Feat: Secret Environment Variables (#95)

* Feat: Private repo auth header via secrets * Add optional `remoteAuthHeaders` value * Populating the value creates a Kubernetes Secret * `envFrom` is used to inject secret keys/values as environment variables * `secretEnvVars` instead of `remoteAuthHeaders` * Make it more generic so you can inject sensitive env vars via k8s secret * Update Readme, rename env secret * Add checksum for env secret * Add checksum of env secret to annotations * Change in checksum triggers deployment rollout
verdaccio · Apr 25, 2022 · 9b1c809 · 9b1c809
1 parent 0470c20
commit 9b1c809
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -117,7 +117,8 @@ and their default values.
 | `service.type`                     | Type of service to create                                                        | `ClusterIP`                    |
 | `serviceAccount.create`            | Create service account                                                           | `false`                        |
 | `serviceAccount.name`              | Service account Name                                                             | none                           |
-| `extraEnvVars`                     | Define environment variables to be passed to the container                       | `{}`                           |
+| `extraEnvVars`                     | Define environment variables to be passed to the container                       | `[]`                           |
+| `secretEnvVars`                    | Define sensitive environment variables to be passed to the container             | `{}`                           |
 | `extraInitContainers`              | Define additional initContainers to be added to the deployment                   | `[]`                           |
 | `securityContext`                  | Define Container Security Context                                                | `{runAsUser=10001}`            |
 | `podSecurityContext`               | Define Pod Security Context                                                      | `{fsGroup=101}`                |

diff --git a/charts/verdaccio/Chart.yaml b/charts/verdaccio/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: A lightweight private node.js proxy registry
 name: verdaccio
-version: 4.7.1
+version: 4.8.0
 appVersion: 5.5.0
 home: https://verdaccio.org
 icon: https://cdn.verdaccio.dev/logos/default.png

diff --git a/charts/verdaccio/templates/deployment.yaml b/charts/verdaccio/templates/deployment.yaml
@@ -21,6 +21,9 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
         checksum/htpasswd-secret: {{ toJson .Values.secrets.htpasswd | sha256sum }}
+        {{- if .Values.secretEnvVars }}
+        checksum/env-secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
         {{- include "verdaccio.podAnnotations" . | nindent 8 }}
       labels:
         {{- include "verdaccio.podLabels" . | nindent 8 }}
@@ -39,6 +42,11 @@ spec:
         - name: {{ template "verdaccio.name" . }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.secretEnvVars }}
+          envFrom:
+            - secretRef:
+                name: {{ template "verdaccio.fullname" . }}-env
+          {{- end }}
           ports:
             - containerPort: 4873
               name: http

diff --git a/charts/verdaccio/templates/secret.yaml b/charts/verdaccio/templates/secret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.secretEnvVars }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "verdaccio.fullname" . }}-env
+  labels:
+    {{- include "verdaccio.labels" . | nindent 4 }}
+stringData:
+  {{- range $header, $value := .Values.secretEnvVars }}
+  {{ printf "%s" (upper (replace "-" "_" $header)) }}: {{ tpl (toString $value) $ }}
+  {{- end }}
+{{- end }}
diff --git a/charts/verdaccio/values.yaml b/charts/verdaccio/values.yaml
@@ -108,6 +108,13 @@ extraEnvVars:
 #  - name: REGULAR_VAR
 #    value: ABC
 
+## Secret Environment Variables
+## Use this to pass sensitive key:values to the container via k8s secret
+secretEnvVars: {}
+  # SECRET_ENV_VAR: secretValue
+  # corp_artifactory: foo
+  # npmjs: bar
+
 # Extra Init Containers - allows yaml definitions
 extraInitContainers: []