Merge branch 'generic-secret' into 'main'

Generic secret See merge request !4

Merge branch 'generic-secret' into 'main'
Generic secret See merge request !4
232a8c15 · Joshua David Akers · c46042d0 · 69b8e212 · 232a8c15 · 232a8c15
Commit 232a8c15 authored 2 years ago by Joshua David Akers
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,7 +4,7 @@ stages:

 Lint chart:
  stage: validate
-  image: 
+  image:
    name: alpine/helm
    entrypoint: [""]
  script:
@@ -15,13 +15,20 @@ Deploy chart:
  image:
    name: alpine/helm
    entrypoint: [""]
-  rules:
-    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-      changes:
-        - Chart.yaml
  before_script:
    - apk add curl
+  variables:
+    # Path in the repo that the helm chart is located
+    HELM_CHART_LOCATION: "."
  script:
-    - helm package .
-    - FILENAME=$(find . -type f -name "vault-secret*.tgz")
-    - 'curl --request POST --user gitlab-ci-token:$CI_JOB_TOKEN --form "chart=@${FILENAME}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"'
+    - |
+      set -ex
+      helm package $HELM_CHART_LOCATION
+      FILENAME=$(find . -type f -name "*.tgz")
+      ls -l $FILENAME
+      if [ $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH ]; then \
+        CHANNEL=stable
+      else
+        CHANNEL=${CI_COMMIT_BRANCH}
+      fi
+      curl --request POST --user gitlab-ci-token:$CI_JOB_TOKEN --form "chart=@${FILENAME}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/${CHANNEL}/charts"
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -3,5 +3,5 @@ name: vault-secret-syncer
 description: A Helm chart that syncs secrets from Vault into Kubernetes

 type: application
-version: 0.4.1
+version: 0.4.18
 appVersion: "1.16.0"
--- a/files/script.sh
+++ b/files/script.sh
@@ -65,6 +65,29 @@ if [ $SECRET_TYPE == "kubernetes.io/dockercfg" ]; then
    --docker-username=$USERNAME \
    --docker-password=$PASSWORD \
    --docker-email=""
+
+elif [ $SECRET_TYPE == "generic" ]; then
+
+  set -x
+  if [ "$SECRET_KEY" == "" ]; then
+    echo "Error: No SECRET_KEY specified"
+    exit 1
+  fi
+
+  # Static secrets have a different path from other secrets
+  if [ $(echo $VAULT_SECRET | grep -c '/static-creds/') -ne 0 ]; then
+    SECRET_VALUE=$(echo $SECRET | jq -r ".data.${SECRET_KEY}")
+  else
+    SECRET_VALUE=$(echo $SECRET | jq -r ".data.data.${SECRET_KEY}")
+  fi
+
+  echo "- Deleting any existing secret (since upgrading isn't possible via kubectl)"
+  kubectl delete secret $K8S_SECRET_NAME || true
+
+  echo "- Defining new secret"
+  kubectl create secret generic $K8S_SECRET_NAME \
+    --from-literal=${SECRET_KEY}=${SECRET_VALUE} \
+
 else
  echo "Secret type (${SECRET_TYPE}) is currently unsupported"
  exit 1

--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -84,6 +84,8 @@ spec:
              value: {{ .Values.vault.secret.path }}
            - name: USERNAME_KEY
              value: {{ .Values.vault.secret.usernameKey }}
+            - name: SECRET_KEY
+              value: {{ .Values.vault.secret.secretKey }}
            - name: PASSWORD_KEY
              value: {{ .Values.vault.secret.passwordKey }}
            - name: REGISTRY_URL

--- a/values.yaml
+++ b/values.yaml
@@ -22,16 +22,23 @@ vault:
  # The Vault role the Job should assume/authenticate as
  role: ""

-  secret: 
+  secret:
    # The secret path to load data from (eg, path/to/secret)
    path: ""

+    ## When secret.type == 'kubernetes.io/dockercfg' (Default)
+    #
    # The key within the Vault secret that contains the username for registry auth
    usernameKey: username

    # The key within the Vault secret that contains the password for registry auth
    passwordKey: password

+    ## When secret.type == 'generic'
+    #
+    # The key within the Vault secret that contains the generic secret.
+    secretKey: "password"
+
 secret:
  # The type of Kubernetes secret to create. Defaults to a Docker registry secret
  type: kubernetes.io/dockercfg