Merge pull request #182 from uc-cdis/fix/secret_store_service_account

Fix/secret store service account

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-05-31T15:29:39Z",
+  "generated_at": "2024-06-11T15:04:04Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -179,7 +179,7 @@
         "hashed_secret": "d84ce25b0f9bc2cc263006ae39453efb22cc2900",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 23,
+        "line_number": 25,
         "type": "Secret Keyword"
       }
     ],
@@ -353,7 +353,7 @@
         "hashed_secret": "1740c48fa3141d4851b14f97e3bc0f46f7670672",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 117,
+        "line_number": 122,
         "type": "Secret Keyword"
       }
     ],
@@ -362,7 +362,7 @@
         "hashed_secret": "9b5925ea817163740dfb287a9894e8ab3aba2c18",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 190,
+        "line_number": 200,
         "type": "Secret Keyword"
       }
     ],

helm/common/Chart.yaml

@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.10
+version: 0.1.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/common/README.md

@@ -1,13 +1,15 @@
 # common
 
-![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 A Helm chart for provisioning databases in gen3
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| global.aws | map | `{"region":"us-east-1"}` | AWS configuration |
+| global.aws.region | string | `"us-east-1"` | AWS region for this deployment |
 | global.ddEnabled | bool | `false` | Whether Datadog is enabled. |
 | global.dev | bool | `true` | Whether the deployment is for development purposes. |
 | global.dictionaryUrl | string | `"https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json"` | URL of the data dictionary. |

helm/common/templates/_external_secrets.tpl

@@ -50,15 +50,21 @@ spec:
   provider:
     aws:
       service: SecretsManager
-      region: us-east-1
+      region: {{ .Values.global.aws.region }}
       auth:
+        {{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
+        jwt:
+          serviceAccountRef:
+            name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+        {{- else }}
         secretRef:
           accessKeyIDSecretRef:
             name: {{.Chart.Name}}-aws-config
             key: access-key
           secretAccessKeySecretRef:
             name: {{.Chart.Name}}-aws-config
             key: secret-access-key
+        {{- end}}
 {{- end }}
 
 

helm/common/values.yaml

@@ -5,6 +5,10 @@
 
 # Global configuration
 global:
+  # -- (map) AWS configuration
+  aws:
+    # -- (string) AWS region for this deployment
+    region: us-east-1
   # -- (bool) Whether the deployment is for development purposes.
   dev: true
 

helm/gen3/Chart.yaml

@@ -25,7 +25,7 @@ dependencies:
   repository: "file://../aws-es-proxy"
   condition: aws-es-proxy.enabled
 - name: common
-  version: 0.1.10
+  version: 0.1.11
   repository: file://../common
 - name: etl
   version: 0.1.1
@@ -128,7 +128,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.35
+version: 0.1.36
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/gen3/README.md

@@ -1,6 +1,6 @@
 # gen3
 
-![Version: 0.1.35](https://img.shields.io/badge/Version-0.1.35-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.36](https://img.shields.io/badge/Version-0.1.36-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 Helm chart to deploy Gen3 Data Commons
 
@@ -23,7 +23,7 @@ Helm chart to deploy Gen3 Data Commons
 | file://../argo-wrapper | argo-wrapper | 0.1.7 |
 | file://../audit | audit | 0.1.12 |
 | file://../aws-es-proxy | aws-es-proxy | 0.1.9 |
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.11 |
 | file://../etl | etl | 0.1.1 |
 | file://../fence | fence | 0.1.18 |
 | file://../frontend-framework | frontend-framework | 0.1.1 |
@@ -80,10 +80,15 @@ Helm chart to deploy Gen3 Data Commons
 | frontend-framework.image | map | `{"repository":"quay.io/cdis/frontend-framework","tag":"develop"}` | Docker image information. |
 | frontend-framework.image.repository | string | `"quay.io/cdis/frontend-framework"` | The Docker image repository for the frontend-framework. |
 | frontend-framework.image.tag | string | `"develop"` | Overrides the image tag whose default is the chart appVersion. |
-| global.aws | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false,"useLocalSecret":{"enabled":false,"localSecretName":null}}` | AWS configuration |
+| global.aws | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false,"region":"us-east-1","secretStoreServiceAccount":{"enabled":false,"name":"secret-store-sa","roleArn":null},"useLocalSecret":{"enabled":false,"localSecretName":null}}` | AWS configuration |
 | global.aws.awsAccessKeyId | string | `nil` | Credentials for AWS stuff. |
 | global.aws.awsSecretAccessKey | string | `nil` | Credentials for AWS stuff. |
 | global.aws.enabled | bool | `false` | Set to true if deploying to AWS. Controls ingress annotations. |
+| global.aws.region | string | `"us-east-1"` | AWS region for this deployment |
+| global.aws.secretStoreServiceAccount | map | `{"enabled":false,"name":"secret-store-sa","roleArn":null}` | Service account and AWS role for authentication to AWS Secrets Manager |
+| global.aws.secretStoreServiceAccount.enabled | bool | `false` | Set true if deploying to AWS and want to use service account and IAM role instead of aws keys. Must provide role-arn. |
+| global.aws.secretStoreServiceAccount.name | string | `"secret-store-sa"` | Name of the service account to create |
+| global.aws.secretStoreServiceAccount.roleArn | string | `nil` | AWS Role ARN for Secret Store to use |
 | global.aws.useLocalSecret | map | `{"enabled":false,"localSecretName":null}` | Local secret setting if using a pre-exising secret. |
 | global.aws.useLocalSecret.enabled | bool | `false` | Set to true if you would like to use a secret that is already running on your cluster. |
 | global.aws.useLocalSecret.localSecretName | string | `nil` | Name of the local secret. |

helm/gen3/templates/cluster-secret-store.yaml

@@ -9,7 +9,7 @@ spec:
   provider:
     aws:
       service: SecretsManager
-      region: us-east-1
+      region: {{ .Values.global.aws.region }}
       auth:
         secretRef:
           accessKeyIDSecretRef:

helm/gen3/templates/secret-store-service-account.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+  annotations:
+    eks.amazonaws.com/role-arn: {{ .Values.global.aws.secretStoreServiceAccount.roleArn }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: external-secrets-role
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: external-secrets-rolebinding
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+roleRef:
+  kind: Role
+  name: external-secrets-role
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

helm/gen3/values.yaml

@@ -6,12 +6,22 @@
 global:
   # -- (map) AWS configuration
   aws:
+    # -- (string) AWS region for this deployment
+    region: us-east-1
     # -- (bool) Set to true if deploying to AWS. Controls ingress annotations.
     enabled: false
     # -- (string) Credentials for AWS stuff.
     awsAccessKeyId:
     # -- (string) Credentials for AWS stuff.
     awsSecretAccessKey:
+    # -- (map) Service account and AWS role for authentication to AWS Secrets Manager
+    secretStoreServiceAccount:
+      # -- (bool) Set true if deploying to AWS and want to use service account and IAM role instead of aws keys. Must provide role-arn.
+      enabled: false
+      # -- (string) Name of the service account to create
+      name: secret-store-sa
+      # -- (string) AWS Role ARN for Secret Store to use
+      roleArn:
     # -- (map) Local secret setting if using a pre-exising secret.
     useLocalSecret:
       # -- (bool) Set to true if you would like to use a secret that is already running on your cluster.