From 62d6d2a30c8c2f3f55fe3607d9078e9602c3f15b Mon Sep 17 00:00:00 2001
From: Guerdon Mukama
Date: Thu, 2 May 2024 12:02:58 +1000
Subject: [PATCH 1/5] Ability to set an AWS region for Secret Manager
---
 helm/common/templates/_external_secrets.tpl | 2 +-
 helm/common/values.yaml | 4 ++++
 helm/gen3/Chart.yaml | 2 +-
 helm/gen3/templates/cluster-secret-store.yaml | 2 +-
 helm/gen3/values.yaml | 2 ++
 5 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/helm/common/templates/_external_secrets.tpl b/helm/common/templates/_external_secrets.tpl
index dc9f865b..214bc13e 100644
--- a/helm/common/templates/_external_secrets.tpl
+++ b/helm/common/templates/_external_secrets.tpl
@@ -50,7 +50,7 @@ spec:
 provider:
 aws:
 service: SecretsManager
- region: us-east-1
+ region: {{ .Values.global.aws.region }}
 auth:
 secretRef:
 accessKeyIDSecretRef:
diff --git a/helm/common/values.yaml b/helm/common/values.yaml
index 3d3d2297..51b8616b 100644
--- a/helm/common/values.yaml
+++ b/helm/common/values.yaml
@@ -5,6 +5,10 @@
 # Global configuration
 global:
+ # -- (map) AWS configuration
+ aws:
+ # -- (string) AWS region for this deployment
+ region: us-east-1
 # -- (bool) Whether the deployment is for development purposes.
 dev: true
diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml
index 60b576be..476b049e 100644
--- a/helm/gen3/Chart.yaml
+++ b/helm/gen3/Chart.yaml
@@ -128,7 +128,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.35
+version: 0.1.36
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/gen3/templates/cluster-secret-store.yaml b/helm/gen3/templates/cluster-secret-store.yaml
index 5035e4d0..28ffe29e 100644
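Review bot: The new `region: {{ .Values.global.aws.region }}` is emitted as a plain scalar, so a consumer that unsets `global.aws.region` gets a bare `region:` (YAML null) and the mistake only shows up when the store is reconciled; `region: {{ required "global.aws.region must be set" .Values.global.aws.region | quote }}` fails at template time and keeps the value a string. The identical line added to helm/gen3/templates/cluster-secret-store.yaml in the next hunk has the same problem. The enclosing template definition starts and ends outside the hunk.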
--- a/helm/gen3/templates/cluster-secret-store.yaml
+++ b/helm/gen3/templates/cluster-secret-store.yaml
@@ -9,7 +9,7 @@ spec:
 provider:
 aws:
 service: SecretsManager
- region: us-east-1
+ region: {{ .Values.global.aws.region }}
 auth:
 secretRef:
 accessKeyIDSecretRef:
diff --git a/helm/gen3/values.yaml b/helm/gen3/values.yaml
index c122095b..79001c78 100644
--- a/helm/gen3/values.yaml
+++ b/helm/gen3/values.yaml
@@ -6,6 +6,8 @@
 global:
 # -- (map) AWS configuration
 aws:
+ # -- (string) AWS region for this deployment
+ region: us-east-1
 # -- (bool) Set to true if deploying to AWS. Controls ingress annotations.
 enabled: false
 # -- (string) Credentials for AWS stuff.
From c6380588e80e2ffa31349d6ab8757316d353080a Mon Sep 17 00:00:00 2001
From: Guerdon Mukama
Date: Mon, 13 May 2024 13:17:20 +1000
Subject: [PATCH 2/5] support for service account and IAM role
---
 helm/common/templates/_external_secrets.tpl | 6 ++++
 .../secret-store-service-account.yaml | 29 +++++++++++++++++++
 helm/gen3/values.yaml | 8 +++++
 3 files changed, 43 insertions(+)
 create mode 100644 helm/gen3/templates/secret-store-service-account.yaml
diff --git a/helm/common/templates/_external_secrets.tpl b/helm/common/templates/_external_secrets.tpl
index 214bc13e..a8a7c6be 100644
--- a/helm/common/templates/_external_secrets.tpl
+++ b/helm/common/templates/_external_secrets.tpl
@@ -52,6 +52,11 @@ spec:
 service: SecretsManager
 region: {{ .Values.global.aws.region }}
 auth:
+ {{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
+ jwt:
+ serviceAccountRef:
+ name: {{ .Values.global.aws.secretStoreServiceAccount.enabled }}
+ {{- else }}
 secretRef:
 accessKeyIDSecretRef:
 name: {{.Chart.Name}}-aws-config
@@ -59,6 +64,7 @@ spec:
 secretAccessKeySecretRef:
 name: {{.Chart.Name}}-aws-config
 key: secret-access-key
+ {{- end}}
 {{- end }}
diff --git a/helm/gen3/templates/secret-store-service-account.yaml b/helm/gen3/templates/secret-store-service-account.yaml
new file mode 100644
index 00000000..0284bac4
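Review bot: `{{- if .Values.global.aws.secretStoreServiceAccount.enabled }}` dereferences a map that this series adds only to helm/gen3/values.yaml; the first patch gave helm/common/values.yaml `global.aws.region` but nothing adds `secretStoreServiceAccount` there, so, as far as I can tell, any chart that includes this helper without defining that map fails to render with a nil-pointer error instead of falling back to the `secretRef` branch. Add the map with `enabled: false` to helm/common/values.yaml as well, or make the guard nil-safe, e.g. `{{- $sa := .Values.global.aws.secretStoreServiceAccount | default dict }}` followed by `{{- if $sa.enabled }}`. If this helper renders a ClusterSecretStore, `serviceAccountRef` also needs a `namespace:` (a cluster-scoped store cannot infer one), presumably `{{ .Release.Namespace }}`. The added `{{- end}}` also differs from the `{{- end }}` spacing used on the very next line. The enclosing definition starts outside the hunk.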
--- /dev/null
+++ b/helm/gen3/templates/secret-store-service-account.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.global.aws.secretStoreServiceAccount.roleArn }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: external-secrets-role
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: external-secrets-rolebinding
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+roleRef:
+ kind: Role
+ name: external-secrets-role
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
diff --git a/helm/gen3/values.yaml b/helm/gen3/values.yaml
index 79001c78..4c62b34f 100644
--- a/helm/gen3/values.yaml
+++ b/helm/gen3/values.yaml
@@ -14,6 +14,14 @@ global:
 awsAccessKeyId:
 # -- (string) Credentials for AWS stuff.
 awsSecretAccessKey:
+ # -- (map) Service account and AWS role for authentication to AWS Secrets Manager
+ secretStoreServiceAccount:
+ # -- (bool) Set true if deploying to AWS and want to use service account and IAM role instead of aws keys. Must provide role-arn.
+ enabled: false
+ # -- (string) Name of the service account to create
+ name: secret-store-sa
+ # -- (string) AWS Role ARN for Secret Store to use
+ roleArn:
 # -- (map) Local secret setting if using a pre-exising secret.
 useLocalSecret:
 # -- (bool) Set to true if you would like to use a secret that is already running on your cluster.
From 65a87c4df60a62239902998a277bd6edaa8a9e0e Mon Sep 17 00:00:00 2001
From: Guerdon Mukama
Date: Mon, 13 May 2024 13:19:11 +1000
Subject: [PATCH 3/5] version bump
---
 helm/common/Chart.yaml | 2 +-
 helm/gen3/Chart.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
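Review bot: `verbs: ["*"]` on `resources: ["secrets"]` lets the new service account create, patch and delete every Secret in the release namespace, far more than an identity that reads from Secrets Manager needs, and the wildcard silently absorbs any verb added later; list the verbs explicitly, e.g. `verbs: ["get", "list", "watch"]`, and if, as the `jwt` auth block suggests, the account exists only so the controller can request a token for it, reconsider whether the Role and RoleBinding are needed at all. `eks.amazonaws.com/role-arn: {{ .Values.global.aws.secretStoreServiceAccount.roleArn }}` renders an empty annotation when `roleArn` is left at its null default, so the values comment `Must provide role-arn` is not enforced; `{{ required "global.aws.secretStoreServiceAccount.roleArn must be set" .Values.global.aws.secretStoreServiceAccount.roleArn | quote }}` turns that into a template-time error. The RoleBinding subject relies on the implicit default to the binding's namespace, which `namespace: {{ .Release.Namespace }}` would make explicit, and the file ends without a trailing newline.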
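Review bot: Flipping `enabled: true` here creates the ServiceAccount, but this patch's diffstat touches only the common helper, the new template and this file, while helm/gen3/templates/cluster-secret-store.yaml — shown in the first patch still authenticating with `secretRef` access keys — is not changed; unless that template is switched to the shared helper elsewhere, the gen3 ClusterSecretStore keeps using static credentials with the toggle on. The comment on `enabled` refers to `role-arn` while the key is `roleArn`; `# -- (bool) Use a service account and IAM role instead of access keys. Requires roleArn to be set.` would point at the actual key.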
diff --git a/helm/common/Chart.yaml b/helm/common/Chart.yaml
index 93ebbc0f..11151e9d 100644
--- a/helm/common/Chart.yaml
+++ b/helm/common/Chart.yaml
@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.10
+version: 0.1.11
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml
index 476b049e..f6b02649 100644
--- a/helm/gen3/Chart.yaml
+++ b/helm/gen3/Chart.yaml
@@ -25,7 +25,7 @@ dependencies:
 repository: "file://../aws-es-proxy"
 condition: aws-es-proxy.enabled
 - name: common
- version: 0.1.10
+ version: 0.1.11
 repository: file://../common
 - name: etl
 version: 0.1.1
From 881c8f0a342d8e66e28885f894a2018792364829 Mon Sep 17 00:00:00 2001
From: Guerdon Mukama
Date: Mon, 13 May 2024 14:23:16 +1000
Subject: [PATCH 4/5] fix typo
---
 helm/common/templates/_external_secrets.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm/common/templates/_external_secrets.tpl b/helm/common/templates/_external_secrets.tpl
index a8a7c6be..d684ceed 100644
--- a/helm/common/templates/_external_secrets.tpl
+++ b/helm/common/templates/_external_secrets.tpl
@@ -55,7 +55,7 @@ spec:
 {{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
 jwt:
 serviceAccountRef:
- name: {{ .Values.global.aws.secretStoreServiceAccount.enabled }}
+ name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
 {{- else }}
 secretRef:
 accessKeyIDSecretRef:
From cdf46948646ec069d41e5bfdbf7089a914d721d0 Mon Sep 17 00:00:00 2001
From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com>
Date: Tue, 11 Jun 2024 09:04:10 -0600
Subject: [PATCH 5/5] fix trailng space
---
 .secrets.baseline | 8 ++++----
 helm/common/README.md | 4 +++-
 helm/gen3/README.md | 11 ++++++++---
 helm/gen3/values.yaml | 2 +-
 4 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index af928ac7..3288f23a 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2024-05-31T15:29:39Z",
+ "generated_at": "2024-06-11T15:04:04Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -179,7 +179,7 @@
 "hashed_secret": "d84ce25b0f9bc2cc263006ae39453efb22cc2900",
 "is_secret": false,
 "is_verified": false,
- "line_number": 23,
+ "line_number": 25,
 "type": "Secret Keyword"
 }
 ],
@@ -353,7 +353,7 @@
 "hashed_secret": "1740c48fa3141d4851b14f97e3bc0f46f7670672",
 "is_secret": false,
 "is_verified": false,
- "line_number": 117,
+ "line_number": 122,
 "type": "Secret Keyword"
 }
 ],
@@ -362,7 +362,7 @@
 "hashed_secret": "9b5925ea817163740dfb287a9894e8ab3aba2c18",
 "is_secret": false,
 "is_verified": false,
- "line_number": 190,
+ "line_number": 200,
 "type": "Secret Keyword"
 }
 ],
diff --git a/helm/common/README.md b/helm/common/README.md
index 75e6a5d7..1fe4bdf7 100644
--- a/helm/common/README.md
+++ b/helm/common/README.md
@@ -1,6 +1,6 @@
 # common
-![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 A Helm chart for provisioning databases in gen3
@@ -8,6 +8,8 @@ A Helm chart for provisioning databases in gen3
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| global.aws | map | `{"region":"us-east-1"}` | AWS configuration |
+| global.aws.region | string | `"us-east-1"` | AWS region for this deployment |
 | global.ddEnabled | bool | `false` | Whether Datadog is enabled. |
 | global.dev | bool | `true` | Whether the deployment is for development purposes. |
 | global.dictionaryUrl | string | `"https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json"` | URL of the data dictionary. |
diff --git a/helm/gen3/README.md b/helm/gen3/README.md
index ee8d2c43..37cf5432 100644
--- a/helm/gen3/README.md
+++ b/helm/gen3/README.md
@@ -1,6 +1,6 @@
 # gen3
-![Version: 0.1.35](https://img.shields.io/badge/Version-0.1.35-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.36](https://img.shields.io/badge/Version-0.1.36-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 Helm chart to deploy Gen3 Data Commons
@@ -23,7 +23,7 @@ Helm chart to deploy Gen3 Data Commons
 | file://../argo-wrapper | argo-wrapper | 0.1.7 |
 | file://../audit | audit | 0.1.12 |
 | file://../aws-es-proxy | aws-es-proxy | 0.1.9 |
-| file://../common | common | 0.1.10 |
+| file://../common | common | 0.1.11 |
 | file://../etl | etl | 0.1.1 |
 | file://../fence | fence | 0.1.18 |
 | file://../frontend-framework | frontend-framework | 0.1.1 |
@@ -80,10 +80,15 @@ Helm chart to deploy Gen3 Data Commons
 | frontend-framework.image | map | `{"repository":"quay.io/cdis/frontend-framework","tag":"develop"}` | Docker image information. |
 | frontend-framework.image.repository | string | `"quay.io/cdis/frontend-framework"` | The Docker image repository for the frontend-framework. |
 | frontend-framework.image.tag | string | `"develop"` | Overrides the image tag whose default is the chart appVersion. |
-| global.aws | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false,"useLocalSecret":{"enabled":false,"localSecretName":null}}` | AWS configuration |
+| global.aws | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false,"region":"us-east-1","secretStoreServiceAccount":{"enabled":false,"name":"secret-store-sa","roleArn":null},"useLocalSecret":{"enabled":false,"localSecretName":null}}` | AWS configuration |
 | global.aws.awsAccessKeyId | string | `nil` | Credentials for AWS stuff. |
 | global.aws.awsSecretAccessKey | string | `nil` | Credentials for AWS stuff. |
 | global.aws.enabled | bool | `false` | Set to true if deploying to AWS. Controls ingress annotations. |
+| global.aws.region | string | `"us-east-1"` | AWS region for this deployment |
+| global.aws.secretStoreServiceAccount | map | `{"enabled":false,"name":"secret-store-sa","roleArn":null}` | Service account and AWS role for authentication to AWS Secrets Manager |
+| global.aws.secretStoreServiceAccount.enabled | bool | `false` | Set true if deploying to AWS and want to use service account and IAM role instead of aws keys. Must provide role-arn. |
+| global.aws.secretStoreServiceAccount.name | string | `"secret-store-sa"` | Name of the service account to create |
+| global.aws.secretStoreServiceAccount.roleArn | string | `nil` | AWS Role ARN for Secret Store to use |
 | global.aws.useLocalSecret | map | `{"enabled":false,"localSecretName":null}` | Local secret setting if using a pre-exising secret.
|
 | global.aws.useLocalSecret.enabled | bool | `false` | Set to true if you would like to use a secret that is already running on your cluster. |
 | global.aws.useLocalSecret.localSecretName | string | `nil` | Name of the local secret. |
diff --git a/helm/gen3/values.yaml b/helm/gen3/values.yaml
index 4c62b34f..e5f528b2 100644
--- a/helm/gen3/values.yaml
+++ b/helm/gen3/values.yaml
@@ -21,7 +21,7 @@ global:
 # -- (string) Name of the service account to create
 name: secret-store-sa
 # -- (string) AWS Role ARN for Secret Store to use
- roleArn:
+ roleArn:
 # -- (map) Local secret setting if using a pre-exising secret.
 useLocalSecret:
 # -- (bool) Set to true if you would like to use a secret that is already running on your cluster.