build(helm): add secret parsing and helpers to helm chart build_image

PrivateAIM · Jul 2, 2024 · d8497a1 · d8497a1
1 parent 67eceef
commit d8497a1
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 3 deletions.
diff --git a/helm/node-ui/templates/_helpers.tpl b/helm/node-ui/templates/_helpers.tpl
@@ -0,0 +1,47 @@
+{{/*
+Return the secret containing the Keycloak client secret
+*/}}
+{{- define "ui.keycloak.secretName" -}}
+{{- $secretName := .Values.idp.existingSecret -}}
+{{- if and $secretName ( not .Values.idp.debug ) -}}
+    {{- printf "%s" (tpl $secretName $) -}}
+{{- else -}}
+    {{- printf "%s-node-ui-keycloak-secret" .Release.Name -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the secret key that contains the Keycloak client secret
+*/}}
+{{- define "ui.keycloak.secretKey" -}}
+{{- $secretName := .Values.idp.existingSecret -}}
+{{- if .Values.idp.debug -}}
+    {{- print "nodeUiClientSecret" -}}
+{{- else if and $secretName .Values.idp.existingSecretKey -}}
+    {{- printf "%s" .Values.idp.existingSecretKey -}}
+{{- else -}}
+    {{- print "nodeUiClientSecret" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate a random clientSecret value for the node-ui client in keycloak if none provided
+*/}}
+{{- define "ui.keycloak.clientSecret" -}}
+{{- if .Values.idp.debug -}}
+    {{- print "UU4ySGVPMkxlWE1ZMTBWclA0Y2YyeDVKSFRGSW5tNGY=" -}}
+{{- else -}}
+    {{- printf "%s" ( randAlphaNum 22 | b64enc | quote ) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the Keycloak endpoint
+*/}}
+{{- define "ui.keycloak.endpoint" -}}
+{{- if .Values.idp.host -}}
+    {{- .Values.idp.host -}}
+{{- else -}}
+    {{- printf "http://%s-keycloak-headless:8080" .Release.Name -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm/node-ui/templates/node-ui-deployment.yaml b/helm/node-ui/templates/node-ui-deployment.yaml
@@ -36,13 +36,16 @@ spec:
             - name: HUB_ADAPTER_API_URL
               value: {{ .Values.node.adapter | default "http://localhost:5000" | quote }}
             - name: KEYCLOAK_URL
-              value: {{ .Values.idp.host | default "http://localhost:8080" | quote }}
+              value: {{ include "ui.keycloak.endpoint" . }}
             - name: KEYCLOAK_REALM
               value: {{ .Values.idp.realm | default "flame" | quote }}
             - name: KEYCLOAK_CLIENT_ID
               value: {{ .Values.idp.clientId | default "node-ui" | quote }}
             - name: KEYCLOAK_CLIENT_SECRET
-              value: {{ required "IDP secret for Node UI must be set" .Values.idp.clientSecret | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "ui.keycloak.secretName" . }}
+                  key: {{ include "ui.keycloak.secretKey" . }}
             - name: NUXT_OIDC_TOKEN_KEY
               value: {{ randAlphaNum 48 | quote }}
             - name: NUXT_OIDC_SESSION_SECRET

diff --git a/helm/node-ui/templates/node-ui-secret.yaml b/helm/node-ui/templates/node-ui-secret.yaml
@@ -0,0 +1,12 @@
+# Only created if idp.existingSecret not defined
+
+{{- if not .Values.idp.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-node-ui-keycloak-secret
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  nodeUiClientSecret: {{- include "ui.keycloak.clientSecret" . | b64dec | indent 2 -}}
+{{- end }}
diff --git a/helm/node-ui/values.yaml b/helm/node-ui/values.yaml
@@ -9,14 +9,21 @@ url: http://localhost:3000
 idp:
   ## @param idp.debug If true, the clientId and clientSecret will use pre-defined values
   ## The clientSecret will be defined using the "static" k8s secret key
-  url: false
+  debug: false
   ## @param idp.clientId Keycloak client ID for this service
   clientId: node-ui
   ## @param idp.clientSecret Keycloak client secret. Ignored if `idp.existingSecret` is provided
   ## If not defined and no existingSecret provided, a random string is generated
   clientSecret: ""
+  ## @param idp.existingSecret Existing k8s secret containing Keycloak secret for this client
+  ## idp.existingSecretKey should also be defined for custom k8s secret. Defaults to hub-adapter-kc-secret
+  existingSecret: ""
+  ## @param idp.existingSecretKey Key where the Keycloak secret is being stored inside the existing k8s secret
+  existingSecretKey: ""
   ## @param idp.realm Keycloak realm that the client exists in
   realm: flame
+  ## @param idp.host URL to keycloak service
+  ## Will be inferred using the Release.Name if not defined
   host: ""
 
 ## Downstream node services