Configure prod and stage for AWS services (RDS, S3, Secrets Manager)

2026-01-21 13:32:44 -06:00
parent 199821b34d
commit 427d2fec70
6 changed files with 100 additions and 212 deletions
--- a/helm/orchard/templates/_helpers.tpl
+++ b/helm/orchard/templates/_helpers.tpl
@@ -77,6 +77,8 @@ PostgreSQL secret name
 {{- define "orchard.postgresql.secretName" -}}
 {{- if .Values.orchard.database.existingSecret }}
 {{- .Values.orchard.database.existingSecret }}
+{{- else if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled }}
+{{- printf "%s-db-credentials" (include "orchard.fullname" .) }}
 {{- else if .Values.postgresql.enabled }}
 {{- printf "%s-postgresql" .Release.Name }}
 {{- else }}
@@ -90,6 +92,8 @@ PostgreSQL password key in secret
 {{- define "orchard.postgresql.passwordKey" -}}
 {{- if .Values.orchard.database.existingSecret -}}
 {{- .Values.orchard.database.existingSecretPasswordKey -}}
+{{- else if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled -}}
+password
 {{- else if .Values.postgresql.enabled -}}
 password
 {{- else -}}
--- a/helm/orchard/templates/deployment.yaml
+++ b/helm/orchard/templates/deployment.yaml
@@ -77,8 +77,16 @@ spec:
              value: {{ include "orchard.postgresql.host" . | quote }}
            - name: ORCHARD_DATABASE_PORT
              value: {{ .Values.orchard.database.port | quote }}
+            {{- if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled }}
+            - name: ORCHARD_DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "orchard.postgresql.secretName" . }}
+                  key: username
+            {{- else }}
            - name: ORCHARD_DATABASE_USER
              value: {{ .Values.orchard.database.user | default .Values.postgresql.auth.username | quote }}
+            {{- end }}
            - name: ORCHARD_DATABASE_DBNAME
              value: {{ .Values.orchard.database.dbname | default .Values.postgresql.auth.database | quote }}
            - name: ORCHARD_DATABASE_SSLMODE
@@ -96,6 +104,7 @@ spec:
              value: {{ .Values.orchard.s3.bucket | quote }}
            - name: ORCHARD_S3_USE_PATH_STYLE
              value: {{ .Values.orchard.s3.usePathStyle | quote }}
+            {{- if or .Values.minio.enabled .Values.orchard.s3.existingSecret .Values.orchard.s3.accessKeyId }}
            - name: ORCHARD_S3_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
@@ -106,6 +115,7 @@ spec:
                secretKeyRef:
                  name: {{ include "orchard.minio.secretName" . }}
                  key: {{ if .Values.minio.enabled }}root-password{{ else }}{{ .Values.orchard.s3.existingSecretSecretKeyKey }}{{ end }}
+            {{- end }}
            - name: ORCHARD_DOWNLOAD_MODE
              value: {{ .Values.orchard.download.mode | quote }}
            - name: ORCHARD_PRESIGNED_URL_EXPIRY
@@ -116,12 +126,27 @@ spec:
              value: {{ .Values.orchard.rateLimit.login | quote }}
            {{- end }}
            {{- end }}
+          {{- if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled }}
+          volumeMounts:
+            - name: db-secrets
+              mountPath: /mnt/secrets-store
+              readOnly: true
+          {{- end }}
          livenessProbe:
            {{- toYaml .Values.livenessProbe | nindent 12 }}
          readinessProbe:
            {{- toYaml .Values.readinessProbe | nindent 12 }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
+      {{- if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled }}
+      volumes:
+        - name: db-secrets
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: {{ include "orchard.fullname" . }}-db-secret
+      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/helm/orchard/templates/secret-provider-class.yaml
+++ b/helm/orchard/templates/secret-provider-class.yaml
@@ -0,0 +1,27 @@
+{{- if and .Values.orchard.database.secretsManager .Values.orchard.database.secretsManager.enabled }}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: {{ include "orchard.fullname" . }}-db-secret
+  labels:
+    {{- include "orchard.labels" . | nindent 4 }}
+spec:
+  provider: aws
+  parameters:
+    objects: |
+      - objectName: "{{ .Values.orchard.database.secretsManager.secretArn }}"
+        objectType: "secretsmanager"
+        jmesPath:
+          - path: username
+            objectAlias: db-username
+          - path: password
+            objectAlias: db-password
+  secretObjects:
+    - secretName: {{ include "orchard.fullname" . }}-db-credentials
+      type: Opaque
+      data:
+        - objectName: db-username
+          key: username
+        - objectName: db-password
+          key: password
+{{- end }}