charts/bitnami/chainloop/templates/controlplane/secret-config.yaml

{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

apiVersion: v1
kind: Secret
metadata:
  name: {{ include "chainloop.controlplane.fullname" . }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
type: Opaque
{{- $hmacpass := include "common.secrets.passwords.manage" (dict "secret" (include "chainloop.controlplane.fullname" .) "key" "generated_jws_hmac_secret" "providedValues" (list "controlplane.auth.passphrase") "context" $) }}
data:
  # We store it also as a different key so it can be reused during upgrades by the common.secrets.passwords.manage helper
  generated_jws_hmac_secret: {{ $hmacpass }}
  db_migrate_source: {{include "controlplane.database.atlas_connection_string" . | b64enc | quote }}
stringData:
  {{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }}
    {{- fail "configuring sentry at the top level is no longer supported. Add the configuration to the controlplane section in the values.yaml file" }}
  {{- end -}}
  {{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }}
  config.observability.yaml: |
    {{- include "chainloop.sentry" .Values.controlplane.sentry | nindent 4 }}
  {{- end }}
  {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
  fileca.secret.yaml: |
    {{- with .Values.controlplane.keylessSigning.fileCA }}
    certificate_authority:
      file_ca:
        cert_path: "/ca_secrets/file_ca.cert"
        key_path:  "/ca_secrets/file_ca.key"
        key_pass: "{{- required "FileCA keyPass is mandatory" .keyPass }}"
    {{- end }}
  {{- end }}
  {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
  ejbca.secret.yaml: |
    {{- with .Values.controlplane.keylessSigning.ejbcaCA }}
    certificate_authority:
      ejbca_ca:
        cert_path: "/ca_secrets/ejbca_client.cert"
        key_path:  "/ca_secrets/ejbca_client.key"
        server_url: "{{- required "EJBCA server URL is mandatory" .serverURL }}"
        certificate_profile_name: "{{- required "EJBCA certificate profile name is mandatory" .certProfileName }}"
        end_entity_profile_name: "{{- required "EJBCA end entity profile name is mandatory" .endEntityProfileName }}"
        certificate_authority_name: "{{- required "EJBCA certificate authority name is mandatory" .caName }}"
    {{- end }}
  {{- end }}  
  config.secret.yaml: |
    data:
      database:
        driver: pgx
        source: {{include "controlplane.database.connection_string" . }}

    credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }}

    auth:
      oidc: {{- include "controlplane.oidc_settings" . | indent 4 }}

      # HMAC key used to sign the JWTs generated by the controlplane
      # The helper returns the base64 quoted value of the secret
      # We need to remove the quotes and then decoding it so it's compatible with the stringData stanza
      generated_jws_hmac_secret: {{ $hmacpass | replace "\"" "" | b64dec | quote }}

      # Private key used to sign the JWTs meant to be consumed by the CAS
      cas_robot_account_private_key_path: "/secrets/cas.private.key"