feat(simple-workflow): Add secretsEngine support for Sealed Secrets (#…

…275) Related to what was done for other charts as well: #261 (Ideally, `simple-workflows` would've been added to that as well). ## Test ### Original values.test.yaml ``` secretsEngine: plaintext secrets: foo: bar ``` ### New values.test.yaml (after generating a sealed secret) ``` secretsEngine: sealed secrets: foo: AgATvuwJ73WsrfdjBgy3ack++p4D8PpPIKas4B9KD4wPzKhPTkJCYZSxsA6h12cqPNdWMc4wrzgldKluVZY/g8Kmn0u54kupAr04WV9FXVUekCLtKl210MEffbZCbrUDQ58Yegpy7wSBgy6/qBynqq0Bj0qPXbHZiVNgQimefyeeB36Vw8JdZ6JoIPto8AdpIZADa6buIGBsj0+cyLbrL1RP04s7jq+uAi8V1ro6vtdtv6RPHttNBFrOHQpjBhhSNu5X/dAIlMLGfvs0oV+udHG6lDhYQdaG5DJZCImXFnIU86qUSCS318GuGSXwoSejytsZimOw5U1oFu67RBHj6FzsmEc15mkAEKy51FsqSutQL6QnpWlBTvTcLYLi/qSKMTLC0+oqw6FC8e+d2k8zZL8nDffqgtwCa9GRwtby1R1OP0+7g1GawYlHAv+URLfjdJZmZF4vKzwxMBuHzXfJqj7aVSqLmpl29eDnjkhyEue0FAgYODoHneUxHvKQ7VqoFAt8n+t+2ZBcD+/ddslqgvUYG6lshQe2xQMdONqXwbC0POGDeyD57fvkfvaDXzsJYfqo5yuMuDu9k1bicdRKvHxCMGj8tUAXdJC+Sv0KnQJoLYt+QjEizno/SeQBteMqfmc8Emf9ExlNhBpRclvDSuRuFyCdE1jfGWT44LgzZuBeeBcwaEjBB9kJX2GjTriGti6JeE8= ``` ### Resulting Helm Diff ```diff --- /tmp/orig.yaml 2024-02-28 10:34:01 +++ /tmp/new.yaml 2024-02-28 10:34:56 @@ -2,14 +2,6 @@ helm dependency update . helm template --debug --values values.yaml --values values.test.yaml simple-workflow . --- -# Source: simple-workflow/templates/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: simple-workflow-secrets -data: - FOO: YmFy ---- # Source: simple-workflow/templates/roles-and-rolebindings.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -53,6 +45,20 @@ - kind: ServiceAccount name: workflow-service-account namespace: simple-workflow +--- +# Source: simple-workflow/templates/sealedsecret.yaml +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: simple-workflow-secrets + annotations: + sealedsecrets.bitnami.com/namespace-wide: "true" +spec: + encryptedData: + foo: "AgATvuwJ73WsrfdjBgy3ack++p4D8PpPIKas4B9KD4wPzKhPTkJCYZSxsA6h12cqPNdWMc4wrzgldKluVZY/g8Kmn0u54kupAr04WV9FXVUekCLtKl210MEffbZCbrUDQ58Yegpy7wSBgy6/qBynqq0Bj0qPXbHZiVNgQimefyeeB36Vw8JdZ6JoIPto8AdpIZADa6buIGBsj0+cyLbrL1RP04s7jq+uAi8V1ro6vtdtv6RPHttNBFrOHQpjBhhSNu5X/dAIlMLGfvs0oV+udHG6lDhYQdaG5DJZCImXFnIU86qUSCS318GuGSXwoSejytsZimOw5U1oFu67RBHj6FzsmEc15mkAEKy51FsqSutQL6QnpWlBTvTcLYLi/qSKMTLC0+oqw6FC8e+d2k8zZL8nDffqgtwCa9GRwtby1R1OP0+7g1GawYlHAv+URLfjdJZmZF4vKzwxMBuHzXfJqj7aVSqLmpl29eDnjkhyEue0FAgYODoHneUxHvKQ7VqoFAt8n+t+2ZBcD+/ddslqgvUYG6lshQe2xQMdONqXwbC0POGDeyD57fvkfvaDXzsJYfqo5yuMuDu9k1bicdRKvHxCMGj8tUAXdJC+Sv0KnQJoLYt+QjEizno/SeQBteMqfmc8Emf9ExlNhBpRclvDSuRuFyCdE1jfGWT44LgzZuBeeBcwaEjBB9kJX2GjTriGti6JeE8=" + template: + metadata: + name: simple-workflow-secrets --- # Source: simple-workflow/templates/workflow-pipeline.yaml apiVersion: argoproj.io/v1alpha1 ```
Nextdoor · Feb 28, 2024 · 4031515 · 4031515
1 parent 1ecabdd
commit 4031515
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/charts/simple-workflow/Chart.yaml b/charts/simple-workflow/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: simple-workflow
 description: Default Argo Workflow Helm Chart
 type: application
-version: 0.0.14
+version: 0.0.15
 appVersion: latest
 maintainers:
   - name: masterginger

diff --git a/charts/simple-workflow/README.md b/charts/simple-workflow/README.md
@@ -2,7 +2,7 @@
 
 Default Argo Workflow Helm Chart
 
-![Version: 0.0.14](https://img.shields.io/badge/Version-0.0.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
+![Version: 0.0.15](https://img.shields.io/badge/Version-0.0.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 ## Values
 

diff --git a/charts/simple-workflow/templates/sealedsecret.yaml b/charts/simple-workflow/templates/sealedsecret.yaml
@@ -0,0 +1,21 @@
+{{- if and (.Values.secrets) (eq .Values.secretsEngine "sealed") }}
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: {{ .Release.Name }}-secrets
+  annotations:
+    {{- /*
+    Always (for now) set scope to be namespace-wide. At any time if usecases arise to
+    for cluster-wide scope, we can update these template to make it configurable (this
+    would also mean a separation of SealedSecret objects if mixing-and-matching)
+    */}}
+    sealedsecrets.bitnami.com/namespace-wide: "true"
+spec:
+  encryptedData:
+    {{- range $key, $value := .Values.secrets }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  template:
+    metadata:
+      name: {{ .Release.Name }}-secrets
+{{- end }}