key: REANA_SECRET_KEY
 {{- if .Values.debug.enabled }}
 # Disable CORS in development environment, for example
 # to connect from an external React application.
diff --git a/helm/reana/templates/secrets.yaml b/helm/reana/templates/secrets.yaml
index 44c89896..57d6a122 100644
--- a/helm/reana/templates/secrets.yaml
+++ b/helm/reana/templates/secrets.yaml
@@ -32,3 +32,13 @@ data:
 REANA_GITLAB_OAUTH_APP_ID: {{ .Values.secrets.gitlab.REANA_GITLAB_OAUTH_APP_ID | default "reana_gitlab_oauth_app_id" | b64enc }}
 REANA_GITLAB_OAUTH_APP_SECRET: {{ .Values.secrets.gitlab.REANA_GITLAB_OAUTH_APP_SECRET | default "reana_gitlab_oauth_app_secret" | b64enc }}
 REANA_GITLAB_HOST: {{ .Values.secrets.gitlab.REANA_GITLAB_HOST | default "gitlab.cern.ch" | b64enc }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "reana.prefix" . }}-secrets
+ annotations:
+ "helm.sh/resource-policy": keep
+type: Opaque
+data:
+ REANA_SECRET_KEY: {{ .Values.secrets.reana.REANA_SECRET_KEY | default "secret_key" | b64enc }}
diff --git a/helm/reana/values.yaml b/helm/reana/values.yaml
index 8b1eccfb..31ea0663 100644
--- a/helm/reana/values.yaml
+++ b/helm/reana/values.yaml
@@ -32,6 +32,7 @@ secrets:
 gitlab: {}
 cern:
 sso: {}
+ reana: {}

 # External database service configuration
 db_env_config:
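Review bot: The `default "secret_key"` fallback on the new `REANA_SECRET_KEY` line in secrets.yaml means any install that leaves `secrets.reana.REANA_SECRET_KEY` unset renders a Secret holding a publicly known key, which reana-server then consumes through the new `secretKeyRef` with no warning. Failing the render would make the omission visible: `REANA_SECRET_KEY: {{ required "secrets.reana.REANA_SECRET_KEY must be set" .Values.secrets.reana.REANA_SECRET_KEY | b64enc }}`. If a fallback is wanted for local development, it could be limited to renders where `.Values.debug.enabled` is true, the flag reana-server.yaml already uses. Because the Secret carries `"helm.sh/resource-policy": keep`, a key created from the default also survives `helm uninstall`, so the README should say how operators replace or rotate it.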