
Commit 079050c

authored
Merge pull request #46 from glassflow/sudopower/etl-625-encrypt-postgres-and-kafka-credentials-in-postgres-taggrs
ETL-625: create / mount secret to api deployment to secure credentials
2 parents de5b241 + 9979ee9 commit 079050c


5 files changed

+88
-13
lines changed


charts/glassflow-etl/Chart.yaml

Lines changed: 3 additions & 3 deletions
@@ -15,17 +15,17 @@ type: application
1515
# This is the chart version. This version number should be incremented each time you make changes
1616
# to the chart and its templates, including the app version.
1717
# Versions are expected to follow Semantic Versioning (https://semver.org/)
18-
version: 0.5.2
18+
version: 0.5.3
1919

2020
# This is the version number of the application being deployed. This version number should be
2121
# incremented each time you make changes to the application. Versions are not expected to
2222
# follow Semantic Versioning. They should reflect the version the application is using.
2323
# It is recommended to use it with quotes.
24-
appVersion: "2.6.2"
24+
appVersion: "2.7.0"
2525

2626
dependencies:
2727
- name: glassflow-operator
28-
version: "0.6.9"
28+
version: "0.7.0"
2929
repository: https://glassflow.github.io/glassflow-etl-k8s-operator
3030
- name: nats
3131
version: "1.3.6"
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: Role
3+
metadata:
4+
name: {{ include "glassflow-etl.fullname" . }}-secret-manager
5+
namespace: {{ .Release.Namespace }}
6+
labels:
7+
{{- include "glassflow-etl.labels" . | nindent 4 }}
8+
rules:
9+
- apiGroups:
10+
- ""
11+
resources:
12+
- secrets
13+
verbs:
14+
- create
15+
- get
16+
- update
17+
- patch
18+
- delete
19+
- list
20+
- watch
21+
---
22+
apiVersion: rbac.authorization.k8s.io/v1
23+
kind: RoleBinding
24+
metadata:
25+
name: {{ include "glassflow-etl.fullname" . }}-secret-manager-binding
26+
namespace: {{ .Release.Namespace }}
27+
labels:
28+
{{- include "glassflow-etl.labels" . | nindent 4 }}
29+
roleRef:
30+
apiGroup: rbac.authorization.k8s.io
31+
kind: Role
32+
name: {{ include "glassflow-etl.fullname" . }}-secret-manager
33+
subjects:
34+
- kind: ServiceAccount
35+
name: {{ include "glassflow-etl.serviceAccountName" . }}
36+
namespace: {{ .Release.Namespace }}
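Review bot: The Role at lines 9-20 grants `create`, `get`, `update`, `patch`, `delete`, `list` and `watch` on every Secret in the release namespace to the chart's service account, which is much wider than the single encryption-key Secret the deployment mounts; `list` and `watch` in particular let the API pod read all Secrets in the namespace, not only its own. If the API only needs to manage Secrets it creates itself, drop `list`/`watch` and restrict `get`/`update`/`patch`/`delete` with `resourceNames` (Kubernetes cannot scope `create`, `list` or `watch` by name), and add a comment above `rules:` stating which Secrets the API manages and why each verb is needed. The Role is rendered unconditionally while the new Secret template is gated on `global.encryption`; if these permissions exist only for the encryption feature, wrapping the file in the same `{{- if .Values.global.encryption.enabled }}` keeps them out of releases that do not use it. The path of this new template file is not shown on the page.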

charts/glassflow-etl/templates/deployment.yaml

Lines changed: 17 additions & 3 deletions
@@ -435,6 +435,14 @@ spec:
435435
value: {{ .value | quote }}
436436
{{- end }}
437437
{{- end }}
438+
volumeMounts:
439+
- name: logs
440+
mountPath: /tmp/logs/glassflow
441+
{{- if and .Values.global.encryption.enabled (or .Values.global.encryption.existingSecret.name .Values.global.encryption.createSecret) }}
442+
- name: encryption-key
443+
mountPath: /etc/glassflow/secrets
444+
readOnly: true
445+
{{- end }}
438446
{{- with .Values.api.livenessProbe }}
439447
livenessProbe:
440448
{{- toYaml . | nindent 12 }}
@@ -444,11 +452,17 @@ spec:
444452
{{- toYaml . | nindent 12 }}
445453
{{- end }}
446454
securityContext: {{- toYaml .Values.securityContext | nindent 12 }}
447-
volumeMounts:
448-
- name: logs
449-
mountPath: /tmp/logs/glassflow
450455
serviceAccountName: {{ include "glassflow-etl.serviceAccountName" . }}
451456
securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
452457
volumes:
453458
- name: logs
454459
emptyDir: {}
460+
{{- if and .Values.global.encryption.enabled (or .Values.global.encryption.existingSecret.name .Values.global.encryption.createSecret) }}
461+
- name: encryption-key
462+
secret:
463+
secretName: {{ if .Values.global.encryption.existingSecret.name }}{{ .Values.global.encryption.existingSecret.name }}{{ else }}{{ .Values.global.encryption.secretName | default (printf "%s-encryption-key" .Release.Name) }}{{ end }}
464+
defaultMode: 0444
465+
items:
466+
- key: {{ .Values.global.encryption.existingSecret.key | default "encryption-key" }}
467+
path: encryption-key
468+
{{- end }}
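Review bot: When `global.encryption.enabled` is true but neither `existingSecret.name` nor `createSecret` is set, the `if` at line 460 (and its twin in the volumeMounts hunk at line 441) silently renders no `encryption-key` volume, so the API starts with encryption enabled and nothing under `/etc/glassflow/secrets`; failing the render is safer, e.g. once near the top of the template `{{- if and .Values.global.encryption.enabled (not .Values.global.encryption.existingSecret.name) (not .Values.global.encryption.createSecret) }}{{ fail "global.encryption: set existingSecret.name or createSecret" }}{{- end }}`. The same condition and the `secretName` expression at line 463 are repeated here and in the new Secret template; a named helper in `_helpers.tpl` (e.g. `glassflow-etl.encryptionSecretName`) would keep the three copies from drifting. `defaultMode: 0444` at line 464 makes the key readable by every UID in the pod; if `podSecurityContext` (not visible here) sets `fsGroup`, `0440` is the tighter choice. The container spec these hunks belong to starts before the first hunk.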
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
{{- if and .Values.global.encryption.enabled (not .Values.global.encryption.existingSecret.name) .Values.global.encryption.createSecret }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: {{ .Values.global.encryption.secretName | default (printf "%s-encryption-key" .Release.Name) }}
6+
namespace: {{ .Release.Namespace }}
7+
labels:
8+
{{ include "glassflow-etl.labels" . | nindent 4 }}
9+
app.kubernetes.io/component: api
10+
type: Opaque
11+
stringData:
12+
encryption-key: {{ randAlphaNum 32 | quote }}
13+
{{- end }}
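Review bot: `randAlphaNum 32` at line 12 produces a fresh value on every render, so each `helm upgrade` replaces the encryption key and credentials encrypted under the previous key can no longer be decrypted by the API; the `createSecret: true` default in values.yaml makes this the out-of-the-box behaviour. Reuse the existing value with `lookup` and keep the Secret across uninstall with `helm.sh/resource-policy: keep` as sketched below; note that `lookup` returns an empty map under `helm template` and `--dry-run`, so rendering outside a live cluster still generates a new value. Line 8 uses `{{ include ... | nindent 4 }}` without the `-` trim that the Role template uses; matching it avoids a whitespace-only line in the output. The path of this new template file is not shown on the page.
```yaml
{{- if and .Values.global.encryption.enabled (not .Values.global.encryption.existingSecret.name) .Values.global.encryption.createSecret }}
{{- $secretName := .Values.global.encryption.secretName | default (printf "%s-encryption-key" .Release.Name) }}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  # … unchanged: namespace, labels …
  annotations:
    helm.sh/resource-policy: keep
type: Opaque
{{- if and $existing $existing.data }}
data:
  encryption-key: {{ index $existing.data "encryption-key" | quote }}
{{- else }}
stringData:
  encryption-key: {{ randAlphaNum 32 | quote }}
{{- end }}
{{- end }}
```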

charts/glassflow-etl/values.yaml

Lines changed: 19 additions & 7 deletions
@@ -46,6 +46,18 @@ global:
4646
secret:
4747
name: ""
4848
key: "connection_url"
49+
50+
# Encryption configuration for connection credentials
51+
encryption:
52+
# Enable credential encryption (encrypts Kafka and ClickHouse connection details)
53+
enabled: true
54+
# Use existing secret - Your own secret (recommended for production)
55+
existingSecret:
56+
name: "" # e.g., "glassflow-encryption-key"
57+
key: "encryption-key" # Key name in secret
58+
# Or let Helm generate a secret (for development/testing)
59+
createSecret: true
60+
secretName: "" # Defaults to "{{ .Release.Name }}-encryption-key" if empty
4961
# =============================================================================
5062
# API COMPONENT CONFIGURATION
5163
# =============================================================================
@@ -55,7 +67,7 @@ api:
5567
logLevel: "info"
5668
image:
5769
repository: glassflow-etl-be
58-
tag: v2.6.2
70+
tag: v2.7.0
5971
pullPolicy: IfNotPresent
6072
resources:
6173
requests:
@@ -89,7 +101,7 @@ ui:
89101
replicas: 1
90102
image:
91103
repository: glassflow-etl-fe
92-
tag: v2.6.2
104+
tag: v2.7.0
93105
pullPolicy: IfNotPresent
94106
logLevel: "info"
95107
resources:
@@ -165,7 +177,7 @@ glassflow-operator:
165177
manager:
166178
image:
167179
repository: glassflow-etl-k8s-operator
168-
tag: v1.4.3
180+
tag: v1.5.0
169181
pullPolicy: IfNotPresent
170182
resources:
171183
limits:
@@ -181,7 +193,7 @@ glassflow-operator:
181193
ingestor:
182194
image:
183195
repository: glassflow-etl-ingestor
184-
tag: v2.6.2
196+
tag: v2.7.0
185197
pullPolicy: IfNotPresent
186198
logLevel: "INFO"
187199
resources:
@@ -196,7 +208,7 @@ glassflow-operator:
196208
join:
197209
image:
198210
repository: glassflow-etl-join
199-
tag: v2.6.2
211+
tag: v2.7.0
200212
pullPolicy: IfNotPresent
201213
logLevel: "INFO"
202214
resources:
@@ -211,7 +223,7 @@ glassflow-operator:
211223
sink:
212224
image:
213225
repository: glassflow-etl-sink
214-
tag: v2.6.2
226+
tag: v2.7.0
215227
pullPolicy: IfNotPresent
216228
logLevel: "INFO"
217229
resources:
@@ -226,7 +238,7 @@ glassflow-operator:
226238
dedup:
227239
image:
228240
repository: glassflow-etl-dedup
229-
tag: v2.6.2
241+
tag: v2.7.0
230242
pullPolicy: IfNotPresent
231243
logLevel: "INFO"
232244
resources:
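Review bot: The comments in the first hunk (lines 50-60) do not say what the defaults do together: with `enabled: true`, `createSecret: true` and an empty `existingSecret.name`, the chart generates the key itself, so the `# Or let Helm generate a secret (for development/testing)` comment at line 58 describes the shipped default as if it were an opt-in. Propose `# Or let Helm generate a secret (the default; intended for development/testing — set existingSecret.name in production so the key is stable across upgrades)`. It is also worth a comment above `enabled:` that enabling encryption with both `existingSecret.name` empty and `createSecret: false` results in no key being mounted at all. The remaining hunks in this file are image tag bumps.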
