

Enable using an existing secret to enable encryption of sensitive
data

Signed-off-by: Gabriel Santos <[email protected]>
Gabrielopesantos committed Apr 19, 2024
1 parent 88edc9b commit 0f0d417
Showing 5 changed files with 71 additions and 13 deletions.
43 changes: 43 additions & 0 deletions charts/perses/templates/_helpers.tpl
Expand Up @@ -64,3 +64,46 @@ Create the name of the service account to use
{{- define "perses.dns" -}}
http://{{ include "perses.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.targetPort }}
{{- end -}}

{{/*
TODO
*/}}
{{- define "perses.createEncryptionKeyFileSecret" -}}
{{- if (and .Values.config.security.encryptionKey .Values.config.security.encryptionKeyFile) }}
{{- printf "true" }}
{{- else }}
{{- printf "false" }}
{{- end }}
{{- end }}

{{/*
TODO
*/}}
{{- define "perses.mountEncryptionKeyFileSecret" -}}
{{- if or (eq (include "perses.createEncryptionKeyFileSecret" .) "true") .Values.overrideEncryptionKeySecret.secretName }}
{{- printf "true" }}
{{- else }}
{{- printf "false" }}
{{- end }}
{{- end }}

{{/*
TODO
*/}}
{{- define "perses.encryptionKeyVolume" -}}
- name: encryptionkey
secret:
secretName: {{ .Values.overrideEncryptionKeySecret.secretName | default (printf "%s-encryption-key" (include "perses.fullname" .)) | quote }}
items:
- key: {{ .Values.overrideEncryptionKeySecret.secretKey | default "key" | quote }}
path: "key"
{{- end }}

{{/*
TODO
*/}}
{{- define "perses.encryptionKeyVolumeMount" -}}
- name: encryptionkey
mountPath: {{ {{ .Values.config.security.encryptionKeyFile }} | default "etc/perses/security/encryptionkey" }}
readOnly: true
{{- end }}
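Review bot: The `mountPath` line in `perses.encryptionKeyVolumeMount` nests one action inside another (`{{ {{ .Values.config.security.encryptionKeyFile }} | default ... }}`), which will not parse as a Go template, and the fallback path has no leading slash unlike the other mount paths in this chart (`/etc/perses/datasources`); use `mountPath: {{ .Values.config.security.encryptionKeyFile | default "/etc/perses/security/encryptionkey" }}`. Note that the volume still projects the secret item as `key`, so the file actually lands at `<mountPath>/key`; whether `config.security.encryptionKeyFile` is meant to name that directory or the file itself is not visible here and should be stated in the define's comment so the two stay in sync with the rendered config. The four `TODO` header comments should be replaced with one-line descriptions, e.g. `Returns "true" when the chart itself must create the encryption-key Secret (both encryptionKey and encryptionKeyFile set).` for the first define and `Volume projecting the encryption key from the chart-created Secret or from overrideEncryptionKeySecret.secretName/secretKey.` for the third.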
2 changes: 1 addition & 1 deletion charts/perses/templates/secrets.yaml
@@ -1,4 +1,4 @@
{{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
{{- if eq (include "perses.createEncryptionKeyFileSecret" .) "true" }}
apiVersion: v1
kind: Secret
metadata:
15 changes: 4 additions & 11 deletions charts/perses/templates/statefulset.yaml
Expand Up @@ -50,10 +50,8 @@ spec:
- name: datasources
mountPath: /etc/perses/datasources
{{- end }}
{{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
- name: encryptionkey
mountPath: {{ .Values.config.security.encryptionKeyFile }}
readOnly: true
{{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}
{{- include "perses.encryptionKeyVolumeMount" . | nindent 10 }}
{{- end }}
ports:
- name: http
Expand Down Expand Up @@ -103,11 +101,6 @@ spec:
configMap:
name: {{ include "perses.fullname" . }}-datasources
{{- end }}
{{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
- name: encryptionkey
secret:
secretName: {{ include "perses.fullname" . }}-encryption-key
items:
- key: key
path: "key"
{{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}
{{- include "perses.encryptionKeyVolume" . | nindent 8 }}
{{- end }}
14 changes: 14 additions & 0 deletions charts/perses/values.schema.json
Expand Up @@ -451,6 +451,20 @@
"volumeMounts": {
"type": "array"
},
"overrideEncryptionKeySecret": {
"type": "object",
"additionalProperties": false,
"properties": {
"secretName": {
"type": "string",
"default": ""
},
"secretKey": {
"type": "string",
"default": "key"
}
}
},
"readinessProbe": {
"type": "object",
"additionalProperties": false,
10 changes: 9 additions & 1 deletion charts/perses/values.yaml
Expand Up @@ -82,6 +82,14 @@ volumes: []
# -- Additional VolumeMounts on the output StatefulSet definition.
volumeMounts: []


# -- Enable encryption with an existing secret.
# The key that holds that encryption key can also be provided with `secretKey`.
# If not set, `key` is assumed.
overrideEncryptionKeySecret:
# -- SecretName is name of the K8s secret where the encryption key to be used is stored
secretName: ""

# -- Resource limits & requests.
# Update according to your own use case as these values might be too low for a typical deployment.
# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Expand Down Expand Up @@ -195,4 +203,4 @@ datasources:
# plugin:
# kind: PrometheusDatasource
# spec:
# directUrl: https://prometheus.demo.do.prometheus.io
# directUrl: https://prometheus.demo.do.prometheus.io
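Review bot: The new `overrideEncryptionKeySecret` stanza declares only `secretName`, although its header comment says the key can be supplied with `secretKey` and values.schema.json in this commit defines `secretKey` with default `key`; list it here so users find it without reading the templates, e.g. `# -- Key inside the secret that holds the encryption key.` followed by `secretKey: "key"`. The `secretName` comment should also say that this Secret is not created by the chart and must already exist in the release namespace, since a secret volume can only reference a Secret in the pod's own namespace. There are also two consecutive blank lines above the stanza where the rest of the file uses one.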
