[WIP]: seg 26 fev 2024 22:55:38 WET

Signed-off-by: Gabriel Santos <[email protected]>

charts/perses/templates/_helpers.tpl

@@ -64,3 +64,46 @@ Create the name of the service account to use
 {{- define "perses.dns" -}}
 http://{{ include "perses.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.targetPort }}
 {{- end -}}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.createEncryptionKeyFileSecret" -}}
+{{- if and .Values.config.security.encryptionKey .Values.config.security.encryptionKeyFile }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.mountEncryptionKeyFileSecret" -}}
+{{- if or (include "perses.createEncryptionKeyFileSecret" .) .Values.existingEncryptionKeySecret }}
+{{- printf "true" }}
+{{- else }}
+{{- printf "false" }}
+{{- end }}
+{{- end }}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.encryptionKeyVolume" -}}
+- name: encryptionkey
+  secret:
+    secretName: {{ include "perses.fullname" . }}-encryption-key
+    items:
+      - key: key
+        path: "key"
+{{- end }}
+
+{{/*
+TODO
+*/}}
+{{- define "perses.encryptionKeyVolumeMount" -}}
+- name: encryptionkey
+  mountPath: {{ .Values.config.security.encryptionKeyFile }}
+  readOnly: true
+{{- end }}

charts/perses/templates/secrets.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
+{{- if eq (include "perses.createEncryptionKeyFileSecret" .) "true" }}
 apiVersion: v1
 kind: Secret
 metadata:

charts/perses/templates/statefulset.yaml

@@ -50,10 +50,8 @@ spec:
           - name: datasources
             mountPath: /etc/perses/datasources
           {{- end }}
-          {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
-          - name: encryptionkey
-            mountPath: {{ .Values.config.security.encryptionKeyFile }}
-            readOnly: true
+          {{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}
+          {{- include "perses.encryptionKeyVolumeMount" . | nindent 10 }}
           {{- end }}
         ports:
           - name: http
@@ -103,11 +101,6 @@ spec:
           configMap:
             name: {{ include "perses.fullname" . }}-datasources
         {{- end }}
-        {{- if and .Values.config.security.encryptionKeyFile .Values.config.security.encryptionKey }}
-        - name: encryptionkey
-          secret:
-            secretName: {{ include "perses.fullname" . }}-encryption-key
-            items:
-              - key: key
-                path: "key"
+        {{- if eq (include "perses.mountEncryptionKeyFileSecret" .) "true" }}
+        {{- include "perses.encryptionKeyVolume" . | nindent 8 }}
         {{- end }}

charts/perses/values.schema.json

@@ -451,6 +451,20 @@
     "volumeMounts": {
       "type": "array"
     },
+    "existingEncryptionKeySecret": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "secretName": {
+          "type": "string",
+          "default": ""
+        },
+        "secretKey": {
+          "type": "string",
+          "default": "key"
+        }
+      }
+    },
     "readinessProbe": {
       "type": "object",
       "additionalProperties": false,

charts/perses/values.yaml

@@ -82,6 +82,12 @@ volumes: []
 # -- Additional VolumeMounts on the output StatefulSet definition.
 volumeMounts: []
 
+
+# -- Mount encryption key with an existing secret
+existingEncryptionKeySecret:
+  secretName: ""
+  secretKey: ""
+
 # -- Resource limits & requests.
 # Update according to your own use case as these values might be too low for a typical deployment.
 # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
@@ -97,9 +103,9 @@ config:
     # -- Configure Perses instance as readonly
     readOnly: false
     # -- Encryption key
-    encryptionKey: ""
+    encryptionKey: "111234123423411234123423412341234234"
     # -- Encryption key file path
-    encryptionKeyFile: ""
+    encryptionKeyFile: "/tmp/perses"
     # -- Enable Authentication
     enableAuth: false