From a61e5aa91b2b985570133841c722d1484ebdbaab Mon Sep 17 00:00:00 2001
From: PatStLouis
Date: Wed, 9 Oct 2024 19:49:42 +0000
Subject: [PATCH] added secret generation
Signed-off-by: PatStLouis
---
 .../{release.yaml => chart-release.yaml} | 0
 charts/tdw-server/templates/_helpers.tpl | 17 +++++++++++++++++
 .../tdw-server/templates/server/deployment.yaml | 14 +++++++++++---
 charts/tdw-server/templates/server/secret.yaml | 13 +++++++++++++
 charts/tdw-server/values.yaml | 4 ++++
 5 files changed, 45 insertions(+), 3 deletions(-)
 rename .github/workflows/{release.yaml => chart-release.yaml} (100%)
 create mode 100644 charts/tdw-server/templates/server/secret.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/chart-release.yaml
similarity index 100%
rename from .github/workflows/release.yaml
rename to .github/workflows/chart-release.yaml
diff --git a/charts/tdw-server/templates/_helpers.tpl b/charts/tdw-server/templates/_helpers.tpl
index 72b847f..1f00748 100644
--- a/charts/tdw-server/templates/_helpers.tpl
+++ b/charts/tdw-server/templates/_helpers.tpl
@@ -32,6 +32,23 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+{{/*
+Returns a secret if it already in Kubernetes, otherwise it creates
+it randomly.
+*/}}
+{{- define "getOrGeneratePass" }}
+{{- $len := (default 16 .Length) | int -}}
+{{- $obj := (lookup "v1" .Kind .Namespace .Name).data -}}
+{{- if $obj }}
+{{- index $obj .Key -}}
+{{- else if (eq (lower .Kind) "secret") -}}
+{{- randAlphaNum $len | b64enc -}}
+{{- else -}}
+{{- randAlphaNum $len -}}
+{{- end -}}
+{{- end }}
+
+
 {{/* SERVER */}}
 {{- define "server.fullname" -}}
diff --git a/charts/tdw-server/templates/server/deployment.yaml b/charts/tdw-server/templates/server/deployment.yaml
index 9ca9ebe..21f63af 100644
--- a/charts/tdw-server/templates/server/deployment.yaml
+++ b/charts/tdw-server/templates/server/deployment.yaml
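Review bot: When the looked-up object exists but has no `.Key` entry, `{{- if $obj }}` takes the first branch and `index $obj .Key` produces no usable value, so the caller renders an empty SECRET_KEY instead of generating one; tighten the test to `{{- if and $obj (hasKey $obj .Key) }}`. The header comment should also state the `lookup` caveat, since it drives the behavior operators will see: `lookup` returns an empty map when rendering without cluster access (`helm template`, client-side dry run), so a fresh random value is produced on every such render, while `helm install`/`upgrade` against the cluster reuses the stored one. While there, `Returns a secret if it already in Kubernetes` reads as `Returns the existing value of .Key if the object already exists in Kubernetes`.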
@@ -28,14 +28,22 @@ spec:
 image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}"
 imagePullPolicy: {{ .Values.server.image.pullPolicy }}
 env:
+ - name: SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "server.fullname" . }}
+ key: SECRET_KEY
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.postgresql.nameOverride }}
+ key: password
 - name: DOMAIN
 value: {{ .Values.server.host }}
 - name: ENDORSER_MULTIKEY
 value: {{ .Values.server.environment.ENDORSER_MULTIKEY }}
- - name: SECRET_KEY
- value: {{ .Values.server.environment.SECRET_KEY }}
 - name: POSTGRES_URI
- value: postgres://{{ .Values.postgresql.auth.username }}:{{ .Values.postgresql.auth.password }}@{{ include "global.postgresql.fullname" . }}:{{ .Values.postgresql.primary.service.ports.postgresql }}
+ value: postgres://{{ .Values.postgresql.auth.username }}:$(POSTGRES_PASSWORD)@{{ include "global.postgresql.fullname" . }}:{{ .Values.postgresql.primary.service.ports.postgresql }}
 ports:
 - name: api
 containerPort: {{ .Values.server.service.apiPort }}
diff --git a/charts/tdw-server/templates/server/secret.yaml b/charts/tdw-server/templates/server/secret.yaml
new file mode 100644
index 0000000..bb69e00
--- /dev/null
+++ b/charts/tdw-server/templates/server/secret.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ name: {{ include "server.fullname" . }}
+ labels:
+ {{- include "server.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ SECRET_KEY: {{ include "getOrGeneratePass" (dict "Namespace" .Release.Namespace "Kind" "Secret" "Name" (include "server.fullname" .) "Key" "SECRET_KEY" "Length" 32) }}
diff --git a/charts/tdw-server/values.yaml b/charts/tdw-server/values.yaml
index c6fe8be..2e53691 100644
--- a/charts/tdw-server/values.yaml
+++ b/charts/tdw-server/values.yaml
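Review bot: The POSTGRES_PASSWORD secretKeyRef hard-codes `name: {{ .Values.postgresql.nameOverride }}` and `key: password`, which ignores the `auth.existingSecret` and `auth.secretKeys.userPasswordKey` values this same commit adds in the values.yaml hunk, and I cannot confirm from the diff that the postgresql subchart names its generated Secret after the bare `nameOverride` rather than a release-prefixed fullname. Consider deriving both from values, e.g. `name: {{ .Values.postgresql.auth.existingSecret | default .Values.postgresql.nameOverride }}` with the key chosen the same way (`userPasswordKey` when an existing secret is supplied, the subchart's generated key otherwise), and verify the rendered name against what the subchart actually creates. Separately, `$(POSTGRES_PASSWORD)` is substituted into POSTGRES_URI unencoded, so an operator-supplied password containing `@`, `/`, `:` or `#` yields an unparsable URI; a comment on that line such as `# password is substituted verbatim; it must not contain URL-reserved characters` makes the constraint visible. The container spec continues outside the hunk.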
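Review bot: The only source for SECRET_KEY is now the lookup-or-generate helper on the `data:` line; the deployment hunk drops the env entry that read `.Values.server.environment.SECRET_KEY`, so if that value is still declared in values.yaml it is silently ignored and there is no way to supply a known key. Honor an explicit value before falling back to generation, as sketched below. The `helm.sh/resource-policy: keep` annotation is what keeps the generated value stable across upgrades, but it also means `helm uninstall` leaves this Secret behind; a comment above it such as `# kept on uninstall so the generated SECRET_KEY survives reinstalls` records that trade-off.
```yaml
# … unchanged: metadata, type …
data:
  {{- if .Values.server.environment.SECRET_KEY }}
  SECRET_KEY: {{ .Values.server.environment.SECRET_KEY | b64enc }}
  {{- else }}
  SECRET_KEY: {{ include "getOrGeneratePass" (dict "Namespace" .Release.Namespace "Kind" "Secret" "Name" (include "server.fullname" .) "Key" "SECRET_KEY" "Length" 32) }}
  {{- end }}
```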
@@ -52,6 +52,10 @@ postgresql:
 architecture: standalone
 auth:
 enablePostgresUser: true
+ existingSecret: ""
+ secretKeys:
+ adminPasswordKey: admin-password
+ userPasswordKey: database-password
 username: "tdw-server"
 ## PostgreSQL Primary parameters