Merge pull request #351 from Flagsmith/fix/secrets-fix

rolodato · web-flow · commit 5565013a145f · 2025-04-14T18:54:20.000-03:00
feat: Automatically generate API and SSE secrets using Jobs. Accept existing SSE secrets
diff --git a/charts/flagsmith/templates/_api_environment.yaml b/charts/flagsmith/templates/_api_environment.yaml
@@ -11,8 +11,7 @@
 - name: DJANGO_SECRET_KEY
   valueFrom:
     secretKeyRef:
-      name: django-secret-key
-      key: django-secret-key
+      {{ include "flagsmith.api.secretKeySecretRef" . | nindent 6 }}
 {{- if .Values.influxdb2.enabled }}
 - name: INFLUXDB_URL
   value: http://{{- template "flagsmith.influxdb.hostname" . -}}:80
@@ -112,8 +111,7 @@
 - name: SSE_AUTHENTICATION_TOKEN
   valueFrom:
     secretKeyRef:
-      name: {{ include "flagsmith.fullname" . }}-sse
-      key: SSE_AUTHENTICATION_TOKEN
+      {{ include "flagsmith.sse.authenticationTokenSecretRef" . | nindent 6}}
 - name: SSE_SERVER_BASE_URL
   value: http://{{ include "flagsmith.fullname" . }}-sse.{{ .Release.Namespace }}:{{ .Values.service.sse.port }}
-{{- end }}
+{{- end }}
diff --git a/charts/flagsmith/templates/_helpers.tpl b/charts/flagsmith/templates/_helpers.tpl
@@ -347,9 +347,28 @@ replicas: {{ . }}
 {{- end }}
 
 
-{{/*
-Real-time flag updates (SSE)
-*/}}
-{{- define "flagsmith.sse.authenticationToken" -}}
-{{- randAlphaNum 50 -}}
-{{- end }}
+{{- define "flagsmith.api.secretKeySecretName" -}}
+{{- if .Values.api.secretKeyFromExistingSecret.enabled -}}
+{{- .Values.api.secretKeyFromExistingSecret.name -}}
+{{- else }}
+{{- printf "%s-django-secret-key" (include "flagsmith.fullname" .) -}}
+{{- end }}
+{{- end }}
+
+{{- define "flagsmith.api.secretKeySecretRef" -}}
+name: {{ include "flagsmith.api.secretKeySecretName" . }}
+key: {{ default "django-secret-key" .Values.api.secretKeyFromExistingSecret.key }}
+{{- end }}
+
+{{- define "flagsmith.sse.authenticationTokenSecretName" -}}
+{{- if .Values.sse.authenticationTokenFromExistingSecret.enabled -}}
+{{- .Values.sse.authenticationTokenFromExistingSecret.name -}}
+{{- else }}
+{{- printf "%s-sse-authentication-token" (include "flagsmith.fullname" .) -}}
+{{- end }}
+{{- end }}
+
+{{- define "flagsmith.sse.authenticationTokenSecretRef" -}}
+name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+key: {{ default "sse-authentication-token" .Values.sse.authenticationTokenFromExistingSecret.key }}
+{{- end }}
diff --git a/charts/flagsmith/templates/_sse_environment.yaml b/charts/flagsmith/templates/_sse_environment.yaml
@@ -12,5 +12,4 @@
 - name: SSE_AUTHENTICATION_TOKEN
   valueFrom:
     secretKeyRef:
-      name: {{ include "flagsmith.fullname" . }}-sse
-      key: SSE_AUTHENTICATION_TOKEN
+      {{ include "flagsmith.sse.authenticationTokenSecretRef" . | nindent 6 }}
diff --git a/charts/flagsmith/templates/deployment-sse.yaml b/charts/flagsmith/templates/deployment-sse.yaml
@@ -23,7 +23,6 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/secrets-sse: {{ include (print $.Template.BasePath "/secrets-sse.yaml") . | sha256sum }}
 {{- if .Values.sse.podAnnotations }}
 {{ toYaml .Values.sse.podAnnotations | nindent 8 }}
 {{- end }}
diff --git a/charts/flagsmith/templates/django-secret-init/job.yaml b/charts/flagsmith/templates/django-secret-init/job.yaml
@@ -0,0 +1,46 @@
+{{- if not .Values.api.secretKeyFromExistingSecret.enabled -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+    app.kubernetes.io/component: django-secret-init
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      name: {{ include "flagsmith.api.secretKeySecretName" . }}
+      labels:
+        {{- include "flagsmith.labels" . | nindent 8 }}
+        app.kubernetes.io/component: django-secret-init
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "flagsmith.api.secretKeySecretName" . }}
+      containers:
+        - name: secret-creator
+          image: bitnami/kubectl:latest
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              SECRET_NAME={{ include "flagsmith.api.secretKeySecretName" . }}
+              NAMESPACE={{ .Release.Namespace }}
+              echo "Checking for secret $SECRET_NAME in namespace $NAMESPACE"
+              # Attempt to get the secret; if it fails (exit code != 0), create it.
