From 5ebcfa7aadaa6b4f7e45d2f3a7a4c508b58f27fc Mon Sep 17 00:00:00 2001
From: Martyn
Date: Mon, 4 Dec 2023 15:40:08 +0000
Subject: [PATCH] Update to helm chart so we can use csi-secrets-store

---
 .../templates/deployment.yaml | 24 ++++++++++++++++---
 .../templates/secretProviderClass.yaml | 13 ++++++++++
 apps-helm/wg-access-server/values.yaml | 6 ++++-
 3 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 apps-helm/wg-access-server/templates/secretProviderClass.yaml

diff --git a/apps-helm/wg-access-server/templates/deployment.yaml b/apps-helm/wg-access-server/templates/deployment.yaml
index 2c315fc..7498c54 100644
--- a/apps-helm/wg-access-server/templates/deployment.yaml
+++ b/apps-helm/wg-access-server/templates/deployment.yaml
@@ -1,4 +1,8 @@
 {{- $fullName := include "wg-access-server.fullname" . -}}
+{{ $secretName := $fullName }}
+{{- if .Values.config.existingSecret -}}
+{{ $secretName = .Values.config.existingSecret }}
+{{ end -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -46,21 +50,21 @@ spec:
 - name: WG_WIREGUARD_PRIVATE_KEY
 valueFrom:
 secretKeyRef:
- name: "{{ $fullName }}"
+ name: "{{ $secretName }}"
 key: privateKey
 {{- end }}
 {{- if .Values.web.config.adminUsername }}
 - name: WG_ADMIN_USERNAME
 valueFrom:
 secretKeyRef:
- name: "{{ $fullName }}"
+ name: "{{ $secretName }}"
 key: adminUsername
 {{- end}}
 {{- if .Values.web.config.adminPassword }}
 - name: WG_ADMIN_PASSWORD
 valueFrom:
 secretKeyRef:
- name: "{{ $fullName }}"
+ name: "{{ $secretName }}"
 key: adminPassword
 {{- end}}
 volumeMounts:
@@ -68,9 +72,14 @@ spec:
 mountPath: /dev/net/tun
 - name: data
 mountPath: /data
+ {{- if .Values.config.csiSecretsStore }}
+ - name: config
+ mountPath: /config.yaml
+ {{- else }}
 - name: config
 mountPath: /config.yaml
 subPath: config.yaml
+ {{- end}}
 readinessProbe:
 httpGet:
 path: /
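Review bot: `{{ $secretName := $fullName }}` and `{{ $secretName = .Values.config.existingSecret }}` in the first hunk are untrimmed actions, so the rendered manifest starts with blank lines before `apiVersion` while the line above uses `{{-`/`-}}`; write them as `{{- $secretName := $fullName -}}` and `{{- $secretName = .Values.config.existingSecret -}}` so the output stays clean and consistent. Nothing here documents what the referenced Secret must contain, yet the second hunk reads the keys `privateKey`, `adminUsername` and `adminPassword` from it; a template comment such as `{{- /* existingSecret must provide privateKey, adminUsername and adminPassword */ -}}` next to the variable would save the next operator a failed pod start. If the chart also renders its own Secret from the same values (that template is not in this patch), it presumably still does so when `existingSecret` is set; worth confirming that it is skipped in that case.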
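Review bot: In the `csiSecretsStore` branch of the third hunk the CSI volume is mounted at `/config.yaml` with no `subPath`, but the Secrets Store CSI driver mounts a directory holding one file per object, so with `path: "config"` in the new SecretProviderClass the rendered config would most likely appear at `/config.yaml/config` rather than as the file `/config.yaml` that the configMap branch provides. Unless the container's args (outside this hunk) are also switched to that nested path, the server would not find its config when the CSI path is enabled. Consider `mountPath: /config` together with pointing the server at `/config/config`, or naming the object `config.yaml` in the provider class so the resulting file path is explicit. The volumeMounts list continues past the end of the hunk.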
@@ -90,9 +99,18 @@ spec:
 {{- if not .Values.persistence.enabled }}
 emptyDir: {}
 {{- end }}
+ {{- if .Values.config.csiSecretsStore }}
+ - name: config
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: app-secrets
+ {{- else }}
 - name: config
 configMap:
 name: "{{ $fullName }}"
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/apps-helm/wg-access-server/templates/secretProviderClass.yaml b/apps-helm/wg-access-server/templates/secretProviderClass.yaml
new file mode 100644
index 0000000..72f1276
--- /dev/null
+++ b/apps-helm/wg-access-server/templates/secretProviderClass.yaml
@@ -0,0 +1,13 @@
+---
+{{- if .Values.wireguard.config.csiSecretsStore -}}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: app-secrets
+spec:
+ provider: {{ .Values.wireguard.config.csiSecretsStore.providerName | default "1password" }}
+ parameters:
+ secrets: |
+ - resourceName: {{ .Values.wireguard.config.csiSecretsStore.resourceName | default "https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }}
+ path: "config"
+{{- end -}}
\ No newline at end of file
diff --git a/apps-helm/wg-access-server/values.yaml b/apps-helm/wg-access-server/values.yaml
index dccc4e4..b99a9a6 100644
--- a/apps-helm/wg-access-server/values.yaml
+++ b/apps-helm/wg-access-server/values.yaml
@@ -1,5 +1,9 @@
 # wg-access-server config
-config: {}
+config:
+ existingSecret: ""
+ csiSecretsStore: {}
+# providerName: 1password
+# resourceName: https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes

 web:
 config:
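Review bot: `secretProviderClass: app-secrets` is a hard-coded name while every other object in this template is derived from `$fullName`, so two releases in one namespace would both point at the same SecretProviderClass and the second install would either fail on the name clash or silently read the first release's secret. Use `secretProviderClass: "{{ $fullName }}"` here and the matching `metadata.name` in the new secretProviderClass.yaml, which has the same defect. `readOnly: true` on the CSI volume is the right setting and should stay.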
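Review bot: This template is gated on `.Values.wireguard.config.csiSecretsStore`, but deployment.yaml and values.yaml in the same patch use `.Values.config.csiSecretsStore`, so with the values as documented the Deployment gets a CSI volume that references a SecretProviderClass that is never rendered (unless a `wireguard.config` key exists elsewhere in values.yaml, which this diff does not show). All three references in this file should read `.Values.config.csiSecretsStore...`. The `default` on `resourceName` bakes one operator's 1Password vault item URL into the chart, so a misconfigured install would quietly try to read that item instead of failing; drop the default and use `required "config.csiSecretsStore.resourceName must be set" .Values.config.csiSecretsStore.resourceName`. `name: app-secrets` should likewise come from the chart's fullname helper, defined here the same way deployment.yaml defines `$fullName`, and the file is missing its trailing newline.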
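Review bot: `existingSecret: ""` carries no comment saying which keys the referenced Secret must hold, yet the Deployment reads `privateKey`, `adminUsername` and `adminPassword` from it; add `# existingSecret: name of a Secret providing privateKey, adminUsername and adminPassword (overrides the chart-managed Secret)`. The commented `resourceName` example repeats a real vault item URL from this operator's account; a neutral placeholder such as `# resourceName: <1password-item-url>` avoids it being copied verbatim into other installs. `csiSecretsStore: {}` is fine as the off state, since an empty map is false in the template's `if`.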