diff --git a/charts/rstuf-worker/Chart.yaml b/charts/rstuf-worker/Chart.yaml index bc38395..e7c8db7 100644 --- a/charts/rstuf-worker/Chart.yaml +++ b/charts/rstuf-worker/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.3 +version: 0.1.4 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/rstuf-worker/templates/deployment.yaml b/charts/rstuf-worker/templates/deployment.yaml index 06d9c0c..bf91916 100644 --- a/charts/rstuf-worker/templates/deployment.yaml +++ b/charts/rstuf-worker/templates/deployment.yaml @@ -42,10 +42,17 @@ spec: {{- toYaml .Values.readinessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} volumeMounts: + {{- with .Values.volumeMounts }} {{- toYaml . | nindent 12 }} - {{- end }} + {{- end }} + {{- if .Values.onlineKeyFile }} + {{- range .Values.onlineKeyFile }} + - name: {{ .keyid | printf "%.7s" }}-keyfile-volume + mountPath: /run/secrets/{{ .keyid }} + subPath: {{ .keyid }} + {{- end }} + {{- end }} env: - name: RSTUF_BROKER_SERVER value: {{ .Values.backend.brokerServer | quote }} 
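Review bot: The new volumeMount hard-codes `mountPath: /run/secrets/{{ .keyid }}` while the worker's `RSTUF_ONLINE_KEY_DIR` (the `@@ -59` hunk) is taken from `.Values.onlineKeyDir`, so any value other than `/run/secrets` leaves the worker looking in a directory that holds no key; inside the `range` the values root is only reachable as `$`, so `mountPath: {{ $.Values.onlineKeyDir }}/{{ .keyid }}`. The mount carries a private signing key and should be marked `readOnly: true`. The render conditions also disagree: this hunk and the `volumes` hunk at `@@ -103` emit on `.Values.onlineKeyFile` alone, whereas `secrets.yaml` requires `onlineKeyDir` as well, so a release that sets only `onlineKeyFile` gets a pod referencing a Secret the chart never creates; guarding all three places on the same condition would close that gap. Worth a comment on the `subPath` line too: Kubernetes does not propagate Secret updates into subPath mounts, so rotating a key requires a pod restart.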
@@ -59,9 +66,9 @@ spec: - name: RSTUF_LOCAL_STORAGE_BACKEND_PATH value: {{ required "storage.backendPath is required when storage.type is 'LocalStorage'." .Values.storage.storagePath | quote }} {{- end }} - {{- if and (eq .Values.storage.type "LocalStorage") .Values.storage.onlineKeyDir }} + {{- if .Values.onlineKeyDir }} - name: RSTUF_ONLINE_KEY_DIR - value: {{ .Values.storage.onlineKeyDir | quote }} + value: {{ .Values.onlineKeyDir | quote }} {{- end }} {{- if eq .Values.storage.type "AWSS3" }} - name: RSTUF_AWS_STORAGE_BUCKET @@ -103,10 +110,17 @@ spec: - name: RSTUF_LOCK_TIMEOUT value: {{ .Values.backend.lockTimeOut | quote }} {{- end }} - {{- with .Values.volumes }} volumes: + {{- with .Values.volumes }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} + {{- if .Values.onlineKeyFile }} + {{- range .Values.onlineKeyFile }} + - name: {{ .keyid | printf "%.7s" }}-keyfile-volume + secret: + secretName: {{ .keyid }}-keyfile-secret + {{- end }} + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/rstuf-worker/templates/secrets.yaml b/charts/rstuf-worker/templates/secrets.yaml new file mode 100644 index 0000000..cc6be89 --- /dev/null +++ b/charts/rstuf-worker/templates/secrets.yaml @@ -0,0 +1,13 @@ +# templates/secrets.yaml +{{- if and (.Values.onlineKeyDir) (.Values.onlineKeyFile) }} +{{- range .Values.onlineKeyFile }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .keyid }}-keyfile-secret +type: Opaque +data: + {{ .keyid }}: {{ .pem | quote }} +--- +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/rstuf-worker/values.yaml b/charts/rstuf-worker/values.yaml index d70bc84..4bc9c4f 100644 --- a/charts/rstuf-worker/values.yaml +++ b/charts/rstuf-worker/values.yaml @@ -43,7 +43,6 @@ storage: s3Region: "" s3Endpoint: "" - backend: brokerServer: "redis://redis" redisServer: "redis://redis" 
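Review bot: The new `secret:` volume sets no `defaultMode`, so the key file is created with the default 0644 and is readable by every uid in the container; `defaultMode: 0400` (or `0440` when the worker runs under an `fsGroup`) limits it to the owner. The volume name `{{ .keyid | printf "%.7s" }}-keyfile-volume` truncates the keyid to seven characters, presumably to stay within the 63-character DNS-label limit, so two keys sharing that prefix would produce duplicate volume names and a pod spec the API server rejects. That is unlikely for sha256-style ids, but a comment such as `# keyid truncated to fit the volume-name length limit; prefixes must be unique` would record the constraint (the same name is built in the volumeMounts hunk at `@@ -42`).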
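Review bot: `data: {{ .keyid }}: {{ .pem | quote }}` renders the map key unquoted, so an all-decimal keyid would be parsed as an integer rather than a string; `{{ .keyid | quote }}: {{ .pem | quote }}` avoids that, and if the intent is for users to paste PEM directly, `stringData:` (or `.pem | b64enc | quote`) would remove the manual base64 step the values comment asks for. Passing the private key through chart values also means it is persisted in Helm's release record for the namespace (a Secret under the default storage driver) and is returned by `helm get values`, so the docs should say so, and an `existingSecret`-style option that mounts a Secret created out of band would let operators keep the key out of values entirely. Minor: the trailing `---` after each document and the missing newline at end of file are harmless to Helm but will be flagged by yamllint.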
@@ -53,6 +52,14 @@ backend: redisDbResult: "" # default is 0 redisDbSettings: "" # default is 1 +# using online key as file +# onlineKeyDir: "/run/secrets" +# onlineKeyFile: +# - keyid: 0d9d3d4bad91c455bc03921daa95774576b86625ac45570d0cac025b08e65043 +# # pem must be base64 encoded +# pem: | +# 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 + serviceAccount: # Specifies whether a service account should be created create: true
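Review bot: The commented example documents that `pem` must be base64 but says nothing about how `onlineKeyDir` and `keyid` are consumed, and the deployment template fixes the mount directory to `/run/secrets`, so a reader could set `onlineKeyDir` to another path and end up with a worker that cannot find its key; add `# onlineKeyDir must match the mount directory used by the deployment template (/run/secrets)` above it. A line such as `# keyid becomes the Secret name (<keyid>-keyfile-secret) and the file name under onlineKeyDir` would spare users from reading the templates. Since the example embeds a private key in values, it is worth stating next to it that supplied values are stored in the Helm release record and that a values file holding this block should not be committed to version control.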