+              if ! kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o name; then
+                echo "Secret $SECRET_NAME not found. Creating..."
+                # Generate a 64-character hex key (32 bytes)
+                GENERATED_KEY=$(openssl rand -hex 32)
+                kubectl create secret generic "$SECRET_NAME" -n "$NAMESPACE" \
+                  --from-literal=django-secret-key="$GENERATED_KEY" \
+                  --dry-run=client -o yaml | kubectl apply -f -
+                echo "Secret $SECRET_NAME created."
+              else
+                echo "Secret $SECRET_NAME already exists. No action taken."
+              fi
+{{- end }}
diff --git a/charts/flagsmith/templates/django-secret-init/rbac.yaml b/charts/flagsmith/templates/django-secret-init/rbac.yaml
@@ -0,0 +1,35 @@
+{{- if not .Values.api.secretKeyFromExistingSecret.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/flagsmith/templates/django-secret-init/serviceaccount.yaml b/charts/flagsmith/templates/django-secret-init/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if not .Values.api.secretKeyFromExistingSecret.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "flagsmith.api.secretKeySecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
diff --git a/charts/flagsmith/templates/secrets-api.yaml b/charts/flagsmith/templates/secrets-api.yaml
@@ -13,39 +13,3 @@ metadata:
 type: Opaque
 data:
   DATABASE_URL: {{ include "flagsmith.api.databaseUrl" . | trim | b64enc | quote }}
----
-{{/*
- If no secrets were provided in values, check if a previously deployed secret exists
- If none exists, create one, which will be reused in future deployments
- */}}
-{{- $secretKey := default (randAlphaNum 50) .Values.api.secretKey -}}
-{{ if ((.Values.api).secretKeyFromExistingSecret).enabled -}}
-  {{ $existingSecret := (lookup "v1" "Secret" .Release.Namespace .Values.api.secretKeyFromExistingSecret.name).data }}
-  {{ if $existingSecret }}
-    {{ $secretKey = index $existingSecret .Values.api.secretKeyFromExistingSecret.key | b64dec }}
-  {{ end }}
-{{ else }}
-  {{ $knownSecret := (lookup "v1" "Secret" .Release.Namespace "django-secret-key").data }}
-  {{ if $knownSecret }}
-    {{ $secretValue := index $knownSecret "django-secret-key" }}
-    {{ if $secretValue }}
-      {{ $secretKey = $secretValue | b64dec }}
-    {{ end }}
-  {{ end }}
-{{- end -}}
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: django-secret-key
-  {{- with $annotations }}
-  annotations:
-    {{- . | nindent 4 }}
-  {{- end }}
-  labels:
-    {{- include "flagsmith.labels" . | nindent 4 }}
-    app.kubernetes.io/component: api
-type: Opaque
-{{/* Don't use stringData https://github.com/kubernetes/kubernetes/issues/89938 */ -}}
-data:
-  django-secret-key: {{ $secretKey | b64enc | quote}}
diff --git a/charts/flagsmith/templates/secrets-sse.yaml b/charts/flagsmith/templates/secrets-sse.yaml
diff --git a/charts/flagsmith/templates/sse-secret-init/job.yaml b/charts/flagsmith/templates/sse-secret-init/job.yaml
@@ -0,0 +1,46 @@
+{{- if and .Values.sse.enabled (not .Values.sse.authenticationTokenFromExistingSecret.enabled) -}}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+    app.kubernetes.io/component: sse-secret-init
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      name: {{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+      labels:
+        {{- include "flagsmith.labels" . | nindent 8 }}
+        app.kubernetes.io/component: sse-secret-init
