Feature add secrets store resources (#52)

* added resources for mw server, worked through problems correcting the representation of the db secret in the cluster * feature: added secrets provider details to temporal server and mw worker templates * removed list permission from cluster role auth update template * updating chart version
Multiwoven · Nov 22, 2024 · 9d72321 · 9d72321
1 parent 96b0137
commit 9d72321
Show file tree

Hide file tree

Showing 9 changed files with 180 additions and 7 deletions.
diff --git a/charts/multiwoven/Chart.yaml b/charts/multiwoven/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: multiwoven
 description: Open-source reverse ETL, an alternative to Hightouch, Census etc. 🔥
 type: application
-version: 0.31.0
-appVersion: "0.31.0"
+version: 0.32.0
+appVersion: "0.32.0"
 maintainers:
   - name: subintp
   - name: RafaelOAiSquared

diff --git a/charts/multiwoven/templates/multiwoven-cluster-role.yaml b/charts/multiwoven/templates/multiwoven-cluster-role.yaml
@@ -0,0 +1,25 @@
+{{ if .Values.secretsStore.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: secrets-store-csi-driver-secret-access
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "update", "watch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: secrets-store-csi-driver-secret-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: secrets-store-csi-driver-secret-access
+subjects:
+  - kind: ServiceAccount
+    name: secrets-store-csi-driver
+    namespace: kube-system
+{{ end }}
diff --git a/charts/multiwoven/templates/multiwoven-config.yaml b/charts/multiwoven/templates/multiwoven-config.yaml
@@ -17,10 +17,12 @@ data:
   AWS_SECRET_ACCESS_KEY: {{ .Values.multiwovenConfig.awsSecretAccessKey | quote }}
   BRAND_NAME: {{ .Values.multiwovenConfig.smtpBrandName | quote }}
   DATABRICKS_DRIVER_PATH: {{ .Values.multiwovenConfig.databricksDriverPath | quote }}
+  DB_PORT: {{ .Values.multiwovenConfig.dbPort | quote }}
   DB_HOST: {{ .Values.multiwovenConfig.dbHost | quote }}
+  {{ if not .Values.secretsStore.enabled }}
   DB_PASSWORD: {{ .Values.multiwovenConfig.dbPassword | quote }}
-  DB_PORT: {{ .Values.multiwovenConfig.dbPort | quote }}
   DB_USERNAME: {{ .Values.multiwovenConfig.dbUsername | quote }}
+  {{ end }}
   GRPC_ENABLE_FORK_SUPPORT: {{ .Values.multiwovenConfig.grpcEnableForkSupport | quote }}
   JWT_SECRET: {{ .Values.multiwovenConfig.jwtSecret | quote }}
   NEW_RELIC_KEY: {{ .Values.multiwovenConfig.newRelicKey | quote }}

