feat: rudimentary sealed secrets support (no json schema)

Wojciechem · Jan 20, 2025 · 7ce8cdd · 7ce8cdd
1 parent a35d3d1
commit 7ce8cdd
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -22,11 +22,17 @@ appVersion: 1.0.0
 
 dependencies:
   - name: app
-    version: 0.5.11
+    version: 0.6.0
     repository: oci://ghcr.io/wojciechem/platformex
 ```
+
 For values please see [values-example.yaml](charts/app/values-example.yaml)
 
+## Gotchas
+
+In order to render templates locally, if using `sealedSecrets`, you may need to pass
+`--api-versions bitnami.com/v1alpha1/SealedSecret` to `helm template` command.
+
 ## TODO:
 - Chart
   - [ ] Minimal stable v1.0.0

diff --git a/charts/app/Chart.yaml b/charts/app/Chart.yaml
@@ -5,7 +5,7 @@ description: Flexible helm chart to deploy your apps to kubernetes cluster.
 type: application
 
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.5.11
+version: 0.6.0
 
 appVersion: 1.0.0
 
diff --git a/charts/app/templates/_sealedSecrets.tpl b/charts/app/templates/_sealedSecrets.tpl
diff --git a/charts/app/templates/secrets.yaml b/charts/app/templates/secrets.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: List
+items:
+  {{- range $name, $secret := .Values.sealedSecrets }}
+  {{- if $.Capabilities.APIVersions.Has "bitnami.com/v1alpha1/SealedSecret" }}
+  {{- else }}
+  {{- fail "You need to install sealed-secrets operator and CRDs in order to use sealedSecrets." }}
+  {{- end }}
+  - apiVersion: bitnami.com/v1alpha1
+    kind: SealedSecret
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: "true"
+      labels:
+        {{- include "platformex.globalLabels" $ | indent 10 }}
+      name: "{{ required "name is required!" $secret.name }}"
+      {{- if $secret.namespace }}
+      namespace: {{ $secret.namespace | quote }}
+      {{- end }}
+    spec:
+      encryptedData:
+        {{- range $secret.sealedData }}
+        {{ .key }}: {{ .value | quote }}
+        {{- end }}
+      template:
+        metadata:
+          name: "{{ $secret.name }}"
+        {{- if $secret.data }}
+        data:
+          {{- range $secret.data }}
+          {{ .key }}: {{ .value | quote }}
+          {{- end }}
+        {{- end }}
+  {{- end }}
diff --git a/charts/app/values-example.yaml b/charts/app/values-example.yaml
@@ -26,8 +26,39 @@ imageRefs:
   demo:
     repository: "oci.kodzik.cloud/public/demko"
     tag: "1.0.0"
+  test:
+    repository: "oci.kodzik.cloud/public/test"
+    tag: "2.3.4"
+
+sealedSecrets:
+  secret1:
+    name: asecret
+    namespace: xyz
+    sealedData:
+      - key: password
+        value: (encrypted-value-goes-here)
+    data:
+      - key: username
+        value: unencrypted-values-go-here
+  secret2:
+    name: bsecret
+    sealedData:
+      - key: passcode
+        value: (encrypted-passcode)
 
 instances:
+  1-plain:
+    enableCrons: false
+    enableWorkers: false
+    deployments:
+      one:
+        replicas: 1
+        revisionHistoryLimit: 2
+        containers:
+          one-container:
+            image: oci.kodzik.cloud/public/one:1.0.0
+            env:
+              ONE: "1"
   default:
     enableCrons: true
     enableWorkers: true

diff --git a/charts/app/values.schema.json b/charts/app/values.schema.json
@@ -15,6 +15,9 @@
         "imageRefs": {
           "$ref": "#/definitions/ImageRefs"
         },
+        "sealedSecrets": {
+          "type": "object"
+        },
         "instances": {
           "$ref": "#/definitions/Instances"
         }

diff --git a/charts/app/values.yaml b/charts/app/values.yaml
@@ -1,6 +1,6 @@
 global:
   labels:
-    ops.kodzik.cloud/chart: "platformex"
+    ops.kodzik.cloud/chart: "app"
   defaults: { }
 
 envRefs: { }