feat: add secretNameOverride for external JWT secret management (#610)

stakewise · Jan 27, 2025 · c563e89 · c563e89
1 parent 4c79aa8
commit c563e89
Show file tree

Hide file tree

Showing 40 changed files with 101 additions and 41 deletions.
diff --git a/charts/besu/Chart.yaml b/charts/besu/Chart.yaml
@@ -19,7 +19,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.4.10
+version: 2.4.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/besu/templates/secret.yaml b/charts/besu/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.global.JWTSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,3 +8,4 @@ metadata:
 type: Opaque
 data:
   jwtsecret: {{ .Values.global.JWTSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/besu/templates/statefulset.yaml b/charts/besu/templates/statefulset.yaml
@@ -200,7 +200,7 @@ spec:
       volumes:
         - name: jwtsecret
           secret:
-            secretName: {{ include "common.names.fullname" . }}
+            secretName: {{ coalesce .Values.global.secretNameOverride (include "common.names.fullname" .) }}
         - name: env
           emptyDir: {}
   {{- if (not .Values.persistence.enabled) }}

diff --git a/charts/besu/templates/validate.yaml b/charts/besu/templates/validate.yaml
@@ -1,3 +1,3 @@
-{{- if not .Values.global.JWTSecret }}
-{{- fail ".Values.global.JWTSecret is required" }}
+{{- if or (and .Values.global.JWTSecret .Values.global.secretNameOverride) (and (not .Values.global.JWTSecret) (not .Values.global.secretNameOverride)) }}
+{{- fail ".Values.global.JWTSecret or .Values.global.secretNameOverride is required" }}
 {{- end }}
diff --git a/charts/besu/values.yaml b/charts/besu/values.yaml
@@ -16,6 +16,12 @@ global:
   ##
   JWTSecret: ""
 
+  ## If you would like the JSON Web Token (JWT) to be managed by a secret outside
+  ## of this chart, an existing secret name can be passed here. If specified, JWTSecret should not be set.
+  ## jwtsecret should be the key of the token in the secret.
+  ##
+  secretNameOverride: ""
+
   ## Server endpoints for an execution layer jwt authenticated HTTP JSON-RPC connection.
   ## Uses the same endpoint to populate the deposit cache.
   ## A separate Statefulset will be created for each specified address

diff --git a/charts/erigon/Chart.yaml b/charts/erigon/Chart.yaml
@@ -24,7 +24,7 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.60.10
+version: 2.60.11
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/erigon/templates/statefulset.yaml b/charts/erigon/templates/statefulset.yaml
@@ -115,7 +115,7 @@ spec:
               --http.api={{ .Values.http.api }}
               --http.port={{ .Values.http.port }}
           {{- end }}
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
               --authrpc.jwtsecret=/secret/jwtsecret
               --authrpc.addr={{ .Values.authRpc.addr }}
               --authrpc.port={{ .Values.authRpc.port }}
@@ -144,7 +144,7 @@ spec:
               protocol: TCP
               containerPort: {{ .Values.http.port }}
           {{- end }}
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
             - name: authrpc
               protocol: TCP
               containerPort: {{ .Values.authRpc.port }}
@@ -167,7 +167,7 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /data
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
             - name: jwtsecret
               mountPath: /secret
               readOnly: true
@@ -225,10 +225,10 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-        {{- if .Values.global.JWTSecret }}
+        {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
         - name: jwtsecret
           secret:
-            secretName: {{ include "common.names.fullname" . }}
+            secretName: {{ coalesce .Values.global.secretNameOverride (include "common.names.fullname" .) }}
         {{- end }}
         - name: env-nodeport
           emptyDir: {}

diff --git a/charts/erigon/values.yaml b/charts/erigon/values.yaml
@@ -16,6 +16,12 @@ global:
   ##
   JWTSecret: ""
 
