Update to helm chart so we can use csi-secrets-store

2023-12-04 15:40:08 +00:00 · 2023-12-04 15:40:08 +00:00 · 5ebcfa7aad
parent 06001b4216
commit 5ebcfa7aad
3 changed files with 39 additions and 4 deletions
--- a/apps-helm/wg-access-server/templates/deployment.yaml
+++ b/apps-helm/wg-access-server/templates/deployment.yaml
@ -1,4 +1,8 @@
 {{- $fullName := include "wg-access-server.fullname" . -}}
+{{ $secretName := $fullName }}
+{{- if .Values.config.existingSecret -}}
+{{ $secretName = .Values.config.existingSecret }}
+{{ end -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -46,21 +50,21 @@ spec:
            - name: WG_WIREGUARD_PRIVATE_KEY
              valueFrom:
                secretKeyRef:
-                  name: "{{ $fullName }}"
+                  name: "{{ $secretName }}"
                  key: privateKey
            {{- end }}
            {{- if .Values.web.config.adminUsername }}
            - name: WG_ADMIN_USERNAME
              valueFrom:
                secretKeyRef:
-                  name: "{{ $fullName }}"
+                  name: "{{ $secretName }}"
                  key: adminUsername
            {{- end}}
            {{- if .Values.web.config.adminPassword }}
            - name: WG_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: "{{ $fullName }}"
+                  name: "{{ $secretName }}"
                  key: adminPassword
            {{- end}}
          volumeMounts:
@ -68,9 +72,14 @@ spec:
              mountPath: /dev/net/tun
            - name: data
              mountPath: /data
+            {{- if .Values.config.csiSecretsStore }}
+            - name: config
+              mountPath: /config.yaml
+            {{- else }}
            - name: config
              mountPath: /config.yaml
              subPath: config.yaml
+            {{- end}}
          readinessProbe:
            httpGet:
              path: /
@ -90,9 +99,18 @@ spec:
        {{- if not .Values.persistence.enabled }}
          emptyDir: {}
        {{- end }}
+        {{- if .Values.config.csiSecretsStore }}
+        - name: config
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: app-secrets
+        {{- else }}
        - name: config
          configMap:
            name: "{{ $fullName }}"
+        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/apps-helm/wg-access-server/templates/secretProviderClass.yaml
+++ b/apps-helm/wg-access-server/templates/secretProviderClass.yaml
@ -0,0 +1,13 @@
+---
+{{- if .Values.wireguard.config.csiSecretsStore -}}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: app-secrets
+spec:
+  provider: {{ .Values.wireguard.config.csiSecretsStore.providerName | default "1password" }}
+  parameters:
+    secrets: |
+      - resourceName: {{ .Values.wireguard.config.csiSecretsStore.resourceName | default "https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }}
+        path: "config"
+{{- end -}}
--- a/apps-helm/wg-access-server/values.yaml
+++ b/apps-helm/wg-access-server/values.yaml
@ -1,5 +1,9 @@
 # wg-access-server config
-config: {}
+config: 
+  existingSecret: ""
+  csiSecretsStore: {}
+#   providerName: 1password
+#   resourceName: https://my.1password.eu/vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes

 web:
  config: