From 6e6cb19298d33295689304158f45a65581f9d858 Mon Sep 17 00:00:00 2001 From: Gabriel Santos Date: Mon, 22 Jan 2024 23:23:31 +0000 Subject: [PATCH 1/8] Support encryption_key and encryption_key_file values being set encryption key is loaded as a env var or file depending if encryption_key_file is set or not Signed-off-by: Gabriel Santos --- charts/perses/templates/config.yaml | 9 +++++++-- charts/perses/templates/secrets.yaml | 17 +++++++++++++++++ charts/perses/templates/statefulset.yaml | 13 ++++++++++++- charts/perses/values.schema.json | 14 ++++++++++++++ charts/perses/values.yaml | 2 +- 5 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 charts/perses/templates/secrets.yaml diff --git a/charts/perses/templates/config.yaml b/charts/perses/templates/config.yaml index 24f5222..13a81b1 100644 --- a/charts/perses/templates/config.yaml +++ b/charts/perses/templates/config.yaml @@ -12,6 +12,11 @@ data: config.yaml: |- security: readonly: {{ .Values.config.security.readOnly }} + {{- if .Values.config.security.encryptionKeyFile }} + encryption_key_file: {{ .Values.config.security.encryptionKeyFile }} + {{- else }} + encryption_key: {{ .Values.config.security.encryptionKey }} + {{- end }} enable_auth: {{ .Values.config.security.enableAuth }} database: @@ -24,12 +29,12 @@ data: sql: {{- tpl (toYaml .) $ | nindent 8 }} {{ end -}} - + {{- with .Values.config.important_dashboards }} important_dashboards: {{- toYaml . | nindent 6 }} {{- end }} - + {{- with .Values.config.schemas }} schemas: {{- toYaml . | nindent 6 }} diff --git a/charts/perses/templates/secrets.yaml b/charts/perses/templates/secrets.yaml new file mode 100644 index 0000000..7032c55 --- /dev/null +++ b/charts/perses/templates/secrets.yaml 
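Review bot: The new `encryption_key: {{ .Values.config.security.encryptionKey }}` line in the config.yaml hunk renders the key in clear text into the generated config, which — judging by the `data: config.yaml: |-` framing — is a ConfigMap, so anyone with ConfigMap read access in the namespace, plus every etcd backup, obtains the key that protects Perses' stored secrets. The template should only ever reference a file and let a Secret carry the value: keep the `encryption_key_file` branch and drop the `else`, or at minimum state the exposure in the values.yaml comment for `encryptionKey`. The value is also rendered unquoted, so a key made only of digits or starting with a YAML indicator would be retyped or break the document; use `encryption_key: {{ .Values.config.security.encryptionKey | quote }}`. The `security:` mapping continues past the end of the hunk.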
@@ -0,0 +1,17 @@ +{{- if .Values.config.security.encryptionKeyFile }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "perses.fullname" . }}-encryption-key + labels: + {{- include "perses.labels" . | nindent 4 }} + {{- with .Values.config.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: + encryption_key: {{ .Values.config.security.encryptionKey }} +{{- end }} + +--- diff --git a/charts/perses/templates/statefulset.yaml b/charts/perses/templates/statefulset.yaml index c59ba66..750f510 100644 --- a/charts/perses/templates/statefulset.yaml +++ b/charts/perses/templates/statefulset.yaml @@ -50,6 +50,11 @@ spec: - name: datasources mountPath: /etc/perses/datasources {{- end }} + {{- if .Values.config.security.encryptionKeyFile }} + - name: encryptionKey + mountPath: {{ .Values.config.security.encryptionKeyFile }} + readOnly: true + {{- end }} ports: - name: http containerPort: {{ .Values.service.targetPort }} @@ -97,4 +102,10 @@ spec: - name: datasources configMap: name: {{ include "perses.fullname" . }}-datasources - {{- end }} \ No newline at end of file + {{- end }} + {{- if .Values.config.security.encryptionKeyFile }} + - name: encryptionKey + secret: + secretName: {{ include "perses.fullname" . }}-encryption-key + items: encryption_key + {{- end }} diff --git a/charts/perses/values.schema.json b/charts/perses/values.schema.json index 335a412..b6209b4 100644 --- a/charts/perses/values.schema.json +++ b/charts/perses/values.schema.json @@ -102,6 +102,14 @@ "type": "boolean", "default": false }, + "encryptionKey": { + "type": "string", + "default": "" + }, + "encryptionKeyFile": { + "type": "string", + "default": "" + }, "enableAuth": { "type": "boolean", "default": false @@ -175,6 +183,12 @@ "disable_sign_up": { "type": "boolean", "default": false + }, + "providers": { + "type": "object", + "additionalProperties": false, + "properties": { + } } } } 
diff --git a/charts/perses/values.yaml b/charts/perses/values.yaml index f82fc0b..906a972 100644 --- a/charts/perses/values.yaml +++ b/charts/perses/values.yaml @@ -191,4 +191,4 @@ datasources: # plugin: # kind: PrometheusDatasource # spec: - # directUrl: https://prometheus.demo.do.prometheus.io \ No newline at end of file + # directUrl: https://prometheus.demo.do.prometheus.io From e5c43cbff159d6975d3421f1897f3fcd236d6cc7 Mon Sep 17 00:00:00 2001 From: Gabriel Santos Date: Mon, 5 Feb 2024 22:58:00 +0000 Subject: [PATCH 2/8] Fix errors with names and file paths Signed-off-by: Gabriel Santos --- charts/perses/Chart.yaml | 2 +- charts/perses/templates/config.yaml | 2 +- charts/perses/templates/secrets.yaml | 2 +- charts/perses/templates/statefulset.yaml | 8 +++++--- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/charts/perses/Chart.yaml b/charts/perses/Chart.yaml index 67e7fd3..57a4400 100644 --- a/charts/perses/Chart.yaml +++ b/charts/perses/Chart.yaml @@ -4,7 +4,7 @@ description: Perses helm chart icon: https://avatars.githubusercontent.com/u/77209215?s=200&v=4 type: application version: 0.3.0 -appVersion: "0.42.1" +appVersion: "0.43.0" sources: - https://github.com/perses/perses annotations: diff --git a/charts/perses/templates/config.yaml b/charts/perses/templates/config.yaml index 13a81b1..9b8b696 100644 --- a/charts/perses/templates/config.yaml +++ b/charts/perses/templates/config.yaml @@ -13,7 +13,7 @@ data: security: readonly: {{ .Values.config.security.readOnly }} {{- if .Values.config.security.encryptionKeyFile }} - encryption_key_file: {{ .Values.config.security.encryptionKeyFile }} + encryption_key_file: {{ printf "%s/key" (.Values.config.security.encryptionKeyFile | trimSuffix "/") }} {{- else }} encryption_key: {{ .Values.config.security.encryptionKey }} {{- end }} diff --git a/charts/perses/templates/secrets.yaml b/charts/perses/templates/secrets.yaml index 7032c55..523da8c 100644 --- a/charts/perses/templates/secrets.yaml 
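Review bot: With `printf "%s/key"` in the config.yaml hunk, `config.security.encryptionKeyFile` is no longer a file path but the directory the Secret is mounted into, which the option name contradicts and which will surprise anyone who points it at an existing file; either rename the value (e.g. `encryptionKeyDir`) or document that the key is read from `<encryptionKeyFile>/key`. The rendered path is emitted unquoted, so a directory containing `: ` or ` #` would corrupt the YAML; prefer `encryption_key_file: {{ printf "%s/key" (.Values.config.security.encryptionKeyFile | trimSuffix "/") | quote }}`. The Chart.yaml appVersion bump in the same patch is unrelated to this fix and would be cleaner as its own commit.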
+++ b/charts/perses/templates/secrets.yaml @@ -11,7 +11,7 @@ metadata: {{- end }} type: Opaque data: - encryption_key: {{ .Values.config.security.encryptionKey }} + key: {{ .Values.config.security.encryptionKey | b64enc }} {{- end }} --- diff --git a/charts/perses/templates/statefulset.yaml b/charts/perses/templates/statefulset.yaml index 750f510..bdb0ac5 100644 --- a/charts/perses/templates/statefulset.yaml +++ b/charts/perses/templates/statefulset.yaml @@ -51,7 +51,7 @@ spec: mountPath: /etc/perses/datasources {{- end }} {{- if .Values.config.security.encryptionKeyFile }} - - name: encryptionKey + - name: encryptionkey mountPath: {{ .Values.config.security.encryptionKeyFile }} readOnly: true {{- end }} @@ -104,8 +104,10 @@ spec: name: {{ include "perses.fullname" . }}-datasources {{- end }} {{- if .Values.config.security.encryptionKeyFile }} - - name: encryptionKey + - name: encryptionkey secret: secretName: {{ include "perses.fullname" . }}-encryption-key - items: encryption_key + items: + - key: key + path: "key" {{- end }} From 45de2e2fe1ef96d523c202a7d0e61e681f4e27d4 Mon Sep 17 00:00:00 2001 From: Gabriel Santos Date: Sun, 18 Feb 2024 22:02:15 +0000 Subject: [PATCH 3/8] Remove providers from schema json Signed-off-by: Gabriel Santos --- charts/perses/values.schema.json | 6 ------ 1 file changed, 6 deletions(-) diff --git a/charts/perses/values.schema.json b/charts/perses/values.schema.json index b6209b4..64e7756 100644 --- a/charts/perses/values.schema.json +++ b/charts/perses/values.schema.json @@ -183,12 +183,6 @@ "disable_sign_up": { "type": "boolean", "default": false - }, - "providers": { - "type": "object", - "additionalProperties": false, - "properties": { - } } } } From 18aaacb1a8006cbfde15cb2dc53cbad4fe0eb20a Mon Sep 17 00:00:00 2001 From: Gabriel Santos Date: Sun, 18 Feb 2024 22:28:55 +0000 Subject: [PATCH 4/8] Add missing checks to secret to be mount 
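Review bot: The `encryptionkey` secret volume in the statefulset hunk sets no `defaultMode`, so the projected key file gets Kubernetes' default 0644 and is readable by every uid inside the container, not just the Perses process. Add `defaultMode: 0440` under `secret:` next to `secretName` (0400 if the container runs as root without an `fsGroup` — the chart's securityContext is outside this hunk, so check which applies). The rename to `encryptionkey` is correct, since volume names must be DNS labels and the earlier camelCase name would have been rejected.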
Signed-off-by: Gabriel Santos --- charts/perses/templates/config.yaml | 2 +- charts/perses/templates/secrets.yaml | 2 +- charts/perses/templates/statefulset.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/perses/templates/config.yaml b/charts/perses/templates/config.yaml index 9b8b696..f013365 100644 --- a/charts/perses/templates/config.yaml +++ b/charts/perses/templates/config.yaml @@ -12,7 +12,7 @@ data: config.yaml: |- security: readonly: {{ .Values.config.security.readOnly }} - {{- if .Values.config.security.encryptionKeyFile }} + {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encriptionKey }} encryption_key_file: {{ printf "%s/key" (.Values.config.security.encryptionKeyFile | trimSuffix "/") }} {{- else }} encryption_key: {{ .Values.config.security.encryptionKey }} diff --git a/charts/perses/templates/secrets.yaml b/charts/perses/templates/secrets.yaml index 523da8c..9a16561 100644 --- a/charts/perses/templates/secrets.yaml +++ b/charts/perses/templates/secrets.yaml @@ -1,4 +1,4 @@ -{{- if .Values.config.security.encryptionKeyFile }} +{{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/perses/templates/statefulset.yaml b/charts/perses/templates/statefulset.yaml index bdb0ac5..0a04604 100644 --- a/charts/perses/templates/statefulset.yaml +++ b/charts/perses/templates/statefulset.yaml @@ -50,7 +50,7 @@ spec: - name: datasources mountPath: /etc/perses/datasources {{- end }} - {{- if .Values.config.security.encryptionKeyFile }} + {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} - name: encryptionkey mountPath: {{ .Values.config.security.encryptionKeyFile }} readOnly: true 
@@ -103,7 +103,7 @@ spec: configMap: name: {{ include "perses.fullname" . }}-datasources {{- end }} - {{- if .Values.config.security.encryptionKeyFile }} + {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} - name: encryptionkey secret: secretName: {{ include "perses.fullname" . }}-encryption-key From 209a860aaaf4c3d9584ee4c0f22b6b652072ea85 Mon Sep 17 00:00:00 2001 From: Gabriel Santos Date: Sun, 18 Feb 2024 22:53:19 +0000 Subject: [PATCH 5/8] Fix typos in 'if' conditions and move set of encryption_key to its on block Signed-off-by: Gabriel Santos --- charts/perses/templates/config.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/charts/perses/templates/config.yaml b/charts/perses/templates/config.yaml index f013365..12bf974 100644 --- a/charts/perses/templates/config.yaml +++ b/charts/perses/templates/config.yaml @@ -12,9 +12,10 @@ data: config.yaml: |- security: readonly: {{ .Values.config.security.readOnly }} - {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encriptionKey }} + {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} encryption_key_file: {{ printf "%s/key" (.Values.config.security.encryptionKeyFile | trimSuffix "/") }} - {{- else }} + {{- end }} + {{- if and (not .Values.config.security.encryptionKeyFile) .Values.config.security.encryptionKey }} encryption_key: {{ .Values.config.security.encryptionKey }} {{- end }} enable_auth: {{ .Values.config.security.enableAuth }} From 29efaccf1288fcf316e47e460012fb2e2d9b4c09 Mon Sep 17 00:00:00 2001 From: Gabriel Santos Date: Mon, 26 Feb 2024 20:49:04 +0000 Subject: [PATCH 6/8] Remove new line at end of values.yaml Signed-off-by: Gabriel Santos --- charts/perses/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/perses/values.yaml b/charts/perses/values.yaml index 906a972..f82fc0b 100644 --- a/charts/perses/values.yaml 
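Review bot: After this change, setting `encryptionKeyFile` without `encryptionKey` renders neither `encryption_key_file` nor `encryption_key`, so a missing or mistyped key silently leaves encryption off instead of failing the install. Fail closed with a guard before the two blocks: `{{- if and .Values.config.security.encryptionKeyFile (not .Values.config.security.encryptionKey) }}{{ fail "config.security.encryptionKey is required when config.security.encryptionKeyFile is set" }}{{- end }}`. The inverse case (key set, no file) still writes the key in clear text into this ConfigMap-backed config, which the values.yaml comments should at least warn about.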
+++ b/charts/perses/values.yaml @@ -191,4 +191,4 @@ datasources: # plugin: # kind: PrometheusDatasource # spec: - # directUrl: https://prometheus.demo.do.prometheus.io + # directUrl: https://prometheus.demo.do.prometheus.io \ No newline at end of file From 88edc9b0161c72845e9a3375c4652dc1c1583dd4 Mon Sep 17 00:00:00 2001 From: Gabriel Santos Date: Mon, 26 Feb 2024 20:51:36 +0000 Subject: [PATCH 7/8] Add encryption key fields with an empty string to values.yaml Signed-off-by: Gabriel Santos --- charts/perses/values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/perses/values.yaml b/charts/perses/values.yaml index f82fc0b..d4e69d6 100644 --- a/charts/perses/values.yaml +++ b/charts/perses/values.yaml @@ -96,6 +96,10 @@ config: security: # -- Configure Perses instance as readonly readOnly: false + # -- Encryption key + encryptionKey: "" + # -- Encryption key file path + encryptionKeyFile: "" # -- Enable Authentication enableAuth: false From 84ccd5d83e046f35ef99c3f68402dbf34e1bfc87 Mon Sep 17 00:00:00 2001 From: Gabriel Santos Date: Mon, 26 Feb 2024 22:55:38 +0000 Subject: [PATCH 8/8] Enable using an existing secret with to enable encryption of sensitive data Signed-off-by: Gabriel Santos --- charts/perses/templates/_helpers.tpl | 43 ++++++++++++++++++++++++ charts/perses/templates/secrets.yaml | 2 +- charts/perses/templates/statefulset.yaml | 15 +++------ charts/perses/values.schema.json | 14 ++++++++ charts/perses/values.yaml | 10 +++++- 5 files changed, 71 insertions(+), 13 deletions(-) diff --git a/charts/perses/templates/_helpers.tpl b/charts/perses/templates/_helpers.tpl index 1742304..39456fc 100644 --- a/charts/perses/templates/_helpers.tpl +++ b/charts/perses/templates/_helpers.tpl 
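Review bot: The two new comments in the values.yaml hunk do not tell the operator the security consequence of each value: the templates render `encryptionKey` in clear text into the config ConfigMap unless `encryptionKeyFile` is also set, and `encryptionKeyFile` is used as a mount directory with the key read from `<encryptionKeyFile>/key`. Suggested wording: `# -- Encryption key. Without encryptionKeyFile it is written in clear text into the Perses config ConfigMap; set encryptionKeyFile to have it stored in a Secret instead` and `# -- Directory the encryption key Secret is mounted into; Perses reads the key from <encryptionKeyFile>/key`. The `readOnly`/`enableAuth` neighbours keep the existing `# --` style, so these fit the helm-docs convention already in use.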
@@ -64,3 +64,46 @@ Create the name of the service account to use {{- define "perses.dns" -}} http://{{ include "perses.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.targetPort }} {{- end -}} + +{{/* +TODO +*/}} +{{- define "perses.createEncryptionKeyFileSecret" -}} +{{- if (and .Values.config.security.encryptionKey .Values.config.security.encryptionKeyFile) }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- end }} + +{{/* +TODO +*/}} +{{- define "perses.mountEncryptionKeyFileSecret" -}} +{{- if or (eq (include "perses.createEncryptionKeyFileSecret" .) "true") .Values.overrideEncryptionKeySecret.secretName }} +{{- printf "true" }} +{{- else }} +{{- printf "false" }} +{{- end }} +{{- end }} + +{{/* +TODO +*/}} +{{- define "perses.encryptionKeyVolume" -}} +- name: encryptionkey + secret: + secretName: {{ .Values.overrideEncryptionKeySecret.secretName | default (printf "%s-encryption-key" (include "perses.fullname" .)) | quote }} + items: + - key: {{ .Values.overrideEncryptionKeySecret.secretKey | default "key" | quote }} + path: "key" +{{- end }} + +{{/* +TODO +*/}} +{{- define "perses.encryptionKeyVolumeMount" -}} +- name: encryptionkey + mountPath: {{ .Values.config.security.encryptionKeyFile | default "etc/perses/security/encryptionkey" | quote }} + readOnly: true +{{- end }} diff --git a/charts/perses/templates/secrets.yaml b/charts/perses/templates/secrets.yaml index 9a16561..cd9e29a 100644 --- a/charts/perses/templates/secrets.yaml +++ b/charts/perses/templates/secrets.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} +{{- if eq (include "perses.createEncryptionKeyFileSecret" .) "true" }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/perses/templates/statefulset.yaml b/charts/perses/templates/statefulset.yaml index 0a04604..823e172 100644 --- a/charts/perses/templates/statefulset.yaml 
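Review bot: An existing Secret given via `overrideEncryptionKeySecret.secretName` is mounted (`perses.mountEncryptionKeyFileSecret` returns true) but never consumed: config.yaml, unchanged in this patch, only emits `encryption_key_file` when `encryptionKeyFile` and `encryptionKey` are both set, so the override path silently runs without encryption. config.yaml should key on the same helper, e.g. `{{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}` / `encryption_key_file: {{ printf "%s/key" (.Values.config.security.encryptionKeyFile | default "/etc/perses/security/encryptionkey" | trimSuffix "/") | quote }}`, and the helper's default `mountPath` must gain the leading slash (`"/etc/perses/security/encryptionkey"`) — as written it is a relative path that also differs from whatever config.yaml would reference. The four `{{/* TODO */}}` headers should describe each helper; for example `Returns "true" when the chart must create its own Secret from config.security.encryptionKey` for the first and `Returns "true" when an encryption key Secret (chart-created or overrideEncryptionKeySecret) is to be mounted` for the second.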
+++ b/charts/perses/templates/statefulset.yaml @@ -50,10 +50,8 @@ spec: - name: datasources mountPath: /etc/perses/datasources {{- end }} - {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} - - name: encryptionkey - mountPath: {{ .Values.config.security.encryptionKeyFile }} - readOnly: true + {{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }} + {{- include "perses.encryptionKeyVolumeMount" . | nindent 10 }} {{- end }} ports: - name: http @@ -103,11 +101,6 @@ spec: configMap: name: {{ include "perses.fullname" . }}-datasources {{- end }} - {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }} - - name: encryptionkey - secret: - secretName: {{ include "perses.fullname" . }}-encryption-key - items: - - key: key - path: "key" + {{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }} + {{- include "perses.encryptionKeyVolume" . | nindent 8 }} {{- end }} diff --git a/charts/perses/values.schema.json b/charts/perses/values.schema.json index 64e7756..53f0fdc 100644 --- a/charts/perses/values.schema.json +++ b/charts/perses/values.schema.json @@ -451,6 +451,20 @@ "volumeMounts": { "type": "array" }, + "overrideEncryptionKeySecret": { + "type": "object", + "additionalProperties": false, + "properties": { + "secretName": { + "type": "string", + "default": "" + }, + "secretKey": { + "type": "string", + "default": "key" + } + } + }, "readinessProbe": { "type": "object", "additionalProperties": false, diff --git a/charts/perses/values.yaml b/charts/perses/values.yaml index d4e69d6..ae623e2 100644 --- a/charts/perses/values.yaml +++ b/charts/perses/values.yaml 
@@ -82,6 +82,14 @@ volumes: [] # -- Additional VolumeMounts on the output StatefulSet definition. volumeMounts: [] + +# -- Enable encryption with an existing secret. +# The key that holds that encryption key can also be provided with `secretKey`. +# If not set, `key` is assumed. +overrideEncryptionKeySecret: + # -- SecretName is name of the K8s secret where the encryption key to be used is stored + secretName: "" + # -- Resource limits & requests. # Update according to your own use case as these values might be too low for a typical deployment. # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ @@ -195,4 +203,4 @@ datasources: # plugin: # kind: PrometheusDatasource # spec: - # directUrl: https://prometheus.demo.do.prometheus.io \ No newline at end of file + # directUrl: https://prometheus.demo.do.prometheus.io
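Review bot: The comment in the values.yaml hunk tells the user they can set `secretKey`, but the block declares only `secretName`, so the documented knob is invisible in the values file and helm-docs output; add `# -- Key inside the Secret that holds the encryption key` followed by `secretKey: "key"` under `overrideEncryptionKeySecret` to match the schema default. It is also worth stating here that this is the preferred way to supply the key, since `config.security.encryptionKey` is rendered into the chart's own resources. Going by the helper logic in this patch, setting both `encryptionKey` and `secretName` still creates the chart-managed Secret containing the inline key even though only the override Secret is mounted; a note that the two are mutually exclusive, or a `fail` when both are set, would avoid that orphaned copy.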