+  ## If you would like the JSON Web Token (JWT) to be managed by a secret outside
+  ## of this chart, an existing secret name can be passed here. If specified, JWTSecret should not be set.
+  ## jwtsecret should be the key of the token in the secret.
+  ##
+  secretNameOverride: ""
+
   ## Credentials to fetch images from private registry
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
   ##

diff --git a/charts/geth/Chart.yaml b/charts/geth/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: geth
-version: 2.4.15
+version: 2.4.16
 kubeVersion: "^1.20.0-0"
 description: Official Golang implementation of the Ethereum v1 protocol.
 type: application

diff --git a/charts/geth/templates/service.yaml b/charts/geth/templates/service.yaml
@@ -18,7 +18,7 @@ spec:
 {{- end }}
   type: ClusterIP
   ports:
-  {{- if .Values.global.JWTSecret }}
+  {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
     - name: authrpc
       port: {{ .Values.authRpc.port }}
       targetPort: authrpc

diff --git a/charts/geth/templates/statefulset.yaml b/charts/geth/templates/statefulset.yaml
@@ -106,7 +106,7 @@ spec:
               . /env/init-nodeport;
             {{- end }}
               exec geth
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
               --authrpc.jwtsecret=/secret/jwtsecret
               --authrpc.addr={{ .Values.authRpc.addr }}
               --authrpc.port={{ .Values.authRpc.port }}
@@ -157,7 +157,7 @@ spec:
                 fieldRef:
                   fieldPath: status.podIP
           ports:
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
             - name: authrpc
               containerPort: {{ .Values.authRpc.port }}
           {{- end }}
@@ -184,7 +184,7 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /data/ethereum
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
             - name: jwtsecret
               mountPath: /secret
               readOnly: true
@@ -234,10 +234,10 @@ spec:
         {{- end }}
       {{- end }}
       volumes:
-        {{- if .Values.global.JWTSecret }}
+        {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
         - name: jwtsecret
           secret:
-            secretName: {{ include "common.names.fullname" . }}
+            secretName: {{ coalesce .Values.global.secretNameOverride (include "common.names.fullname" .) }}
         {{- end }}
         - name: env-nodeport
           emptyDir: {}

diff --git a/charts/geth/values.yaml b/charts/geth/values.yaml
@@ -27,6 +27,12 @@ global:
   ##
   JWTSecret: ""
 
+  ## If you would like the JSON Web Token (JWT) to be managed by a secret outside
+  ## of this chart, an existing secret name can be passed here. If specified, JWTSecret should not be set.
+  ## jwtsecret should be the key of the token in the secret.
+  ##
+  secretNameOverride: ""
+
   ## Credentials to fetch images from private registry
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
   ##

diff --git a/charts/lighthouse/Chart.yaml b/charts/lighthouse/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: lighthouse
-version: 6.0.1
+version: 6.0.2
 kubeVersion: "^1.20.0-0"
 description: Rust Ethereum 2.0 Client.
 type: application

diff --git a/charts/lighthouse/templates/secret.yaml b/charts/lighthouse/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.global.JWTSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,3 +8,4 @@ metadata:
 type: Opaque
 data:
   jwtsecret: {{ .Values.global.JWTSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/lighthouse/templates/statefulset.yaml b/charts/lighthouse/templates/statefulset.yaml
@@ -223,7 +223,7 @@ spec:
       volumes:
         - name: jwtsecret
           secret:
-            secretName: {{ include "common.names.fullname" . }}
+            secretName: {{ coalesce .Values.global.secretNameOverride (include "common.names.fullname" .) }}
         - name: env-nodeport
           emptyDir: {}
         - name: configs

diff --git a/charts/lighthouse/templates/validate.yaml b/charts/lighthouse/templates/validate.yaml
@@ -1,5 +1,5 @@
-{{- if not .Values.global.JWTSecret }}
-{{- fail ".Values.global.JWTSecret is required" }}
+{{- if or (and .Values.global.JWTSecret .Values.global.secretNameOverride) (and (not .Values.global.JWTSecret) (not .Values.global.secretNameOverride)) }}
+{{- fail ".Values.global.JWTSecret or .Values.global.secretNameOverride is required" }}
 {{- end }}
 
 {{- $endpoints := uniq .Values.global.executionEndpoints -}}

diff --git a/charts/lighthouse/values.yaml b/charts/lighthouse/values.yaml
@@ -14,6 +14,12 @@ global:
   ##
   JWTSecret: ""
 
+  ## If you would like the JSON Web Token (JWT) to be managed by a secret outside
+  ## of this chart, an existing secret name can be passed here. If specified, JWTSecret should not be set.
+  ## jwtsecret should be the key of the token in the secret.
+  ##
+  secretNameOverride: ""
+
   ## Server endpoints for an execution layer jwt authenticated HTTP JSON-RPC connection.
   ## Uses the same endpoint to populate the deposit cache.
   ## A separate Statefulset will be created for each specified address

diff --git a/charts/lodestar/Chart.yaml b/charts/lodestar/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: lodestar
-version: 1.1.6
+version: 1.1.7
 kubeVersion: "^1.20.0-0"
 description: Rust Ethereum 2.0 Client.
 icon: https://storage.googleapis.com/stakewise-charts/stakewise.png

diff --git a/charts/lodestar/templates/secret.yaml b/charts/lodestar/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.global.JWTSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,3 +8,4 @@ metadata:
 type: Opaque
 data:
   jwtsecret: {{ .Values.global.JWTSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/lodestar/templates/statefulset.yaml b/charts/lodestar/templates/statefulset.yaml
@@ -221,7 +221,7 @@ spec:
       volumes:
         - name: jwtsecret
           secret:
-            secretName: {{ include "common.names.fullname" . }}
+            secretName: {{ coalesce .Values.global.secretNameOverride (include "common.names.fullname" .) }}
         - name: env-nodeport
           emptyDir: {}
         - name: configs

diff --git a/charts/lodestar/templates/validate.yaml b/charts/lodestar/templates/validate.yaml
@@ -1,5 +1,5 @@
-{{- if not .Values.global.JWTSecret }}
-{{- fail ".Values.global.JWTSecret is required" }}
+{{- if or (and .Values.global.JWTSecret .Values.global.secretNameOverride) (and (not .Values.global.JWTSecret) (not .Values.global.secretNameOverride)) }}
+{{- fail ".Values.global.JWTSecret or .Values.global.secretNameOverride is required" }}
 {{- end }}
 
 {{- $endpoints := uniq .Values.global.executionEndpoints -}}

diff --git a/charts/lodestar/values.yaml b/charts/lodestar/values.yaml
@@ -14,6 +14,12 @@ global:
   ##
   JWTSecret: ""
 
+  ## If you would like the JSON Web Token (JWT) to be managed by a secret outside
+  ## of this chart, an existing secret name can be passed here. If specified, JWTSecret should not be set.
+  ## jwtsecret should be the key of the token in the secret.
+  ##
+  secretNameOverride: ""
+
   ## Server endpoints for an execution layer jwt authenticated HTTP JSON-RPC connection.
   ## Uses the same endpoint to populate the deposit cache.
   ## A separate Statefulset will be created for each specified address

diff --git a/charts/nethermind/Chart.yaml b/charts/nethermind/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: nethermind
 description: .NET Core Ethereum client
 type: application
-version: 2.7.3
+version: 2.7.4
 appVersion: "v1.30.3"
 icon: https://storage.googleapis.com/stakewise-charts/stakewise.png
 keywords:

diff --git a/charts/nethermind/templates/service.yaml b/charts/nethermind/templates/service.yaml
@@ -27,7 +27,7 @@ spec:
       protocol: TCP
       name: json-ws
   {{- end }}
-  {{- if .Values.global.JWTSecret }}
+  {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
     - port: {{ .Values.jsonrpc.engine.port }}
       targetPort: engine
       protocol: TCP

diff --git a/charts/nethermind/values.yaml b/charts/nethermind/values.yaml
@@ -16,8 +16,8 @@ global:
   ##
   JWTSecret: ""
 
