From e7f129dbb69bb35fc6ea857823c18b2a85c0a100 Mon Sep 17 00:00:00 2001
From: Guerdon Mukama
Date: Thu, 2 May 2024 12:02:58 +1000
Subject: [PATCH 1/4] Ability to set an AWS region for Secret Manager

---
 helm/common/Chart.yaml | 2 +-
 helm/common/templates/_external_secrets.tpl | 2 +-
 helm/common/values.yaml | 4 ++++
 helm/gen3/Chart.yaml | 2 +-
 helm/gen3/templates/cluster-secret-store.yaml | 2 +-
 helm/gen3/values.yaml | 2 ++
 6 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/helm/common/Chart.yaml b/helm/common/Chart.yaml
index 0903cde4..93ebbc0f 100644
--- a/helm/common/Chart.yaml
+++ b/helm/common/Chart.yaml
@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.9
+version: 0.1.10
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/common/templates/_external_secrets.tpl b/helm/common/templates/_external_secrets.tpl
index dc9f865b..214bc13e 100644
--- a/helm/common/templates/_external_secrets.tpl
+++ b/helm/common/templates/_external_secrets.tpl
@@ -50,7 +50,7 @@ spec:
 provider:
 aws:
 service: SecretsManager
- region: us-east-1
+ region: {{ .Values.global.aws.region }}
 auth:
 secretRef:
 accessKeyIDSecretRef:
diff --git a/helm/common/values.yaml b/helm/common/values.yaml
index 3d3d2297..51b8616b 100644
--- a/helm/common/values.yaml
+++ b/helm/common/values.yaml
@@ -5,6 +5,10 @@
 # Global configuration
 global:
+ # -- (map) AWS configuration
+ aws:
+ # -- (string) AWS region for this deployment
+ region: us-east-1
 # -- (bool) Whether the deployment is for development purposes.
 dev: true
diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml
index 7a4107f9..c984c387 100644
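Review bot: In the _external_secrets.tpl hunk, `region: {{ .Values.global.aws.region }}` renders as a null `region:` if a consumer overrides the value to empty, and the unquoted expansion is retyped by the YAML parser if it ever looks like a non-string; a templated scalar should be quoted and the failure moved to render time: `region: {{ required "global.aws.region must be set" .Values.global.aws.region | quote }}`. The identical change in helm/gen3/templates/cluster-secret-store.yaml in this patch would take the same treatment. The enclosing template definition starts outside the hunk.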
--- a/helm/gen3/Chart.yaml
+++ b/helm/gen3/Chart.yaml
@@ -115,7 +115,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.30
+version: 0.1.31
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/gen3/templates/cluster-secret-store.yaml b/helm/gen3/templates/cluster-secret-store.yaml
index 5035e4d0..28ffe29e 100644
--- a/helm/gen3/templates/cluster-secret-store.yaml
+++ b/helm/gen3/templates/cluster-secret-store.yaml
@@ -9,7 +9,7 @@ spec:
 provider:
 aws:
 service: SecretsManager
- region: us-east-1
+ region: {{ .Values.global.aws.region }}
 auth:
 secretRef:
 accessKeyIDSecretRef:
diff --git a/helm/gen3/values.yaml b/helm/gen3/values.yaml
index 8c2a3bbd..7713ba06 100644
--- a/helm/gen3/values.yaml
+++ b/helm/gen3/values.yaml
@@ -6,6 +6,8 @@ global:
 # -- (map) AWS configuration
 aws:
+ # -- (string) AWS region for this deployment
+ region: us-east-1
 # -- (bool) Set to true if deploying to AWS. Controls ingress annotations.
 enabled: false
 # -- (string) Credentials for AWS stuff.

From fa26a6c32fd678faf97cbd65ba517e0c6030cc8f Mon Sep 17 00:00:00 2001
From: Guerdon Mukama
Date: Mon, 13 May 2024 13:17:20 +1000
Subject: [PATCH 2/4] support for service account and IAM role

---
 helm/common/templates/_external_secrets.tpl | 6 ++++
 .../secret-store-service-account.yaml | 29 +++++++++++++++++++
 helm/gen3/values.yaml | 8 +++++
 3 files changed, 43 insertions(+)
 create mode 100644 helm/gen3/templates/secret-store-service-account.yaml

diff --git a/helm/common/templates/_external_secrets.tpl b/helm/common/templates/_external_secrets.tpl
index 214bc13e..a8a7c6be 100644
--- a/helm/common/templates/_external_secrets.tpl
+++ b/helm/common/templates/_external_secrets.tpl
@@ -52,6 +52,11 @@ spec:
 service: SecretsManager
 region: {{ .Values.global.aws.region }}
 auth:
+ {{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
+ jwt:
+ serviceAccountRef:
+ name: {{ .Values.global.aws.secretStoreServiceAccount.enabled }}
+ {{- else }}
 secretRef:
 accessKeyIDSecretRef:
 name: {{.Chart.Name}}-aws-config
@@ -59,6 +64,7 @@ spec:
 secretAccessKeySecretRef:
 name: {{.Chart.Name}}-aws-config
 key: secret-access-key
+ {{- end}}
 {{- end }}
diff --git a/helm/gen3/templates/secret-store-service-account.yaml b/helm/gen3/templates/secret-store-service-account.yaml
new file mode 100644
index 00000000..0284bac4
--- /dev/null
+++ b/helm/gen3/templates/secret-store-service-account.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+ annotations:
+ eks.amazonaws.com/role-arn: {{ .Values.global.aws.secretStoreServiceAccount.roleArn }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: external-secrets-role
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: external-secrets-rolebinding
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
+roleRef:
+ kind: Role
+ name: external-secrets-role
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
diff --git a/helm/gen3/values.yaml b/helm/gen3/values.yaml
index 7713ba06..cee9db7a 100644
--- a/helm/gen3/values.yaml
+++ b/helm/gen3/values.yaml
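Review bot: The new `{{- if .Values.global.aws.secretStoreServiceAccount.enabled }}` in the first _external_secrets.tpl hunk dereferences a key that this patch only adds to helm/gen3/values.yaml, not to helm/common/values.yaml where patch 1 put `global.aws.region`; for any chart that renders this library template without gen3's values, `.secretStoreServiceAccount` resolves to nil and Helm aborts with a nil-pointer error at `.enabled` rather than falling through to the `secretRef` branch. A nil-safe guard keeps the static-key path working for such consumers: `{{- if (.Values.global.aws.secretStoreServiceAccount | default dict).enabled }}`, and the `secretStoreServiceAccount` defaults should be mirrored into helm/common/values.yaml next to `region`. The enclosing template definition starts before and ends after this hunk.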
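Review bot: The Role in the new secret-store-service-account.yaml grants `verbs: ["*"]` on every Secret in the namespace to the service account, but as far as I can tell External Secrets uses a `jwt.serviceAccountRef` SA only to mint a projected token for AssumeRoleWithWebIdentity and writes the resulting Secrets under its own controller identity, so this SA needs no Kubernetes RBAC at all. As written, any pod scheduled with `secret-store-sa`, or anyone allowed to create pods using it, gets full read/write on all Secrets in the namespace, which undercuts the point of replacing static keys with IRSA; I would drop the Role and RoleBinding, or if some component genuinely reads through this SA, narrow it to `verbs: ["get", "list", "watch"]` and name that component in a comment. The fixed names `external-secrets-role` and `external-secrets-rolebinding` will also collide if the chart is installed twice in one namespace, so prefix them with `{{ .Release.Name }}` if they stay. Separately, the values comment says "Must provide role-arn" but nothing enforces it: with `roleArn` at its empty default the annotation renders as a null `eks.amazonaws.com/role-arn:`, so fail at render time with `eks.amazonaws.com/role-arn: {{ required "global.aws.secretStoreServiceAccount.roleArn is required when enabled" .Values.global.aws.secretStoreServiceAccount.roleArn | quote }}`.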
@@ -14,6 +14,14 @@ global:
 awsAccessKeyId:
 # -- (string) Credentials for AWS stuff.
 awsSecretAccessKey:
+ # -- (map) Service account and AWS role for authentication to AWS Secrets Manager
+ secretStoreServiceAccount:
+ # -- (bool) Set true if deploying to AWS and want to use service account and IAM role instead of aws keys. Must provide role-arn.
+ enabled: false
+ # -- (string) Name of the service account to create
+ name: secret-store-sa
+ # -- (string) AWS Role ARN for Secret Store to use
+ roleArn:
 # -- (map) Local secret setting if using a pre-exising secret.
 useLocalSecret:
 # -- (bool) Set to true if you would like to use a secret that is already running on your cluster.

From 97c6f71726b2ae1731b698e35792dbae11b4adf0 Mon Sep 17 00:00:00 2001
From: Guerdon Mukama
Date: Mon, 13 May 2024 13:19:11 +1000
Subject: [PATCH 3/4] version bump

---
 helm/common/Chart.yaml | 2 +-
 helm/gen3/Chart.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/helm/common/Chart.yaml b/helm/common/Chart.yaml
index 93ebbc0f..11151e9d 100644
--- a/helm/common/Chart.yaml
+++ b/helm/common/Chart.yaml
@@ -15,7 +15,7 @@ type: library
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.10
+version: 0.1.11
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml
index c984c387..d2a68350 100644
--- a/helm/gen3/Chart.yaml
+++ b/helm/gen3/Chart.yaml
@@ -25,7 +25,7 @@ dependencies:
 repository: "file://../aws-es-proxy"
 condition: aws-es-proxy.enabled
 - name: common
- version: 0.1.9
+ version: 0.1.11
 repository: file://../common
 - name: etl
 version: 0.1.0
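Review bot: `roleArn:` is added as a bare empty value, which YAML reads as null, while the `enabled` comment just above says the ARN "Must provide role-arn" without anything enforcing it, so a deployer who flips `enabled: true` and forgets the ARN gets a ServiceAccount whose IRSA annotation is empty and a store that silently falls back to the node's credentials or fails later at STS. Write the placeholder explicitly as `roleArn: ""` and extend the comment: `# -- (string) AWS IAM role ARN the service account assumes via IRSA; required when enabled is true (rendering fails without it).` The matching `required` check belongs in the template that consumes it.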
@@ -115,7 +115,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.31
+version: 0.1.33
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

From 82fd0f24be6fe38e467cec30dc38d4e890406fad Mon Sep 17 00:00:00 2001
From: Guerdon Mukama
Date: Mon, 13 May 2024 14:23:16 +1000
Subject: [PATCH 4/4] fix typo

---
 helm/common/templates/_external_secrets.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm/common/templates/_external_secrets.tpl b/helm/common/templates/_external_secrets.tpl
index a8a7c6be..d684ceed 100644
--- a/helm/common/templates/_external_secrets.tpl
+++ b/helm/common/templates/_external_secrets.tpl
@@ -55,7 +55,7 @@ spec:
 {{- if .Values.global.aws.secretStoreServiceAccount.enabled }}
 jwt:
 serviceAccountRef:
- name: {{ .Values.global.aws.secretStoreServiceAccount.enabled }}
+ name: {{ .Values.global.aws.secretStoreServiceAccount.name }}
 {{- else }}
 secretRef:
 accessKeyIDSecretRef:
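Review bot: The corrected `serviceAccountRef` still carries only `name:`; if the store this template renders is a ClusterSecretStore (as gen3's own cluster-secret-store.yaml is), External Secrets requires `serviceAccountRef.namespace` as well, since a cluster-scoped store cannot infer where `secret-store-sa` lives, and the store is rejected or fails its token request without it. Adding `namespace: {{ .Release.Namespace }}` under `name:` is harmless for a namespaced SecretStore and correct for the cluster case. Note also that helm/gen3/templates/cluster-secret-store.yaml is not switched to `jwt` auth anywhere in this series, so `enabled: true` does not remove the static `accessKeyId`/`secretAccessKey` requirement for that store; if that is intentional, the values comment should say so. The enclosing template definition starts before and ends after this hunk.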