From 5de3967695c291fdf8ce7ae8481c44ab1ce1279a Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Mon, 19 Aug 2024 09:10:56 +0100
Subject: [PATCH] auto generate encryption key, and use secrets
---
 charts/budibase/templates/app-service-deployment.yaml | 10 ++++++++--
 .../automation-worker-service-deployment.yaml | 10 ++++++++--
 charts/budibase/templates/secrets.yaml | 4 ++++
 .../budibase/templates/worker-service-deployment.yaml | 10 ++++++++--
 4 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/charts/budibase/templates/app-service-deployment.yaml b/charts/budibase/templates/app-service-deployment.yaml
index 42178e4165..a60b2797ea 100644
--- a/charts/budibase/templates/app-service-deployment.yaml
+++ b/charts/budibase/templates/app-service-deployment.yaml
@@ -65,7 +65,10 @@ spec:
 - name: ENABLE_ANALYTICS
 value: {{ .Values.globals.enableAnalytics | quote }}
 - name: API_ENCRYPTION_KEY
- value: {{ .Values.globals.apiEncryptionKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "budibase.fullname" . }}
+ key: apiEncryptionKey
 - name: HTTP_LOGGING
 value: {{ .Values.services.apps.httpLogging | quote }}
 - name: INTERNAL_API_KEY
@@ -161,7 +164,10 @@ spec:
 - name: TENANT_FEATURE_FLAGS
 value: {{ .Values.globals.tenantFeatureFlags | quote }}
 - name: ENCRYPTION_KEY
- value: {{ .Values.globals.bbEncryptionKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "budibase.fullname" . }}
+ key: bbEncryptionKey
 {{ if .Values.globals.bbAdminUserEmail }}
 - name: BB_ADMIN_USER_EMAIL
 value: {{ .Values.globals.bbAdminUserEmail | quote }}
diff --git a/charts/budibase/templates/automation-worker-service-deployment.yaml b/charts/budibase/templates/automation-worker-service-deployment.yaml
index f456cc85ad..71089bd7ee 100644
--- a/charts/budibase/templates/automation-worker-service-deployment.yaml
+++ b/charts/budibase/templates/automation-worker-service-deployment.yaml
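Review bot: The new `secretKeyRef` entries for `API_ENCRYPTION_KEY` and `ENCRYPTION_KEY` in app-service-deployment.yaml are mandatory references, so the container will not start unless the Secret named by `budibase.fullname` already holds `apiEncryptionKey` and `bbEncryptionKey`. Nothing in these hunks falls back to `.Values.globals.apiEncryptionKey` or `.Values.globals.bbEncryptionKey`, so a value an operator set there is no longer read, and a release whose Secret was created before this change (or is supplied outside the chart, if the chart allows that) would presumably be missing both keys. The same applies to the matching hunks in automation-worker-service-deployment.yaml and worker-service-deployment.yaml. I would state the requirement next to each entry, for example `{{/* requires apiEncryptionKey in the chart Secret; globals.apiEncryptionKey is no longer read */}}`, and call it out in the upgrade notes. The container spec begins and ends outside both hunks, so how the other secret-backed variables are wired is not visible here.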
@@ -58,7 +58,10 @@ spec:
 - name: ENABLE_ANALYTICS
 value: {{ .Values.globals.enableAnalytics | quote }}
 - name: API_ENCRYPTION_KEY
- value: {{ .Values.globals.apiEncryptionKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "budibase.fullname" . }}
+ key: apiEncryptionKey
 - name: HTTP_LOGGING
 value: {{ .Values.services.automationWorkers.httpLogging | quote }}
 - name: INTERNAL_API_KEY
@@ -154,7 +157,10 @@ spec:
 - name: TENANT_FEATURE_FLAGS
 value: {{ .Values.globals.tenantFeatureFlags | quote }}
 - name: ENCRYPTION_KEY
- value: {{ .Values.globals.bbEncryptionKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "budibase.fullname" . }}
+ key: bbEncryptionKey
 {{ if .Values.globals.bbAdminUserEmail }}
 - name: BB_ADMIN_USER_EMAIL
 value: {{ .Values.globals.bbAdminUserEmail | quote }}
diff --git a/charts/budibase/templates/secrets.yaml b/charts/budibase/templates/secrets.yaml
index 263934187e..861442acac 100644
--- a/charts/budibase/templates/secrets.yaml
+++ b/charts/budibase/templates/secrets.yaml
@@ -16,10 +16,14 @@ data:
 jwtSecret: {{ index $existingSecret.data "jwtSecret" }}
 objectStoreAccess: {{ index $existingSecret.data "objectStoreAccess" }}
 objectStoreSecret: {{ index $existingSecret.data "objectStoreSecret" }}
+ bbEncryptionKey: {{ index $existingSecret.data "bbEncryptionKey" }}
+ apiEncryptionKey: {{ index $existingSecret.data "apiEncryptionKey" }}
 {{- else }}
 internalApiKey: {{ template "budibase.defaultsecret" .Values.globals.internalApiKey }}
 jwtSecret: {{ template "budibase.defaultsecret" .Values.globals.jwtSecret }}
 objectStoreAccess: {{ template "budibase.defaultsecret" .Values.services.objectStore.accessKey }}
 objectStoreSecret: {{ template "budibase.defaultsecret" .Values.services.objectStore.secretKey }}
+ bbEncryptionKey: {{ template "budibase.defaultsecret" "" }}
+ apiEncryptionKey: {{ template "budibase.defaultsecret" "" }}
 {{- end }}
 {{- end }}
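Review bot: In secrets.yaml the existing-secret branch copies `bbEncryptionKey` and `apiEncryptionKey` with `index $existingSecret.data ...`, but a Secret written by an earlier chart version has neither key, so on upgrade both would render empty and the deployments' `secretKeyRef` lookups would fail or deliver an empty key. The `else` branch passes `""` to `budibase.defaultsecret`, which drops any `globals.bbEncryptionKey` / `globals.apiEncryptionKey` an operator already set; if that helper generates a random value, as the commit title suggests, data encrypted under the previous key would presumably no longer decrypt. I would keep the operator's value and fall back per key, e.g. `bbEncryptionKey: {{ index $existingSecret.data "bbEncryptionKey" | default (include "budibase.defaultsecret" .Values.globals.bbEncryptionKey) }}` in the first branch and `{{ template "budibase.defaultsecret" .Values.globals.bbEncryptionKey }}` in the `else` branch, likewise for `apiEncryptionKey`. Both enclosing `if` blocks open above the hunk, so where `$existingSecret` comes from and the outer condition are not visible here.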
diff --git a/charts/budibase/templates/worker-service-deployment.yaml b/charts/budibase/templates/worker-service-deployment.yaml
index 65c922b8e0..fbd88e862f 100644
--- a/charts/budibase/templates/worker-service-deployment.yaml
+++ b/charts/budibase/templates/worker-service-deployment.yaml
@@ -65,7 +65,10 @@ spec:
 {{ end }}
 {{ end }}
 - name: API_ENCRYPTION_KEY
- value: {{ .Values.globals.apiEncryptionKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "budibase.fullname" . }}
+ key: apiEncryptionKey
 - name: HTTP_LOGGING
 value: {{ .Values.services.worker.httpLogging | quote }}
 - name: INTERNAL_API_KEY
@@ -167,7 +170,10 @@ spec:
 - name: TENANT_FEATURE_FLAGS
 value: {{ .Values.globals.tenantFeatureFlags | quote }}
 - name: ENCRYPTION_KEY
- value: {{ .Values.globals.bbEncryptionKey | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "budibase.fullname" . }}
+ key: bbEncryptionKey
 {{ if .Values.globals.datadogApmEnabled }}
 - name: DD_LOGS_INJECTION
 value: {{ .Values.globals.datadogApmEnabled | quote }}