-  ## If you would like the JSON Web Token (JWT) to be managed by a secert outside
-  ## of this chart, an existing secret name can be passed here. If specified, JWTSecret should not be set. 
+  ## If you would like the JSON Web Token (JWT) to be managed by a secret outside
+  ## of this chart, an existing secret name can be passed here. If specified, JWTSecret should not be set.
   ## jwtsecret should be the key of the token in the secret.
   ##
   secretNameOverride: ""

diff --git a/charts/nimbus/Chart.yaml b/charts/nimbus/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: nimbus
-version: 2.2.11
+version: 2.2.12
 kubeVersion: "^1.18.0-0"
 description: Nim implementation of the Ethereum Beacon Chain
 type: application

diff --git a/charts/nimbus/templates/secret.yaml b/charts/nimbus/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.global.JWTSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,3 +8,4 @@ metadata:
 type: Opaque
 data:
   jwtsecret: {{ .Values.global.JWTSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/nimbus/templates/statefulset.yaml b/charts/nimbus/templates/statefulset.yaml
@@ -216,7 +216,7 @@ spec:
       volumes:
         - name: jwtsecret
           secret:
-            secretName: {{ include "common.names.fullname" . }}
+            secretName: {{ coalesce .Values.global.secretNameOverride (include "common.names.fullname" .) }}
         - name: env-nodeport
           emptyDir: {}
         - name: configs

diff --git a/charts/nimbus/templates/validate.yaml b/charts/nimbus/templates/validate.yaml
@@ -1,5 +1,5 @@
-{{- if not .Values.global.JWTSecret }}
-{{- fail ".Values.global.JWTSecret is required" }}
+{{- if or (not .Values.global.JWTSecret) (not .Values.global.secretNameOverride) }}
+{{- fail ".Values.global.JWTSecret or .Values.global.secretNameOverride is required" }}
 {{- end }}
 
 {{- $endpoints := uniq .Values.global.executionEndpoints -}}

diff --git a/charts/nimbus/values.yaml b/charts/nimbus/values.yaml
@@ -14,6 +14,12 @@ global:
   ##
   JWTSecret: ""
 
+  ## If you would like the JSON Web Token (JWT) to be managed by a secret outside
+  ## of this chart, an existing secret name can be passed here. If specified, JWTSecret should not be set.
+  ## jwtsecret should be the key of the token in the secret.
+  ##
+  secretNameOverride: ""
+
   ## Server endpoints for an execution layer jwt authenticated HTTP JSON-RPC connection.
   ## Uses the same endpoint to populate the deposit cache.
   ## A separate Statefulset will be created for each specified address

diff --git a/charts/prysm/Chart.yaml b/charts/prysm/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: prysm
-version: 5.2.0
+version: 5.2.1
 appVersion: v5.2.0
 kubeVersion: "^1.18.0-0"
 description: Go implementation of Ethereum proof of stake.

diff --git a/charts/prysm/templates/secret.yaml b/charts/prysm/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.global.JWTSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,3 +8,4 @@ metadata:
 type: Opaque
 data:
   jwtsecret: {{ .Values.global.JWTSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/prysm/templates/statefulset.yaml b/charts/prysm/templates/statefulset.yaml
@@ -264,7 +264,7 @@ spec:
       volumes:
         - name: jwtsecret
           secret:
-            secretName: {{ include "common.names.fullname" . }}
+            secretName: {{ coalesce .Values.global.secretNameOverride (include "common.names.fullname" .) }}
         - name: config
           emptyDir: {}
       {{- if eq .Values.global.network "gnosis" }}

diff --git a/charts/prysm/templates/validate.yaml b/charts/prysm/templates/validate.yaml
@@ -1,5 +1,5 @@
-{{- if not .Values.global.JWTSecret }}
-{{- fail ".Values.global.JWTSecret is required" }}
+{{- if or (and .Values.global.JWTSecret .Values.global.secretNameOverride) (and (not .Values.global.JWTSecret) (not .Values.global.secretNameOverride)) }}
+{{- fail ".Values.global.JWTSecret or .Values.global.secretNameOverride is required" }}
 {{- end }}
 
 {{- $endpoints := uniq .Values.global.executionEndpoints -}}