+    spec:
+      restartPolicy: OnFailure
+      serviceAccountName: {{ include "flagsmith.fullname" . }}-sse-secret-init
+      containers:
+        - name: secret-creator
+          image: bitnami/kubectl:latest
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              SECRET_NAME={{ include "flagsmith.sse.authenticationTokenSecretName" . }}
+              NAMESPACE={{ .Release.Namespace }}
+              echo "Checking for secret $SECRET_NAME in namespace $NAMESPACE"
+              # Attempt to get the secret; if it fails (exit code != 0), create it.
+              if ! kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o name; then
+                echo "Secret $SECRET_NAME not found. Creating..."
+                # Generate a 64-character hex key (32 bytes)
+                GENERATED_KEY=$(openssl rand -hex 32)
+                kubectl create secret generic "$SECRET_NAME" -n "$NAMESPACE" \
+                  --from-literal=sse-authentication-token="$GENERATED_KEY" \
+                  --dry-run=client -o yaml | kubectl apply -f -
+                echo "Secret $SECRET_NAME created."
+              else
+                echo "Secret $SECRET_NAME already exists. No action taken."
+              fi
+{{- end }}
diff --git a/charts/flagsmith/templates/sse-secret-init/rbac.yaml b/charts/flagsmith/templates/sse-secret-init/rbac.yaml
@@ -0,0 +1,35 @@
+{{- if and .Values.sse.enabled (not .Values.api.secretKeyFromExistingSecret.enabled) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "flagsmith.fullname" . }}-sse-secret-init
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "flagsmith.fullname" . }}-sse-secret-init
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "flagsmith.fullname" . }}-sse-secret-init
+subjects:
+- kind: ServiceAccount
+  name: {{ include "flagsmith.fullname" . }}-sse-secret-init
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/charts/flagsmith/templates/sse-secret-init/serviceaccount.yaml b/charts/flagsmith/templates/sse-secret-init/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.sse.enabled (not .Values.api.secretKeyFromExistingSecret.enabled) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "flagsmith.fullname" . }}-django-secret-init
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "flagsmith.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}
diff --git a/charts/flagsmith/values.yaml b/charts/flagsmith/values.yaml
@@ -88,6 +88,14 @@ api:
     projectName: null
     extraSpec: {} # Will be added to `spec` for `flagsmith-api` deployment.
 
+  # secretKeyFromExistingSecret points to the Secret that contains the Django secret key. If none is provided, a Job
+  # will be created to generate one.
+  # See https://docs.djangoproject.com/en/4.2/topics/signing/
+  secretKeyFromExistingSecret:
+    enabled: false
+    name: ""
+    key: ""
+
 frontend:
   # Set this to `false` to switch off the frontend (deployment,
   # service and ingress). Set api.separateApiAndFrontend to false to
@@ -327,6 +335,13 @@ sse:
   #   REDIS_PASSWORD:
   #    secretName: my_redis_secrets
   #    secretKey: my_redis_password
+
+  # authenticationTokenFromExistingSecret is a shared secret between the API and SSE service. If none is provided, a Job
+  # will be created to generate one.
+  authenticationTokenFromExistingSecret:
+    enabled: false
+    name: ""
+    key: ""
   replicaCount: 1
   deploymentStrategy: null
   podAnnotations: {}
