feat(icm): enable serviceproviderclass on keyvault (#891)

charts/icm-as/.bumpversion.toml

@@ -1,5 +1,5 @@
 [tool.bumpversion]
-current_version = "2.6.0"
+current_version = "2.7.0-alpha"
 
 [[tool.bumpversion.files]]
 filename = "Chart.yaml"

charts/icm-as/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 # name and version must be in this exact order, otherwise bump2version won't work
 name: icm-as
-version: 2.6.0
+version: 2.7.0-alpha
 description: Intershop Commerce Management - AppServer
 type: application
 appVersion: 11.10.3-LTS

charts/icm-as/README.md

@@ -82,7 +82,7 @@ Prerequisites are:
 Please check the unit tests before pushing changes.
 
 ```bash
-helm unittest --helm3 charts/icm-as
+helm unittest charts/icm-as
 ```
 
 #### ct lint & install

charts/icm-as/templates/_volumeMounts.tpl

@@ -48,8 +48,8 @@ volumeMounts:
   readOnly: true
   subPath: newrelic.yml
 {{- end }}
-{{- if .Values.sslCertificateRetrieval.enabled }}
+{{- if .Values.keyvault.enabled }}
 - mountPath: /mnt/secrets
-  name: secrets-store-inline
+  name: keyvault-secrets-store-inline
 {{- end }}
 {{- end -}}

charts/icm-as/templates/_volumes.tpl

@@ -44,13 +44,13 @@ volumes:
 {{- end }}
 - name: customizations-volume
   emptyDir: {}
-{{- if .Values.sslCertificateRetrieval.enabled }}
-- name: secrets-store-inline
+{{- if .Values.keyvault.enabled }}
+- name: keyvault-secrets-store-inline
   csi:
     driver: secrets-store.csi.k8s.io
     readOnly: true
     volumeAttributes:
-      secretProviderClass: {{ include "icm-as.fullname" . }}-cert
+      secretProviderClass: {{ .Release.Name }}-keyvault-secretproviderclass
 {{- end }}
 {{- end -}}
 

charts/icm-as/templates/keyvault-secretproviderclass.yaml

@@ -0,0 +1,67 @@
+{{- if .Values.keyvault.enabled }}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: {{ .Release.Name }}-keyvault-secretproviderclass
+  namespace: {{ .Release.Namespace }}
+spec:
+  provider: azure
+  parameters:
+    tenantId: {{ .Values.keyvault.tenantId }}
+    userAssignedIdentityID: {{ .Values.keyvault.managedIdentity.clientID | default "" }}
+    keyvaultName: {{ .Values.keyvault.keyvaultName }}
+    usePodIdentity: "false"
+    useVMManagedIdentity: "true"
+    cloudName: "" # Leave blank for public Azure
+    objects: |
+      array:
+        {{- range .Values.keyvault.secrets }}
+        {{- range .data }}
+        - |
+          objectName: {{ .objectName }}
+          objectType: secret
+        {{- end }}
+        {{- end }}
+        {{- range .Values.keyvault.certificates }}
+        - |
+          objectName: {{ .certName }}
+          objectType: cert
+        - |
+          objectName: {{ .certName }}
+          objectType: key
+        - |
+          objectName: {{ .certName }}
+          objectType: secret
+        {{- end }}
+        {{- range .Values.keyvault.keys }}
+        - |
+          objectName: {{ .objectName }}
+          objectType: key
+        {{- end }}
+  secretObjects:
+    {{- range .Values.keyvault.secrets }}
+    - secretName: {{ .generatedSecretName }}
+      type: {{ .type | default "Opaque" }}
+      data:
+        {{- range .data }}
+        - objectName: {{ .objectName }}
+          key: {{ .key }}
+        {{- end }}
+    {{- end }}
+    {{- range .Values.keyvault.certificates }}
+    - secretName: {{ .generatedSecretName }}
+      type: kubernetes.io/tls
+      data:
+        - objectName: {{ .certName }}
+          key: tls.key
+        - objectName: {{ .certName }}
+          key: tls.crt
+    {{- end }}
+    {{- range .Values.keyvault.keys }}
+    - secretName: {{ .generatedSecretName }}
+      type: "Opaque"
+      data:
+        - objectName: {{ .objectName }}
+          key: {{ .key }}
+    {{- end }}
+{{- end }}

