From 377250ce6a7c7c4ad7e06935a1f5e8cd61c714e3 Mon Sep 17 00:00:00 2001
From: Nicolas
Date: Mon, 18 Aug 2025 17:05:05 +0800
Subject: [PATCH] feat(chat): migrate alpha and prod environments to use Azure Key Vault for sensitive data
- Add FreeleapsSecret configuration for Azure Key Vault integration
- Move sensitive data (mongodbUri, jwtSecretKey, stripeApiKey, etc.) from config to secrets
- Update deployment template to read from both config and FreeleapsSecret
- Comment out sensitive fields in chat-config.yaml
- Create freeleapssecret.yaml template for secret management
- Update both alpha and prod environment configurations
---
 .../chat/templates/chat/chat-config.yaml | 7 ---
 .../chat/templates/chat/deployment.yaml | 10 +++++
 .../chat/templates/chat/freeleapssecret.yaml | 20 +++++++++
 freeleaps/helm-pkg/chat/values.alpha.yaml | 45 ++++++++++++++++---
 freeleaps/helm-pkg/chat/values.prod.yaml | 44 +++++++++++++++---
 freeleaps/helm-pkg/chat/values.yaml | 38 ++++++++++++++++
 6 files changed, 143 insertions(+), 21 deletions(-)
 create mode 100644 freeleaps/helm-pkg/chat/templates/chat/freeleapssecret.yaml
diff --git a/freeleaps/helm-pkg/chat/templates/chat/chat-config.yaml b/freeleaps/helm-pkg/chat/templates/chat/chat-config.yaml
index b5c147a4..42d898b8 100644
--- a/freeleaps/helm-pkg/chat/templates/chat/chat-config.yaml
+++ b/freeleaps/helm-pkg/chat/templates/chat/chat-config.yaml
@@ -10,19 +10,13 @@ data:
 SERVICE_API_ACCESS_HOST: {{ .Values.chat.configs.serviceApiAccessHost | b64enc | quote }}
 SERVICE_API_ACCESS_PORT: {{ .Values.chat.configs.serviceApiAccessPort | toString | b64enc }}
 MONGODB_NAME: {{ .Values.chat.configs.mongodbName | b64enc | quote }}
- MONGODB_URI: {{ .Values.chat.configs.mongodbUri | b64enc | quote }}
 MONGODB_PORT: {{ .Values.chat.configs.mongodbPort | toString | b64enc }}
 EMAIL_FROM: {{ .Values.chat.configs.emailFrom | b64enc | quote }}
 SITE_URL_ROOT: {{ .Values.chat.configs.siteUrlRoot | b64enc | quote }}
- JWT_SECRET_KEY: {{ .Values.chat.configs.jwtSecretKey | b64enc | quote }}
 JWT_ALGORITHM: {{ .Values.chat.configs.jwtAlgorithm | b64enc | quote }}
- STRIPE_API_KEY: {{ .Values.chat.configs.stripeApiKey | b64enc | quote }}
- STRIPE_WEBHOOK_SECRET: {{ .Values.chat.configs.stripeWebhookSecret | b64enc | quote }}
- STRIPE_ACCOUNT_WEBHOOK_SECRET: {{ .Values.chat.configs.stripeAccountWebhookSecret | b64enc | quote }}
 RABBITMQ_HOST: {{ .Values.chat.configs.rabbitmqHost | b64enc | quote }}
 RABBITMQ_PORT: {{ .Values.chat.configs.rabbitmqPort | toString | b64enc }}
 RABBITMQ_USERNAME: {{ .Values.chat.configs.rabbitmqUsername | b64enc | quote }}
- RABBITMQ_PASSWORD: {{ .Values.chat.configs.rabbitmqPassword | b64enc | quote }}
 FREELEAPS_DEVSVC_ENDPOINT: {{ .Values.chat.configs.freeleapsDevsvcEndpoint | b64enc | quote }}
 FREELEAPS_CONTENT_ENDPOINT: {{ .Values.chat.configs.freeleapsContentEndpoint | b64enc | quote }}
 FREELEAPS_CENTRAL_STORAGE_ENDPOINT: {{ .Values.chat.configs.freeleapsCentralStorageEndpoint | b64enc | quote }}
@@ -32,7 +26,6 @@ data:
 FREELEAPS_NOTIFICATION_ENDPOINT: {{ .Values.chat.configs.freeleapsNotificationEndpoint | b64enc | quote }}
 FREELEAPS_ENV: {{ .Values.chat.configs.freeleapsEnv | b64enc | quote }}
 CERT_PATH: {{ .Values.chat.configs.certPath | b64enc | quote }}
- REDIS_URL: {{ .Values.chat.configs.redisUrl | b64enc | quote }}
 REDIS_IS_CLUSTER: {{ .Values.chat.configs.redisIsCluster | b64enc | quote }}
 METRICS_ENABLED: {{ .Values.chat.configs.metricsEnabled | default false | toString | b64enc }}
 PROBES_ENABLED: {{ .Values.chat.configs.probesEnabled | default false | toString | b64enc }}
\ No newline at end of file
diff --git a/freeleaps/helm-pkg/chat/templates/chat/deployment.yaml b/freeleaps/helm-pkg/chat/templates/chat/deployment.yaml
index 41d0d439..f57f7cb3 100644
--- a/freeleaps/helm-pkg/chat/templates/chat/deployment.yaml
+++ b/freeleaps/helm-pkg/chat/templates/chat/deployment.yaml
@@ -109,6 +109,16 @@ spec:
 name: chat-config
 key: {{ $key | snakecase | upper }}
 {{- end }}
+ {{- if .Values.chat.secrets }}
+ {{ $targetSecretName := .Values.chat.secrets.target.name }}
+ {{- range .Values.chat.secrets.data }}
+ - name: {{ .key | snakecase | upper }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $targetSecretName }}
+ key: {{ .key }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.logIngest.enabled }}
 volumeMounts:
 - name: app-logs
diff --git a/freeleaps/helm-pkg/chat/templates/chat/freeleapssecret.yaml b/freeleaps/helm-pkg/chat/templates/chat/freeleapssecret.yaml
new file mode 100644
index 00000000..bafaccc5
--- /dev/null
+++ b/freeleaps/helm-pkg/chat/templates/chat/freeleapssecret.yaml
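Review bot: In the deployment.yaml hunk an env var name can now be rendered twice: the range that ends at the `{{- end }}` just above the new block (presumably over `.Values.chat.configs`, given the `$key | snakecase | upper` context line) and the new `{{- range .Values.chat.secrets.data }}` derive names the same way, so a values file that still carries e.g. `mongodbUri` under `configs` would produce both a `chat-config` entry and a `secretKeyRef` entry for `MONGODB_URI`; Kubernetes accepts duplicate env names (the later one generally takes effect, here the secret), so the leftover plaintext value in the config resource would go unnoticed. A render-time check inside the new range, `{{- if hasKey $.Values.chat.configs .key }}{{ fail (printf "%s is defined in both chat.configs and chat.secrets.data" .key) }}{{- end }}`, would surface that. Separately, `{{ $targetSecretName := .Values.chat.secrets.target.name }}` has no left trim, so the assignment leaves a whitespace-only line in the env list; `{{- $targetSecretName := .Values.chat.secrets.target.name }}` keeps the output clean. The enclosing container spec starts and ends outside the hunk.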
@@ -0,0 +1,20 @@
+apiVersion: freeleaps.com/v1alpha1
+kind: FreeleapsSecret
+metadata:
+ name: freeleaps-chat-alpha-secrets
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretStoreRef:
+ kind: {{ .Values.chat.secrets.secretStoreRef.kind }}
+ name: {{ .Values.chat.secrets.secretStoreRef.name }}
+ target:
+ name: {{ .Values.chat.secrets.target.name }}
+ creationPolicy: {{ .Values.chat.secrets.target.creationPolicy }}
+ refreshInterval: {{ .Values.chat.secrets.refreshInterval }}
+ data:
+{{- range .Values.chat.secrets.data }}
+ - secretKey: {{ .key }}
+ remoteRef:
+ key: {{ .remoteRef.key }}
+ type: {{ .remoteRef.type }}
+{{- end }}
\ No newline at end of file
diff --git a/freeleaps/helm-pkg/chat/values.alpha.yaml b/freeleaps/helm-pkg/chat/values.alpha.yaml
index f15554f9..f524acb5 100644
--- a/freeleaps/helm-pkg/chat/values.alpha.yaml
+++ b/freeleaps/helm-pkg/chat/values.alpha.yaml
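Review bot: `metadata.name` is hard-coded to `freeleaps-chat-alpha-secrets` while `spec.target.name` is read from values, so the prod release (whose values set `target.name` to `freeleaps-chat-prod-secrets`) would create a FreeleapsSecret object carrying the alpha name; derive it from the same value, `name: {{ .Values.chat.secrets.target.name }}`. The template is also not wrapped in the `{{- if .Values.chat.secrets }}` guard that deployment.yaml applies to its consumer, so a release that unsets `chat.secrets` would still fail here when `.Values.chat.secrets.secretStoreRef.kind` is evaluated on nil; guard both templates or neither. The new file also ends without a trailing newline.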
@@ -82,19 +82,13 @@ chat:
 serviceApiAccessHost: 0.0.0.0
 serviceApiAccessPort: 8012
 mongodbName: freeleaps2
- mongodbUri: mongodb+srv://jetli:8IHKx6dZK8BfugGp@freeleaps2.hanbj.mongodb.net/
 mongodbPort: 27017
 emailFrom: freeleaps@freeleaps.com
 siteUrlRoot: https://freeleaps-alpha.com
- jwtSecretKey: 8f87ca8c3c9c3df09a9c78e0adb0927855568f6072d9efc892534aee35f5867b
 jwtAlgorithm: HS256
- stripeApiKey: sk_test_51Ogsw5B0IyqaSJBrwczlr820jnmvA1qQQGoLZ2XxOsIzikpmXo4pRLjw4XVMTEBR8DdVTYySiAv1XX53Zv5xqynF00GfMqttFd
- stripeWebhookSecret: whsec_hUbnahlGtAvN2yckBk45a236LmrODOdm
- stripeAccountWebhookSecret: whsec_PgPnkWGhEUiQfnV8aIb5Wmruz7XETJLm
 rabbitmqHost: freeleaps-alpha-rabbitmq.freeleaps-alpha.svc.freeleaps.cluster
 rabbitmqPort: 5672
 rabbitmqUsername: user
- rabbitmqPassword: NjlhHFvnDuC7K0ir
 freeleapsDevsvcEndpoint: http://devsvc-service.freeleaps-alpha.svc.freeleaps.cluster:8007/api/devsvc/
 freeleapsContentEndpoint: http://content-service.freeleaps-alpha.svc.freeleaps.cluster:8013/api/content/
 freeleapsCentralStorageEndpoint: http://central-storage-service.freeleaps-alpha.svc.freeleaps.cluster:8005/api/central_storage/
@@ -104,10 +98,47 @@ chat:
 freeleapsAilabEndpoint: ''
 freeleapsEnv: alpha
 certPath: ''
- redisUrl: redis://:4sTqfZvUwR@freeleaps-alpha-redis-headless.freeleaps-alpha.svc.freeleaps.cluster:6379
 redisIsCluster: 'false'
 metricsEnabled: 'true'
 probesEnabled: 'true'
+
+ secrets:
+ secretStoreRef:
+ kind: FreeleapsSecretStore
+ name: freeleaps-main-secret-store
+ target:
+ name: "freeleaps-chat-alpha-secrets"
+ creationPolicy: "Owner"
+ refreshInterval: 30s
+ data:
+ - key: mongodbUri
+ remoteRef:
+ key: "freeleaps-alpha-mongodb-uri"
+ type: Secret
+ - key: jwtSecretKey
+ remoteRef:
+ key: "freeleaps-alpha-jwt-secret-key"
+ type: Secret
+ - key: stripeApiKey
+ remoteRef:
+ key: "freeleaps-alpha-stripe-api-key"
+ type: Secret
+ - key: stripeWebhookSecret
+ remoteRef:
+ key: "freeleaps-alpha-stripe-webhook-secret"
+ type: Secret
+ - key: stripeAccountWebhookSecret
+ remoteRef:
+ key: "freeleaps-alpha-stripe-account-webhook-secret"
+ type: Secret
+ - key: rabbitmqPassword
+ remoteRef:
+ key: "freeleaps-alpha-rabbitmq-password"
+ type: Secret
+ - key: redisUrl
+ remoteRef:
+ key: "freeleaps-alpha-redis-url"
+ type: Secret
 vpa:
 minAllowed:
 enabled: false
diff --git a/freeleaps/helm-pkg/chat/values.prod.yaml b/freeleaps/helm-pkg/chat/values.prod.yaml
index e8e8dd70..a148f676 100644
--- a/freeleaps/helm-pkg/chat/values.prod.yaml
+++ b/freeleaps/helm-pkg/chat/values.prod.yaml
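Review bot: The credential removed in this hunk (`redisUrl`) and those removed in the preceding hunk of this file (`mongodbUri`, `jwtSecretKey`, `stripeApiKey`, both Stripe webhook secrets, `rabbitmqPassword`) remain readable in git history, so the Key Vault entries behind the new `remoteRef.key` names need freshly issued values with the old ones revoked, and nothing in the commit records that rotation happened; the same applies to the two values.prod.yaml hunks, which drop the production equivalents. A comment on the block, `# remoteRef keys point at rotated values; the plaintext secrets formerly in this file were revoked on <DATE>`, would leave that trail for the next reader. The new block also quotes `target.name` and `creationPolicy` but not `secretStoreRef.name` or `refreshInterval`; `name: "freeleaps-main-secret-store"` and `refreshInterval: "30s"` would make the quoting uniform with the remoteRef keys.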
@@ -74,18 +74,12 @@ chat:
 serviceApiAccessPort: 8012
 mongodbName: freeleaps2
 mongodbPort: 27017
- mongodbUri: mongodb+srv://freeadmin:0eMV0bt8oyaknA0m@freeleaps2.zmsmpos.mongodb.net/?retryWrites=true&w=majority
 emailFrom: freeleaps@freeleaps.com
 siteUrlRoot: https://freeleaps.com
- jwtSecretKey: ea84edf152976b2fcec12b78aa8e45bc26a5cf0ef61bf16f5c317ae33b3fd8b0
 jwtAlgorithm: HS256
- stripeApiKey: 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
- stripeWebhookSecret: whsec_yWObkdtJTP4FOrmN2vPNEAv0EBGXbU3n
- stripeAccountWebhookSecret: whsec_cFhia4hz65OQLdhv26LZAAmjoBc6WNgg
 rabbitmqHost: freeleaps-prod-rabbitmq-headless.freeleaps-prod.svc.freeleaps.cluster
 rabbitmqPort: 5672
 rabbitmqUsername: user
- rabbitmqPassword: D3b0HKz71T0OcYF8
 freeleapsDevsvcEndpoint: http://devsvc-service.freeleaps-prod.svc.freeleaps.cluster:8007/api/devsvc/
 freeleapsContentEndpoint: http://content-service.freeleaps-prod.svc.freeleaps.cluster:8013/api/content/
 freeleapsCentralStorageEndpoint: http://central-storage-service.freeleaps-prod.svc.freeleaps.cluster:8005/api/central_storage/
@@ -95,10 +89,46 @@ chat:
 freeleapsAilabEndpoint: ''
 freeleapsEnv: chat
 certPath: ''
- redisUrl: redis://:izrZtCmYk8@freeleaps-prod-redis-redis-cluster-headless.freeleaps-prod.svc.freeleaps.cluster:6379/0
 redisIsCluster: 'true'
 metricsEnabled: 'false'
 probesEnabled: 'true'
+ secrets:
+ secretStoreRef:
+ kind: FreeleapsSecretStore
+ name: freeleaps-main-secret-store
+ target:
+ name: "freeleaps-chat-prod-secrets"
+ creationPolicy: "Owner"
+ refreshInterval: 30s
+ data:
+ - key: mongodbUri
+ remoteRef:
+ key: "freeleaps-prod-mongodb-uri"
+ type: Secret
+ - key: jwtSecretKey
+ remoteRef:
+ key: "freeleaps-prod-jwt-secret-key"
+ type: Secret
+ - key: stripeApiKey
+ remoteRef:
+ key: "freeleaps-prod-stripe-api-key"
+ type: Secret
+ - key: stripeWebhookSecret
+ remoteRef:
+ key: "freeleaps-prod-stripe-webhook-secret"
+ type: Secret
+ - key: stripeAccountWebhookSecret
+ remoteRef:
+ key: "freeleaps-prod-stripe-account-webhook-secret"
+ type: Secret
+ - key: rabbitmqPassword
+ remoteRef:
+ key: "freeleaps-prod-rabbitmq-password"
+ type: Secret
+ - key: redisUrl
+ remoteRef:
+ key: "freeleaps-prod-redis-url"
+ type: Secret
 vpa:
 minAllowed:
 enabled: true
diff --git a/freeleaps/helm-pkg/chat/values.yaml b/freeleaps/helm-pkg/chat/values.yaml
index 6b062ac9..999b4922 100644
--- a/freeleaps/helm-pkg/chat/values.yaml
+++ b/freeleaps/helm-pkg/chat/values.yaml
@@ -126,6 +126,44 @@ chat:
 metricsEnabled: "false"
 # PROBES_ENABLED
 probesEnabled: "true"
+
+ secrets:
+ secretStoreRef:
+ kind: FreeleapsSecretStore
+ name: freeleaps-main-secret-store
+ target:
+ name: "freeleaps-chat-secrets"
+ creationPolicy: "Owner"
+ refreshInterval: 30s
+ data:
+ - key: mongodbUri
+ remoteRef:
+ key: "freeleaps-mongodb-uri"
+ type: Secret
+ - key: jwtSecretKey
+ remoteRef:
+ key: "freeleaps-jwt-secret-key"
+ type: Secret
+ - key: stripeApiKey
+ remoteRef:
+ key: "freeleaps-stripe-api-key"
+ type: Secret
+ - key: stripeWebhookSecret
+ remoteRef:
+ key: "freeleaps-stripe-webhook-secret"
+ type: Secret
+ - key: stripeAccountWebhookSecret
+ remoteRef:
+ key: "freeleaps-stripe-account-webhook-secret"
+ type: Secret
+ - key: rabbitmqPassword
+ remoteRef:
+ key: "freeleaps-rabbitmq-password"
+ type: Secret
+ - key: redisUrl
+ remoteRef:
+ key: "freeleaps-redis-url"
+ type: Secret
 vpa:
 minAllowed:
 enabled: false
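Review bot: The new `secrets` block is the only part of this values file without the per-key comments the `configs` section carries (the `# PROBES_ENABLED` line just above shows the convention), and nothing here says how `data[].key` reaches the container. A header comment above `secrets:` along the lines of `# Secrets synced from secretStoreRef into the Kubernetes Secret named by target.name; each data[].key is exposed to the container as its UPPER_SNAKE_CASE env var (mongodbUri -> MONGODB_URI) via secretKeyRef, and remoteRef.key is the entry name in the store` would let a reader add a secret without opening deployment.yaml. The default `remoteRef.key` values have no environment prefix, unlike the alpha and prod overrides, so an environment values file that omits this list would look up the unprefixed names; `# remoteRef.key must be overridden per environment (see values.alpha.yaml / values.prod.yaml)` above `data:` would flag that.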