diff --git a/charts/multiwoven/templates/multiwoven-secret-provider-class.yaml b/charts/multiwoven/templates/multiwoven-secret-provider-class.yaml
@@ -0,0 +1,30 @@
+{{ if .Values.secretsStore.enabled }}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+    name: {{ include "chart.fullname" . }}-secret-provider-class
+    namespace: {{ .Values.kubernetesNamespace }}
+    labels:
+      app: {{ include "chart.fullname" . }}-secret-provider-class
+      io.kompose.service: {{ include "chart.fullname" . }}-secret-provider-class
+  {{- include "chart.labels" . | nindent 4 }}
+spec:
+    provider: aws
+    parameters:
+        objects: |
+            - objectName: {{ .Values.secretsStore.aws.dbCredsSecretName }}
+              objectType: secretsmanager
+              jmesPath:
+                - path: u
+                  objectAlias: DB_USERNAME
+                - path: p
+                  objectAlias: DB_PASSWORD
+    secretObjects:
+    - secretName: {{ .Values.secretsStore.aws.dbCredsSecretName }}
+      type: Opaque
+      data:
+        - objectName: DB_PASSWORD
+          key: DB_PASSWORD   # Maps the password field from AWS Secrets Manager
+        - objectName: DB_USERNAME
+          key: DB_USERNAME   # Maps the username field from AWS Secrets Manager
+{{ end }}
diff --git a/charts/multiwoven/templates/multiwoven-server-deployment.yaml b/charts/multiwoven/templates/multiwoven-server-deployment.yaml
@@ -21,8 +21,23 @@ spec:
         io.kompose.service: {{ include "chart.fullname" . }}-server
       {{- include "chart.selectorLabels" . | nindent 8 }}
     spec:
+      {{ if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      {{ end }}
       containers:
       - env:
+        {{ if .Values.secretsStore.enabled }}
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secretsStore.aws.dbCredsSecretName }}
+              key: DB_PASSWORD
+        - name: DB_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secretsStore.aws.dbCredsSecretName }}
+              key: DB_USERNAME
+        {{ end }}
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
         envFrom:
@@ -45,13 +60,20 @@ spec:
           initialDelaySeconds: 5
           periodSeconds: 10
         resources: {{- toYaml .Values.multiwovenServer.multiwovenServer.resources | nindent 10 }}
-{{ if not .Values.temporal.enabled }}
         imagePullPolicy: Always
         volumeMounts:
+        {{ if .Values.secretsStore.enabled }}
+        - name: multiwoven-secrets-store
+          mountPath: /run/secrets/store
+          readOnly: true
+        {{ end }}
+        {{ if not .Values.temporal.enabled }}
         - name: ssl
           mountPath: /certs
           readOnly: false
+        {{ end }}
       volumes:
+      {{ if not .Values.temporal.enabled }}
       - name: ssl
         secret:
           secretName: temporal-cloud
@@ -60,7 +82,15 @@ spec:
             path: ./temporal.key
           - key: temporal-root-cert
             path: ./temporal.pem
-{{ end }}
+      {{ end }}
+      {{ if .Values.secretsStore.enabled }}
+      - name: multiwoven-secrets-store
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: {{ include "chart.fullname" . }}-secret-provider-class
+      {{ end }}
       restartPolicy: Always
       {{ if .Values.multiwovenConfig.privateRepo }}
       imagePullSecrets:

diff --git a/charts/multiwoven/templates/multiwoven-service-account.yaml b/charts/multiwoven/templates/multiwoven-service-account.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Values.kubernetesNamespace }}
+  {{- if .Values.serviceAccount.annotations }}
+  annotations:
+    {{- range $key, $value := .Values.serviceAccount.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/multiwoven/templates/multiwoven-worker-deployment.yaml b/charts/multiwoven/templates/multiwoven-worker-deployment.yaml
@@ -21,13 +21,28 @@ spec:
         io.kompose.service: {{ include "chart.fullname" . }}-worker
       {{- include "chart.selectorLabels" . | nindent 8 }}
     spec:
+      {{ if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      {{ end }}
       containers:
       - args: {{- toYaml .Values.multiwovenWorker.multiwovenWorker.args | nindent 8 }}
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ quote .Values.kubernetesClusterDomain }}
         - name: MULTIWOVEN_WORKER_HEALTH_CHECK_PORT
           value: {{ quote .Values.multiwovenWorker.healthPort }}
+        {{ if .Values.secretsStore.enabled }}
+        - name: DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secretsStore.aws.dbCredsSecretName }}
+              key: DB_PASSWORD
+        - name: DB_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.secretsStore.aws.dbCredsSecretName }}
+              key: DB_USERNAME
+        {{ end }}
         envFrom:
         - configMapRef:
             name: {{ include "chart.fullname" . }}-config
@@ -48,13 +63,20 @@ spec:
           initialDelaySeconds: 5
           periodSeconds: 10
         resources: {{- toYaml .Values.multiwovenWorker.multiwovenWorker.resources | nindent 10 }}
-{{ if not .Values.temporal.enabled }}
         imagePullPolicy: Always
         volumeMounts:
+        {{ if not .Values.temporal.enabled }}
         - name: ssl
           mountPath: /certs
           readOnly: false
+        {{ end }}
+        {{ if .Values.secretsStore.enabled }}
+        - name: multiwoven-secrets-store
+          mountPath: /run/secrets/store
+          readOnly: true
+        {{ end }}
       volumes:
+      {{ if not .Values.temporal.enabled }}
       - name: ssl
         secret:
           secretName: temporal-cloud
@@ -63,7 +85,15 @@ spec:
             path: ./temporal.key
           - key: temporal-root-cert
             path: ./temporal.pem
-{{ end }}
+      {{ end }}
+      {{ if .Values.secretsStore.enabled }}
+      - name: multiwoven-secrets-store
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: {{ include "chart.fullname" . }}-secret-provider-class
+      {{ end }}
       restartPolicy: Always
       {{ if .Values.multiwovenConfig.privateRepo }}
       imagePullSecrets:

diff --git a/charts/multiwoven/templates/temporal-deployment.yaml b/charts/multiwoven/templates/temporal-deployment.yaml
@@ -20,6 +20,9 @@ spec:
         io.kompose.service: temporal
       {{- include "chart.selectorLabels" . | nindent 8 }}
     spec:
+      {{ if .Values.serviceAccount.enabled }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      {{ end }}
       containers:
       - env:
         - name: DB
@@ -31,19 +34,33 @@ spec:
               name: {{ include "chart.fullname" . }}-config
         - name: POSTGRES_PWD
           valueFrom:
+            {{ if not .Values.secretsStore.enabled }}
             configMapKeyRef:
               key: DB_PASSWORD
               name: {{ include "chart.fullname" . }}-config
+            {{ end }}
+            {{ if .Values.secretsStore.enabled}}
+            secretKeyRef:
+              name: {{ .Values.secretsStore.aws.dbCredsSecretName }}
+              key: DB_PASSWORD
+            {{ end }}
         - name: POSTGRES_SEEDS
           valueFrom:
             configMapKeyRef:
               key: DB_HOST
               name: {{ include "chart.fullname" . }}-config
         - name: POSTGRES_USER
           valueFrom:
+            {{ if not .Values.secretsStore.enabled }}
             configMapKeyRef:
               key: DB_USERNAME
               name: {{ include "chart.fullname" . }}-config
+            {{ end }}
+            {{ if .Values.secretsStore.enabled}}
+            secretKeyRef:
+              name: {{ .Values.secretsStore.aws.dbCredsSecretName }}
+              key: DB_USERNAME
+            {{ end }}
         {{ if .Values.multiwovenConfig.temporalPostgresSsl }}
         - name: TEMPORAL_TLS_REQUIRE_CLIENT_AUTH
           value: 'true'
@@ -63,5 +80,20 @@ spec:
         ports:
         - containerPort: 7233
         resources: {{- toYaml .Values.temporal.temporal.resources | nindent 10 }}
+        volumeMounts:
+        {{ if .Values.secretsStore.enabled }}
+        - name: multiwoven-secrets-store
+          mountPath: /run/secrets/store
+          readOnly: true
+        {{ end }}
+      volumes:
+      {{ if .Values.secretsStore.enabled }}
+      - name: multiwoven-secrets-store
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: {{ include "chart.fullname" . }}-secret-provider-class
+      {{ end }}
       restartPolicy: Always
 {{ end }}
diff --git a/charts/multiwoven/values.yaml b/charts/multiwoven/values.yaml
@@ -64,6 +64,17 @@ multiwovenConfig:
   viteFavIconUrl: ""
   workerHost: worker.multiwoven.com
 
+serviceAccount:
+  enabled: false
+  name: multiwoven-service-account
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/example-role
+
+secretsStore:
+  enabled: false
+  aws:
+    dbCredsSecretName: ""
+
 hpa:
   enabled: true
   multiwovenUI: