From e898a18b4d45393f0fe7f8e14771938dedbee7cc Mon Sep 17 00:00:00 2001
From: zhenyus
Date: Mon, 18 Aug 2025 16:17:16 +0800
Subject: [PATCH] refactor(devsvc): implement secret management for sensitive configurations
- Removed direct references to sensitive data (e.g., MongoDB URI, Gitea token, RabbitMQ password) in values files and replaced them with a structured secrets section.
- Updated deployment and configuration templates to inject secrets from FreeleapsSecretStore, enhancing security and maintainability.
- This change aligns with the new secret management strategy across the application.
Signed-off-by: zhenyus
---
 .../authentication/authentication-config.yaml | 2 --
 .../devsvc/templates/devsvc/deployment.yaml | 9 +++++
 .../templates/devsvc/devsvc-config.yaml | 7 +---
 .../templates/devsvc/freeleapssecret.yaml | 20 +++++++++++
 freeleaps/helm-pkg/devsvc/values.alpha.yaml | 33 +++++++++++++++---
 freeleaps/helm-pkg/devsvc/values.prod.yaml | 34 ++++++++++++++++---
 6 files changed, 88 insertions(+), 17 deletions(-)
 create mode 100644 freeleaps/helm-pkg/devsvc/templates/devsvc/freeleapssecret.yaml
diff --git a/freeleaps/helm-pkg/authentication/templates/authentication/authentication-config.yaml b/freeleaps/helm-pkg/authentication/templates/authentication/authentication-config.yaml
index 688f65ca..afeb2257 100644
--- a/freeleaps/helm-pkg/authentication/templates/authentication/authentication-config.yaml
+++ b/freeleaps/helm-pkg/authentication/templates/authentication/authentication-config.yaml
@@ -9,13 +9,11 @@ data: APP_NAME: {{ .Values.authentication.configs.appName | b64enc | quote }} DEVSVC_WEBAPI_URL_BASE: {{ .Values.authentication.configs.devsvcWebapiUrlBase | b64enc | quote }} NOTIFICATION_WEBAPI_URL_BASE: {{ .Values.authentication.configs.notificationWebapiUrlBase | b64enc | quote }} - JWT_SECRET_KEY: {{ .Values.authentication.configs.jwtSecretKey | b64enc | quote }} JWT_ALGORITHM: {{ .Values.authentication.configs.jwtAlgorithm | b64enc | quote }} SERVICE_API_ACCESS_HOST: {{ .Values.authentication.configs.serviceApiAccessHost | b64enc | quote }} SERVICE_API_ACCESS_PORT: {{ .Values.authentication.configs.serviceApiAccessPort | toString | b64enc }} MONGODB_NAME: {{ .Values.authentication.configs.mongodbName | b64enc | quote }} MONGODB_PORT: {{ .Values.authentication.configs.mongodbPort | toString | b64enc }} - MONGODB_URI: {{ .Values.authentication.configs.mongodbUri | b64enc | quote }} METRICS_ENABLED: {{ .Values.authentication.configs.metricsEnabled | default false | toString | b64enc }} PROBES_ENABLED: {{ .Values.authentication.configs.probesEnabled | default false | toString | b64enc }}
\ No newline at end of file
diff --git a/freeleaps/helm-pkg/devsvc/templates/devsvc/deployment.yaml b/freeleaps/helm-pkg/devsvc/templates/devsvc/deployment.yaml
index 8af898f7..5de7e5b3 100644
--- a/freeleaps/helm-pkg/devsvc/templates/devsvc/deployment.yaml
+++ b/freeleaps/helm-pkg/devsvc/templates/devsvc/deployment.yaml
@@ -109,6 +109,15 @@ spec:
 name: devsvc-config
 key: {{ $key | snakecase | upper }}
 {{- end }}
+ # inject from secret created by FreeleapsSecret object
+ {{ $targetSecretName := .Values.devsvc.secrets.target.name }}
+ {{- range .Values.devsvc.secrets.data }}
+ - name: {{ .key | snakecase | upper }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $targetSecretName }}
+ key: {{ .key }}
+ {{- end }}
 {{- if .Values.logIngest.enabled }}
 volumeMounts:
 - name: app-logs
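Review bot: The new env entries dereference `.Values.devsvc.secrets.target.name` and `.Values.devsvc.secrets.data` with no guard, so a values file that does not define `devsvc.secrets` fails to render (nil-pointer template error) — only values.alpha.yaml and values.prod.yaml are touched by this patch, so if the chart's default values.yaml lacks the section, `helm template` without `-f` breaks. Either add matching defaults or wrap the block in `{{- if .Values.devsvc.secrets }} … {{- end }}`. The assignment uses an untrimmed `{{`, which leaves a whitespace-only line in the rendered container spec; `{{- $targetSecretName := .Values.devsvc.secrets.target.name }}` avoids it. The authentication-config hunk earlier in this patch drops `JWT_SECRET_KEY` and `MONGODB_URI` from that chart's config, but the diffstat shows no counterpart injection for the authentication deployment, which looks like a functional gap unless it is wired up elsewhere. The container spec and the `env:` list this extends begin outside the hunk.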
diff --git a/freeleaps/helm-pkg/devsvc/templates/devsvc/devsvc-config.yaml b/freeleaps/helm-pkg/devsvc/templates/devsvc/devsvc-config.yaml
index 2be0a7ce..ca57aa00 100644
--- a/freeleaps/helm-pkg/devsvc/templates/devsvc/devsvc-config.yaml
+++ b/freeleaps/helm-pkg/devsvc/templates/devsvc/devsvc-config.yaml
@@ -10,8 +10,6 @@ data:
 SERVICE_API_ACCESS_HOST: {{ .Values.devsvc.configs.serviceApiAccessHost | b64enc | quote }}
 SERVICE_API_ACCESS_PORT: {{ .Values.devsvc.configs.serviceApiAccessPort | toString | b64enc }}
 MONGODB_NAME: {{ .Values.devsvc.configs.mongodbName | b64enc | quote }}
- MONGODB_URI: {{ .Values.devsvc.configs.mongodbUri | b64enc | quote }}
- GITEA_TOKEN: {{ .Values.devsvc.configs.giteaToken | b64enc | quote }}
 GITEA_URL: {{ .Values.devsvc.configs.giteaUrl | b64enc | quote }}
 GITEA_DEPOT_ORGANIZATION: {{ .Values.devsvc.configs.giteaDepotOrganization | b64enc | quote }}
 CODE_DEPOT_HTTP_PORT: {{ .Values.devsvc.configs.codeDepotHttpPort | toString | b64enc }}
@@ -24,11 +22,8 @@ data:
 RABBITMQ_HOST: {{ .Values.devsvc.configs.rabbitmqHost | b64enc | quote }}
 RABBITMQ_PORT: {{ .Values.devsvc.configs.rabbitmqPort | toString | b64enc }}
 RABBITMQ_USERNAME: {{ .Values.devsvc.configs.rabbitmqUsername | b64enc | quote }}
- RABBITMQ_PASSWORD: {{ .Values.devsvc.configs.rabbitmqPassword | b64enc | quote }}
 RABBITMQ_VIRTUAL_HOST: {{ .Values.devsvc.configs.rabbitmqVirtualHost | b64enc | quote }}
 DEFAULT_GIT_USERNAME: {{ .Values.devsvc.configs.defaultGitUsername | b64enc | quote }}
- DEFAULT_GIT_PASSWORD: {{ .Values.devsvc.configs.defaultGitPassword | b64enc | quote }}
 DEVOPS_DOCKER_REGISTRY_URL: {{ .Values.devsvc.configs.devopsDockerRegistryUrl | b64enc | quote }}
 DEVOPS_DOCKER_REGISTRY_REPOSITORY_NAME: {{ .Values.devsvc.configs.devopsDockerRegistryRepositoryName | b64enc | quote }}
- DEVOPS_DOCKER_REGISTRY_USERNAME: {{ .Values.devsvc.configs.devopsDockerRegistryUsername | b64enc | quote }}
- DEVOPS_DOCKER_REGISTRY_PASSWORD: {{ .Values.devsvc.configs.devopsDockerRegistryPassword | b64enc | quote }}
\ No newline at end of file
+ DEVOPS_DOCKER_REGISTRY_USERNAME: {{ .Values.devsvc.configs.devopsDockerRegistryUsername | b64enc | quote }}
\ No newline at end of file
diff --git a/freeleaps/helm-pkg/devsvc/templates/devsvc/freeleapssecret.yaml b/freeleaps/helm-pkg/devsvc/templates/devsvc/freeleapssecret.yaml
new file mode 100644
index 00000000..04a9d2cf
--- /dev/null
+++ b/freeleaps/helm-pkg/devsvc/templates/devsvc/freeleapssecret.yaml
@@ -0,0 +1,20 @@
+apiVersion: freeleaps.com/v1alpha1
+kind: FreeleapsSecret
+metadata:
+ name: freeleaps-devsvc-secrets
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretStoreRef:
+ kind: {{ .Values.devsvc.secrets.secretStoreRef.kind }}
+ name: {{ .Values.devsvc.secrets.secretStoreRef.name }}
+ target:
+ name: {{ .Values.devsvc.secrets.target.name }}
+ creationPolicy: {{ .Values.devsvc.secrets.target.creationPolicy }}
+ refreshInterval: {{ .Values.devsvc.secrets.refreshInterval }}
+ data:
+{{- range .Values.devsvc.secrets.data }}
+ - secretKey: {{ .key }}
+ remoteRef:
+ key: {{ .remoteRef.key }}
+ type: {{ .remoteRef.type }}
+{{- end }}
\ No newline at end of file
diff --git a/freeleaps/helm-pkg/devsvc/values.alpha.yaml b/freeleaps/helm-pkg/devsvc/values.alpha.yaml
index c19d62ad..984763e9 100644
--- a/freeleaps/helm-pkg/devsvc/values.alpha.yaml
+++ b/freeleaps/helm-pkg/devsvc/values.alpha.yaml
@@ -81,8 +81,6 @@ devsvc:
 serviceApiAccessHost: 0.0.0.0
 serviceApiAccessPort: 8007
 mongodbName: freeleaps2
- mongodbUri: mongodb+srv://jetli:8IHKx6dZK8BfugGp@freeleaps2.hanbj.mongodb.net/
- giteaToken: 65bc8b16705414abbdaf8e6262ad698015ce49d9
 giteaUrl: http://freeleaps-alpha-gitea-http.freeleaps-alpha.svc.freeleaps.cluster:3000
 giteaDepotOrganization: products
 codeDepotHttpPort: 443
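Review bot: `secretStoreRef.kind`, `secretStoreRef.name`, `target.name`, `target.creationPolicy` and `refreshInterval` are interpolated as plain scalars, so an unset value renders as an empty field (null) and a value that happens to look like a number or boolean changes type silently; pipe each through `| quote`, e.g. `kind: {{ .Values.devsvc.secrets.secretStoreRef.kind | quote }}`, which is equivalent for string fields. `metadata.name` is hard-coded to `freeleaps-devsvc-secrets` while `spec.target.name` comes from values; they coincide in both values files today, but deriving `metadata.name` from the same value (or the release name) keeps the two from drifting. There is no `{{- if }}` guard around the object and only the alpha and prod values files are updated, so a values file without `devsvc.secrets` fails to render rather than simply omitting the resource. The file also ends without a trailing newline.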
@@ -94,14 +92,41 @@ devsvc:
 rabbitmqHost: freeleaps-alpha-rabbitmq.freeleaps-alpha.svc.freeleaps.cluster
 rabbitmqPort: 5672
 rabbitmqUsername: user
- rabbitmqPassword: NjlhHFvnDuC7K0ir
 rabbitmqVirtualHost: /
 defaultGitUsername: freeleaps
 defaultGitPassword: r8sA8CPHD9!bt6d
 devopsDockerRegistryUrl: https://hub.docker.com
 devopsDockerRegistryRepositoryName: freeleapsdevops
 devopsDockerRegistryUsername: freeleapsdevops
- devopsDockerRegistryPassword: dckr_pat_y-KsBOwcEGTdCQDsAb-NBz9_beg
+ secrets:
+ secretStoreRef:
+ kind: FreeleapsSecretStore
+ name: freeleaps-main-secret-store
+ target:
+ name: "freeleaps-devsvc-secrets"
+ creationPolicy: "Owner"
+ refreshInterval: 30s
+ data:
+ - key: giteaToken
+ remoteRef:
+ key: "freeleaps-alpha-gitea-token"
+ type: Secret
+ - key: mongodbUri
+ remoteRef:
+ key: "freeleaps-alpha-mongodb-uri"
+ type: Secret
+ - key: rabbitmqPassword
+ remoteRef:
+ key: "freeleaps-alpha-rabbitmq-password"
+ type: Secret
+ - key: defaultGitPassword
+ remoteRef:
+ key: "freeleaps-alpha-gitea-password"
+ type: Secret
+ - key: devopsDockerRegistryPassword
+ remoteRef:
+ key: "freeleaps-alpha-devops-docker-registry-password"
+ type: Secret
 vpa:
 minAllowed:
 enabled: false
diff --git a/freeleaps/helm-pkg/devsvc/values.prod.yaml b/freeleaps/helm-pkg/devsvc/values.prod.yaml
index a0b577be..2d7600ea 100644
--- a/freeleaps/helm-pkg/devsvc/values.prod.yaml
+++ b/freeleaps/helm-pkg/devsvc/values.prod.yaml
@@ -72,8 +72,6 @@ devsvc:
 serviceApiAccessHost: 0.0.0.0
 serviceApiAccessPort: 8007
 mongodbName: freeleaps2
- mongodbUri: mongodb+srv://freeadmin:0eMV0bt8oyaknA0m@freeleaps2.zmsmpos.mongodb.net/?retryWrites=true&w=majority
- giteaToken: 87f8cf4bf9e6b7beb422967e079fadbdfb70e0be
 giteaUrl: http://freeleaps-prod-gitea-http.freeleaps-prod.svc.freeleaps.cluster:3000
 giteaDepotOrganization: products
 codeDepotHttpPort: 443
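Review bot: The `defaultGitPassword` line survives as unchanged context in this hunk although `DEFAULT_GIT_PASSWORD` is no longer emitted by devsvc-config.yaml and a `defaultGitPassword` entry now points at `freeleaps-alpha-gitea-password`; the prod hunk removes its copy, so remove this one too — it is dead configuration that still commits a plaintext credential. Every value removed in this patch (here, in the earlier alpha hunk, and in both prod hunks) stays recoverable from repository history, so the MongoDB URI, Gitea token and password, RabbitMQ password and registry token should be treated as exposed: rotate them and populate the new remote keys with fresh values rather than the old ones.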
@@ -85,14 +83,40 @@ devsvc:
 rabbitmqHost: freeleaps-prod-rabbitmq-headless.freeleaps-prod.svc.freeleaps.cluster
 rabbitmqPort: 5672
 rabbitmqUsername: user
- rabbitmqPassword: D3b0HKz71T0OcYF8
 rabbitmqVirtualHost: /
 defaultGitUsername: freeleaps-admin
- defaultGitPassword: r8sA8CPHD9!bt6d
 devopsDockerRegistryUrl: https://hub.docker.com
 devopsDockerRegistryRepositoryName: freeleapsdevops
 devopsDockerRegistryUsername: freeleapsdevops
- devopsDockerRegistryPassword: dckr_pat_y-KsBOwcEGTdCQDsAb-NBz9_beg
+ secrets:
+ secretStoreRef:
+ kind: FreeleapsSecretStore
+ name: freeleaps-main-secret-store
+ target:
+ name: "freeleaps-devsvc-secrets"
+ creationPolicy: "Owner"
+ refreshInterval: 30s
+ data:
+ - key: giteaToken
+ remoteRef:
+ key: "freeleaps-prod-gitea-token"
+ type: Secret
+ - key: mongodbUri
+ remoteRef:
+ key: "freeleaps-prod-mongodb-uri"
+ type: Secret
+ - key: rabbitmqPassword
+ remoteRef:
+ key: "freeleaps-prod-rabbitmq-password"
+ type: Secret
+ - key: defaultGitPassword
+ remoteRef:
+ key: "freeleaps-prod-gitea-password"
+ type: Secret
+ - key: devopsDockerRegistryPassword
+ remoteRef:
+ key: "freeleaps-prod-devops-docker-registry-password"
+ type: Secret
 vpa:
 minAllowed:
 enabled: true
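Review bot: The `defaultGitPassword` and `devopsDockerRegistryPassword` values removed here are the same strings as in values.alpha.yaml, so alpha and prod have been sharing credentials; the new `remoteRef.key` entries are per-environment (`freeleaps-prod-*`), so when the secret store is populated give each environment its own values instead of copying the shared ones, and rotate the exposed ones. The `secretStoreRef`, `target` and `refreshInterval` blocks are identical to the alpha file; if the chart has a base values.yaml they belong there, with only the `data` remote keys overridden per environment, which also gives `helm template` a default so the templates render without an environment file.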