charts/icm-as/templates/keyvault-serviceaccount.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.keyvault.enabled }}
+# service account - with annotation azure.workload.identity/client-id for getting access to the keyvault
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-keyvault-serviceaccount
+  annotations:
+    azure.workload.identity/client-id: {{ .Values.keyvault.managedIdentity.clientID | default "" }}
+  labels:
+    secret-store: {{ .Values.keyvault.keyvaultName }}
+{{- end }}

charts/icm-as/tests/keyvault-secretproviderclass_test.yaml

@@ -0,0 +1,67 @@
+suite: tests correctness of keyvault service provider class configuration
+templates:
+  - templates/keyvault-secretproviderclass.yaml
+
+tests:
+- it: should create a SecretProviderClass when keyvault is enabled
+  values:
+  - ../values.yaml
+  # use a separate values-yaml because setting array values directly does not work
+  - values/keyvault.yaml
+  asserts:
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: metadata.name
+      value: RELEASE-NAME-keyvault-secretproviderclass
+  - equal:
+      path: spec.provider
+      value: azure
+  - equal:
+      path: spec.parameters.userAssignedIdentityID
+      value: test-client-id
+  - equal:
+      path: spec.parameters.keyvaultName
+      value: test-keyvault
+  - matchRegex:
+      path: spec.parameters.objects
+      pattern: "objectName: test-secret-obj"
+
+  - matchRegex:
+      path: spec.parameters.objects
+      pattern: "objectName: test-cert-name"
+
+  - equal:
+      path: spec.secretObjects[0].data[0].objectName
+      value: "test-secret-obj"
+  - equal:
+      path: spec.secretObjects[0].data[0].key
+      value: "test-secret-key"
+
+  - equal:
+      path: spec.secretObjects[1].data[0].objectName
+      value: "test-cert-name"
+  - equal:
+      path: spec.secretObjects[1].data[0].key
+      value: "tls.key"
+  - equal:
+      path: spec.secretObjects[1].data[1].objectName
+      value: "test-cert-name"
+  - equal:
+      path: spec.secretObjects[1].data[1].key
+      value: "tls.crt"
+
+  - equal:
+      path: spec.secretObjects[2].data[0].objectName
+      value: "test-key-obj"
+  - equal:
+      path: spec.secretObjects[2].data[0].key
+      value: "test-key-name"
+
+- it: should not create a SecretProviderClass when keyvault is disabled
+  set:
+    keyvault:
+      enabled: false
+  asserts:
+    - hasDocuments:
+        count: 0

charts/icm-as/tests/keyvault-serviceaccount_test.yaml

@@ -0,0 +1,30 @@
+suite: tests correctness of keyvault serviceaccount configuration
+templates:
+  - templates/keyvault-serviceaccount.yaml
+
+tests:
+- it: should create a ServiceAccount when keyvault is enabled
+  values:
+  - ../values.yaml
+  # use a separate values-yaml because setting array values directly does not work
+  - values/keyvault.yaml
+  asserts:
+  - hasDocuments:
+      count: 1
+  - equal:
+      path: metadata.name
+      value: RELEASE-NAME-keyvault-serviceaccount
+  - equal:
+      path: metadata.annotations["azure.workload.identity/client-id"]
+      value: test-client-id
+  - equal:
+      path: metadata.labels["secret-store"]
+      value: test-keyvault
+
+- it: should not create a ServiceAccount when keyvault is disabled
+  set:
+    keyvault:
+      enabled: false
+  asserts:
+    - hasDocuments:
+        count: 0

