fix: missing secrets

infra/api_chart/templates/deployment.yaml

@@ -32,6 +32,11 @@ spec:
           {{- with .Values.command }}
           command: {{ toYaml . | nindent 12 }}
           {{- end }}
+          {{- if .Values.envFromSecret }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.envFromSecret }}
+          {{- end }}
           securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}

infra/api_chart/values.example.yaml

@@ -12,6 +12,8 @@ appSettings:
   App:
     Mode: Server
 
+envFromSecret: sulfone-zinc
+
 configMountPath: /app/App/Config
 
 command:

infra/migration_chart/templates/migration.yaml

@@ -9,6 +9,9 @@ metadata:
 spec:
   backoffLimit: {{ .Values.backoffLimit }}
   template:
+    metadata:
+      annotations: {{- include "dotnet-migration.annotations" . | nindent 6 }}
+      labels: {{- include "dotnet-migration.labels" . | nindent 6 }}
     spec:
       restartPolicy: Never
       {{- with .Values.imagePullSecrets }}
@@ -24,6 +27,11 @@ spec:
                    {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.envFromSecret }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.envFromSecret }}
+          {{- end }}
           env:
             - name: ASPNETCORE_ENVIRONMENT
               value: {{ .Values.aspNetEnv }}

infra/migration_chart/values.example.yaml

@@ -12,6 +12,8 @@ appSettings:
   App:
     Mode: Migration
 
+envFromSecret: sulfone-zinc
+
 configMountPath: /app/App/Config/settings.yaml
 
 image:

infra/root_chart/Chart.yaml

@@ -17,6 +17,11 @@ dependencies:
     repository: file://../migration_chart
     condition: migration.enabled
     alias: migration
+  - name: sulfoxide-bromine
+    version: 1.1.1
+    condition: bromine.enable
+    alias: bromine
+    repository: oci://ghcr.io/atomicloud/sulfoxide.bromine
   - name: postgresql
     version: 12.5.5
     repository: oci://registry-1.docker.io/bitnamicharts

infra/root_chart/README.md

@@ -10,6 +10,7 @@ Root Chart to a single Service
 |------------|------|---------|
 | file://../api_chart | api(dotnet-chart) | 0.1.0 |
 | file://../migration_chart | migration(dotnet-migration) | 0.1.0 |
+| oci://ghcr.io/atomicloud/sulfoxide.bromine | bromine(sulfoxide-bromine) | 1.1.1 |
 | oci://registry-1.docker.io/bitnamicharts | maindb(postgresql) | 12.5.5 |
 
 ## Values
@@ -63,6 +64,10 @@ Root Chart to a single Service
 | api.serviceTree.module | string | `"api"` |  |
 | api.tolerations | list | `[]` |  |
 | api.topologySpreadConstraints | object | `{}` |  |
+| bromine.enable | bool | `false` |  |
+| bromine.rootSecret | object | `{"ref":"SULFONE_ZINC"}` | Secret of Secrets reference |
+| bromine.rootSecret.ref | string | `"SULFONE_ZINC"` | DOPPLER Token Reference |
+| bromine.storeName | string | `"sulfone-zinc"` | Store name to create |
 | maindb.auth.database | string | `"sulfone-zinc"` |  |
 | maindb.auth.password | string | `"supersecret"` |  |
 | maindb.auth.username | string | `"admin"` |  |

infra/root_chart/templates/_helpers.tpl

@@ -0,0 +1,86 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "root-chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+allows triming of names
+*/}}
+{{- define "root-chart.fullname-with-suffix" -}}
+{{ $fname := (include "root-chart.fullname" .root) }}
+{{- printf "%s-%s" $fname .arg | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "root-chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "root-chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "root-chart.labels" -}}
+helm.sh/chart: {{ include "root-chart.chart" . }}
+{{ include "root-chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+atomi.cloud/chart: {{ include "root-chart.chart" . }}
+{{- range $k, $v := .Values.serviceTree }}
+"atomi.cloud/{{ $k }}": "{{ $v }}"
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Common annotations
+*/}}
+{{- define "root-chart.annotations" -}}
+{{- range $k, $v := .Values.serviceTree }}
+"atomi.cloud/{{ $k }}": "{{ $v }}"
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "root-chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "root-chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- range $k, $v := .Values.atomiLabels }}
+"atomi.cloud/{{ $k }}": "{{ $v }}"
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "root-chart.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "root-chart.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

infra/root_chart/templates/externalsecret.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.bromine.enable }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ template "root-chart.fullname-with-suffix" (dict "arg" .Values.secret.name "root" .) }}
+  labels: {{- include "root-chart.labels" . | nindent 4 }}
+  annotations: {{- include "root-chart.annotations" . | nindent 4 }}
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-2"
+spec:
+  secretStoreRef:
+    kind: SecretStore
+    name: {{ .Values.bromine.storeName }}
+
+  target:
+    name: {{ .Values.bromine.target }}
+
+  dataFrom:
+    - find:
+        name:
+          regexp: .*
+  {{- end }}

infra/root_chart/values.pichu.yaml

@@ -1,11 +1,16 @@
 serviceTree:
   landscape: &landscape pichu
 
+bromine:
+  enable: true
+
+  target: &target "sulfone-zinc"
+
 api:
   enabled: true
+  envFromSecret: *target
   sericeTree:
     landscape: *landscape
-
   image:
     repository: ghcr.io/atomicloud/sulfone.zinc/api-amd
   imagePullSecrets: []
@@ -36,6 +41,7 @@ api:
 
 migration:
   enabled: true
+  envFromSecret: *target
   image:
     repository: ghcr.io/atomicloud/sulfone.zinc/api-amd
   serviceTree:

infra/root_chart/values.yaml

@@ -4,6 +4,15 @@ serviceTree: &serviceTree
   service: zinc
   layer: "2"
 
+bromine:
+  enable: false
+  # -- Store name to create
+  storeName: sulfone-zinc
+  # -- Secret of Secrets reference
+  rootSecret:
+    # -- DOPPLER Token Reference
+    ref: "SULFONE_ZINC"
+
 api:
   enabled: true