Merge pull request #217 from uc-cdis/fix/ssjdispatcher

fix(ssjdispatcher): Updated ssjdispatcher to include service account, rolebinding and external secrets to work correctly/privately in gitops
uc-cdis · Dec 4, 2024 · 93fd600 · 93fd600
2 parents cee2356 + e012359
commit 93fd600
Show file tree

Hide file tree

Showing 10 changed files with 68 additions and 6 deletions.
diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml
@@ -80,7 +80,7 @@ dependencies:
     repository: "file://../sheepdog"
     condition: sheepdog.enabled
   - name: ssjdispatcher
-    version: 0.1.13
+    version: 0.1.14
     repository: "file://../ssjdispatcher"
     condition: ssjdispatcher.enabled
   - name: sower
@@ -128,7 +128,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.49
+version: 0.1.50
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/helm/gen3/README.md b/helm/gen3/README.md
@@ -1,6 +1,6 @@
 # gen3
 
-![Version: 0.1.49](https://img.shields.io/badge/Version-0.1.49-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.50](https://img.shields.io/badge/Version-0.1.50-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 Helm chart to deploy Gen3 Data Commons
 
@@ -40,7 +40,7 @@ Helm chart to deploy Gen3 Data Commons
 | file://../revproxy | revproxy | 0.1.19 |
 | file://../sheepdog | sheepdog | 0.1.19 |
 | file://../sower | sower | 0.1.15 |
-| file://../ssjdispatcher | ssjdispatcher | 0.1.13 |
+| file://../ssjdispatcher | ssjdispatcher | 0.1.14 |
 | file://../wts | wts | 0.1.18 |
 | https://charts.bitnami.com/bitnami | postgresql | 11.9.13 |
 | https://helm.elastic.co | elasticsearch | 7.10.2 |

diff --git a/helm/ssjdispatcher/Chart.yaml b/helm/ssjdispatcher/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.13
+version: 0.1.14
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/helm/ssjdispatcher/README.md b/helm/ssjdispatcher/README.md
@@ -1,6 +1,6 @@
 # ssjdispatcher
 
-![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 A Helm chart for gen3 ssjdispatcher
 
@@ -32,6 +32,8 @@ A Helm chart for gen3 ssjdispatcher
 | commonLabels | map | `nil` | Will completely override the commonLabels defined in the common chart's _label_setup.tpl |
 | criticalService | string | `"true"` | Valid options are "true" or "false". If invalid option is set- the value will default to "false". |
 | dispatcherJobNum | string | `"10"` | Ssjdispater job number. |
+| externalSecrets | map | `{"credsFile":null}` | External secrets configuration |
+| externalSecrets.credsFile | string | `nil` | Will override the name of the aws secrets manager secret. Default is "credentials.json" |
 | fullnameOverride | string | `""` | Override the full name of the deployment. |
 | gen3Namespace | string | `"default"` | Namespace to deploy the job. |
 | global.aws | map | `{"awsAccessKeyId":null,"awsSecretAccessKey":null,"enabled":false}` | AWS configuration |

diff --git a/helm/ssjdispatcher/templates/_helpers.tpl b/helm/ssjdispatcher/templates/_helpers.tpl
@@ -66,3 +66,10 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+  ssjdispatcher credentials.json Secrets Manager Name
+*/}}
+{{- define "creds-file" -}}
+{{- default "credentials.json" .Values.externalSecrets.credsFile }}
+{{- end }}
diff --git a/helm/ssjdispatcher/templates/external-secret.yaml b/helm/ssjdispatcher/templates/external-secret.yaml
@@ -0,0 +1,19 @@
+{{ if .Values.global.externalSecrets.deploy }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ssjdispatcher-creds
+spec:
+  refreshInterval: 5m
+  secretStoreRef:
+    name: {{include "common.SecretStore" .}}
+    kind: SecretStore
+  target:
+    name: ssjdispatcher-creds
+    creationPolicy: Owner
+  data:
+  - secretKey: credentials.json
+    remoteRef:
+      #name of secret in secrets manager
+      key: {{include "credsFile" .}}
+{{- end }}
diff --git a/helm/ssjdispatcher/templates/role-binding.yaml b/helm/ssjdispatcher/templates/role-binding.yaml
@@ -0,0 +1,12 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ssjdispatcher-binding
+subjects:
+- kind: ServiceAccount
+  name: {{ include "ssjdispatcher.serviceAccountName" . }}
+  apiGroup: ""
+roleRef:
+  kind: ClusterRole
+  name: admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/helm/ssjdispatcher/templates/secret-store.yaml b/helm/ssjdispatcher/templates/secret-store.yaml
@@ -0,0 +1,3 @@
+{{ if .Values.global.externalSecrets.separateSecretStore }}
+{{ include "common.secretstore" . }}
+{{- end  }}
diff --git a/helm/ssjdispatcher/templates/serviceaccount.yaml b/helm/ssjdispatcher/templates/serviceaccount.yaml
@@ -10,3 +10,10 @@ metadata:
     eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.global.aws.account }}:role/{{ .Values.global.aws.hatchery_role }}
   {{- end }}
 {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ssjdispatcher-job-sa
+  labels:
+    {{- include "ssjdispatcher.labels" . | nindent 4 }}
diff --git a/helm/ssjdispatcher/values.yaml b/helm/ssjdispatcher/values.yaml
@@ -57,6 +57,12 @@ global:
   pdb: false
   # -- (int) The minimum amount of pods that are available at all times if the PDB is deployed.
   minAvialable: 1
+  # -- (map) External Secrets settings.
+  externalSecrets:
+    # -- (bool) Will use ExternalSecret resources to pull secrets from Secrets Manager instead of creating them locally. Be cautious as this will override any indexd secrets you have deployed.
+    deploy: false
+    # -- (string) Will deploy a separate External Secret Store for this service.
+    separateSecretStore: false
 
 # -- (bool) Whether Metrics are enabled.
 metricsEnabled: false
@@ -240,3 +246,9 @@ partOf: "Workspace-Tab"
 selectorLabels:
 # -- (map) Will completely override the commonLabels defined in the common chart's _label_setup.tpl
 commonLabels:
+
+
+# -- (map) External secrets configuration
+externalSecrets:
+  # -- (string) Will override the name of the aws secrets manager secret. Default is "credentials.json"
+  credsFile: