From 10d852c9093253213fe07cb19f64089d727c0586 Mon Sep 17 00:00:00 2001 From: Matt Rogers Date: Thu, 29 Aug 2024 09:49:18 +0100 Subject: [PATCH 1/4] feat: toggle creation of secrets --- charts/snyk-broker/templates/secrets.yaml | 36 +++++++++++------------ charts/snyk-broker/values.yaml | 3 ++ 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/charts/snyk-broker/templates/secrets.yaml b/charts/snyk-broker/templates/secrets.yaml index 2ff6dba..74ac911 100644 --- a/charts/snyk-broker/templates/secrets.yaml +++ b/charts/snyk-broker/templates/secrets.yaml @@ -1,5 +1,5 @@ {{ $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} -{{- if .Values.brokerToken }} +{{- if and .Values.brokerToken .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -9,7 +9,7 @@ data: "{{ .Values.scmType}}-broker-token-key": {{ .Values.brokerToken | b64enc | quote }} --- {{- end }} -{{- if .Values.scmToken }} +{{- if and .Values.scmToken .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -19,7 +19,7 @@ data: "{{ .Values.scmType}}-token-key": {{ .Values.scmToken | b64enc | quote }} {{- end }} --- -{{- if .Values.scmTokenPool }} +{{- if and .Values.scmTokenPool .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -29,7 +29,7 @@ data: "{{ .Values.scmType }}-token-key-pool": {{ .Values.scmTokenPool | b64enc | quote }} {{- end }} --- -{{- if .Values.bitbucketPassword }} +{{- if and .Values.bitbucketPassword .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -39,7 +39,7 @@ data: "{{ .Values.scmType}}-token-key": {{ .Values.bitbucketPassword | b64enc | quote }} --- {{- end }} -{{- if .Values.bitbucketPat }} +{{- if and .Values.bitbucketPat .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: 
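Review bot: Each `{{- if .Values.<credential> }}` guard in secrets.yaml now repeats `.Values.createSecrets`, which has to be remembered for every Secret added later and is the same change in all of this file's hunks (the rest continue on the following lines). Wrapping the template once, `{{- if .Values.createSecrets }}` at the top and a matching `{{- end }}` at the bottom, expresses the toggle in one place and leaves the per-credential conditions as they were. The `---` separators would then also be emitted only when a document can follow them, instead of the bare separators that the current form renders when the toggle is off.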
@@ -49,7 +49,7 @@ stringData: "{{ .Values.scmType}}-token-key": {{ .Values.bitbucketPat | quote }} --- {{- end }} -{{- if .Values.azureReposToken }} +{{- if and .Values.azureReposToken .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -59,7 +59,7 @@ data: "{{ .Values.scmType}}-token-key": {{ .Values.azureReposToken | b64enc | quote }} --- {{- end }} -{{- if .Values.jiraPassword }} +{{- if and .Values.jiraPassword .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -69,7 +69,7 @@ data: "{{ .Values.scmType}}-token-key": {{ .Values.jiraPassword | b64enc | quote }} --- {{- end }} -{{- if .Values.jiraPat }} +{{- if and .Values.jiraPat .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -79,7 +79,7 @@ data: "{{ .Values.scmType}}-token-key": {{ .Values.jiraPat | b64enc | quote }} --- {{- end }} -{{- if .Values.crPassword }} +{{- if and .Values.crPassword .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -89,7 +89,7 @@ data: "{{ .Values.scmType}}-token-key": {{ .Values.crPassword | b64enc | quote }} --- {{- end }} -{{- if .Values.crToken }} +{{- if and .Values.crToken .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -99,7 +99,7 @@ data: "{{ .Values.scmType}}-token-key": {{ .Values.crToken | b64enc | quote }} --- {{- end }} -{{- if .Values.snykToken }} +{{- if and .Values.snykToken .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -109,7 +109,7 @@ data: "snyk-token-key": {{ .Values.snykToken | b64enc | quote }} --- {{- end }} -{{- if .Values.artifactoryUrl }} +{{- if and .Values.artifactoryUrl .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -119,7 +119,7 @@ stringData: artifactory-url: {{ .Values.artifactoryUrl | quote }} --- {{- end }} -{{- if and (.Values.artifactoryUrl) (.Values.brokerClientValidationUrl) }} +{{- if and (.Values.artifactoryUrl) (.Values.brokerClientValidationUrl) .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: 
@@ -129,7 +129,7 @@ stringData: artifactory-broker-client-validation-url: {{ .Values.brokerClientValidationUrl | quote }} --- {{- end }} -{{- if .Values.baseNexusUrl }} +{{- if and .Values.baseNexusUrl .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -139,7 +139,7 @@ data: "nexus-base-nexus-url": {{ .Values.baseNexusUrl | b64enc | quote }} --- {{- end}} -{{- if .Values.nexusUrl }} +{{- if and .Values.nexusUrl .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -150,7 +150,7 @@ data: --- {{- end}} {{ if or (.Values.baseNexusUrl) (.Values.nexusUrl) }} - {{- if .Values.brokerClientValidationUrl }} + {{- if and .Values.brokerClientValidationUrl .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -161,7 +161,7 @@ stringData: --- {{- end }} {{- end }} -{{- if and (.Values.httpsCert) (.Values.httpsKey) }} +{{- if and (.Values.httpsCert) (.Values.httpsKey) .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: @@ -172,7 +172,7 @@ data: tls.key: {{ (.Files.Get .Values.httpsKey) | b64enc | quote }} --- {{- end }} -{{- if or .Values.caCert .Values.caCertFile }} +{{- if and (or .Values.caCert .Values.caCertFile) .Values.createSecrets }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/snyk-broker/values.yaml b/charts/snyk-broker/values.yaml index fee9567..68067c4 100644 --- a/charts/snyk-broker/values.yaml +++ b/charts/snyk-broker/values.yaml @@ -31,6 +31,9 @@ replicaCount: 2 # Adds additional labels to broker deployment labels: {} +# Enable or disable inbuilt secrets - disable to provide your own pre-existing secrets. +createSecrets: true + ##### SCM Generic ##### # scmType is used to define the Source Control that you are connecting to. From ebb67e701e00cf46a5435a61614f88c5414e4045 Mon Sep 17 00:00:00 2001 
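Review bot: `createSecrets: true` is added to values.yaml but not to the chart's values.schema.json (the schema file is listed in the next patch's diffstat, so it exists); without a `"createSecrets": {"type": "boolean"}` entry a value supplied as a string, e.g. via `--set-string createSecrets=false`, is accepted, and a non-empty string is truthy in `and .Values.brokerToken .Values.createSecrets`, so the Secrets are still rendered. The comment could also tell the operator what turning it off commits them to, since broker_deployment.yaml still references the generated names in this patch: `# When false, Secrets with the chart's default names (e.g. <scmType>-broker-token-<release>) must already exist in the release namespace.`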
From: Matt Rogers Date: Fri, 30 Aug 2024 16:27:23 +0100 Subject: [PATCH 2/4] feat: support usage of external/custom name secrets --- charts/snyk-broker/templates/NOTES.txt | 14 +- charts/snyk-broker/templates/_helpers.tpl | 4 +- charts/snyk-broker/templates/_notes.tpl | 25 + charts/snyk-broker/templates/_scmConfig.tpl | 433 ++++++++++++++++++ .../templates/broker_deployment.yaml | 304 +----------- charts/snyk-broker/templates/secrets.yaml | 136 ++---- ...oker_deployment_artifactory_test.yaml.snap | 16 +- ...r_deployment_scm_token_pool_test.yaml.snap | 15 +- ...ployment_disable_secret_creation_test.yaml | 26 ++ .../tests/broker_deployment_nexus_test.yaml | 12 +- ...broker_deployment_rename_secrets_test.yaml | 384 ++++++++++++++++ .../tests/broker_deployment_test.yaml | 6 + charts/snyk-broker/values.schema.json | 154 +++++-- charts/snyk-broker/values.yaml | 65 ++- 14 files changed, 1116 insertions(+), 478 deletions(-) create mode 100644 charts/snyk-broker/templates/_notes.tpl create mode 100644 charts/snyk-broker/templates/_scmConfig.tpl create mode 100644 charts/snyk-broker/tests/broker_deployment_disable_secret_creation_test.yaml create mode 100644 charts/snyk-broker/tests/broker_deployment_rename_secrets_test.yaml diff --git a/charts/snyk-broker/templates/NOTES.txt b/charts/snyk-broker/templates/NOTES.txt index fc11c27..1c2e650 100644 --- a/charts/snyk-broker/templates/NOTES.txt +++ b/charts/snyk-broker/templates/NOTES.txt 
@@ -1,3 +1,15 @@ Thank you for installing the Snyk Broker - +{{- if eq .Values.brokerServerUrl "https://broker.snyk.io" }} Login to the Snyk UI to start onboarding projects: https://app.snyk.io +{{ else }} +{{ $tenant := regexFind "[a-z]+.snyk.io" .Values.brokerServerUrl }} +{{ printf "Login to the Snyk UI to start onboarding projects: https://app.%s" $tenant }} +{{ end }} +{{- if not .Values.useExternalSecrets}} +### Secret Creation Disabled ### + +Ensure secrets are present on your cluster in the {{.Release.Namespace}} namespace: + +-> NAME:KEY +{{- include "snyk-broker.requiredSecrets" . }} +{{- end }} diff --git a/charts/snyk-broker/templates/_helpers.tpl b/charts/snyk-broker/templates/_helpers.tpl index 191e2ed..081215b 100644 --- a/charts/snyk-broker/templates/_helpers.tpl +++ b/charts/snyk-broker/templates/_helpers.tpl @@ -129,11 +129,11 @@ include "snyk-broker.genericSecretName" (dict "Context" $ "secretName" "secret-n {{- end -}} {{- define "snyk-broker.tlsSecretName" -}} -{{- include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "tls-secret" ) -}} +{{- .Values.httpsSecret.name | default ( include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "tls-secret" ) ) -}} {{- end }} {{- define "snyk-broker.caCertSecretName" -}} -{{- include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "cacert-secret" ) -}} +{{- .Values.caCertFileSecret.name | default ( include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "cacert-secret" ) ) -}} {{- end }} {{/* diff --git a/charts/snyk-broker/templates/_notes.tpl b/charts/snyk-broker/templates/_notes.tpl new file mode 100644 index 0000000..d8000a0 --- /dev/null +++ b/charts/snyk-broker/templates/_notes.tpl 
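Review bot: `{{- if not .Values.useExternalSecrets}}` shows the "Secret Creation Disabled" banner and the required-secret list when `useExternalSecrets` is false, which reads inverted against the flag's name: if false is the default that renders the chart-managed Secrets, every default install is told to create secrets by hand, and the condition should presumably be `{{- if .Values.useExternalSecrets }}`. The same inverted test guards the list in the new `_notes.tpl`, so both need the same decision, and patch 1 named this toggle `createSecrets`, so whichever spelling values.yaml ends up with should be checked against these two files (the values.yaml hunk is outside this chunk). The tenant extraction `regexFind "[a-z]+.snyk.io" .Values.brokerServerUrl` uses unescaped dots and returns an empty string for any URL without a `<letters>.snyk.io` host, printing `https://app.`; escaping the dots (`"[a-z]+\\.snyk\\.io"`) and falling back to the configured URL when `$tenant` is empty keeps the note accurate.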
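Review bot: `.Values.httpsSecret.name` and `.Values.caCertFileSecret.name` in the two changed helpers abort the render with a nil-pointer error whenever the `httpsSecret` or `caCertFileSecret` map is absent, for example when an operator sets either key to `null` or the chart's values.yaml does not declare both maps (that hunk is outside this chunk, so I cannot confirm it does). A guard such as `{{- (.Values.httpsSecret | default dict).name | default ( include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "tls-secret" ) ) -}}` keeps the fallback name working in that case; the same applies to the cacert helper.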
@@ -0,0 +1,25 @@ +{{/* +*/}} +{{- define "snyk-broker.requiredSecrets" -}} +{{- $scmTemplates := (list "scmTokenOrPool") }} +{{- $artifactoryTemplates := (list "artifactoryUrl" "brokerClientValidationUrl" ) }} +{{- $nexusTemplates := (list "baseNexusUrl" "nexusUrl" "brokerClientValidationUrl" )}} +{{- $containerRegistryAgentTemplates := (list "scmToken" )}} +{{- $templatesPerType := (dict "github-com" $scmTemplates "github-enterprise" $scmTemplates "gitlab" $scmTemplates "bitbucket-server" $scmTemplates "bitbucket-server-bearer-auth" $scmTemplates "azure-repos" $scmTemplates "artifactory" $artifactoryTemplates "nexus" $nexusTemplates "jira" $scmTemplates "jira-bearer-auth" $scmTemplates "container-registry-agent" $containerRegistryAgentTemplates ) }} +{{- if not .Values.useExternalSecrets -}} +{{- range (get $templatesPerType .Values.scmType ) }} +{{- $secretObject := (first (fromYamlArray (include (printf "snyk-broker.%s" . ) $ ))) }} +{{- $envName := $secretObject.name }} +{{- $name := $secretObject.valueFrom.secretKeyRef.name }} +{{- $key := $secretObject.valueFrom.secretKeyRef.key }} +{{ printf "-> %s:%s <%s>" $name $key $envName }} +{{- end }} +{{- if .Values.httpsSecret.name }} +{{ printf "-> %s:%s " .Values.httpsSecret.name "tls.crt" }} +{{ printf "-> %s:%s " .Values.httpsSecret.name "tls.key" }} +{{- end }} +{{- if (and .Values.caCertFileSecret.name .Values.caCertFileSecret.key ) }} +{{ printf "-> %s:%s " .Values.caCertFileSecret.name .Values.caCertFileSecret.key }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/snyk-broker/templates/_scmConfig.tpl b/charts/snyk-broker/templates/_scmConfig.tpl new file mode 100644 index 0000000..3cc8cd0 --- /dev/null +++ b/charts/snyk-broker/templates/_scmConfig.tpl 
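Review bot: `first (fromYamlArray (include ...))` dereferences nil when the included partial renders nothing — `snyk-broker.scmToken` sets no `$envVarName` for `container-registry-agent` with `crType` `ecr`, so `$secretObject.name` then fails the NOTES render for that configuration. `$templatesPerType` also has no `nexus2` entry although the deployment partials accept it via `contains "nexus" .Values.scmType` (and the removed deployment code compared against `"nexus2"`), and `range` over the empty string that `get` returns for an unknown key is a template error. Ranging over the whole array, `{{- range (fromYamlArray (include (printf "snyk-broker.%s" .) $)) }}` with the three lookups inside the loop, handles the empty case and also lists both the token and the token-pool secret for `scmTokenOrPool` instead of only the first. The empty `{{/* */}}` header could state the partial's purpose, e.g. `Render one "-> name:key <ENV>" line per Secret the deployment references, for NOTES.txt when secrets are supplied externally.`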
@@ -0,0 +1,433 @@ +{{/* +Return broker client url +*/}} +{{- define "snyk-broker.brokerClientUrl" }} +- name: BROKER_CLIENT_URL +{{- if eq .Values.scmType "container-registry-agent" }} + value: "http://{{ include "snyk-broker.brokerServiceName" . }}:{{ .Values.service.port }}" +{{- else }} + value: {{ .Values.brokerClientUrl }} +{{- end }} +{{- end }} + +{{/* +Return broker client port +*/}} +{{- define "snyk-broker.brokerClientPort" }} +- name: PORT + value: {{ .Values.deployment.container.containerPort | squote }} +{{- end }} + +{{/* +Return broker token secret name and key +*/}} +{{- define "snyk-broker.brokerTokenSecretName" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.brokerTokenSecret.name | default ( printf "%s-broker-token%s" .Values.scmType $suffix ) }} +{{- end }} + +{{/* +Return broker token secret name and key +*/}} +{{- define "snyk-broker.brokerTokenSecretKey" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.brokerTokenSecret.key | default ( printf "%s-broker-token-key" .Values.scmType ) }} +{{- end }} + +{{/* +Return broker token +*/}} +{{- define "snyk-broker.brokerToken" }} +- name: BROKER_TOKEN + valueFrom: + secretKeyRef: + name: {{ include "snyk-broker.brokerTokenSecretName" . }} + key: {{ include "snyk-broker.brokerTokenSecretKey" . 
}} +{{- end }} + +{{/* +Return the scm token secret name and key +*/}} +{{- define "snyk-broker.scmTokenSecretName" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.externalCredentialSecret.name | default (printf "%s-token%s" .Values.scmType $suffix ) }} +{{- end }} + +{{- define "snyk-broker.scmTokenSecretKey" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.externalCredentialSecret.key | default (printf "%s-token-key" .Values.scmType ) }} +{{- end }} + +{{/* +Return the scm-specific config for token/credentials +*/}} +{{- define "snyk-broker.scmToken" }} +{{- $scm := (.Values.scmType | split "-")._0 | upper }} +{{- $envVarName := "" -}} +{{- if has .Values.scmType (list "github-com" "github-enterprise" "gitlab") }} +{{- $envVarName = (printf "%s_TOKEN" $scm) }} +{{- end }} +{{- if eq .Values.scmType "bitbucket-server" }} +{{- $envVarName = "BITBUCKET_PASSWORD" }} +{{- end }} +{{- if eq .Values.scmType "bitbucket-server-bearer-auth" }} +{{- $envVarName = "BITBUCKET_PAT" }} +{{- end }} +{{- if eq .Values.scmType "azure-repos" }} +{{- $envVarName = "AZURE_REPOS_TOKEN" }} +{{- end }} +{{- if eq .Values.scmType "jira" }} +{{- $envVarName = "JIRA_PASSWORD" }} +{{- end }} +{{- if eq .Values.scmType "jira-bearer-auth" }} +{{- $envVarName = "JIRA_PAT" }} +{{- end }} +{{- if eq .Values.scmType "container-registry-agent" }} +{{- if not (has .Values.crType (list "ecr" "digitalocean-cr")) }} +{{- $envVarName = "CR_PASSWORD" }} +{{- else }} +{{- if eq .Values.crType "digitalocean-cr" }} +{{- $envVarName = "CR_TOKEN" }} +{{- end }} +{{- end }} +{{- end }} +{{- if not (and .Values.scmTokenPool .Values.useExternalSecretScmTokenPool ) }} +{{- if $envVarName }} +- name: {{ $envVarName }} + valueFrom: + secretKeyRef: + name: {{ include "snyk-broker.scmTokenSecretName" . }} + key: {{ include "snyk-broker.scmTokenSecretKey" . 
}} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Return the Artifactory URL secret name and key +*/}} +{{- define "snyk-broker.artifactoryUrlSecretName" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.artifactoryUrlSecret.name | default (printf "artifactory-url%s" $suffix ) }} +{{- end }} + +{{- define "snyk-broker.artifactoryUrlSecretKey" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.artifactoryUrlSecret.key | default "artifactory-url" }} +{{- end }} + +{{/* +Artifactory URL +*/}} +{{- define "snyk-broker.artifactoryUrl" }} +- name: ARTIFACTORY_URL + valueFrom: + secretKeyRef: + name: {{ include "snyk-broker.artifactoryUrlSecretName" . }} + key: {{ include "snyk-broker.artifactoryUrlSecretKey" . }} +{{- end }} + +{{/* +Return the Nexus Base URL secret name and key +*/}} +{{- define "snyk-broker.baseNexusUrlSecretName" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.baseNexusUrlSecret.name | default (printf "nexus-base-nexus-url%s" $suffix) }} +{{- end }} + +{{- define "snyk-broker.baseNexusUrlSecretKey" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.baseNexusUrlSecret.key | default "nexus-base-nexus-url" }} +{{- end }} + +{{/* +Nexus Urls +*/}} +{{- define "snyk-broker.baseNexusUrl" }} +- name: BASE_NEXUS_URL + valueFrom: + secretKeyRef: + name: {{ include "snyk-broker.baseNexusUrlSecretName" . }} + key: {{ include "snyk-broker.baseNexusUrlSecretKey" . 
}} +{{- end }} + +{{/* +Return the Nexus URL secret name and key +*/}} +{{- define "snyk-broker.nexusUrlSecretName" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.nexusUrlSecret.name | default (printf "nexus-nexus-url%s" $suffix) }} +{{- end }} + +{{- define "snyk-broker.nexusUrlSecretKey" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.nexusUrlSecret.key | default "nexus-nexus-url" }} +{{- end }} + +{{- define "snyk-broker.nexusUrl" }} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +- name: NEXUS_URL + valueFrom: + secretKeyRef: + name: {{ include "snyk-broker.nexusUrlSecretName" . }} + key: {{ include "snyk-broker.nexusUrlSecretKey" . }} +{{- end }} + +{{/* +Return the Broker Client Validation URL secret name and key +*/}} +{{- define "snyk-broker.brokerClientValidationUrlSecretName" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.brokerClientValidationUrlSecret.name | default (printf "%s-broker-client-validation-url%s" .Values.scmType $suffix ) }} +{{- end }} + +{{- define "snyk-broker.brokerClientValidationUrlSecretKey" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.brokerClientValidationUrlSecret.key | default ( printf "%s-broker-client-validation-url" .Values.scmType ) }} +{{- end }} + + +{{/* +Broker Client Validation URL +*/}} +{{- define "snyk-broker.brokerClientValidationUrl" }} +{{- if or (eq .Values.scmType "artifactory") (contains "nexus" .Values.scmType ) }} +- name: BROKER_CLIENT_VALIDATION_URL + valueFrom: + secretKeyRef: + name: {{ include "snyk-broker.brokerClientValidationUrlSecretName" . }} + key: {{ include "snyk-broker.brokerClientValidationUrlSecretKey" . 
}} +{{- end }} +{{- end }} + +{{/* +Return the SCM Token Pool secret name and key +*/}} +{{- define "snyk-broker.scmTokenPoolSecretName" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.scmTokenPoolSecret.name | default (printf "%s-token-pool%s" .Values.scmType $suffix ) }} +{{- end }} + +{{- define "snyk-broker.scmTokenPoolSecretKey" -}} +{{- $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} +{{- .Values.scmTokenPoolSecret.key | default ( printf "%s-token-pool-key" .Values.scmType ) }} +{{- end }} + +{{/* +SCM Token pooling +*/}} +{{- define "snyk-broker.scmTokenPool" }} +{{- $scm := (.Values.scmType | split "-")._0 | upper -}} +{{- if has .Values.scmType (list "github-com" "github-enterprise" "gitlab") }} +{{- if or .Values.scmTokenPool .Values.useExternalSecretScmTokenPool }} +- name: {{ printf "%s_TOKEN_POOL" $scm }} + valueFrom: + secretKeyRef: + name: {{ include "snyk-broker.scmTokenPoolSecretName" . }} + key: {{ include "snyk-broker.scmTokenPoolSecretKey" . }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +If supported, return a token pool or a single token +Only the following SCMs support pooling: +GITHUB_TOKEN (github-com, github-enterprise) +GITLAB_TOKEN (gitlab) +*/}} +{{- define "snyk-broker.scmTokenOrPool" -}} +{{- include "snyk-broker.scmToken" . }} +{{- include "snyk-broker.scmTokenPool" . }} +{{- end }} + +{{/* +Define github-com values +*/}} +{{- define "snyk-broker.githubCom" -}} +{{- if eq .Values.scmType "github-com" }} +{{- include "snyk-broker.brokerToken" . }} +{{- include "snyk-broker.scmTokenOrPool" . }} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.brokerClientUrl" . }} +{{- end }} +{{- end }} + +{{/* +Define github-enterprise values +*/}} +{{- define "snyk-broker.githubEnterprise" -}} +{{- if eq .Values.scmType "github-enterprise" }} +{{- include "snyk-broker.brokerToken" . 
}} +{{- include "snyk-broker.scmTokenOrPool" . }} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.brokerClientUrl" . }} +- name: GITHUB + value: {{ .Values.github }} +- name: GITHUB_API + value: {{ .Values.githubApi }} +- name: GITHUB_GRAPHQL + value: {{ .Values.githubGraphQl}} +{{- end }} +{{- end }} + +{{/* +Define gitlab values +*/}} +{{- define "snyk-broker.gitlab" -}} +{{- if eq .Values.scmType "gitlab" }} +{{- include "snyk-broker.brokerToken" . }} +{{- include "snyk-broker.scmTokenOrPool" . }} +- name: GITLAB + value: {{ .Values.gitlab }} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.brokerClientUrl" . }} +{{- end }} +{{- end }} + +{{/* +Define bitbucket-server values +*/}} +{{- define "snyk-broker.bitbucketServer" -}} +{{- if eq .Values.scmType "bitbucket-server" }} +{{- include "snyk-broker.brokerToken" . }} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.brokerClientUrl" . }} +{{- include "snyk-broker.scmTokenOrPool" . }} +- name: BITBUCKET_USERNAME + value: {{ .Values.bitbucketUsername }} +{{- include "snyk-broker.scmTokenOrPool" . }} +- name: BITBUCKET + value: {{ .Values.bitbucket }} +- name: BITBUCKET_API + value: {{ .Values.bitbucketApi }} +{{- end }} +{{- end }} + +{{/* +Define bitbucket-server-bearer-auth values +*/}} +{{- define "snyk-broker.bitbucketServerBearerAuth" -}} +{{- if eq .Values.scmType "bitbucket-server-bearer-auth" }} +{{- include "snyk-broker.brokerToken" . -}} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.brokerClientUrl" . }} +{{- include "snyk-broker.scmTokenOrPool" . }} +- name: BITBUCKET + value: {{ .Values.bitbucket }} +- name: BITBUCKET_API + value: {{ .Values.bitbucketApi }} +{{- end }} +{{- end }} + +{{/* +Define azure-repos values +*/}} +{{- define "snyk-broker.azureRepos" -}} +{{- if eq .Values.scmType "azure-repos" }} +{{- include "snyk-broker.brokerToken" . }} +{{- include "snyk-broker.brokerClientPort" . 
}} +{{- include "snyk-broker.brokerClientUrl" . }} +{{- include "snyk-broker.scmTokenOrPool" . }} +- name: AZURE_REPOS_ORG + value: {{ .Values.azureReposOrg }} +- name: AZURE_REPOS_HOST + value: {{ .Values.azureReposHost }} +{{- end }} +{{- end }} + +{{/* +Define artifactory values +*/}} +{{- define "snyk-broker.artifactory" -}} +{{- if eq .Values.scmType "artifactory" }} +{{- include "snyk-broker.brokerToken" . }} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.brokerClientUrl" . }} +{{- include "snyk-broker.artifactoryUrl" . }} +{{- if .Values.brokerClientValidationUrl }} +{{- include "snyk-broker.brokerClientValidationUrl" . }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Define Nexus 3/2 values +*/}} +{{- define "snyk-broker.nexus" -}} +{{- if contains "nexus" .Values.scmType }} +{{- if and .Values.nexusUrlSecret.name .Values.baseNexusUrlSecret.name -}} +{{- if eq .Values.nexusUrlSecret.name .Values.baseNexusUrlSecret.name -}} +{{- fail "Secret names for nexusUrlSecret and baseNexusUrlSecret must be unique" -}} +{{- end }} +{{- end }} +{{- include "snyk-broker.brokerToken" . }} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.baseNexusUrl" . }} +{{- include "snyk-broker.nexusUrl" . }} +{{- if .Values.brokerClientValidationUrl }} +{{- include "snyk-broker.brokerClientValidationUrl" . }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Define Jira +*/}} +{{- define "snyk-broker.jira" -}} +{{- if eq .Values.scmType "jira" }} +{{- include "snyk-broker.brokerToken" . }} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.brokerClientUrl" . }} +- name: JIRA_USERNAME + value: {{ .Values.jiraUsername }} +{{- include "snyk-broker.scmTokenOrPool" . 
}} +- name: JIRA_HOSTNAME + value: {{ .Values.jiraHostname }} +{{- end }} +{{- end }} + +{{/* +Define Jira Bearer Auth +*/}} +{{- define "snyk-broker.jiraBearerAuth" -}} +{{- if eq .Values.scmType "jira-bearer-auth" }} +{{- include "snyk-broker.brokerToken" . }} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.brokerClientUrl" . }} +{{- include "snyk-broker.scmTokenOrPool" . }} +- name: JIRA_HOSTNAME + value: {{ .Values.jiraHostname }} +{{- end }} +{{- end }} + +{{/* +Define Container Registry Agent +*/}} +{{- define "snyk-broker.containerRegistryAgent" }} +{{- if eq .Values.scmType "container-registry-agent" }} +{{- include "snyk-broker.brokerToken" . }} +- name: CR_AGENT_URL + value: http://cra-service{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}:{{ .Values.deployment.container.crSnykPort | toString }} +- name: CR_TYPE + value: {{ .Values.crType }} +{{- if not (has .Values.crType (list "ecr")) }} +- name: CR_BASE + value: {{ .Values.crBase }} +{{- else }} +- name: CR_ROLE_ARN + value: {{ .Values.crRoleArn }} +- name: CR_REGION + value: {{ .Values.crRegion }} +- name: CR_EXTERNAL_ID + value: {{ .Values.crExternalId }} +{{- end }} +{{- if not (has .Values.crType (list "ecr" "digitalocean-cr")) }} +- name: CR_USERNAME + value: {{ .Values.crUsername }} +{{- end }} +{{- include "snyk-broker.scmToken" . }} +{{- include "snyk-broker.brokerClientPort" . }} +{{- include "snyk-broker.brokerClientUrl" . }} +- name: BROKER_CLIENT_VALIDATION_URL + value: http://cra-service{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}:{{ .Values.deployment.container.crSnykPort | toString }}/healthcheck +{{- end }} +{{- end }} diff --git a/charts/snyk-broker/templates/broker_deployment.yaml b/charts/snyk-broker/templates/broker_deployment.yaml index 4e627b1..3e4e7ae 100644 --- a/charts/snyk-broker/templates/broker_deployment.yaml +++ b/charts/snyk-broker/templates/broker_deployment.yaml 
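Review bot: `snyk-broker.bitbucketServer` includes `snyk-broker.scmTokenOrPool` twice, once before `BITBUCKET_USERNAME` and once after it, so the rendered env list carries two `BITBUCKET_PASSWORD` entries; the removed deployment code emitted it once, after `BITBUCKET_USERNAME`, so the first include should go. `snyk-broker.scmToken` now suppresses the single token only under `and .Values.scmTokenPool .Values.useExternalSecretScmTokenPool`, whereas the removed code used `not .Values.useExternalSecretScmTokenPool`; with `useExternalSecretScmTokenPool: true` and no `scmTokenPool` value the pod now additionally references `<scmType>-token-<release>`, which such an operator never created — if that is unintended, `{{- if not .Values.useExternalSecretScmTokenPool }}` restores the previous behaviour. The default pool key also changes from `<scmType>-token-key-pool`, as the old deployment and patch 1's secrets.yaml spell it, to `<scmType>-token-pool-key`; if secrets.yaml was updated to match (its hunk is not in this chunk) chart-managed Secrets are fine, but pool Secrets pre-created with the old key will fail at container start and this deserves a changelog note. The `$suffix` variables in the `*SecretKey` helpers and in `snyk-broker.nexusUrl` are unused and can be dropped.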
@@ -107,293 +107,17 @@ spec: value: {{ .Values.healthCheckPath }} - name: BROKER_SYSTEMCHECK_PATH value: {{ .Values.systemCheckPath }} - {{- if eq .Values.scmType "github-com" }} - # GitHub - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - {{- if not .Values.useExternalSecretScmTokenPool }} - - name: GITHUB_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" - {{- end }} - {{- if or (.Values.scmTokenPool) (.Values.useExternalSecretScmTokenPool) }} - - name: GITHUB_TOKEN_POOL - valueFrom: - secretKeyRef: - name: {{ .Values.scmType }}-token-pool{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key-pool" - {{- end }} - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: {{ .Values.brokerClientUrl }} - {{- end }} - {{- if eq .Values.scmType "github-enterprise" }} - # GitHub Enterprise - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - {{- if not .Values.useExternalSecretScmTokenPool }} - - name: GITHUB_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" - {{- end }} - {{- if or (.Values.scmTokenPool) (.Values.useExternalSecretScmTokenPool) }} - - name: GITHUB_TOKEN_POOL - valueFrom: - secretKeyRef: - name: {{ .Values.scmType }}-token-pool{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key-pool" - {{- end }} - - name: GITHUB - value: {{ .Values.github }} - - 
name: GITHUB_API - value: {{ .Values.githubApi }} - - name: GITHUB_GRAPHQL - value: {{ .Values.githubGraphQl}} - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: {{ .Values.brokerClientUrl }} - - {{- end }} - {{- if eq .Values.scmType "bitbucket-server" }} - # Bitbucket - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - - name: BITBUCKET_USERNAME - value: {{ .Values.bitbucketUsername }} - - name: BITBUCKET_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" - - name: BITBUCKET - value: {{ .Values.bitbucket }} - - name: BITBUCKET_API - value: {{ .Values.bitbucketApi }} - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: {{ .Values.brokerClientUrl }} - {{- end }} - {{- if eq .Values.scmType "bitbucket-server-bearer-auth" }} - # Bitbucket Bearer Auth - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - - name: BITBUCKET_PAT - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" - - name: BITBUCKET - value: {{ .Values.bitbucket }} - - name: BITBUCKET_API - value: {{ .Values.bitbucketApi }} - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: {{ .Values.brokerClientUrl }} - {{- end }} - {{- if eq .Values.scmType "gitlab" }} - # GitLab - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not 
.Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - {{- if not .Values.useExternalSecretScmTokenPool }} - - name: GITLAB_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" - {{- end }} - {{- if or (.Values.scmTokenPool) (.Values.useExternalSecretScmTokenPool) }} - - name: GITLAB_TOKEN_POOL - valueFrom: - secretKeyRef: - name: {{ .Values.scmType }}-token-pool{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key-pool" - {{- end }} - - name: GITLAB - value: {{ .Values.gitlab }} - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: {{ .Values.brokerClientUrl }} - {{- end }} - {{- if eq .Values.scmType "azure-repos" }} - # Azure Repos - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - - name: AZURE_REPOS_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" - - name: AZURE_REPOS_ORG - value: {{ .Values.azureReposOrg }} - - name: AZURE_REPOS_HOST - value: {{ .Values.azureReposHost }} - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: {{ .Values.brokerClientUrl }} - {{- end }} - {{- if eq .Values.scmType "artifactory" }} - # Artifactory - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - - name: ARTIFACTORY_URL - valueFrom: - secretKeyRef: - name: artifactory-url{{if not .Values.disableSuffixes 
}}-{{ .Release.Name }}{{ end }} - key: "artifactory-url" - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: {{ .Values.brokerClientUrl }} - {{- if .Values.brokerClientValidationUrl }} - - name: BROKER_CLIENT_VALIDATION_URL - valueFrom: - secretKeyRef: - name: artifactory-broker-client-validation-url{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "artifactory-broker-client-validation-url" - {{- end }} - {{- end }} - {{- if or (eq .Values.scmType "nexus") (eq .Values.scmType "nexus2") }} - # Nexus (3 or 2) - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType }}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - - name: BASE_NEXUS_URL - valueFrom: - secretKeyRef: - name: {{ .Values.scmType }}-base-nexus-url{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-base-nexus-url" - - name: NEXUS_URL - valueFrom: - secretKeyRef: - name: {{ .Values.scmType }}-nexus-url{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-nexus-url" - - name: BROKER_CLIENT_VALIDATION_URL - valueFrom: - secretKeyRef: - name: nexus-broker-client-validation-url{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "nexus-broker-client-validation-url" - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - {{- end }} - {{- if eq .Values.scmType "jira" }} - # Jira - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - - name: JIRA_USERNAME - value: {{ .Values.jiraUsername }} - - name: JIRA_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ 
.Values.scmType}}-token-key" - - name: JIRA_HOSTNAME - value: {{ .Values.jiraHostname }} - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: {{ .Values.brokerClientUrl }} - {{- end }} - {{- if eq .Values.scmType "jira-bearer-auth" }} - # Jira - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - - name: JIRA_PAT - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" - - name: JIRA_HOSTNAME - value: {{ .Values.jiraHostname }} - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: {{ .Values.brokerClientUrl }} - {{- end }} - {{- if eq .Values.scmType "container-registry-agent" }} - # Container Registry Agent - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-broker-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-broker-token-key" - - name: CR_AGENT_URL - value: http://cra-service{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}:{{ .Values.deployment.container.crSnykPort | toString }} - - name: CR_TYPE - value: {{ .Values.crType }} - {{- if not (has .Values.crType (list "ecr")) }} - - name: CR_BASE - value: {{ .Values.crBase }} - {{- end }} - {{- if not (has .Values.crType (list "ecr" "digitalocean-cr")) }} - - name: CR_USERNAME - value: {{ .Values.crUsername }} - - name: CR_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" - {{- end }} - {{- if has .Values.crType (list "digitalocean-cr") }} - - name: CR_TOKEN - valueFrom: - secretKeyRef: - name: {{ 
.Values.scmType}}-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - key: "{{ .Values.scmType}}-token-key" - {{- end }} - {{- if has .Values.crType (list "ecr") }} - - name: CR_ROLE_ARN - value: {{ .Values.crRoleArn }} - - name: CR_REGION - value: {{ .Values.crRegion }} - - name: CR_EXTERNAL_ID - value: {{ .Values.crExternalId }} - {{- end }} - - name: PORT - value: {{ .Values.deployment.container.containerPort | squote }} - - name: BROKER_CLIENT_URL - value: "http://{{ include "snyk-broker.brokerServiceName" . }}:{{ .Values.service.port }}" - - name: BROKER_CLIENT_VALIDATION_URL - value: http://cra-service{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}:{{ .Values.deployment.container.crSnykPort | toString }}/healthcheck - {{- end }} +{{- include "snyk-broker.githubCom" . | indent 12 }} +{{- include "snyk-broker.githubEnterprise" . | indent 12 }} +{{- include "snyk-broker.gitlab" . | indent 12 }} +{{- include "snyk-broker.bitbucketServer" . | indent 12 }} +{{- include "snyk-broker.bitbucketServerBearerAuth" . | indent 12 }} +{{- include "snyk-broker.azureRepos" . | indent 12 }} +{{- include "snyk-broker.artifactory" . | indent 12 }} +{{- include "snyk-broker.nexus" . | indent 12 }} +{{- include "snyk-broker.jira" . | indent 12 }} +{{- include "snyk-broker.jiraBearerAuth" . | indent 12 }} +{{- include "snyk-broker.containerRegistryAgent" . | indent 12 }} {{- if .Values.enableCodeAgent }} # Code Agent - name: GIT_CLIENT_URL @@ -476,7 +200,7 @@ spec: {{- if not .Values.preflightChecks.enabled }} - name: PREFLIGHT_CHECKS_ENABLED value: "false" - {{- end}} + {{- end }} {{- if .Values.highAvailabilityMode.enabled }} - name: BROKER_HA_MODE_ENABLED value: "true" 
@@ -495,12 +219,12 @@ spec: configMap: name: {{ include "snyk-broker.fullname" . }}-accept-configmap{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} {{- end }} - {{- if or (.Values.caCert) (.Values.caCertFile) }} + {{- if or (.Values.caCert) ( or ( and .Values.caCertFileSecret.name .Values.caCertFileSecret.key ) .Values.caCertFile) }} - name: {{ include "snyk-broker.fullname" . }}-cacert-volume secret: secretName: {{ include "snyk-broker.caCertSecretName" . }} {{- end }} - {{- if and (.Values.httpsCert) (.Values.httpsKey) }} + {{- if or .Values.httpsSecret.name ( and (.Values.httpsCert) (.Values.httpsKey) ) }} - name: {{ include "snyk-broker.fullname" . }}-tls-secret-volume secret: secretName: {{ include "snyk-broker.tlsSecretName" . }} diff --git a/charts/snyk-broker/templates/secrets.yaml b/charts/snyk-broker/templates/secrets.yaml index 74ac911..1fa08e1 100644 --- a/charts/snyk-broker/templates/secrets.yaml +++ b/charts/snyk-broker/templates/secrets.yaml 
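Review bot: The CA-volume condition `{{- if or (.Values.caCert) ( or ( and .Values.caCertFileSecret.name .Values.caCertFileSecret.key ) .Values.caCertFile) }}` nests a second `or` that Go templates do not need, since `or` is variadic; `{{- if or .Values.caCert .Values.caCertFile (and .Values.caCertFileSecret.name .Values.caCertFileSecret.key) }}` says the same thing in the shape of the TLS condition two lines below. The two conditions are also asymmetric: the CA volume needs both `caCertFileSecret.name` and `.key`, while the TLS volume is mounted on `httpsSecret.name` alone, so a `caCertFileSecret.name` given without a key silently mounts nothing and the broker runs without the intended trust anchor. A comment above the condition stating that both fields are required (or a `fail` in `snyk-broker.caCertSecretName` when only one is set) would make that visible. The surrounding `volumes:` list and its closing `{{- end }}` continue outside the hunk.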
@@ -1,167 +1,85 @@ -{{ $suffix := ( .Values.disableSuffixes | default false ) | ternary "" ( printf "-%s" .Release.Name ) }} -{{- if and .Values.brokerToken .Values.createSecrets }} +{{- $scmToken := coalesce .Values.scmToken .Values.bitbucketPassword .Values.bitbucketPat .Values.azureReposToken .Values.jiraPassword .Values.jiraPat .Values.crPassword .Values.crToken | default "" }} +{{- if .Values.brokerToken }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.scmType}}-broker-token{{ $suffix }} + name: {{ include "snyk-broker.brokerTokenSecretName" . }} type: Opaque data: - "{{ .Values.scmType}}-broker-token-key": {{ .Values.brokerToken | b64enc | quote }} + {{ include "snyk-broker.brokerTokenSecretKey" . }} : {{ .Values.brokerToken | b64enc | quote }} --- {{- end }} -{{- if and .Values.scmToken .Values.createSecrets }} +{{- if .Values.scmTokenPool }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.scmType}}-token{{ $suffix }} + name: {{ include "snyk-broker.scmTokenPoolSecretName" . 
}} type: Opaque data: - "{{ .Values.scmType}}-token-key": {{ .Values.scmToken | b64enc | quote }} -{{- end }} ---- -{{- if and .Values.scmTokenPool .Values.createSecrets }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.scmType }}-token-pool{{ $suffix }} -type: Opaque -data: - "{{ .Values.scmType }}-token-key-pool": {{ .Values.scmTokenPool | b64enc | quote }} -{{- end }} ---- -{{- if and .Values.bitbucketPassword .Values.createSecrets }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.scmType}}-token{{ $suffix }} -type: Opaque -data: - "{{ .Values.scmType}}-token-key": {{ .Values.bitbucketPassword | b64enc | quote }} ---- -{{- end }} -{{- if and .Values.bitbucketPat .Values.createSecrets }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.scmType}}-token{{ $suffix }} -type: Opaque -stringData: - "{{ .Values.scmType}}-token-key": {{ .Values.bitbucketPat | quote }} ---- -{{- end }} -{{- if and .Values.azureReposToken .Values.createSecrets }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.scmType}}-token{{ $suffix }} -type: Opaque -data: - "{{ .Values.scmType}}-token-key": {{ .Values.azureReposToken | b64enc | quote }} + {{ include "snyk-broker.scmTokenPoolSecretKey" . }} : {{ .Values.scmTokenPool | b64enc | quote }} --- {{- end }} -{{- if and .Values.jiraPassword .Values.createSecrets }} +{{- if $scmToken }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.scmType}}-token{{ $suffix }} + name: {{ include "snyk-broker.scmTokenSecretName" . }} type: Opaque data: - "{{ .Values.scmType}}-token-key": {{ .Values.jiraPassword | b64enc | quote }} + {{ include "snyk-broker.scmTokenSecretKey" . 
}} : {{ $scmToken | b64enc | quote }} --- {{- end }} -{{- if and .Values.jiraPat .Values.createSecrets }} +{{- if .Values.snykToken }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.scmType}}-token{{ $suffix }} + name: snyk-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} type: Opaque data: - "{{ .Values.scmType}}-token-key": {{ .Values.jiraPat | b64enc | quote }} + snyk-token-key : {{ .Values.snykToken | b64enc | quote }} --- {{- end }} -{{- if and .Values.crPassword .Values.createSecrets }} +{{- if .Values.artifactoryUrl }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.scmType}}-token{{ $suffix }} + name: {{ include "snyk-broker.artifactoryUrlSecretName" . }} type: Opaque data: - "{{ .Values.scmType}}-token-key": {{ .Values.crPassword | b64enc | quote }} + {{ include "snyk-broker.artifactoryUrlSecretKey" . }} : {{ .Values.artifactoryUrl | b64enc | quote }} --- {{- end }} -{{- if and .Values.crToken .Values.createSecrets }} +{{- if and ( or .Values.baseNexusUrl .Values.nexusUrl .Values.artifactoryUrl) (.Values.brokerClientValidationUrl) }} apiVersion: v1 kind: Secret metadata: - name: {{ .Values.scmType}}-token{{ $suffix }} + name: {{ include "snyk-broker.brokerClientValidationUrlSecretName" . }} type: Opaque data: - "{{ .Values.scmType}}-token-key": {{ .Values.crToken | b64enc | quote }} + {{ include "snyk-broker.brokerClientValidationUrlSecretKey" . }} : {{ .Values.brokerClientValidationUrl | b64enc | quote }} --- {{- end }} -{{- if and .Values.snykToken .Values.createSecrets }} +{{- if .Values.baseNexusUrl }} apiVersion: v1 kind: Secret metadata: - name: snyk-token{{ $suffix }} + name: {{ include "snyk-broker.baseNexusUrlSecretName" . 
}} type: Opaque data: - "snyk-token-key": {{ .Values.snykToken | b64enc | quote }} ---- -{{- end }} -{{- if and .Values.artifactoryUrl .Values.createSecrets }} -apiVersion: v1 -kind: Secret -metadata: - name: artifactory-url{{ $suffix }} -type: Opaque -stringData: - artifactory-url: {{ .Values.artifactoryUrl | quote }} ---- -{{- end }} -{{- if and (.Values.artifactoryUrl) (.Values.brokerClientValidationUrl) .Values.createSecrets }} -apiVersion: v1 -kind: Secret -metadata: - name: artifactory-broker-client-validation-url{{ $suffix }} -type: Opaque -stringData: - artifactory-broker-client-validation-url: {{ .Values.brokerClientValidationUrl | quote }} + {{ include "snyk-broker.baseNexusUrlSecretKey" . }} : {{ .Values.baseNexusUrl | b64enc | quote }} --- {{- end }} -{{- if and .Values.baseNexusUrl .Values.createSecrets }} +{{- if .Values.nexusUrl }} apiVersion: v1 kind: Secret metadata: - name: nexus-base-nexus-url{{ $suffix }} + name: {{ include "snyk-broker.nexusUrlSecretName" . }} type: Opaque data: - "nexus-base-nexus-url": {{ .Values.baseNexusUrl | b64enc | quote }} + {{ include "snyk-broker.nexusUrlSecretKey" . }} : {{ .Values.nexusUrl | b64enc | quote }} --- {{- end}} -{{- if and .Values.nexusUrl .Values.createSecrets }} -apiVersion: v1 -kind: Secret -metadata: - name: nexus-nexus-url{{ $suffix }} -type: Opaque -data: - "nexus-nexus-url": {{ .Values.nexusUrl | b64enc | quote }} ---- -{{- end}} -{{ if or (.Values.baseNexusUrl) (.Values.nexusUrl) }} - {{- if and .Values.brokerClientValidationUrl .Values.createSecrets }} -apiVersion: v1 -kind: Secret -metadata: - name: nexus-broker-client-validation-url{{ $suffix }} -type: Opaque -stringData: - nexus-broker-client-validation-url: {{ .Values.brokerClientValidationUrl | quote }} ---- - {{- end }} -{{- end }} -{{- if and (.Values.httpsCert) (.Values.httpsKey) .Values.createSecrets }} +{{- if and (.Values.httpsCert) (.Values.httpsKey) }} apiVersion: v1 kind: Secret metadata: 
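Review bot: On the new side this template gates every Secret only on its value (`{{- if .Values.brokerToken }}`, `{{- if $scmToken }}`, `{{- if .Values.snykToken }}`, …) and never reads `useExternalSecrets`, although values.yaml in this same diff describes that flag as the way to "provide your own pre-existing secrets"; unless a helper outside the diff consults it, a user who sets `useExternalSecrets: true` but leaves a token in values still gets the credential written into the cluster under the external Secret's name, and the new "Does not create any secrets" test only passes because it also blanks `brokerToken` and `snykToken`. `{{- $scmToken := coalesce .Values.scmToken .Values.bitbucketPassword … | default "" }}` silently takes the first non-empty of eight values, so two populated credentials (say `bitbucketPassword` and `bitbucketPat`) no longer collide as duplicate Secrets but one is dropped without any message; a `fail` when more than one is set would surface that misconfiguration. The data keys are now emitted unquoted with a space before the colon (`{{ include "snyk-broker.brokerTokenSecretKey" . }} : …`), whereas the old template quoted them; a user-supplied `externalCredentialSecret.key` that looks like a number or boolean would be retyped by the YAML parser, so `"{{ include "snyk-broker.brokerTokenSecretKey" . }}": …` is the safer form. The `snyk-token` Secret still hard-codes `name: snyk-token{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }}` and `snyk-token-key` while the schema hunk adds `snykTokenSecret`; presumably it should go through a name/key helper like the others. The TLS Secret block at the end of the hunk continues outside it.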
@@ -172,7 +90,7 @@ data: tls.key: {{ (.Files.Get .Values.httpsKey) | b64enc | quote }} --- {{- end }} -{{- if and (or .Values.caCert .Values.caCertFile) .Values.createSecrets }} +{{- if or .Values.caCert .Values.caCertFile }} apiVersion: v1 kind: Secret metadata: diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_artifactory_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_artifactory_test.yaml.snap index 968001c..088f2d8 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_artifactory_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_artifactory_test.yaml.snap @@ -35,15 +35,15 @@ should render artifactoryUrl and brokerClientValidationUrl as secrets: secretKeyRef: key: artifactory-broker-token-key name: artifactory-broker-token-RELEASE-NAME + - name: PORT + value: "8000" + - name: BROKER_CLIENT_URL + value: http://brokerclient - name: ARTIFACTORY_URL valueFrom: secretKeyRef: key: artifactory-url name: artifactory-url-RELEASE-NAME - - name: PORT - value: "8000" - - name: BROKER_CLIENT_URL - value: http://brokerclient - name: BROKER_CLIENT_VALIDATION_URL valueFrom: secretKeyRef: @@ -135,19 +135,19 @@ should render artifactoryUrl and brokerClientValidationUrl as secrets: type: Opaque 5: | apiVersion: v1 + data: + artifactory-url: dXNlcm5hbWU6cGFzc3dvcmRAeW91ci1kb21haW4uY29tL2FydGlmYWN0b3J5 kind: Secret metadata: name: artifactory-url-RELEASE-NAME - stringData: - artifactory-url: username:password@your-domain.com/artifactory type: Opaque 6: | apiVersion: v1 + data: + artifactory-broker-client-validation-url: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vYXJ0aWZhY3RvcnkvYXBpL3N5c3RlbS9waW5n kind: Secret metadata: name: artifactory-broker-client-validation-url-RELEASE-NAME - stringData: - artifactory-broker-client-validation-url: https://username:password@your-domain.com/artifactory/api/system/ping type: Opaque 7: | apiVersion: v1 
diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_scm_token_pool_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_scm_token_pool_test.yaml.snap index 217ec69..23079b5 100644 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_scm_token_pool_test.yaml.snap +++ b/charts/snyk-broker/tests/__snapshot__/broker_deployment_scm_token_pool_test.yaml.snap @@ -43,7 +43,7 @@ github token pool configured: - name: GITHUB_TOKEN_POOL valueFrom: secretKeyRef: - key: github-com-token-key-pool + key: github-com-token-pool-key name: github-com-token-pool-RELEASE-NAME - name: PORT value: "8000" @@ -132,7 +132,7 @@ github token pool configured: 4: | apiVersion: v1 data: - github-com-token-key-pool: Z2hfdG9rZW4xLGdoX3Rva2VuMixnaF90b2tlbjM= + github-com-token-pool-key: Z2hfdG9rZW4xLGdoX3Rva2VuMixnaF90b2tlbjM= kind: Secret metadata: name: github-com-token-pool-RELEASE-NAME @@ -193,10 +193,15 @@ github token pool configured with enabled useExternalSecretScmTokenPool: secretKeyRef: key: github-com-broker-token-key name: github-com-broker-token-RELEASE-NAME + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + key: github-com-token-key + name: github-com-token-RELEASE-NAME - name: GITHUB_TOKEN_POOL valueFrom: secretKeyRef: - key: github-com-token-key-pool + key: github-com-token-pool-key name: github-com-token-pool-RELEASE-NAME - name: PORT value: "8000" @@ -346,7 +351,7 @@ gitlab token pool configured: - name: GITLAB_TOKEN_POOL valueFrom: secretKeyRef: - key: gitlab-token-key-pool + key: gitlab-token-pool-key name: gitlab-token-pool-RELEASE-NAME - name: GITLAB value: null @@ -437,7 +442,7 @@ gitlab token pool configured: 4: | apiVersion: v1 data: - gitlab-token-key-pool: Z2xfdG9rZW5fMSxnbF90b2tlbl8y + gitlab-token-pool-key: Z2xfdG9rZW5fMSxnbF90b2tlbl8y kind: Secret metadata: name: gitlab-token-pool-RELEASE-NAME 
diff --git a/charts/snyk-broker/tests/broker_deployment_disable_secret_creation_test.yaml b/charts/snyk-broker/tests/broker_deployment_disable_secret_creation_test.yaml new file mode 100644 index 0000000..71f4702 --- /dev/null +++ b/charts/snyk-broker/tests/broker_deployment_disable_secret_creation_test.yaml @@ -0,0 +1,26 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json +suite: test secrets +chart: + version: 0.0.0 +templates: + - secrets.yaml + - broker_deployment.yaml +values: + - ./fixtures/default_values.yaml +set: + useExternalSecrets: true + +tests: + - it: Does not create any secrets + set: + brokerToken: "" + snykToken: "" + asserts: + - hasDocuments: + count: 0 + template: secrets.yaml + - it: Does not error with empty broker token + set: + brokerToken: "" + asserts: + - notFailedTemplate: {} diff --git a/charts/snyk-broker/tests/broker_deployment_nexus_test.yaml b/charts/snyk-broker/tests/broker_deployment_nexus_test.yaml index ac657e6..c9a6b53 100644 --- a/charts/snyk-broker/tests/broker_deployment_nexus_test.yaml +++ b/charts/snyk-broker/tests/broker_deployment_nexus_test.yaml @@ -27,8 +27,8 @@ tests: path: metadata.name value: nexus-broker-client-validation-url - equal: - path: stringData.nexus-broker-client-validation-url - value: https://username:password@your-domain.com/service/rest/v1/status/check + path: data.nexus-broker-client-validation-url + value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vc2VydmljZS9yZXN0L3YxL3N0YXR1cy9jaGVjaw== documentSelector: path: metadata.name value: nexus-broker-client-validation-url 
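Review bot: The `equal` assertion in this hunk (and the two at `@@ -74` and `@@ -114`) now compares `data.nexus-broker-client-validation-url` against an opaque base64 literal, so a reader can no longer see that the expected value is still `https://username:password@your-domain.com/service/rest/v1/status/check`. If the helm-unittest version in use supports it, `decodeBase64: true` on the `equal` assertion keeps the plain URL in the test; otherwise a comment above each assertion naming the decoded value would preserve that readability.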
@@ -74,8 +74,8 @@ tests: path: metadata.name value: nexus-broker-client-validation-url - equal: - path: stringData.nexus-broker-client-validation-url - value: https://username:password@your-domain.com/service/rest/v1/status/check + path: data.nexus-broker-client-validation-url + value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vc2VydmljZS9yZXN0L3YxL3N0YXR1cy9jaGVjaw== documentSelector: path: metadata.name value: nexus-broker-client-validation-url @@ -114,8 +114,8 @@ tests: path: metadata.name value: nexus-broker-client-validation-url - equal: - path: stringData.nexus-broker-client-validation-url - value: https://username:password@your-domain.com/service/rest/v1/status/check + path: data.nexus-broker-client-validation-url + value: aHR0cHM6Ly91c2VybmFtZTpwYXNzd29yZEB5b3VyLWRvbWFpbi5jb20vc2VydmljZS9yZXN0L3YxL3N0YXR1cy9jaGVjaw== documentSelector: path: metadata.name value: nexus-broker-client-validation-url diff --git a/charts/snyk-broker/tests/broker_deployment_rename_secrets_test.yaml b/charts/snyk-broker/tests/broker_deployment_rename_secrets_test.yaml new file mode 100644 index 0000000..57826b5 --- /dev/null +++ b/charts/snyk-broker/tests/broker_deployment_rename_secrets_test.yaml 
@@ -0,0 +1,384 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json +suite: test secrets +chart: + version: 0.0.0 +templates: + - secrets.yaml + - broker_deployment.yaml +values: + - ./fixtures/default_values.yaml + +tests: + - it: Sets the name and key for scm token + set: + externalCredentialSecret.name: my-cool-secret + externalCredentialSecret.key: my-cool-key + scmToken: fake_token + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + name: my-cool-secret + key: my-cool-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-cool-key + documentSelector: + path: metadata.name + value: my-cool-secret + template: secrets.yaml + + - it: Sets the name and key for scm token via bitbucket pat + set: + externalCredentialSecret.name: my-cool-secret + externalCredentialSecret.key: my-cool-key + scmType: bitbucket-server-bearer-auth + bitbucketPat: fake_token + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: BITBUCKET_PAT + valueFrom: + secretKeyRef: + name: my-cool-secret + key: my-cool-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-cool-key + documentSelector: + path: metadata.name + value: my-cool-secret + template: secrets.yaml + + - it: Sets the name and key for scm token via bitbucket password + set: + externalCredentialSecret.name: my-cool-secret + externalCredentialSecret.key: my-cool-key + scmType: bitbucket-server + bitbucketPassword: fake_pwd + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: BITBUCKET_PASSWORD + valueFrom: + secretKeyRef: + name: my-cool-secret + key: my-cool-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-cool-key + documentSelector: + path: metadata.name + value: my-cool-secret + template: secrets.yaml + + - 
it: Sets the name and key for scm token via gitlab + set: + externalCredentialSecret.name: my-cool-secret + externalCredentialSecret.key: my-cool-key + scmType: gitlab + scmToken: gl_token + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: GITLAB_TOKEN + valueFrom: + secretKeyRef: + name: my-cool-secret + key: my-cool-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-cool-key + documentSelector: + path: metadata.name + value: my-cool-secret + template: secrets.yaml + + - it: Sets the name and key for scm token via azure-repos + set: + externalCredentialSecret.name: my-cool-secret + externalCredentialSecret.key: my-cool-key + scmType: azure-repos + azureReposToken: fake_token + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: AZURE_REPOS_TOKEN + valueFrom: + secretKeyRef: + name: my-cool-secret + key: my-cool-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-cool-key + documentSelector: + path: metadata.name + value: my-cool-secret + template: secrets.yaml + + - it: Sets the name and key for scm token via jira + set: + externalCredentialSecret.name: my-cool-secret + externalCredentialSecret.key: my-cool-key + scmType: jira + jiraPassword: fake_pwd + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: JIRA_PASSWORD + valueFrom: + secretKeyRef: + name: my-cool-secret + key: my-cool-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-cool-key + documentSelector: + path: metadata.name + value: my-cool-secret + template: secrets.yaml + + - it: Sets the name and key for scm token via jira-pat + set: + externalCredentialSecret.name: my-cool-secret + externalCredentialSecret.key: my-cool-key + scmType: jira-bearer-auth + jiraPat: fake_jira_pat + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: JIRA_PAT + valueFrom: + 
secretKeyRef: + name: my-cool-secret + key: my-cool-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-cool-key + documentSelector: + path: metadata.name + value: my-cool-secret + template: secrets.yaml + + - it: Sets the name and key for scm token via cr password + set: + externalCredentialSecret.name: my-cool-secret + externalCredentialSecret.key: my-cool-key + scmType: container-registry-agent + crType: "gcr" + crPassword: fake_pwd + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CR_PASSWORD + valueFrom: + secretKeyRef: + name: my-cool-secret + key: my-cool-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-cool-key + documentSelector: + path: metadata.name + value: my-cool-secret + template: secrets.yaml + + - it: Sets the name and key for scm token via cr token + set: + externalCredentialSecret.name: my-cool-secret + externalCredentialSecret.key: my-cool-key + scmType: container-registry-agent + crType: "digitalocean-cr" + crToken: fake_token + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CR_TOKEN + valueFrom: + secretKeyRef: + name: my-cool-secret + key: my-cool-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-cool-key + documentSelector: + path: metadata.name + value: my-cool-secret + template: secrets.yaml + + - it: Sets the name and key for scm token pool + set: + scmTokenPoolSecret.name: my-external-pool + scmTokenPoolSecret.key: my-pool-of-keys + scmToken: "" + scmTokenPool: fake_token,another_fake_token + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: GITHUB_TOKEN_POOL + valueFrom: + secretKeyRef: + name: my-external-pool + key: my-pool-of-keys + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-pool-of-keys + documentSelector: + path: metadata.name + value: my-external-pool + template: secrets.yaml + + 
- it: Sets the name and key for artifactory secrets + set: + scmType: artifactory + artifactoryUrl: artifactory.corp.io + brokerClientValidationUrl: https://artifactory.corp.io/api/system/ping + artifactoryUrlSecret.name: external-artifactory-url + artifactoryUrlSecret.key: my-custom-key + brokerClientValidationUrlSecret.name: artifactory-url-for-validation + key: my-other-custom-key + scmToken: "" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ARTIFACTORY_URL + valueFrom: + secretKeyRef: + name: external-artifactory-url + key: my-custom-key + documentSelector: + path: kind + value: Deployment + - exists: + path: data.my-custom-key + documentSelector: + path: metadata.name + value: external-artifactory-url + template: secrets.yaml + - exists: + path: data.artifactory-broker-client-validation-url + documentSelector: + path: metadata.name + value: artifactory-url-for-validation + template: secrets.yaml + + - it: Rejects duplicative names for nexus secrets + set: + scmType: nexus + nexusUrl: https://user:@nexus.corp.io/repository + baseNexusUrl: https://user:@nexus.corp.io + brokerClientValidationUrl: https://nexus.corp.io/service/rest/v1/status/check + nexusUrlSecret.name: private-nexus + baseNexusUrlSecret.name: private-nexus + asserts: + - failedTemplate: + errorMessage: Secret names for nexusUrlSecret and baseNexusUrlSecret must be unique + template: broker_deployment.yaml + + - it: Sets names for nexus secrets, retaining default keys + set: + scmType: nexus + nexusUrl: https://user:@nexus.corp.io/repository + baseNexusUrl: https://user:@nexus.corp.io + brokerClientValidationUrl: https://nexus.corp.io/service/rest/v1/status/check + nexusUrlSecret.name: private-nexus-url + baseNexusUrlSecret.name: private-nexus-base-url + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: NEXUS_URL + valueFrom: + secretKeyRef: + name: private-nexus-url + key: nexus-nexus-url + documentSelector: + path: 
kind + value: Deployment + - contains: + path: spec.template.spec.containers[0].env + content: + name: BASE_NEXUS_URL + valueFrom: + secretKeyRef: + name: private-nexus-base-url + key: nexus-base-nexus-url + documentSelector: + path: kind + value: Deployment + - exists: + path: data.nexus-base-nexus-url + documentSelector: + path: metadata.name + value: private-nexus-base-url + template: secrets.yaml + - exists: + path: data.nexus-nexus-url + documentSelector: + path: metadata.name + value: private-nexus-url + template: secrets.yaml + + - it: References an external tls style secret + set: + httpsSecret.name: "my-external-secret" + enableBrokerLocalWebserverOverHttps: true + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-tls-secret-volume + secret: + secretName: my-external-secret + documentSelector: + path: kind + value: Deployment + + + - it: References an external CA secret + set: + caCertFileSecret.name: my-ca + caCertFileSecret.key: ca.pem + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + secret: + secretName: my-ca + documentSelector: + path: kind + value: Deployment diff --git a/charts/snyk-broker/tests/broker_deployment_test.yaml b/charts/snyk-broker/tests/broker_deployment_test.yaml index 458cc10..6b6d310 100644 --- a/charts/snyk-broker/tests/broker_deployment_test.yaml +++ b/charts/snyk-broker/tests/broker_deployment_test.yaml @@ -35,3 +35,9 @@ tests: - ./fixtures/default_values_ha_on_4_replicas.yaml asserts: - matchSnapshot: {} + - it: Does not fail if no broker token is specified + set: + brokerToken: "" + asserts: + - notFailedTemplate: {} + template: broker_deployment.yaml diff --git a/charts/snyk-broker/values.schema.json b/charts/snyk-broker/values.schema.json index 9edf1e1..d212d4d 100644 --- a/charts/snyk-broker/values.schema.json +++ b/charts/snyk-broker/values.schema.json 
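Review bot: In the `Sets the name and key for artifactory secrets` case the `set:` entry `key: my-other-custom-key` is a bare top-level value rather than `brokerClientValidationUrlSecret.key: my-other-custom-key`, so the custom key is never applied — which is why the matching assertion has to look for the default `data.artifactory-broker-client-validation-url`. Change the set line to `brokerClientValidationUrlSecret.key: my-other-custom-key` and the assertion to `path: data.my-other-custom-key` so the test covers the key override it is named for. Two consecutive blank lines precede `References an external CA secret`, while the rest of the file separates cases with one.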
@@ -7,21 +7,42 @@ "pattern": "^http(s?):\/\/.*" } }, - "urlWithSchema":{ - "type":"string", + "urlWithSchema": { + "type": "string", "pattern": "^$|^http(s?):\/\/.*" + }, + "secretNameKey": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "key": { + "type": "string" + } + }, + "additionalProperties": false } }, "type": "object", "properties": { "brokerToken": { - "type": "string", - "format": "uuid" + "anyOf": [ + { + "type": "string", + "maxLength": 0 + }, + { + "type": "string", + "format": "uuid" + } + ] + }, + "brokerTokenSecret": { + "$ref": "#/$defs/secretNameKey" }, "brokerClientUrl": { - "type": "string", - "default": "", - "pattern": "^$|^http(s?):\/\/.*" + "$ref": "#/$defs/urlWithSchema" }, "brokerServerUrl": { "type": "string", @@ -77,16 +98,22 @@ "container-registry-agent" ] }, - "scmToken":{ + "scmToken": { "type": "string" }, - "scmTokenPool":{ - "type":"string" + "externalCredentialSecret": { + "$ref": "#/$defs/secretNameKey" }, - "useExternalSecretScmTokenPool":{ + "scmTokenPool": { + "type": "string" + }, + "scmTokenPoolSecret": { + "$ref": "#/$defs/secretNameKey" + }, + "useExternalSecretScmTokenPool": { "type": "boolean" }, - "github":{ + "github": { "$ref": "#/$defs/urlNoSchema" }, "githubApi": { @@ -110,30 +137,33 @@ "bitbucketApi": { "$ref": "#/$defs/urlNoSchema" }, - "gitlab":{ + "gitlab": { "$ref": "#/$defs/urlNoSchema" }, "azureReposOrg": { "type": "string" }, - "azureReposHost":{ + "azureReposHost": { "$ref": "#/$defs/urlNoSchema" }, - "azureReposToken":{ + "azureReposToken": { "type": "string" }, - "artifactoryUrl":{ + "artifactoryUrl": { "$ref": "#/$defs/urlNoSchema" }, - "baseNexusUrl":{ + "baseNexusUrl": { "$ref": "#/$defs/urlWithSchema" }, - "nexusUrl":{ + "nexusUrl": { "$ref": "#/$defs/urlWithSchema" }, "brokerClientValidationUrl": { "$ref": "#/$defs/urlWithSchema" }, + "brokerClientValidationUrlSecret": { + "$ref": "#/$defs/secretNameKey" + }, "jiraUsername": { "type": "string" }, 
@@ -148,7 +178,7 @@ }, "crType": { "type": "string", - "enum":[ + "enum": [ "", "artifactory-cr", "harbor-cr", @@ -183,7 +213,17 @@ "type": "string" }, "crToken": { - "type": "string" + "if": { + "crType": { + "const": "digitalocean-cr" + } + }, + "then": { + "type": "string", + "required": [ + "crToken" + ] + } }, "crImage": { "type": "string", @@ -201,7 +241,7 @@ "" ] }, - "enableCodeAgent":{ + "enableCodeAgent": { "type": [ "boolean", "string" @@ -214,9 +254,9 @@ ] }, "upstreamUrlCodeAgent": { - + "type": "string" }, - "snykToken":{ + "snykToken": { "anyOf": [ { "type": "string", @@ -228,6 +268,9 @@ } ] }, + "snykTokenSecret": { + "$ref": "#/$defs/secretNameKey" + }, "caImage": { "type": "string", "default": "latest" @@ -235,29 +278,37 @@ "gitClientUrl": { "type": "string" }, - "logLevel":{ + "logLevel": { "type": "string", - "enum":[ + "enum": [ "info", "debug" ] }, - "logEnableBody":{ + "logEnableBody": { "type": "string", - "enum":[ + "enum": [ "false", "true" ] }, - "enableBrokerLocalWebserverOverHttps":{ + "enableBrokerLocalWebserverOverHttps": { "type": "boolean" }, - "httpsCert":{ + "httpsCert": { "type": "string" }, "httpsKey": { "type": "string" }, + "httpsSecret": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + }, "caCert": { "type": "string" }, @@ -265,16 +316,19 @@ "type": "string", "pattern": "^$|^\\s*-----BEGIN CERTIFICATE-----(?:.|\\s)*-----END CERTIFICATE-----\\s*$" }, + "caCertFileSecret": { + "$ref": "#/$defs/secretNameKey" + }, "disableCaCertTrust": { "type": "boolean" }, - "tlsRejectUnauthorized":{ + "tlsRejectUnauthorized": { "type": [ "string", "boolean", "integer" ], - "enum":[ + "enum": [ "", 0, "0", 
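Review bot: The new `crToken` schema in the `@@ -183,7 +213,17 @@` hunk does not express the condition it appears to: `if` takes a schema, and `"crType": { "const": "digitalocean-cr" }` placed directly inside it is an unrecognised keyword, so the `if` subschema matches every instance; `then` is then applied to the `crToken` string itself, where `required` is ignored because the instance is not an object, and a property subschema cannot see its sibling `crType` in any case. The net effect is `{ "type": "string" }` as before, behind a misleading appearance of validation that `helm lint` will not flag. Move the conditional up beside the top-level `properties` object, where it can reference both properties, and keep `crToken` a plain string.
```json
"crToken": {
  "type": "string"
},

"if": {
  "properties": {
    "crType": { "const": "digitalocean-cr" }
  },
  "required": ["crType"]
},
"then": {
  "required": ["crToken"],
  "properties": {
    "crToken": { "minLength": 1 }
  }
}
```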
@@ -283,32 +337,32 @@ "disable" ] }, - "httpProxy":{ + "httpProxy": { "$ref": "#/$defs/urlWithSchema" }, - "httpsProxy":{ + "httpsProxy": { "$ref": "#/$defs/urlWithSchema" }, "noProxy": { "type": "string" }, - "acceptJson":{ + "acceptJson": { "type": "string" }, "image": { "type": "object", "additionalProperties": false, - "properties":{ - "repository":{ + "properties": { + "repository": { "type": "string" }, - "crRepository":{ + "crRepository": { "type": "string" }, - "caRepository":{ + "caRepository": { "type": "string" }, - "pullPolicy":{ + "pullPolicy": { "type": "string", "enum": [ "Always", @@ -324,7 +378,7 @@ "imagePullSecrets": { "type": "array" }, - "healthCheckPath":{ + "healthCheckPath": { "type": "string" }, "systemCheckPath": { @@ -372,7 +426,7 @@ "deployment": { "type": "object" }, - "serviceAccount":{ + "serviceAccount": { "type": "object", "additionalProperties": false, "properties": { @@ -402,10 +456,10 @@ "securityContextCa": { "type": "object" }, - "service":{ + "service": { "type": "object", "additionalProperties": false, - "properties":{ + "properties": { "brokerType": { "type": "string" }, @@ -419,7 +473,7 @@ "type": "integer" }, "tls": { - "type" :"array" + "type": "array" } } }, @@ -429,7 +483,7 @@ "enabled": { "type": "boolean" }, - "ingressClassName":{ + "ingressClassName": { "type": "string" }, "annotations": { @@ -444,18 +498,18 @@ "pathType": { "type": "string" }, - "hosts":{ + "hosts": { "type": "array" }, - "extraPaths":{ + "extraPaths": { "type": "array" }, - "tls":{ + "tls": { "type": "array" } } }, - "extraObjects":{ + "extraObjects": { "type": "array" }, "extraVolumes": { @@ -470,7 +524,7 @@ "extraPodSpecs": { "nullable": true }, - "extraPodSpecsCr":{ + "extraPodSpecsCr": { "nullable": true } }, diff --git a/charts/snyk-broker/values.yaml b/charts/snyk-broker/values.yaml index 68067c4..fa0a818 100644 --- a/charts/snyk-broker/values.yaml +++ b/charts/snyk-broker/values.yaml 
@@ -6,6 +6,10 @@ # Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative brokerToken: "" +# If using external secrets specify the secret name and key to fetch the broker token from: +brokerTokenSecret: + name: "" + key: "" # brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup. # Ex: http://kubernetes-ingress.domain.com:8000 @@ -31,9 +35,6 @@ replicaCount: 2 # Adds additional labels to broker deployment labels: {} -# Enable or disable inbuilt secrets - disable to provide your own pre-existing secrets. -createSecrets: true - ##### SCM Generic ##### # scmType is used to define the Source Control that you are connecting to. 
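Review bot: Hunk `@@ -31,9 +35,6 @@` drops `createSecrets: true` from values.yaml with no replacement default, so any template that still gates Secret rendering on `.Values.createSecrets` will see nil, treat it as false, and render no Secrets at all on a default install; the opposite-polarity `useExternalSecrets: false` only arrives in the next hunk. Please confirm every `.Values.createSecrets` reference in the templates was changed in this same commit to `(not .Values.useExternalSecrets)`, and add a unit test asserting that a default install still renders the broker-token Secret so this cannot regress silently.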
@@ -57,8 +58,35 @@ scmType: "github-com" # scmToken is used for SCMs that require a personal Access Token: GitHub & Gitlab scmToken: "" +# Enable or disable creating secrets - set to `true` to provide your own pre-existing secrets. +useExternalSecrets: false + +# The following types are supported via externalCredentialSecret: +# GitHub.com: github-com +# GitHub Enterprise: github-enterprise +# Bitbucket Server: bitbucket-server +# Bitbucket Server with Bearer Auth: bitbucket-server-bearer-auth +# GitLab: gitlab +# Azure Repos: azure-repos +# Jira: jira +# Jira with bearer auth: jira-bearer-auth +# Container Registry Agent: container-registry-agent + +# For the following types, specify external secrets separately +# Artifactory: artifactory -> artifactoryUrlSecret, brokerClientValidationUrlSecret +# Nexus: nexus -> baseNexusUrlSecret, nexusUrlSecret, brokerClientValidationUrlSecret +# Nexus2: nexus2 -> baseNexusUrlSecret, nexusUrlSecret, brokerClientValidationUrlSecret + +externalCredentialSecret: + name: "" + key: "" + # scmTokenPool is used by credential pooling for SCMs that require a personal Access Token: GitHub & Gitlab scmTokenPool: "" +# If using external secrets specify the secret name and key to fetch the pool of scm tokens from: +scmTokenPoolSecret: + name: "" + key: "" # useExternalSecretScmTokenPool forces credential pooling for SCMs, e.g. by using Secrets Store CSI Driver (default is false). useExternalSecretScmTokenPool: false 
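Review bot: With `useExternalSecrets: true` and the default empty `externalCredentialSecret.name`/`key` (the same applies to the sibling `*Secret` blocks), the templates presumably emit a `secretKeyRef` with an empty name, which `helm template` accepts and only the API server rejects at apply time. Consider failing fast in the templates, e.g. `{{ required "externalCredentialSecret.name is required when useExternalSecrets is true" .Values.externalCredentialSecret.name }}`, and state the contract in the comment: `# Required (name and key) when useExternalSecrets is true.` The comment block also leaves unstated how `useExternalSecrets` interacts with the existing `useExternalSecretScmTokenPool` flag; document which one governs `scmTokenPoolSecret` when both are set.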
@@ -110,24 +138,36 @@ azureReposHost: "" # Azure Repos Token azureReposToken: "" - ##### Artifactory ##### # Artifactory URL - do not prepend HTTPS artifactoryUrl: "" - +artifactoryUrlSecret: + name: "" + key: "" ##### Nexus 2 & 3 ##### # Nexus Base URL - include HTTPS baseNexusUrl: "" +# If using external secrets specify the secret name and key to fetch the base nexus url from: +baseNexusUrlSecret: + name: "" + key: "" # Nexus URL - include HTTPS nexusUrl: "" +# If using external secrets specify the secret name and key to fetch the nexus url from: +nexusUrlSecret: + name: "" + key: "" -# Nexus Validation URL, checked by broker client systemcheck endpoint. +# Nexus or Artifactory Validation URL, checked by broker client systemcheck endpoint. brokerClientValidationUrl: "" - +# If using external secrets specify the secret name and key to fetch the broker client validation url from: +brokerClientValidationUrlSecret: + name: "" + key: "" ##### Jira ##### @@ -187,6 +227,10 @@ upstreamUrlCodeAgent: "" # Snyk API token. Allows Code Agent to upload source code. Group > Settings > Service Accounts snykToken: "" +# If using external secrets specify the secret name and key to fetch the Snyk API token from: +snykTokenSecret: + name: "" + key: "" #CA Image Tag. Do not touch unless instructed by Snyk Representative caImage: "latest" @@ -213,6 +257,10 @@ httpsCert: "" # Location of mounted HTTPS key httpsKey: "" +# Optionally provide an external tls-type certificate name. +httpsSecret: + name: "" + ##### HTTPS Inspection ##### # Not supported by Snyk Container Registry Agent or Snyk Code Agent (use tlsRejectUnauthorized instead) @@ -237,6 +285,9 @@ caCert: "" # # caCertFile: "----- BEGIN CERTIFICATE -----\n.....\n----- END CERTIFICATE -----" caCertFile: "" +caCertFileSecret: + name: "" + key: "" # Set to `true` to disable trust validation when providing your own CA certificate. disableCaCertTrust: false From 29d29f3e47e6d47a401b02ec6742a697b3470a51 Mon Sep 17 00:00:00 2001 
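Review bot: `artifactoryUrlSecret` in hunk `@@ -110,24 +138,36 @@` and `caCertFileSecret` in hunk `@@ -237,6 +285,9 @@` are the only new `*Secret` blocks without the explanatory comment their siblings carry; add `# If using external secrets specify the secret name and key to fetch the artifactory url from:` and `# If using external secrets specify the secret name and key to fetch the CA certificate file from:` above them. The first hunk also removes the blank lines that separated the `##### Artifactory #####` and `##### Nexus 2 & 3 #####` banners from the preceding keys; keeping one blank line before each banner matches the rest of the file. `httpsSecret` in hunk `@@ -213,6 +257,10 @@` takes only `name` where every other block takes `name` and `key`, and its comment says "tls-type certificate name"; if that means a Secret of type `kubernetes.io/tls`, say so explicitly so users know which keys the referenced Secret must carry.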
From: Matt Rogers Date: Mon, 2 Sep 2024 09:51:47 +0100 Subject: [PATCH 3/4] fix: update chart version --- charts/snyk-broker/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/snyk-broker/Chart.yaml b/charts/snyk-broker/Chart.yaml index abe1a4e..d390c19 100644 --- a/charts/snyk-broker/Chart.yaml +++ b/charts/snyk-broker/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 name: snyk-broker -version: 2.7.5 +version: 2.8.0 description: A Helm chart for Kubernetes type: application From f097f39ceaefffae118863a67d92b6b8398029ad Mon Sep 17 00:00:00 2001 From: Matt Rogers Date: Mon, 2 Sep 2024 10:04:34 +0100 Subject: [PATCH 4/4] chore: pin helm unittest, update to match 0.6.1 spec --- .github/workflows/helm-validation.yaml | 4 +- ...roker_cra_deployment_disable_tls_test.yaml | 6 ++ ...broker_deployment_rename_secrets_test.yaml | 60 +++++-------------- 3 files changed, 23 insertions(+), 47 deletions(-) diff --git a/.github/workflows/helm-validation.yaml b/.github/workflows/helm-validation.yaml index 165449c..5103463 100644 --- a/.github/workflows/helm-validation.yaml +++ b/.github/workflows/helm-validation.yaml @@ -21,5 +21,5 @@ jobs: - name: Run helm unittest run: | - helm plugin install https://github.com/helm-unittest/helm-unittest - helm unittest charts/snyk-broker \ No newline at end of file + helm plugin install https://github.com/helm-unittest/helm-unittest --version 0.6.1 + helm unittest charts/snyk-broker diff --git a/charts/snyk-broker/tests/broker_cra_deployment_disable_tls_test.yaml b/charts/snyk-broker/tests/broker_cra_deployment_disable_tls_test.yaml index d2434a7..d666c19 100644 --- a/charts/snyk-broker/tests/broker_cra_deployment_disable_tls_test.yaml +++ b/charts/snyk-broker/tests/broker_cra_deployment_disable_tls_test.yaml @@ -25,6 +25,7 @@ tests: documentSelector: path: kind value: Deployment + matchMany: true - it: disables tls trust with "0" (string) set: tlsRejectUnauthorized: "0" 
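Review bot: The `--version 0.6.1` pin on `helm plugin install` fixes the assertion spec the tests below are written against, but the reason is not recorded; add `# pinned: tests use the 0.6.1 assertion spec (matchMany, per-assertion template)` above the `run:` block so the next bump is deliberate rather than incidental. The plugin is still fetched from GitHub on every run and a `--version` pin resolves a git tag, which upstream can move; if that matters for this pipeline, cache or vendor the plugin rather than relying on the tag alone.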
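Review bot: `matchMany: true` is added without explanation in hunk `@@ -25,6 +25,7 @@` and again in the five hunks that follow it (`@@ -37`, `@@ -49`, `@@ -61`, `@@ -73`, `@@ -85`); since the selector `kind: Deployment` presumably matches both the broker and the CRA Deployment, the flag is what makes 0.6.1 apply the assertion to every match instead of failing on the ambiguity. A one-line comment at the first occurrence, `# both Deployments must carry the setting; 0.6.x fails on multiple matches without matchMany`, would stop a future cleanup from removing it.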
@@ -37,6 +38,7 @@ tests: documentSelector: path: kind value: Deployment + matchMany: true - it: disables tls trust with "false" (string) set: tlsRejectUnauthorized: "false" @@ -49,6 +51,7 @@ tests: documentSelector: path: kind value: Deployment + matchMany: true - it: disables tls trust with false (boolean) set: tlsRejectUnauthorized: false @@ -61,6 +64,7 @@ tests: documentSelector: path: kind value: Deployment + matchMany: true - it: disables tls trust with '0' (integer) set: tlsRejectUnauthorized: 0 @@ -73,6 +77,7 @@ tests: documentSelector: path: kind value: Deployment + matchMany: true - it: enables tls trust by default "" (string) set: tlsRejectUnauthorized: "" @@ -85,6 +90,7 @@ tests: documentSelector: path: kind value: Deployment + matchMany: true - it: does not allow true (bool) set: tlsRejectUnauthorized: true diff --git a/charts/snyk-broker/tests/broker_deployment_rename_secrets_test.yaml b/charts/snyk-broker/tests/broker_deployment_rename_secrets_test.yaml index 57826b5..32e56ae 100644 --- a/charts/snyk-broker/tests/broker_deployment_rename_secrets_test.yaml +++ b/charts/snyk-broker/tests/broker_deployment_rename_secrets_test.yaml @@ -23,9 +23,7 @@ tests: secretKeyRef: name: my-cool-secret key: my-cool-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-cool-key documentSelector: @@ -48,9 +46,7 @@ tests: secretKeyRef: name: my-cool-secret key: my-cool-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-cool-key documentSelector: @@ -73,9 +69,7 @@ tests: secretKeyRef: name: my-cool-secret key: my-cool-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-cool-key documentSelector: 
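Review bot: Replacing `documentSelector: kind: Deployment` with `template: broker_deployment.yaml` in hunk `@@ -23,9 +23,7 @@` (and in every later hunk of broker_deployment_rename_secrets_test.yaml) narrows each env assertion to the broker Deployment only; if the CRA Deployment also consumes the renamed secret references, that path is no longer covered, whereas the sibling tls test chose `matchMany: true` to keep both Deployments under test. If the narrowing is intentional, a short comment at the top of the test file, `# env assertions target the broker Deployment only; CRA env is covered elsewhere`, would make that choice visible.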
@@ -98,9 +92,7 @@ tests: secretKeyRef: name: my-cool-secret key: my-cool-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-cool-key documentSelector: @@ -123,9 +115,7 @@ tests: secretKeyRef: name: my-cool-secret key: my-cool-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-cool-key documentSelector: @@ -148,9 +138,7 @@ tests: secretKeyRef: name: my-cool-secret key: my-cool-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-cool-key documentSelector: @@ -173,9 +161,7 @@ tests: secretKeyRef: name: my-cool-secret key: my-cool-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-cool-key documentSelector: @@ -199,9 +185,7 @@ tests: secretKeyRef: name: my-cool-secret key: my-cool-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-cool-key documentSelector: @@ -225,9 +209,7 @@ tests: secretKeyRef: name: my-cool-secret key: my-cool-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-cool-key documentSelector: @@ -250,9 +232,7 @@ tests: secretKeyRef: name: my-external-pool key: my-pool-of-keys - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-pool-of-keys documentSelector: @@ -279,9 +259,7 @@ tests: secretKeyRef: name: external-artifactory-url key: my-custom-key - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.my-custom-key documentSelector: 
@@ -325,9 +303,7 @@ tests: secretKeyRef: name: private-nexus-url key: nexus-nexus-url - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - contains: path: spec.template.spec.containers[0].env content: @@ -336,9 +312,7 @@ tests: secretKeyRef: name: private-nexus-base-url key: nexus-base-nexus-url - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - exists: path: data.nexus-base-nexus-url documentSelector: @@ -363,9 +337,7 @@ tests: name: RELEASE-NAME-snyk-broker-tls-secret-volume secret: secretName: my-external-secret - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml - it: References an external CA secret @@ -379,6 +351,4 @@ tests: name: RELEASE-NAME-snyk-broker-cacert-volume secret: secretName: my-ca - documentSelector: - path: kind - value: Deployment + template: broker_deployment.yaml