icecheng/freeleaps-ops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(authentication): integrate secret management for JWT and MongoDB URI

Browse Source 
- Added a secrets section in values.alpha.yaml to reference JWT secret key and MongoDB URI from a FreeleapsSecretStore.
- Updated deployment.yaml to inject these secrets as environment variables, enhancing security and configuration management.

Signed-off-by: zhenyus <zhenyus@mathmast.com>
This commit is contained in:
zhenyus 2025-08-18 15:25:48 +08:00
parent 335252e8ed
commit 4da0d64995
4 changed files with 77 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
freeleaps/helm-pkg/authentication/templates/authentication/deployment.yaml
View File

@ -106,6 +106,14 @@ spec:
name: authentication-config name: authentication-config
key: {{ $key | snakecase | upper }} key: {{ $key | snakecase | upper }}
{{- end }} {{- end }}
# inject from secret created by FreeleapsSecret object
{{- range .Values.secrets.data }}
- name: {{ .key | snakecase | upper }}
valueFrom:
secretKeyRef:
name: {{ .Values.secrets.target.name }}
key: {{ .key }}
{{- end }}
{{- if .Values.logIngest.enabled }} {{- if .Values.logIngest.enabled }}
volumeMounts: volumeMounts:
- name: app-logs - name: app-logs

20
freeleaps/helm-pkg/authentication/templates/authentication/freeleapssecret.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: freeleaps.com/v1alpha1
kind: FreeleapsSecret
metadata:
name: freeleaps-authentication-secrets
namespace: {{ .Release.Namespace }}
spec:
secretStoreRef:
kind: {{ .Values.secrets.secretStoreRef.kind }}
name: {{ .Values.secrets.secretStoreRef.name }}
target:
name: {{ .Values.secrets.target.name }}
creationPolicy: {{ .Values.secrets.target.creationPolicy }}
refreshInterval: {{ .Values.secrets.refreshInterval }}
data:
{{- range .Values.secrets.data }}
- key: {{ .key }}
remoteRef:
key: {{ .remoteRef.key }}
type: {{ .remoteRef.type }}
{{- end }}

19
freeleaps/helm-pkg/authentication/values.alpha.yaml
View File

@ -80,15 +80,30 @@ authentication:
appName: authentication appName: authentication
devsvcWebapiUrlBase: http://devsvc-service.freeleaps-alpha.svc.freeleaps.cluster:8007/api/devsvc/ devsvcWebapiUrlBase: http://devsvc-service.freeleaps-alpha.svc.freeleaps.cluster:8007/api/devsvc/
notificationWebapiUrlBase: http://notification-service.freeleaps-alpha.svc.freeleaps.cluster:8003/api/notification/ notificationWebapiUrlBase: http://notification-service.freeleaps-alpha.svc.freeleaps.cluster:8003/api/notification/
jwtSecretKey: 8f87ca8c3c9c3df09a9c78e0adb0927855568f6072d9efc892534aee35f5867b
jwtAlgorithm: HS256 jwtAlgorithm: HS256
serviceApiAccessHost: 0.0.0.0 serviceApiAccessHost: 0.0.0.0
serviceApiAccessPort: 8004 serviceApiAccessPort: 8004
mongodbName: freeleaps2 mongodbName: freeleaps2
mongodbPort: 27017 mongodbPort: 27017
mongodbUri: mongodb+srv://jetli:8IHKx6dZK8BfugGp@freeleaps2.hanbj.mongodb.net/
metricsEnabled: 'false' metricsEnabled: 'false'
probesEnabled: 'true' probesEnabled: 'true'
secrets:
secretStoreRef:
kind: FreeleapsSecretStore
name: freeleaps-main-secret-store
target:
name: "freeleaps-authentication-secrets"
creationPolicy: "Owner"
refreshInterval: 30s
data:
- key: jwtSecretKey
remoteRef:
key: "freeleaps-jwt-secret-key"
type: Secret
- key: mongodbUri
remoteRef:
key: "freeleaps-mongodb-uri"
type: Secret
vpa: vpa:
minAllowed: minAllowed:
enabled: false enabled: false

32
freeleaps/manifests/freeleaps_main_secretstore.yaml Normal file
View File

@ -0,0 +1,32 @@
---
apiVersion: v1
kind: Secret
metadata:
name: freeleaps-main-secret-store-azure-creds
namespace: freeleaps-devops-system
type: Opaque
data:
client-id: N2NkMWRmMTktMjRlYS00NmQ3LWFjZDMtNTMzNjI4MzEzOWUw
client-secret: WE15OFF+WGJzZ2lYQzZZcm03dkNSQ3NIZExoUXBJTVlDU1J2Z2NMSA==
---
apiVersion: freeleaps.com/v1alpha1
kind: FreeleapsSecretStore
metadata:
name: freeleaps-main-secret-store
spec:
provider:
azurekv:
tenantId: "cf151ee8-5c2c-4fe7-a1c4-809ba43c9f24"
vaultUrl: "https://freeleaps-main.vault.azure.net/"
vaultName: "freeleaps-main"
subscriptionId: "1b7a028d-7d8b-4f41-b467-0efeb04c5b5a"
resourceGroup: "freeleaps"
authSecretRef:
clientId:
name: freeleaps-main-secret-store-azure-creds
key: client-id
namespace: freeleaps-devops-system
clientSecret:
name: freeleaps-main-secret-store-azure-creds
key: client-secret
namespace: freeleaps-devops-system