From 414659182102d0d015df0e614d40650f65115e2d Mon Sep 17 00:00:00 2001
From: Karsten Ludwig Hauser
Date: Thu, 23 Jan 2025 08:48:54 +0100
Subject: [PATCH 1/2] feat(icm): enable serviceproviderclass on keyvault (#891)
---
 charts/icm-as/README.md | 2 +-
 charts/icm-as/templates/_volumeMounts.tpl | 4 +-
 charts/icm-as/templates/_volumes.tpl | 6 +-
 .../keyvault-secretproviderclass.yaml | 67 +++++++++++++++++++
 .../templates/keyvault-serviceaccount.yaml | 11 +++
 .../icm-as/templates/ssl-certificate-spc.yaml | 33 ---------
 .../keyvault-secretproviderclass_test.yaml | 67 +++++++++++++++++++
 .../tests/keyvault-serviceaccount_test.yaml | 30 +++++++++
 charts/icm-as/tests/values/keyvault.yaml | 25 +++++++
 charts/icm-as/values.yaml | 36 +++++++---
 charts/icm/values-test-azure.tmpl | 2 +-
 11 files changed, 232 insertions(+), 51 deletions(-)
 create mode 100644 charts/icm-as/templates/keyvault-secretproviderclass.yaml
 create mode 100644 charts/icm-as/templates/keyvault-serviceaccount.yaml
 delete mode 100644 charts/icm-as/templates/ssl-certificate-spc.yaml
 create mode 100644 charts/icm-as/tests/keyvault-secretproviderclass_test.yaml
 create mode 100644 charts/icm-as/tests/keyvault-serviceaccount_test.yaml
 create mode 100644 charts/icm-as/tests/values/keyvault.yaml
diff --git a/charts/icm-as/README.md b/charts/icm-as/README.md
index 2b2d75c0..422fd773 100644
--- a/charts/icm-as/README.md
+++ b/charts/icm-as/README.md
@@ -82,7 +82,7 @@ Prerequisites are:
 Please check the unit tests before pushing changes.
 ```bash
-helm unittest --helm3 charts/icm-as
+helm unittest charts/icm-as
 ```
 #### ct lint & install
diff --git a/charts/icm-as/templates/_volumeMounts.tpl b/charts/icm-as/templates/_volumeMounts.tpl
index fa4b1f86..3e14b3e4 100644
--- a/charts/icm-as/templates/_volumeMounts.tpl
+++ b/charts/icm-as/templates/_volumeMounts.tpl
@@ -48,8 +48,8 @@ volumeMounts:
 readOnly: true
 subPath: newrelic.yml
 {{- end }}
-{{- if .Values.sslCertificateRetrieval.enabled }}
+{{- if .Values.keyvault.enabled }}
 - mountPath: /mnt/secrets
- name: secrets-store-inline
+ name: keyvault-secrets-store-inline
 {{- end }}
 {{- end -}}
diff --git a/charts/icm-as/templates/_volumes.tpl b/charts/icm-as/templates/_volumes.tpl
index 882a1f80..ba7f602e 100644
--- a/charts/icm-as/templates/_volumes.tpl
+++ b/charts/icm-as/templates/_volumes.tpl
@@ -44,13 +44,13 @@ volumes:
 {{- end }}
 - name: customizations-volume
 emptyDir: {}
-{{- if .Values.sslCertificateRetrieval.enabled }}
-- name: secrets-store-inline
+{{- if .Values.keyvault.enabled }}
+- name: keyvault-secrets-store-inline
 csi:
 driver: secrets-store.csi.k8s.io
 readOnly: true
 volumeAttributes:
- secretProviderClass: {{ include "icm-as.fullname" . }}-cert
+ secretProviderClass: {{ .Release.Name }}-keyvault-secretproviderclass
 {{- end }}
 {{- end -}}
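Review bot: The new `secretProviderClass:` line in _volumes.tpl builds the name from `{{ .Release.Name }}` while the line it replaces (and the chart's other resources) used `include "icm-as.fullname"`; when icm-as is installed as a subchart the release name is shared with every sibling chart, so any sibling using the same suffix collides on the resource name, and the chart's own naming convention is broken for no visible reason. I would keep `secretProviderClass: {{ include "icm-as.fullname" . }}-keyvault-secretproviderclass` and use the same helper for metadata.name in keyvault-secretproviderclass.yaml and keyvault-serviceaccount.yaml (the unit tests pin `RELEASE-NAME-…`, so they change with it). Separately, this hunk, the _volumeMounts.tpl hunk and the values.yaml hunks rename the values key from `sslCertificateRetrieval` to `keyvault` with no compatibility shim and no migration note in the README hunk; an existing release that still sets `sslCertificateRetrieval.enabled: true` will upgrade cleanly and simply lose its certificate mount, because `keyvault.enabled` defaults to false. A sentence in the README mapping `sslCertificateRetrieval.keyvault.*` to `keyvault.*` would make that failure visible before the upgrade. The `define` blocks enclosing both helpers start outside the hunks.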
@@ -0,0 +1,67 @@
+{{- if .Values.keyvault.enabled }}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: {{ .Release.Name }}-keyvault-secretproviderclass
+ namespace: {{ .Release.Namespace }}
+spec:
+ provider: azure
+ parameters:
+ tenantId: {{ .Values.keyvault.tenantId }}
+ userAssignedIdentityID: {{ .Values.keyvault.managedIdentity.clientID | default "" }}
+ keyvaultName: {{ .Values.keyvault.keyvaultName }}
+ usePodIdentity: "false"
+ useVMManagedIdentity: "true"
+ cloudName: "" # Leave blank for public Azure
+ objects: |
+ array:
+ {{- range .Values.keyvault.secrets }}
+ {{- range .data }}
+ - |
+ objectName: {{ .objectName }}
+ objectType: secret
+ {{- end }}
+ {{- end }}
+ {{- range .Values.keyvault.certificates }}
+ - |
+ objectName: {{ .certName }}
+ objectType: cert
+ - |
+ objectName: {{ .certName }}
+ objectType: key
+ - |
+ objectName: {{ .certName }}
+ objectType: secret
+ {{- end }}
+ {{- range .Values.keyvault.keys }}
+ - |
+ objectName: {{ .objectName }}
+ objectType: key
+ {{- end }}
+ secretObjects:
+ {{- range .Values.keyvault.secrets }}
+ - secretName: {{ .generatedSecretName }}
+ type: {{ .type | default "Opaque" }}
+ data:
+ {{- range .data }}
+ - objectName: {{ .objectName }}
+ key: {{ .key }}
+ {{- end }}
+ {{- end }}
+ {{- range .Values.keyvault.certificates }}
+ - secretName: {{ .generatedSecretName }}
+ type: kubernetes.io/tls
+ data:
+ - objectName: {{ .certName }}
+ key: tls.key
+ - objectName: {{ .certName }}
+ key: tls.crt
+ {{- end }}
+ {{- range .Values.keyvault.keys }}
+ - secretName: {{ .generatedSecretName }}
+ type: "Opaque"
+ data:
+ - objectName: {{ .objectName }}
+ key: {{ .key }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/icm-as/templates/keyvault-serviceaccount.yaml b/charts/icm-as/templates/keyvault-serviceaccount.yaml
new file mode 100644
index 00000000..a91f78ee
--- /dev/null
+++ b/charts/icm-as/templates/keyvault-serviceaccount.yaml
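Review bot: The `parameters` block selects the node-level managed-identity path — `useVMManagedIdentity: "true"` together with `userAssignedIdentityID` — while the ServiceAccount added in keyvault-serviceaccount.yaml carries the `azure.workload.identity/client-id` annotation, which the Azure provider only uses in workload-identity mode (`useVMManagedIdentity: "false"` plus a `clientID:` parameter, and a pod labelled `azure.workload.identity/use: "true"` that runs under that ServiceAccount — none of which appears in this patch). As written the ServiceAccount is inert and the pods obtain tokens through the node's IMDS for an identity attached to the node pool, which is reachable by every pod on that node rather than scoped to this workload; pick one mode explicitly and document it in the values comment. Independently, `tenantId`, `userAssignedIdentityID` and `keyvaultName` are substituted unquoted, and `spec.parameters` is a string map, so the empty defaults in values.yaml render as YAML nulls that fail CRD validation instead of reaching the provider as empty strings — `tenantId: {{ .Values.keyvault.tenantId | quote }}` (and `| default "" | quote` for the other two) gives a defined type. Presumably the three `objects` entries per certificate that share one `objectName` with types cert, key and secret also need an `objectAlias` each, since the mounted file name defaults to `objectName`; worth confirming against the provider before the alpha ships.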
@@ -0,0 +1,11 @@
+{{- if .Values.keyvault.enabled }}
+# service account - with annotation azure.workload.identity/client-id for getting access to the keyvault
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-keyvault-serviceaccount
+ annotations:
+ azure.workload.identity/client-id: {{ .Values.keyvault.managedIdentity.clientID | default "" }}
+ labels:
+ secret-store: {{ .Values.keyvault.keyvaultName }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/icm-as/templates/ssl-certificate-spc.yaml b/charts/icm-as/templates/ssl-certificate-spc.yaml
deleted file mode 100644
index e19bc2af..00000000
--- a/charts/icm-as/templates/ssl-certificate-spc.yaml
+++ /dev/null
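Review bot: Both value substitutions in this template are unquoted, and annotation and label values must be strings: an unset `clientID` renders `azure.workload.identity/client-id:` as null (the `default ""` produces empty text, not a quoted string), and a digits-only vault name renders `secret-store:` as an integer, so either fails Kubernetes validation at apply time rather than at template time. `azure.workload.identity/client-id: {{ .Values.keyvault.managedIdentity.clientID | default "" | quote }}` and `secret-store: {{ .Values.keyvault.keyvaultName | quote }}` fix both. The header comment says this account is what grants access to the vault, but nothing in the patch sets `serviceAccountName` to it and the SecretProviderClass hunk uses the VM managed-identity mode, so the comment should either be made true by wiring the Deployment to it or state that the account is only a prerequisite for a future workload-identity setup.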
@@ -1,33 +0,0 @@
-{{- if .Values.sslCertificateRetrieval.enabled }}
-{{- if .Values.sslCertificateRetrieval.supportV1 }}
-apiVersion: secrets-store.csi.x-k8s.io/v1
-{{- else }}
-apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
-{{- end }}
-kind: SecretProviderClass
-metadata:
- name: {{ include "icm-as.fullname" . }}-cert
-spec:
- provider: azure
- secretObjects:
- - secretName: {{ .Values.sslCertificateRetrieval.secretName | default (printf "%s-cert" (include "icm-as.fullname" .)) }}
- type: kubernetes.io/tls
- data:
- - objectName: "{{ .Values.sslCertificateRetrieval.keyvault.certificateName }}"
- key: tls.key
- - objectName: "{{ .Values.sslCertificateRetrieval.keyvault.certificateName }}"
- key: tls.crt
- parameters:
- usePodIdentity: "true" # [OPTIONAL for Azure] if not provided, will default to "false"
- tenantId: "{{ .Values.sslCertificateRetrieval.keyvault.tenantId }}" # the tenant ID of the KeyVault
- subscriptionId: "{{ .Values.sslCertificateRetrieval.keyvault.subscriptionId }}" # [REQUIRED for version < 0.0.4] the subscription ID of the KeyVault
- resourceGroup: "{{ .Values.sslCertificateRetrieval.keyvault.resourceGroup }}" # [REQUIRED for version < 0.0.4] the resource group of the KeyVault
- keyvaultName: "{{ .Values.sslCertificateRetrieval.keyvault.keyvaultName }}" # the name of the KeyVault
- cloudName: "" # [OPTIONAL available for version > 0.0.4] if not provided, azure environment will default to AzurePublicCloud
- cloudEnvFileName: "" # [OPTIONAL available for version > 0.0.7] use to define path to file for populating azure environment
- objects: |
- array:
- - |
- objectName: {{ .Values.sslCertificateRetrieval.keyvault.certificateName }}
- objectType: secret
-{{- end -}}
diff --git a/charts/icm-as/tests/keyvault-secretproviderclass_test.yaml b/charts/icm-as/tests/keyvault-secretproviderclass_test.yaml
new file mode 100644
index 00000000..6e97343e
--- /dev/null
+++ b/charts/icm-as/tests/keyvault-secretproviderclass_test.yaml
@@ -0,0 +1,67 @@
+suite: tests correctness of keyvault service provider class configuration
+templates:
+ - templates/keyvault-secretproviderclass.yaml
+
+tests:
+- it: should create a SecretProviderClass when keyvault is enabled
+ values:
+ - ../values.yaml
+ # use a separate values-yaml because setting array values directly does not work
+ - values/keyvault.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-keyvault-secretproviderclass
+ - equal:
+ path: spec.provider
+ value: azure
+ - equal:
+ path: spec.parameters.userAssignedIdentityID
+ value: test-client-id
+ - equal:
+ path: spec.parameters.keyvaultName
+ value: test-keyvault
+ - matchRegex:
+ path: spec.parameters.objects
+ pattern: "objectName: test-secret-obj"
+
+ - matchRegex:
+ path: spec.parameters.objects
+ pattern: "objectName: test-cert-name"
+
+ - equal:
+ path: spec.secretObjects[0].data[0].objectName
+ value: "test-secret-obj"
+ - equal:
+ path: spec.secretObjects[0].data[0].key
+ value: "test-secret-key"
+
+ - equal:
+ path: spec.secretObjects[1].data[0].objectName
+ value: "test-cert-name"
+ - equal:
+ path: spec.secretObjects[1].data[0].key
+ value: "tls.key"
+ - equal:
+ path: spec.secretObjects[1].data[1].objectName
+ value: "test-cert-name"
+ - equal:
+ path: spec.secretObjects[1].data[1].key
+ value: "tls.crt"
+
+ - equal:
+ path: spec.secretObjects[2].data[0].objectName
+ value: "test-key-obj"
+ - equal:
+ path: spec.secretObjects[2].data[0].key
+ value: "test-key-name"
+
+- it: should not create a SecretProviderClass when keyvault is disabled
+ set:
+ keyvault:
+ enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
\ No newline at end of file
diff --git a/charts/icm-as/tests/keyvault-serviceaccount_test.yaml b/charts/icm-as/tests/keyvault-serviceaccount_test.yaml
new file mode 100644
index 00000000..7f698117
--- /dev/null
+++ b/charts/icm-as/tests/keyvault-serviceaccount_test.yaml
@@ -0,0 +1,30 @@
+suite: tests correctness of keyvault serviceaccount configuration
+templates:
+ - templates/keyvault-serviceaccount.yaml
+
+tests:
+- it: should create a ServiceAccount when keyvault is enabled
+ values:
+ - ../values.yaml
+ # use a separate values-yaml because setting array values directly does not work
+ - values/keyvault.yaml
+ asserts:
+ - hasDocuments:
+ count: 1
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-keyvault-serviceaccount
+ - equal:
+ path: metadata.annotations["azure.workload.identity/client-id"]
+ value: test-client-id
+ - equal:
+ path: metadata.labels["secret-store"]
+ value: test-keyvault
+
+- it: should not create a ServiceAccount when keyvault is disabled
+ set:
+ keyvault:
+ enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
\ No newline at end of file
diff --git a/charts/icm-as/tests/values/keyvault.yaml b/charts/icm-as/tests/values/keyvault.yaml
new file mode 100644
index 00000000..e386cd0c
--- /dev/null
+++ b/charts/icm-as/tests/values/keyvault.yaml
@@ -0,0 +1,25 @@
+# used for test:
+# keyvault-secretproviderclass_test.yaml/keyvault is provided
+
+keyvault:
+ enabled: true
+ tenantId: "test-tenant-id"
+ managedIdentity:
+ clientID: "test-client-id"
+ keyvaultName: "test-keyvault"
+ secrets:
+ - generatedSecretName: "test-secret"
+ type: "Opaque"
+ data:
+ - objectName: "test-secret-obj"
+ key: "test-secret-key"
+ certificates:
+ - generatedSecretName: "test-cert"
+ certName: "test-cert-name"
+ keys:
+ - objectName: "test-cert-key-obj"
+ key: "test-cert-key"
+ keys:
+ - generatedSecretName: "test-key"
+ objectName: "test-key-obj"
+ key: "test-key-name"
\ No newline at end of file
diff --git a/charts/icm-as/values.yaml b/charts/icm-as/values.yaml
index 6dac8c19..457d5d45 100644
--- a/charts/icm-as/values.yaml
+++ b/charts/icm-as/values.yaml
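Review bot: In charts/icm-as/tests/values/keyvault.yaml the `keys:` sub-list under `certificates[0]` (`test-cert-key-obj` / `test-cert-key`) is never read — the SecretProviderClass template iterates certificates using only `.generatedSecretName` and `.certName` — and the commented example in values.yaml documents no such field, so the suite passes while that fixture data exercises nothing. Either drop those three lines, or, if per-certificate key objects are an intended feature, implement them in the template and add an assertion for them. The fixture header also names only keyvault-secretproviderclass_test.yaml although keyvault-serviceaccount_test.yaml loads the same file; `# used by: keyvault-secretproviderclass_test.yaml, keyvault-serviceaccount_test.yaml` keeps the two in sync.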
@@ -220,6 +220,31 @@ secrets:
 # name: # name of the secret, containing the referenced key
 # key: # key within the secret
+# configure ServiceProviderClass to access secrets, certificates and keys in a keyvault
+keyvault:
+ enabled: false
+ tenantId:
+ subscriptionId:
+ resourceGroup:
+ managedIdentity:
+ clientID:
+ keyvaultName:
+# secrets:
+# - generatedSecretName: "my-secret-1"
+# type: "Opaque"
+# data:
+# - objectName: "my-secret-obj"
+# key: "my-secret-key"
+
+# certificates:
+# - generatedSecretName: "my-tls-cert-1"
+# certName: "test-intershop-com"
+
+# keys:
+# - generatedSecretName: "my-key-secret-1"
+# objectName: "key-object-1"
+# key: "encryption.key"
+
 persistence:
 sites:
 size: 1Gi
@@ -438,17 +463,6 @@ webLayer:
 # Redisson client yaml config
 config: null
-sslCertificateRetrieval:
- enabled: false
- supportV1: false
- # secretName:
- keyvault:
- tenantId:
- subscriptionId:
- resourceGroup:
- keyvaultName:
- certificateName:
-
 # Configure configuration of the job-server.
 # The job-server template inherits most properties from the configuration of the application-server.
 # In order to override these properties add them in the job section, e.g. add a 'resources' section to
diff --git a/charts/icm/values-test-azure.tmpl b/charts/icm/values-test-azure.tmpl
index cd439b7d..05ad3244 100644
--- a/charts/icm/values-test-azure.tmpl
+++ b/charts/icm/values-test-azure.tmpl
@@ -12,7 +12,7 @@ icm-as:
 shareName: icm-sites
 customdata:
 enabled: true
- type: azurefiles
+ existingClaim: iste-nfs
 jgroups:
 size: 1Gi
 type: azurefiles
From 700d0dc9c5531f5ab4c41f62ec39b45140d92cbd Mon Sep 17 00:00:00 2001
From: Karsten Ludwig Hauser
Date: Tue, 28 Jan 2025 12:55:11 +0100
Subject: [PATCH 2/2] chore: create alpha release (#891)
---
 charts/icm-as/.bumpversion.toml | 2 +-
 charts/icm-as/Chart.yaml | 2 +-
 charts/icm/.bumpversion.toml | 2 +-
 charts/icm/Chart.yaml | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
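Review bot: `subscriptionId:` and `resourceGroup:` in the new `keyvault` block are declared but read by neither keyvault-secretproviderclass.yaml nor keyvault-serviceaccount.yaml in this patch (the deleted ssl-certificate-spc.yaml was the only template shown that used them), so an operator filling them in gets no effect and no error. Drop them, or mark them `# reserved, currently unused` until a template consumes them. The remaining bare keys — `tenantId:`, `clientID:`, `keyvaultName:` — default to null rather than `""`, which combined with the unquoted substitutions in the templates is what turns an unset value into a YAML null in the rendered resources; `tenantId: ""` and friends, with `| quote` on the template side, make the default a typed empty string. The leading comment should read `# configure SecretProviderClass …` — that is the kind this block drives, and the current wording also leaks into the test suite names.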
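Review bot: The `type: azurefiles` → `existingClaim: iste-nfs` change for `customdata` in charts/icm/values-test-azure.tmpl is unrelated to the key-vault feature named in the subject and binds the shared test values to an environment-specific claim name that nothing else in the patch creates. It belongs in its own commit, or at least in a line of the description explaining which test environment changed and why, so the alpha's change log does not silently carry it under the key-vault feature.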
diff --git a/charts/icm-as/.bumpversion.toml b/charts/icm-as/.bumpversion.toml
index cee2e41d..ed06006a 100644
--- a/charts/icm-as/.bumpversion.toml
+++ b/charts/icm-as/.bumpversion.toml
@@ -1,5 +1,5 @@
 [tool.bumpversion]
-current_version = "2.6.0"
+current_version = "2.7.0-alpha"
 [[tool.bumpversion.files]]
 filename = "Chart.yaml"
diff --git a/charts/icm-as/Chart.yaml b/charts/icm-as/Chart.yaml
index ea62b930..d1bd0389 100644
--- a/charts/icm-as/Chart.yaml
+++ b/charts/icm-as/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 # name and version must be in this exact order, otherwise bump2version won't work
 name: icm-as
-version: 2.6.0
+version: 2.7.0-alpha
 description: Intershop Commerce Management - AppServer
 type: application
 appVersion: 11.10.3-LTS
diff --git a/charts/icm/.bumpversion.toml b/charts/icm/.bumpversion.toml
index 04c38e13..0e106aab 100644
--- a/charts/icm/.bumpversion.toml
+++ b/charts/icm/.bumpversion.toml
@@ -1,5 +1,5 @@
 [tool.bumpversion]
-current_version = "2.11.0"
+current_version = "2.12.0-alpha"
 [[tool.bumpversion.files]]
 filename = "Chart.yaml"
diff --git a/charts/icm/Chart.yaml b/charts/icm/Chart.yaml
index b75f04f8..3ab90f0f 100644
--- a/charts/icm/Chart.yaml
+++ b/charts/icm/Chart.yaml
@@ -3,14 +3,14 @@ appVersion: "12.0.0"
 description: Intershop Commerce Management - ICM
 # name and version must be in this exact order, otherwise bump2version won't work
 name: icm
-version: 2.11.0
+version: 2.12.0-alpha
 # test related annotations
 annotations:
 requestedMemoryQuota: 6000Mi
 requestedCpuQuotaInMinutes: "2200"
 dependencies:
 - name: icm-as
- version: 2.6.0
+ version: 2.7.0-alpha
 repository: file://../icm-as
 - name: icm-web
 version: 0.13.2