feat: secrets

smardigo/templates/iam/deployment.yml

@@ -22,18 +22,23 @@ spec:
         image: "{{ .Values.harbor.host.name }}/{{ .Values.iam.image.name }}:{{ .Values.iam.image.version }}"
         imagePullPolicy: Always
         env:
-        - name: SERVER_ERROR_INCLUDE_MESSAGE
-          value: "always"
+        - name: SMA_JWT_ENABLED
+          value: "true"
+        - name: SMA_JWT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: "iam-secrets"
+              key: JWT_SECRET
+
         - name: IAM_KEYCLOAK_AUTH_SERVER_URL
           value: "https://{{ .Values.sharedService.keycloak.host.name }}/auth"
         - name: IAM_KEYCLOAK_ADMIN_USER
           value: "{{ .Values.iam.keycloak.username }}"
         - name: IAM_KEYCLOAK_ADMIN_PASSWORD
           value: "{{ .Values.iam.keycloak.username }}"
-        - name: SMA_JWT_ENABLED
-          value: "true"
-        - name: SMA_JWT_SECRET
-          value: "456ae14462d049d3be76439ef379c7c6"
+
+        - name: SERVER_ERROR_INCLUDE_MESSAGE
+          value: "always"
         ports:
         - containerPort: 8080
         - containerPort: 8081

smardigo/templates/iam/secret.yml

@@ -0,0 +1,22 @@
+# store the secret-name as variable
+{{- $secret_name := "iam-secrets" -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "{{ $secret_name }}"
+  annotations:
+    "helm.sh/resource-policy": "keep"
+data:
+  # try to get the old secrets
+  # keep in mind, that a dry-run only returns an empty map
+  {{- $previous := lookup "v1" "Secret" .Release.Namespace $secret_name }}
+
+  # check, if a secret is already set
+  {{- if or (not $previous) (not $previous.data) }}
+  # if not set, then generate a new password
+  JWT_SECRET: "{{ .Values.iam.jwt.secret | b64enc }}"
+  {{ else }}
+  # if set, then use the old value
+  JWT_SECRET: "{{ index $previous.data "JWT_SECRET" }}"
+  {{ end }}

smardigo/templates/sepa-exporter/secret.yml

@@ -1,8 +1,25 @@
+# store the secret-name as variable
+{{- $secret_name := "sepa-exporter-secrets" -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: "sepa-exporter-secrets"
+  name: "{{ $secret_name }}"
+  annotations:
+    "helm.sh/resource-policy": "keep"
 data:
+  # try to get the old secrets
+  # keep in mind, that a dry-run only returns an empty map
+  {{- $previous := lookup "v1" "Secret" .Release.Namespace $secret_name }}
+
+  # check, if a secret is already set
+  {{- if or (not $previous) (not $previous.data) }}
+  # if not set, then generate a new password
   SMA_WORKFLOW_AUTH_TOKEN: "{{ .Values.sepaExporter.workflow.api_token | b64enc }}"
   SMA_DOCUMENT_AUTH_TOKEN: "{{ .Values.sepaExporter.document.api_token | b64enc }}"
+  {{ else }}
+  # if set, then use the old value
+  SMA_WORKFLOW_AUTH_TOKEN: "{{ index $previous.data "SMA_WORKFLOW_AUTH_TOKEN" }}"
+  SMA_DOCUMENT_AUTH_TOKEN: "{{ index $previous.data "SMA_DOCUMENT_AUTH_TOKEN" }}"
+  {{ end }}
+  

smardigo/templates/uba-export/secret.yml

@@ -1,8 +1,24 @@
+# store the secret-name as variable
+{{- $secret_name := "uba-exporter-secrets" -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: "uba-exporter-secrets"
+  name: "{{ $secret_name }}"
+  annotations:
+    "helm.sh/resource-policy": "keep"
 data:
+  # try to get the old secrets
+  # keep in mind, that a dry-run only returns an empty map
+  {{- $previous := lookup "v1" "Secret" .Release.Namespace $secret_name }}
+
+  # check, if a secret is already set
+  {{- if or (not $previous) (not $previous.data) }}
+  # if not set, then generate a new password
   SMA_WORKFLOW_AUTH_TOKEN: "{{ .Values.ubaExporter.workflow.api_token | b64enc }}"
   SMA_DOCUMENT_AUTH_TOKEN: "{{ .Values.ubaExporter.document.api_token | b64enc }}"
+  {{ else }}
+  # if set, then use the old value
+  SMA_WORKFLOW_AUTH_TOKEN: "{{ index $previous.data "SMA_WORKFLOW_AUTH_TOKEN" }}"
+  SMA_DOCUMENT_AUTH_TOKEN: "{{ index $previous.data "SMA_DOCUMENT_AUTH_TOKEN" }}"
+  {{ end }}