From 69a2c112d1fb9642e26abb2c60b7f3f1c44fcebd Mon Sep 17 00:00:00 2001
From: Nicolas
Date: Mon, 18 Aug 2025 16:24:11 +0800
Subject: [PATCH] feat(centralStorage): migrate alpha environment to use Azure Key Vault for sensitive data
- Add FreeleapsSecret configuration for Azure Key Vault integration
- Move sensitive data (mongodbUri, azureStorageDocumentApiKey, azureStorageDocumentApiEndpoint) from config to secrets
- Update deployment template to read from both config and FreeleapsSecret
- Comment out sensitive fields in central-storage-config.yaml
- Create freeleapssecret.yaml template for secret management
---
 .../central-storage-config.yaml | 3 ---
 .../templates/central-storage/deployment.yaml | 11 +++++++++
 .../central-storage/freeleapssecret.yaml | 20 ++++++++++++++++
 .../helm-pkg/centralStorage/values.alpha.yaml | 24 ++++++++++++++++---
 4 files changed, 52 insertions(+), 6 deletions(-)
 create mode 100644 freeleaps/helm-pkg/centralStorage/templates/central-storage/freeleapssecret.yaml
diff --git a/freeleaps/helm-pkg/centralStorage/templates/central-storage/central-storage-config.yaml b/freeleaps/helm-pkg/centralStorage/templates/central-storage/central-storage-config.yaml
index 76e25aa8..ed2879e0 100644
--- a/freeleaps/helm-pkg/centralStorage/templates/central-storage/central-storage-config.yaml
+++ b/freeleaps/helm-pkg/centralStorage/templates/central-storage/central-storage-config.yaml
@@ -11,9 +11,6 @@ data:
 SERVICE_API_ACCESS_PORT: {{ .Values.centralStorage.configs.serviceApiAccessPort | toString | b64enc }}
 MONGODB_NAME: {{ .Values.centralStorage.configs.mongodbName | b64enc | quote }}
 MONGODB_PORT: {{ .Values.centralStorage.configs.mongodbPort | toString | b64enc }}
- MONGODB_URI: {{ .Values.centralStorage.configs.mongodbUri | b64enc | quote }}
- AZURE_STORAGE_DOCUMENT_API_KEY: {{ .Values.centralStorage.configs.azureStorageDocumentApiKey | b64enc | quote }}
- AZURE_STORAGE_DOCUMENT_API_ENDPOINT: {{ .Values.centralStorage.configs.azureStorageDocumentApiEndpoint | b64enc | quote }}
 METRICS_ENABLED: {{ .Values.centralStorage.configs.metricsEnabled | default false | toString | b64enc }}
 PROBES_ENABLED: {{ .Values.centralStorage.configs.probesEnabled | default false | toString | b64enc }}
 DEBUG_MODE: {{ .Values.centralStorage.configs.debugMode | default false | toString | b64enc }}
diff --git a/freeleaps/helm-pkg/centralStorage/templates/central-storage/deployment.yaml b/freeleaps/helm-pkg/centralStorage/templates/central-storage/deployment.yaml
index 3e47c058..4ebf5979 100644
--- a/freeleaps/helm-pkg/centralStorage/templates/central-storage/deployment.yaml
+++ b/freeleaps/helm-pkg/centralStorage/templates/central-storage/deployment.yaml
@@ -106,6 +106,17 @@ spec:
 name: central-storage-config
 key: {{ $key | snakecase | upper }}
 {{- end }}
+ # Inject secrets from FreeleapsSecret object
+ {{- if .Values.centralStorage.secrets }}
+ {{ $targetSecretName := .Values.centralStorage.secrets.target.name }}
+ {{- range .Values.centralStorage.secrets.data }}
+ - name: {{ .key | snakecase | upper }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $targetSecretName }}
+ key: {{ .key }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.logIngest.enabled }}
 volumeMounts:
 - name: app-logs
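Review bot: The variable declaration `{{ $targetSecretName := .Values.centralStorage.secrets.target.name }}` is the only action in the new block written without a left-trim, so each render leaves a whitespace-only line inside the container's `env` list; the neighbouring lines all use `{{-`, and `{{- $targetSecretName := .Values.centralStorage.secrets.target.name }}` keeps the rendered manifest clean and the style consistent. The env name is built with `.key | snakecase | upper`, the same transform the config block above applies, so the three keys moved out of central-storage-config.yaml keep their previous MONGODB_URI, AZURE_STORAGE_DOCUMENT_API_KEY and AZURE_STORAGE_DOCUMENT_API_ENDPOINT names — a short comment on the `- name:` line, such as `# env name must match what the application reads; derived from values key via snakecase|upper`, would make that contract explicit since nothing else enforces it. Also note that the `if .Values.centralStorage.secrets` guard means a values file without a `secrets` stanza silently renders a pod with no MONGODB_URI at all rather than failing; if the variable is mandatory, `required` on the lookup gives a render-time error instead. The container spec this env list belongs to starts and ends outside the hunk.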
diff --git a/freeleaps/helm-pkg/centralStorage/templates/central-storage/freeleapssecret.yaml b/freeleaps/helm-pkg/centralStorage/templates/central-storage/freeleapssecret.yaml
new file mode 100644
index 00000000..68874ae9
--- /dev/null
+++ b/freeleaps/helm-pkg/centralStorage/templates/central-storage/freeleapssecret.yaml
@@ -0,0 +1,20 @@
+apiVersion: freeleaps.com/v1alpha1
+kind: FreeleapsSecret
+metadata:
+ name: freeleaps-central-storage-alpha-secrets
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretStoreRef:
+ kind: {{ .Values.centralStorage.secrets.secretStoreRef.kind }}
+ name: {{ .Values.centralStorage.secrets.secretStoreRef.name }}
+ target:
+ name: {{ .Values.centralStorage.secrets.target.name }}
+ creationPolicy: {{ .Values.centralStorage.secrets.target.creationPolicy }}
+ refreshInterval: {{ .Values.centralStorage.secrets.refreshInterval }}
+ data:
+{{- range .Values.centralStorage.secrets.data }}
+ - secretKey: {{ .key }}
+ remoteRef:
+ key: {{ .remoteRef.key }}
+ type: {{ .remoteRef.type }}
+{{- end }}
\ No newline at end of file
diff --git a/freeleaps/helm-pkg/centralStorage/values.alpha.yaml b/freeleaps/helm-pkg/centralStorage/values.alpha.yaml
index 8150bf9d..6636a925 100644
--- a/freeleaps/helm-pkg/centralStorage/values.alpha.yaml
+++ b/freeleaps/helm-pkg/centralStorage/values.alpha.yaml
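Review bot: Every `.Values.centralStorage.secrets.*` lookup in this new template is unguarded, whereas deployment.yaml wraps the same values in `{{- if .Values.centralStorage.secrets }}`; if any values file other than values.alpha.yaml (none is visible in this diff) omits the `secrets` stanza, rendering fails with a nil-pointer error at `.secretStoreRef.kind` instead of skipping the object. Either wrap the whole document in `{{- if .Values.centralStorage.secrets }}` … `{{- end }}` to mirror the deployment template, or, if the object is mandatory, open the file with `{{ required "centralStorage.secrets must be set" .Values.centralStorage.secrets }}` so the failure names the missing value. Separately, `name: freeleaps-central-storage-alpha-secrets` hard-codes the environment into a chart template that is otherwise fully values-driven; deriving it from `.Release.Name` or a value keeps the chart reusable, and a comment on the `target:` line noting that `target.name`, not `metadata.name`, is what the deployment's `secretKeyRef` resolves would save the next reader a lookup. The file also ends without a trailing newline.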
@@ -82,12 +82,30 @@ centralStorage:
 serviceApiAccessPort: 8005
 mongodbName: freeleaps2
 mongodbPort: 27017
- mongodbUri: mongodb+srv://jetli:8IHKx6dZK8BfugGp@freeleaps2.hanbj.mongodb.net/
- azureStorageDocumentApiKey: xbiFtFeQ6v5dozgVM99fZ9huUomL7QcLu6s0y8zYHtIXZ8XdneKDMcg4liQr/9oNlVoRFcZhWjLY+ASt9cjICQ==
- azureStorageDocumentApiEndpoint: https://freeleaps1document.blob.core.windows.net/
 metricsEnabled: 'false'
 probesEnabled: 'true'
 debugMode: 'false'
+ secrets:
+ secretStoreRef:
+ kind: FreeleapsSecretStore
+ name: freeleaps-main-secret-store
+ target:
+ name: "freeleaps-central-storage-secrets"
+ creationPolicy: "Owner"
+ refreshInterval: 30s
+ data:
+ - key: mongodbUri
+ remoteRef:
+ key: "freeleaps-alpha-mongodb-uri"
+ type: Secret
+ - key: azureStorageDocumentApiKey
+ remoteRef:
+ key: "freeleaps-alpha-azure-storage-document-api-key"
+ type: Secret
+ - key: azureStorageDocumentApiEndpoint
+ remoteRef:
+ key: "freeleaps-alpha-azure-storage-document-api-endpoint"
+ type: Secret
 vpa:
 minAllowed:
 enabled: false
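Review bot: The new `remoteRef.key` entries (`freeleaps-alpha-mongodb-uri`, `freeleaps-alpha-azure-storage-document-api-key`) only improve the posture if the vault entries they name hold freshly issued values, because the lines this hunk removes were a connection string with embedded credentials and a storage API key committed in plaintext, and deleting them from the working tree leaves them in git history; the old values should be treated as exposed and rotated as part of this migration. A comment above `secrets:` such as `# Sensitive values are resolved from Key Vault via FreeleapsSecret; do not put credentials in this file` would record the new rule where the next editor will see it. Quoting within the added block is inconsistent — `target.name`, `creationPolicy` and the `remoteRef.key` values are quoted while `secretStoreRef.name`, `type: Secret` and `refreshInterval: 30s` are not; none of these scalars is ambiguous to a YAML parser, so either style is fine, but one style throughout reads better. The `vpa:` stanza that follows continues outside the hunk.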