From cb551d4bd55dbb037ac32c096afda60f8b3e5e87 Mon Sep 17 00:00:00 2001
From: Chinthiti Wisetsombat
Date: Sun, 20 Nov 2022 11:22:14 +0700
Subject: [PATCH] Helm chart: allow using existing secrets for oncall secrets, slack, and telegram (#718)

* chart: allow to use oncall env from existing secret
* chart: slack credentials from existing secret
* chart: telegram token from existing secret
* chart: fix mirage cipher IV length
* chart: restore mirage cipher IV default and remove it from secret
* chart: add keys for existing oncall secret
* chart: add keys for existing slack secret
* chart: add keys for existing telegram secret
* chart: change key existingSecretName to existingSecret

Co-authored-by: Ildar Iskhakov
---
 helm/oncall/templates/_env.tpl | 60 +++++++++++++++++++++++++++---
 helm/oncall/templates/secrets.yaml | 8 ++--
 helm/oncall/values.yaml | 24 ++++++++++++
 3 files changed, 83 insertions(+), 9 deletions(-)

diff --git a/helm/oncall/templates/_env.tpl b/helm/oncall/templates/_env.tpl
index 1620523a..733d2d35 100644
--- a/helm/oncall/templates/_env.tpl
+++ b/helm/oncall/templates/_env.tpl
@@ -4,15 +4,15 @@
 - name: SECRET_KEY
 valueFrom:
 secretKeyRef:
- name: {{ template "oncall.fullname" . }}
- key: SECRET_KEY
+ name: {{ template "snippet.oncall.secret.name" . }}
+ key: {{ template "snippet.oncall.secret.secretKey" . }}
 - name: MIRAGE_SECRET_KEY
 valueFrom:
 secretKeyRef:
- name: {{ template "oncall.fullname" . }}
- key: MIRAGE_SECRET_KEY
+ name: {{ template "snippet.oncall.secret.name" . }}
+ key: {{ template "snippet.oncall.secret.mirageSecretKey" . }}
 - name: MIRAGE_CIPHER_IV
- value: "1234567890abcdef"
+ value: "{{ .Values.oncall.mirageCipherIV | default "1234567890abcdef" }}"
 - name: DJANGO_SETTINGS_MODULE
 value: "settings.helm"
 - name: AMIXR_DJANGO_ADMIN_PATH
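Review bot: The new `MIRAGE_CIPHER_IV` line wraps a Go-template action in hand-written double quotes and nothing checks the 16-byte length that the values.yaml comment promises, so an override of the wrong length, or one containing `"`, presumably only surfaces at runtime or as invalid YAML instead of failing `helm template`. I'd render it as `value: {{ .Values.oncall.mirageCipherIV | default "1234567890abcdef" | quote }}` and put `{{- if ne (len (.Values.oncall.mirageCipherIV | default "1234567890abcdef")) 16 }}{{ fail "oncall.mirageCipherIV must be exactly 16 bytes" }}{{- end }}` just above the entry. The default IV is also a fixed, chart-wide constant, so every install that does not override it shares it; whether that weakens the mirage cipher depends on the mode it uses, which is not visible from this chart, but a comment in the template pointing operators at the override would help.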
@@ -25,18 +25,60 @@
 value: {{ .Values.broker.type | default "rabbitmq" }}
 {{- end -}}
 
+{{- define "snippet.oncall.secret.name" -}}
+{{- if .Values.oncall.secrets.existingSecret -}}
+{{ .Values.oncall.secrets.existingSecret }}
+{{- else -}}
+{{ template "oncall.fullname" . }}
+{{- end -}}
+{{- end -}}
+
+{{- define "snippet.oncall.secret.secretKey" -}}
+{{- if .Values.oncall.secrets.existingSecret -}}
+{{ required "oncall.secrets.secretKey is required if oncall.secret.existingSecret is not empty" .Values.oncall.secrets.secretKey }}
+{{- else -}}
+SECRET_KEY
+{{- end -}}
+{{- end -}}
+
+{{- define "snippet.oncall.secret.mirageSecretKey" -}}
+{{- if .Values.oncall.secrets.existingSecret -}}
+{{ required "oncall.secrets.mirageSecretKey is required if oncall.secret.existingSecret is not empty" .Values.oncall.secrets.mirageSecretKey }}
+{{- else -}}
+MIRAGE_SECRET_KEY
+{{- end -}}
+{{- end -}}
+
 {{- define "snippet.oncall.slack.env" -}}
 {{- if .Values.oncall.slack.enabled -}}
 - name: FEATURE_SLACK_INTEGRATION_ENABLED
 value: {{ .Values.oncall.slack.enabled | toString | title | quote }}
 - name: SLACK_SLASH_COMMAND_NAME
 value: "/{{ .Values.oncall.slack.commandName | default "oncall" }}"
+{{- if .Values.oncall.slack.existingSecret }}
+- name: SLACK_CLIENT_OAUTH_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.oncall.slack.existingSecret }}
+ key: {{ required "oncall.slack.clientIdKey is required if oncall.slack.existingSecret is not empty" .Values.oncall.slack.clientIdKey }}
+- name: SLACK_CLIENT_OAUTH_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.oncall.slack.existingSecret }}
+ key: {{ required "oncall.slack.clientSecretKey is required if oncall.slack.existingSecret is not empty" .Values.oncall.slack.clientSecretKey }}
+- name: SLACK_SIGNING_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.oncall.slack.existingSecret }}
+ key: {{ required "oncall.slack.signingSecretKey is required if oncall.slack.existingSecret is not empty" .Values.oncall.slack.signingSecretKey }}
+{{- else }}
 - name: SLACK_CLIENT_OAUTH_ID
 value: {{ .Values.oncall.slack.clientId | default "" | quote }}
 - name: SLACK_CLIENT_OAUTH_SECRET
 value: {{ .Values.oncall.slack.clientSecret | default "" | quote }}
 - name: SLACK_SIGNING_SECRET
 value: {{ .Values.oncall.slack.signingSecret | default "" | quote }}
+{{- end }}
 - name: SLACK_INSTALL_RETURN_REDIRECT_HOST
 value: {{ .Values.oncall.slack.redirectHost | default (printf "https://%s" .Values.base_url) | quote }}
 {{- else -}}
@@ -51,8 +93,16 @@
 value: {{ .Values.oncall.telegram.enabled | toString | title | quote }}
 - name: TELEGRAM_WEBHOOK_HOST
 value: {{ .Values.oncall.telegram.webhookUrl | default "" | quote }}
+{{- if .Values.oncall.telegram.existingSecret }}
+- name: TELEGRAM_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.oncall.telegram.existingSecret }}
+ key: {{ required "oncall.telegram.tokenKey is required if oncall.telegram.existingSecret is not empty" .Values.oncall.telegram.tokenKey }}
+{{- else }}
 - name: TELEGRAM_TOKEN
 value: {{ .Values.oncall.telegram.token | default "" | quote }}
+{{- end }}
 {{- else -}}
 - name: FEATURE_TELEGRAM_INTEGRATION_ENABLED
 value: {{ .Values.oncall.telegram.enabled | toString | title | quote }}
diff --git a/helm/oncall/templates/secrets.yaml b/helm/oncall/templates/secrets.yaml
index 07fa1351..8a0dc069 100644
--- a/helm/oncall/templates/secrets.yaml
+++ b/helm/oncall/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.oncall.secrets.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
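Review bot: The `name:` and `key:` values under `secretKeyRef` in the new Slack `existingSecret` branch are emitted unquoted, so a Secret name or key that YAML 1.1 types as something other than a string (`on`, `no`, `true`, or an all-digit key name are all legal in Kubernetes) renders into a pod spec the API server rejects, while the inline branch right below already pipes its values through `quote`. Quote them too, e.g. `name: {{ .Values.oncall.slack.existingSecret | quote }}` and `key: {{ required "oncall.slack.clientIdKey is required if oncall.slack.existingSecret is not empty" .Values.oncall.slack.clientIdKey | quote }}`, likewise for the other two entries and for the `snippet.oncall.secret.*` helpers used in the first hunk. The `required` messages in `snippet.oncall.secret.secretKey` and `snippet.oncall.secret.mirageSecretKey` say `oncall.secret.existingSecret` while the value the template reads is `.Values.oncall.secrets.existingSecret`; the message should name `oncall.secrets.existingSecret` so the operator edits the right key.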
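Review bot: When `oncall.telegram.existingSecret` is set, the new branch silently ignores any `oncall.telegram.token` also present in values, so an operator who sets both may believe the inline token is in use while the pod actually reads the Secret. I'd make the conflict explicit with `{{- if and .Values.oncall.telegram.existingSecret .Values.oncall.telegram.token }}{{ fail "set only one of oncall.telegram.token and oncall.telegram.existingSecret" }}{{- end }}` ahead of the branch. As in the Slack block, `name: {{ .Values.oncall.telegram.existingSecret }}` and the `key:` line should be piped through `quote` so a boolean- or number-looking Secret name or key does not change type under YAML 1.1 parsing.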
@@ -6,10 +7,9 @@ metadata:
 {{- include "oncall.labels" . | nindent 4 }}
 type: Opaque
 data:
- SECRET_KEY: {{ randAlphaNum 40 | b64enc | quote }}
- MIRAGE_SECRET_KEY: {{ randAlphaNum 40 | b64enc | quote }}
- MIRAGE_CIPHER_IV: {{ randAlphaNum 40 | b64enc | quote }}
-
+ {{ template "snippet.oncall.secret.secretKey" . }}: {{ randAlphaNum 40 | b64enc | quote }}
+ {{ template "snippet.oncall.secret.mirageSecretKey" . }}: {{ randAlphaNum 40 | b64enc | quote }}
+{{- end }}
 ---
 {{ if and (not .Values.mariadb.enabled) (eq .Values.database.type "mysql") -}}
 apiVersion: v1
diff --git a/helm/oncall/values.yaml b/helm/oncall/values.yaml
index dfc71d38..c4511216 100644
--- a/helm/oncall/values.yaml
+++ b/helm/oncall/values.yaml
@@ -68,6 +68,17 @@ celery:
 # memory: 128Mi
 
 oncall:
+ # Override default MIRAGE_CIPHER_IV (must be 16 bytes long)
+ # For existing installation, this should not be changed.
+ # mirageCipherIV: 1234567890abcdef
+ # oncall secrets
+ secrets:
+ # Use existing secret. (secretKey and mirageSecretKey is required)
+ existingSecret: ""
+ # the key in the secret containing secret key
+ secretKey: ""
+ # the key in the secret containing mirage secret key
+ mirageSecretKey: ""
 # slack configures the Grafana Oncall Slack ChatOps integration.
 slack:
 # enabled enable the Slack ChatOps integration for the Oncall Engine.
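Review bot: The two new `data:` entries still draw `randAlphaNum 40` on every render, so every `helm upgrade` that leaves `oncall.secrets.existingSecret` empty rotates `SECRET_KEY` and `MIRAGE_SECRET_KEY`; the removed lines did the same, but this is now the default path the new option exists to work around, and a rotated `MIRAGE_SECRET_KEY` presumably makes anything encrypted under the old key unreadable (how the application uses it is not visible from this chart). Reading the already-installed Secret back with `lookup` keeps the generated values stable across upgrades, assuming the Secret's `metadata.name` (outside this hunk) is `oncall.fullname`; `lookup` returns an empty map under `helm template` and `--dry-run`, so those still regenerate and that caveat belongs in a comment. Since this document is only rendered when `existingSecret` is empty, the `snippet.oncall.secret.*` includes here always resolve to the literal `SECRET_KEY` and `MIRAGE_SECRET_KEY`, so spelling those out makes the generated keys greppable.

```yaml
{{- $existing := (lookup "v1" "Secret" .Release.Namespace (include "oncall.fullname" .)).data | default dict }}
# … unchanged: apiVersion, kind, metadata, type …
data:
  # reuse the installed value so upgrades do not rotate the keys; empty under helm template / --dry-run
  SECRET_KEY: {{ get $existing "SECRET_KEY" | default (randAlphaNum 40 | b64enc) | quote }}
  MIRAGE_SECRET_KEY: {{ get $existing "MIRAGE_SECRET_KEY" | default (randAlphaNum 40 | b64enc) | quote }}
```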
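Review bot: The comment above `existingSecret:` does not say what the Secret must contain or what happens when it is set: per the templates in this patch, the chart then stops rendering its own Secret, and the named one must already exist in the release namespace with the keys given by `secretKey` and `mirageSecretKey`, otherwise the pods cannot start. I'd replace `# Use existing secret. (secretKey and mirageSecretKey is required)` with `# Name of an existing Secret in the release namespace holding the application SECRET_KEY and the mirage key. When set, the chart does not create its own Secret; secretKey and mirageSecretKey (both required) name the keys inside it.` The `mirageCipherIV` comment says it must be 16 bytes, but nothing in the chart checks that, so adding `(not validated by the chart)` to the comment keeps the expectation honest.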
@@ -84,12 +95,25 @@ oncall:
 # requests comming from Slack.
 # api.slack.com/apps/ -> Basic Information -> App Credentials -> Signing Secret
 signingSecret: ~
+ # Use existing secret for clientId, clientSecret and signingSecret.
+ # clientIdKey, clientSecretKey and signingSecretKey are required
+ existingSecret: ""
+ # the key in the secret containing OAuth2 client ID
+ clientIdKey: ""
+ # the key in the secret containing OAuth2 client secret
+ clientSecretKey: ""
+ # the key in the secret containing the Slack app signature secret
+ signingSecretKey: ""
 # OnCall external URL
 redirectHost: ~
 telegram:
 enabled: false
 token: ~
 webhookUrl: ~
+ # Use exsting secret. (tokenKey is required)
+ existingSecret: ""
+ # the key in the secret containing Telegram token
+ tokenKey: ""
 smtp:
 enabled: false
 host: ~
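Review bot: The new comments do not state that `existingSecret` takes precedence: per `_env.tpl` in this patch, when `oncall.slack.existingSecret` or `oncall.telegram.existingSecret` is set, the inline `clientId`, `clientSecret`, `signingSecret` and `token` values are ignored without any warning. I'd say so on the comment lines, e.g. `# Use an existing Secret for clientId, clientSecret and signingSecret; when set, the inline values above are ignored.` and `# Use an existing Secret for the bot token; when set, token above is ignored (tokenKey is required).` The Telegram comment also misspells `exsting`; it should read `existing`.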