From dc7c7e0f3212307dcf41adec892076d2c9154639 Mon Sep 17 00:00:00 2001
From: Sven Ketelsen
Date: Sun, 5 Jun 2022 15:18:15 +0200
Subject: [PATCH] feat: secrets
---
 smardigo/templates/iam/deployment.yml | 17 ++++++++++------
 smardigo/templates/iam/secret.yml | 22 +++++++++++++++++++++
 smardigo/templates/sepa-exporter/secret.yml | 19 +++++++++++++++++-
 smardigo/templates/uba-export/secret.yml | 18 ++++++++++++++++-
 4 files changed, 68 insertions(+), 8 deletions(-)
 create mode 100644 smardigo/templates/iam/secret.yml
diff --git a/smardigo/templates/iam/deployment.yml b/smardigo/templates/iam/deployment.yml
index 212f819..b1ec885 100644
--- a/smardigo/templates/iam/deployment.yml
+++ b/smardigo/templates/iam/deployment.yml
@@ -22,18 +22,23 @@ spec:
 image: "{{ .Values.harbor.host.name }}/{{ .Values.iam.image.name }}:{{ .Values.iam.image.version }}"
 imagePullPolicy: Always
 env:
- - name: SERVER_ERROR_INCLUDE_MESSAGE
- value: "always"
+ - name: SMA_JWT_ENABLED
+ value: "true"
+ - name: SMA_JWT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: "iam-secrets"
+ key: JWT_SECRET
+
 - name: IAM_KEYCLOAK_AUTH_SERVER_URL
 value: "https://{{ .Values.sharedService.keycloak.host.name }}/auth"
 - name: IAM_KEYCLOAK_ADMIN_USER
 value: "{{ .Values.iam.keycloak.username }}"
 - name: IAM_KEYCLOAK_ADMIN_PASSWORD
 value: "{{ .Values.iam.keycloak.username }}"
- - name: SMA_JWT_ENABLED
- value: "true"
- - name: SMA_JWT_SECRET
- value: "456ae14462d049d3be76439ef379c7c6"
+
+ - name: SERVER_ERROR_INCLUDE_MESSAGE
+ value: "always"
 ports:
 - containerPort: 8080
 - containerPort: 8081
diff --git a/smardigo/templates/iam/secret.yml b/smardigo/templates/iam/secret.yml
new file mode 100644
index 0000000..e962c73
--- /dev/null
+++ b/smardigo/templates/iam/secret.yml
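Review bot: The literal JWT secret removed from the `SMA_JWT_SECRET` line stays in the chart's git history, so the value now supplied through `.Values.iam.jwt.secret` must be a fresh one; if the same string is simply moved into values.yaml, this commit changes only where the secret is read from, not its exposure. The `IAM_KEYCLOAK_ADMIN_PASSWORD` context line still uses `value: "{{ .Values.iam.keycloak.username }}"`, which looks like a copy of the user line above it and also leaves the Keycloak admin password as a plain env value while the new code reads `SMA_JWT_SECRET` through a `secretKeyRef`; assuming a password key exists in values, it should go through the same Secret, and if it does not exist the username reuse is a bug worth its own fix. The container spec that encloses this `env:` list starts and ends outside the hunk.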
@@ -0,0 +1,22 @@
+# store the secret-name as variable
+{{- $secret_name := "iam-secrets" -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "{{ $secret_name }}"
+ annotations:
+ "helm.sh/resource-policy": "keep"
+data:
+ # try to get the old secrets
+ # keep in mind, that a dry-run only returns an empty map
+ {{- $previous := lookup "v1" "Secret" .Release.Namespace $secret_name }}
+
+ # check, if a secret is already set
+ {{- if or (not $previous) (not $previous.data) }}
+ # if not set, then generate a new password
+ JWT_SECRET: "{{ .Values.iam.jwt.secret | b64enc }}"
+ {{ else }}
+ # if set, then use the old value
+ JWT_SECRET: "{{ index $previous.data "JWT_SECRET" }}"
+ {{ end }}
diff --git a/smardigo/templates/sepa-exporter/secret.yml b/smardigo/templates/sepa-exporter/secret.yml
index 6d466d1..1dcda84 100644
--- a/smardigo/templates/sepa-exporter/secret.yml
+++ b/smardigo/templates/sepa-exporter/secret.yml
@@ -1,8 +1,25 @@
+# store the secret-name as variable
+{{- $secret_name := "sepa-exporter-secrets" -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
- name: "sepa-exporter-secrets"
+ name: "{{ $secret_name }}"
+ annotations:
+ "helm.sh/resource-policy": "keep"
 data:
+ # try to get the old secrets
+ # keep in mind, that a dry-run only returns an empty map
+ {{- $previous := lookup "v1" "Secret" .Release.Namespace $secret_name }}
+
+ # check, if a secret is already set
+ {{- if or (not $previous) (not $previous.data) }}
+ # if not set, then generate a new password
 SMA_WORKFLOW_AUTH_TOKEN: "{{ .Values.sepaExporter.workflow.api_token | b64enc }}"
 SMA_DOCUMENT_AUTH_TOKEN: "{{ .Values.sepaExporter.document.api_token | b64enc }}"
+ {{ else }}
+ # if set, then use the old value
+ SMA_WORKFLOW_AUTH_TOKEN: "{{ index $previous.data "SMA_WORKFLOW_AUTH_TOKEN" }}"
+ SMA_DOCUMENT_AUTH_TOKEN: "{{ index $previous.data "SMA_DOCUMENT_AUTH_TOKEN" }}"
+ {{ end }}
+
\ No newline at end of file
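Review bot: The first-install branch `JWT_SECRET: "{{ .Values.iam.jwt.secret | b64enc }}"` accepts an unset or empty value, and because the Secret carries `helm.sh/resource-policy: keep` and is reused on every later upgrade through `lookup`, an empty JWT_SECRET would be locked in until someone deletes the Secret by hand; guard it with `JWT_SECRET: "{{ required "iam.jwt.secret must be set" .Values.iam.jwt.secret | b64enc }}"`. The comment `# if not set, then generate a new password` is misleading because nothing is generated, the value is taken from values.yaml; either reword it to `# if not set, then take the value from values.yaml` or, if a chart-managed secret is intended, generate one with `randAlphaNum` so the value never has to live in values at all. A consequence worth stating in a comment at the top of the file is that changing the value in values.yaml after the first install has no effect and rotation requires deleting the kept Secret. The same empty-value gap and misleading comment appear in the sepa-exporter/secret.yml and uba-export/secret.yml hunks.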
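Review bot: The reuse branch indexes two keys but the guard `{{- if or (not $previous) (not $previous.data) }}` only checks that the old Secret has any data at all, so a kept Secret that predates one of the keys would make `index $previous.data "SMA_DOCUMENT_AUTH_TOKEN"` render an empty (or `<no value>`) string that is then re-stored and kept on every upgrade; check per key, for example by extending the guard with `(hasKey $previous.data "SMA_WORKFLOW_AUTH_TOKEN")` and `(hasKey $previous.data "SMA_DOCUMENT_AUTH_TOKEN")` evaluated after the existing nil checks so a missing key falls back to the values branch. The trailing `+` line is an indented blank followed by `\ No newline at end of file`, and `{{ else }}` / `{{ end }}` are not whitespace-trimmed, so the rendered manifest carries stray indented blank lines; `{{- else }}` and `{{- end }}` plus a final newline would keep the output clean. Both points apply equally to the uba-export/secret.yml hunk.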
diff --git a/smardigo/templates/uba-export/secret.yml b/smardigo/templates/uba-export/secret.yml
index c737520..f7f2eb1 100644
--- a/smardigo/templates/uba-export/secret.yml
+++ b/smardigo/templates/uba-export/secret.yml
@@ -1,8 +1,24 @@
+# store the secret-name as variable
+{{- $secret_name := "uba-exporter-secrets" -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
- name: "uba-exporter-secrets"
+ name: "{{ $secret_name }}"
+ annotations:
+ "helm.sh/resource-policy": "keep"
 data:
+ # try to get the old secrets
+ # keep in mind, that a dry-run only returns an empty map
+ {{- $previous := lookup "v1" "Secret" .Release.Namespace $secret_name }}
+
+ # check, if a secret is already set
+ {{- if or (not $previous) (not $previous.data) }}
+ # if not set, then generate a new password
 SMA_WORKFLOW_AUTH_TOKEN: "{{ .Values.ubaExporter.workflow.api_token | b64enc }}"
 SMA_DOCUMENT_AUTH_TOKEN: "{{ .Values.ubaExporter.document.api_token | b64enc }}"
+ {{ else }}
+ # if set, then use the old value
+ SMA_WORKFLOW_AUTH_TOKEN: "{{ index $previous.data "SMA_WORKFLOW_AUTH_TOKEN" }}"
+ SMA_DOCUMENT_AUTH_TOKEN: "{{ index $previous.data "SMA_DOCUMENT_AUTH_TOKEN" }}"
+ {{ end }}
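Review bot: This hunk is a line-for-line copy of the sepa-exporter/secret.yml change with only the secret name and the `.Values.ubaExporter` paths differing, and iam/secret.yml repeats the same lookup-then-keep logic a third time; a named template (a `define` in the chart's helpers file taking the secret name and a map of key to value) would keep the reuse guard in one place so that a fix to it is not applied three times. The secret name `uba-exporter-secrets` also no longer matches the directory name `uba-export`; since the name is pre-existing and the resource is now kept across releases, renaming it would orphan the old Secret, so a comment such as `# name kept as "uba-exporter-secrets" for compatibility with existing releases` is safer than a rename.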