From 0f0d417bf6e4456a58e4281af2dbeefe0280dad3 Mon Sep 17 00:00:00 2001
From: Gabriel Santos
Date: Mon, 26 Feb 2024 22:55:38 +0000
Subject: [PATCH] Enable using an existing secret with to enable encryption of sensitive data

Signed-off-by: Gabriel Santos
---
charts/perses/templates/_helpers.tpl | 43 ++++++++++++++++++++++++
charts/perses/templates/secrets.yaml | 2 +-
charts/perses/templates/statefulset.yaml | 15 +++------
charts/perses/values.schema.json | 14 ++++++++
charts/perses/values.yaml | 10 +++++-
5 files changed, 71 insertions(+), 13 deletions(-)

diff --git a/charts/perses/templates/_helpers.tpl b/charts/perses/templates/_helpers.tpl
index 1742304..88ab55a 100644
--- a/charts/perses/templates/_helpers.tpl
+++ b/charts/perses/templates/_helpers.tpl
@@ -64,3 +64,46 @@ Create the name of the service account to use
 {{- define "perses.dns" -}}
 http://{{ include "perses.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.targetPort }}
 {{- end -}}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.createEncryptionKeyFileSecret" -}}
+{{- if (and .Values.config.security.encryptionKey .Values.config.security.encryptionKeyFile) }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.mountEncryptionKeyFileSecret" -}}
+{{- if or (eq (include "perses.createEncryptionKeyFileSecret" .) "true") .Values.overrideEncryptionKeySecret.secretName }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.encryptionKeyVolume" -}}
+- name: encryptionkey
+ secret:
+ secretName: {{ .Values.overrideEncryptionKeySecret.secretName | default (printf "%s-encryption-key" (include "perses.fullname" .)) | quote }}
+ items:
+ - key: {{ .Values.overrideEncryptionKeySecret.secretKey | default "key" | quote }}
+ path: "key"
+{{- end }}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.encryptionKeyVolumeMount" -}}
+- name: encryptionkey
+ mountPath: {{ {{ .Values.config.security.encryptionKeyFile }} | default "etc/perses/security/encryptionkey" }}
+ readOnly: true
+{{- end }}
diff --git a/charts/perses/templates/secrets.yaml b/charts/perses/templates/secrets.yaml
index 9a16561..cd9e29a 100644
--- a/charts/perses/templates/secrets.yaml
+++ b/charts/perses/templates/secrets.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
+{{- if eq (include "perses.createEncryptionKeyFileSecret" .) "true" }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/perses/templates/statefulset.yaml b/charts/perses/templates/statefulset.yaml
index 0a04604..823e172 100644
--- a/charts/perses/templates/statefulset.yaml
+++ b/charts/perses/templates/statefulset.yaml
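Review bot: `perses.encryptionKeyVolumeMount` nests one action inside another, `{{ {{ .Values.config.security.encryptionKeyFile }} | default ... }}`, which the template parser rejects, so any release with the mount enabled fails to render; the line should be `mountPath: {{ .Values.config.security.encryptionKeyFile | default "/etc/perses/security/encryptionkey" | quote }}`. The fallback also needs the leading slash, because a Kubernetes mountPath must be absolute. `perses.createEncryptionKeyFileSecret` ignores `overrideEncryptionKeySecret.secretName` while `perses.encryptionKeyVolume` prefers that name over the chart-generated one, so with `config.security.encryptionKey` and an existing secret both set the chart still renders its own Secret (gated by the `if` in secrets.yaml below) that nothing mounts; changing the condition to `{{- if and .Values.config.security.encryptionKey .Values.config.security.encryptionKeyFile (not .Values.overrideEncryptionKeySecret.secretName) }}` avoids leaving key material in a Secret that is never used. The four `TODO` comment blocks should state what each helper returns, e.g. `Returns "true" when the chart should create its own encryption-key Secret from config.security.encryptionKey`, and for the two volume helpers that the secret item is exposed as the file `key` under mountPath.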
@@ -50,10 +50,8 @@ spec:
 - name: datasources
 mountPath: /etc/perses/datasources
 {{- end }}
- {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
- - name: encryptionkey
- mountPath: {{ .Values.config.security.encryptionKeyFile }}
- readOnly: true
+ {{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}
+ {{- include "perses.encryptionKeyVolumeMount" . | nindent 10 }}
 {{- end }}
 ports:
 - name: http
@@ -103,11 +101,6 @@ spec:
 configMap:
 name: {{ include "perses.fullname" . }}-datasources
 {{- end }}
- {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
- - name: encryptionkey
- secret:
- secretName: {{ include "perses.fullname" . }}-encryption-key
- items:
- - key: key
- path: "key"
+ {{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}
+ {{- include "perses.encryptionKeyVolume" . | nindent 8 }}
 {{- end }}
diff --git a/charts/perses/values.schema.json b/charts/perses/values.schema.json
index 64e7756..53f0fdc 100644
--- a/charts/perses/values.schema.json
+++ b/charts/perses/values.schema.json
@@ -451,6 +451,20 @@
 "volumeMounts": {
 "type": "array"
 },
+ "overrideEncryptionKeySecret": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "secretName": {
+ "type": "string",
+ "default": ""
+ },
+ "secretKey": {
+ "type": "string",
+ "default": "key"
+ }
+ }
+ },
 "readinessProbe": {
 "type": "object",
 "additionalProperties": false,
diff --git a/charts/perses/values.yaml b/charts/perses/values.yaml
index d4e69d6..ae623e2 100644
--- a/charts/perses/values.yaml
+++ b/charts/perses/values.yaml
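Review bot: The volume from `perses.encryptionKeyVolume` projects the secret item to `path: "key"`, so the mounted file ends up at `<mountPath>/key`, while the mount path is taken from `config.security.encryptionKeyFile`; if that value is the file Perses reads (its name suggests so, and the removed lines had the same shape), the path resolves to a directory rather than the key file, which is worth confirming against the config rendering outside this diff. If a file path is intended, the mount helper could add `subPath: key` so the secret item lands exactly at `encryptionKeyFile`; otherwise values.yaml should document it as a directory. The `volumeMounts` and `volumes` lists these two hunks patch both begin before the hunk.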
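Review bot: `secretKey` is declared here with `"default": "key"` but the values.yaml hunk in this commit adds only `secretName`; Helm validates values against this schema without applying its defaults, so the effective default comes solely from the `| default "key"` in `perses.encryptionKeyVolume` and the key is not discoverable from `values.yaml`. Adding `  # -- Key in the Secret that holds the encryption key` / `  secretKey: "key"` under `overrideEncryptionKeySecret` in values.yaml keeps schema, values and helper in step. The enclosing `properties` object starts before this hunk.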
@@ -82,6 +82,14 @@ volumes: [] # -- Additional VolumeMounts on the output StatefulSet definition. volumeMounts: [] + +# -- Enable encryption with an existing secret. +# The key that holds that encryption key can also be provided with `secretKey`. +# If not set, `key` is assumed. +overrideEncryptionKeySecret: + # -- SecretName is name of the K8s secret where the encryption key to be used is stored + secretName: "" + # -- Resource limits & requests. # Update according to your own use case as these values might be too low for a typical deployment. # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @@ -195,4 +203,4 @@ datasources: # plugin: # kind: PrometheusDatasource # spec: - # directUrl: https://prometheus.demo.do.prometheus.io \ No newline at end of file + # directUrl: https://prometheus.demo.do.prometheus.io
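Review bot: The comment on `overrideEncryptionKeySecret` does not say how it relates to `config.security.encryptionKey` and `encryptionKeyFile`, which is the decision an operator has to make here; from the helpers in this commit a non-empty `secretName` is preferred over the chart-generated Secret and on its own enables the mount. Suggest `# -- Use an existing Secret for the encryption key instead of placing it in config.security.encryptionKey.` / `# When secretName is set it takes precedence over the Secret the chart would generate.` plus a sentence on whether `config.security.encryptionKeyFile` still has to be set for Perses to read the mounted file, which the config rendering outside this diff decides. The `# -- SecretName is name of the K8s secret where the encryption key to be used is stored` line reads more cleanly as `# -- Name of the Kubernetes Secret that holds the encryption key`. The second hunk only adds the missing trailing newline.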