charts/icm-as/tests/values/keyvault.yaml

@@ -0,0 +1,25 @@
+# used for test:
+# keyvault-secretproviderclass_test.yaml/keyvault is provided
+
+keyvault:
+  enabled: true
+  tenantId: "test-tenant-id"
+  managedIdentity:
+    clientID: "test-client-id"
+  keyvaultName: "test-keyvault"
+  secrets:
+    - generatedSecretName: "test-secret"
+      type: "Opaque"
+      data:
+        - objectName: "test-secret-obj"
+          key: "test-secret-key"
+  certificates:
+    - generatedSecretName: "test-cert"
+      certName: "test-cert-name"
+      keys:
+        - objectName: "test-cert-key-obj"
+          key: "test-cert-key"
+  keys:
+    - generatedSecretName: "test-key"
+      objectName: "test-key-obj"
+      key: "test-key-name"

charts/icm-as/values.yaml

@@ -220,6 +220,31 @@ secrets:
   #  name: <emailSecrets> # name of the secret, containing the referenced key
   #  key: <smtpPassword> # key within the secret
 
+# configure ServiceProviderClass to access secrets, certificates and keys in a keyvault
+keyvault:
+  enabled: false
+  tenantId: <tenant-ID-of-the-KeyVault>
+  subscriptionId: <subscription-ID-of-the-KeyVault>
+  resourceGroup: <resource-group-of-the-KeyVault>
+  managedIdentity:
+    clientID: <client-id-to access-keyvault>
+  keyvaultName: <name-of-the-KeyVault>
+#  secrets:
+#  - generatedSecretName: "my-secret-1"
+#    type: "Opaque"
+#    data:
+#    - objectName: "my-secret-obj"
+#      key: "my-secret-key"
+
+#  certificates:
+#  - generatedSecretName: "my-tls-cert-1"
+#    certName: "test-intershop-com"
+
+#  keys:
+#  - generatedSecretName: "my-key-secret-1"
+#    objectName: "key-object-1"
+#    key: "encryption.key"
+
 persistence:
   sites:
     size: 1Gi
@@ -438,17 +463,6 @@ webLayer:
     # Redisson client yaml config
     config: null
 
-sslCertificateRetrieval:
-  enabled: false
-  supportV1: false
-  # secretName: <explicit-ssl-secret-name>
-  keyvault:
-    tenantId: <tenant-ID-of-the-KeyVault>
-    subscriptionId: <subscription-ID-of-the-KeyVault>
-    resourceGroup: <resource-group-of-the-KeyVault>
-    keyvaultName: <name-of-the-KeyVault>
-    certificateName: <name-of-the-certificate>
-
 # Configure configuration of the job-server.
 # The job-server template inherits most properties from the configuration of the application-server.
 # In order to override these properties add them in the job section, e.g. add a 'resources' section to

charts/icm/.bumpversion.toml

@@ -1,5 +1,5 @@
 [tool.bumpversion]
-current_version = "2.11.0"
+current_version = "2.12.0-alpha"
 
 [[tool.bumpversion.files]]
 filename = "Chart.yaml"

charts/icm/Chart.yaml

@@ -3,14 +3,14 @@ appVersion: "12.0.0"
 description: Intershop Commerce Management - ICM
 # name and version must be in this exact order, otherwise bump2version won't work
 name: icm
-version: 2.11.0
+version: 2.12.0-alpha
 # test related annotations
 annotations:
   requestedMemoryQuota: 6000Mi
   requestedCpuQuotaInMinutes: "2200"
 dependencies:
   - name: icm-as
-    version: 2.6.0
+    version: 2.7.0-alpha
     repository: file://../icm-as
   - name: icm-web
     version: 0.13.2

charts/icm/values-test-azure.tmpl

@@ -12,7 +12,7 @@ icm-as:
         shareName: icm-sites
     customdata:
       enabled: true
-      type: azurefiles
+      existingClaim: iste-nfs
     jgroups:
       size: 1Gi
       type: azurefiles