Merge pull request #22 from eth-cscs/chart-update

Move proxy auth token to a external secret
eth-cscs · Aug 5, 2024 · 2c76823 · 2c76823
2 parents 0405c28 + 7fad7f5
commit 2c76823
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 9 deletions.
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
@@ -2,11 +2,11 @@ apiVersion: v2
 name: f7t4jhub
 description: A Helm chart to Deploy JupyterHub with the FirecREST Spawner
 type: application
-version: 0.7.0
+version: 0.8.0
 appVersion: "4.1.5"
 dependencies:
   - name: f7t4jhub
-    version: 0.7.0
+    version: 0.8.0
     repository: "file://./f7t4jhub"
   - name: reloader
     version: v1.0.51

diff --git a/chart/f7t4jhub/Chart.yaml b/chart/f7t4jhub/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: f7t4jhub
 description: A Helm chart to Deploy JupyterHub with the FirecREST Spawner
 type: application
-version: 0.7.0
+version: 0.8.0
 appVersion: "4.1.5"
diff --git a/chart/f7t4jhub/templates/deployment-hub.yaml b/chart/f7t4jhub/templates/deployment-hub.yaml
@@ -56,11 +56,6 @@ spec:
               secretKeyRef:
                 name: {{ .Release.Name }}-secret
                 key: authTokenUrl
-          - name: CONFIGPROXY_AUTH_TOKEN
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Release.Name }}-secret
-                key: configProxyAuthToken
           {{- if .Values.vault.keycloak.enabled }}
           - name: KC_CLIENT_ID
             valueFrom:
@@ -73,6 +68,19 @@ spec:
                 name: {{ .Release.Name }}-common-secrets
                 key: kc_client_secret
           {{- end }}
+          {{- if .Values.vault.configProxyAuthToken.enabled }}
+          - name: CONFIGPROXY_AUTH_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Name }}-common-secrets
+                key: configProxyAuthToken
+          {{- else }}
+          - name: CONFIGPROXY_AUTH_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Name }}-secret
+                key: configProxyAuthToken
+          {{- end }}
         volumeMounts:
           - name: db-pvc
             mountPath: /home/juhu

diff --git a/chart/f7t4jhub/templates/deployment-proxy.yaml b/chart/f7t4jhub/templates/deployment-proxy.yaml
@@ -30,8 +30,16 @@ spec:
         ports:
         - containerPort: {{ .Values.network.appPort }}
         env:
+          {{- if .Values.vault.configProxyAuthToken.enabled }}
+          - name: CONFIGPROXY_AUTH_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Release.Name }}-common-secrets
+                key: configProxyAuthToken
+          {{- else }}
           - name: CONFIGPROXY_AUTH_TOKEN
             valueFrom:
               secretKeyRef:
                 name: {{ .Release.Name }}-secret
                 key: configProxyAuthToken
+          {{- end }}
diff --git a/chart/f7t4jhub/templates/external-secret.yaml b/chart/f7t4jhub/templates/external-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.vault.keycloak.enabled }}
+{{- if or .Values.vault.keycloak.enabled .Values.vault.configProxyAuthToken.secretPath }}
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
@@ -20,4 +20,8 @@ spec:
     remoteRef:
       key: {{ .Values.vault.keycloak.secretPath }}
       property: kc_client_id
+  - secretKey: configProxyAuthToken
+    remoteRef:
+      key: {{ .Values.vault.configProxyAuthToken.secretPath }}
+      property: config_proxy_auth_token
 {{- end }}
diff --git a/chart/f7t4jhub/templates/secret.yaml b/chart/f7t4jhub/templates/secret.yaml
@@ -13,4 +13,6 @@ type: Opaque
 stringData:
   firecrestUrl: {{ .Values.setup.firecrestUrl }}
   authTokenUrl: {{ .Values.setup.authTokenUrl}}
+  {{- if not .Values.vault.configProxyAuthToken.enabled }}
   configProxyAuthToken: {{ $token }}
+  {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -62,6 +62,14 @@ f7t4jhub:
       # Secret path in Vault (replace with your own secret path)
       secretPath: 'secret/path/containers'
 
+    # proxy authentication token
+    configProxyAuthToken:
+      # Enable or disable Vault integration
+      enabled: false
+
+      # Secret path in Vault (replace with your own secret path)
+      secretPath: 'secret/path/proxy'
+
   metricbeat:
     # Enable or disable annotations for metric beat monitoring
     enabled: false