Merge pull request #13 from linuxfoundation/LFXV2-618

[LFXV2-618] fix: add ServiceAccount support for GroupsIO secrets

Author: prabodhcs

charts/lfx-v2-mailing-list-service/templates/deployment.yaml

@@ -16,48 +16,26 @@ spec:
       labels:
         app: {{.Chart.Name}}
     spec:
+      # Use the configured service account for pod identity
+      serviceAccountName: {{ .Values.serviceAccount.name | default .Chart.Name }}
       containers:
         - name: app
-          image: "{{.Values.image.repository}}:{{.Values.image.tag | default .Chart.AppVersion}}"
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           securityContext:
             allowPrivilegeEscalation: false
-          imagePullPolicy: {{.Values.image.pullPolicy}}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          # Environment variables from values.yaml app.environment
+          # Supports both direct values and valueFrom for secret references
           env:
-            - name: NATS_URL
-              value: {{.Values.nats.url}}
-            - name: LOG_LEVEL
-              value: {{.Values.app.logLevel}}
-            - name: LOG_ADD_SOURCE
-              value: {{.Values.app.logAddSource | quote}}
-            - name: JWKS_URL
-              value: {{.Values.heimdall.jwksUrl}}
-            - name: JWT_AUDIENCE
-              value: {{.Values.app.audience}}
-            - name: AUTH_SOURCE
-              value: {{.Values.app.authSource}}
-            - name: JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL
-              value: {{.Values.app.jwtAuthDisabledMockLocalPrincipal}}
-            # Repository configuration
-            - name: REPOSITORY_SOURCE
-              value: {{.Values.app.repositorySource | default "nats"}}
-            # GroupsIO configuration
-            - name: GROUPSIO_SOURCE
-              value: {{.Values.app.groupsio.source}}
-            - name: GROUPSIO_BASE_URL
-              value: {{.Values.app.groupsio.baseUrl}}
-            - name: GROUPSIO_EMAIL
-              value: {{.Values.app.groupsio.email}}
-            - name: GROUPSIO_PASSWORD
-              value: {{.Values.app.groupsio.password}}
-            - name: GROUPSIO_TIMEOUT
-              value: {{.Values.app.groupsio.timeout}}
-            - name: GROUPSIO_MAX_RETRIES
-              value: {{.Values.app.groupsio.maxRetries}}
-            - name: GROUPSIO_RETRY_DELAY
-              value: {{.Values.app.groupsio.retryDelay}}
-            # Webhook configuration
-            - name: GROUPSIO_WEBHOOK_SECRET
-              value: {{.Values.app.groupsioWebhookSecret | default "" | quote}}
+            {{- range $name, $config := .Values.app.environment }}
+            - name: {{ $name }}
+              {{- if $config.value }}
+              value: {{ $config.value | quote }}
+              {{- else if $config.valueFrom }}
+              valueFrom:
+                {{- toYaml $config.valueFrom | nindent 16 }}
+              {{- end }}
+            {{- end }}
           ports:
             - containerPort: {{.Values.service.port}}
               name: web

charts/lfx-v2-mailing-list-service/templates/nats-kv-buckets.yaml

@@ -1,7 +1,7 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
----
 {{- if .Values.nats.groupsio_services_kv_bucket.creation }}
+---
 apiVersion: jetstream.nats.io/v1beta2
 kind: KeyValue
 metadata:
@@ -19,8 +19,8 @@ spec:
   maxBytes: {{ .Values.nats.groupsio_services_kv_bucket.maxBytes }}
   compression: {{ .Values.nats.groupsio_services_kv_bucket.compression }}
 {{- end }}
+{{- if .Values.nats.groupsio_mailing_lists_kv_bucket.creation }}
 ---
-{{- if .Values.nats.groupsio_mailing_lists_kv_bucket.creation -}}
 apiVersion: jetstream.nats.io/v1beta2
 kind: KeyValue
 metadata:
@@ -38,8 +38,8 @@ spec:
   maxBytes: {{ .Values.nats.groupsio_mailing_lists_kv_bucket.maxBytes }}
   compression: {{ .Values.nats.groupsio_mailing_lists_kv_bucket.compression }}
 {{- end }}
+{{- if .Values.nats.groupsio_members_kv_bucket.creation }}
 ---
-{{- if .Values.nats.groupsio_members_kv_bucket.creation -}}
 apiVersion: jetstream.nats.io/v1beta2
 kind: KeyValue
 metadata:

charts/lfx-v2-mailing-list-service/templates/serviceaccount.yaml

@@ -0,0 +1,17 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+{{- if .Values.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name | default .Chart.Name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Chart.Name }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}

charts/lfx-v2-mailing-list-service/values.local.yaml

@@ -1,29 +1,57 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
 ---
-# Local development values override
+# Local development overrides for lfx-v2-mailing-list-service
+# Use with: helm install -f values.local.yaml or make helm-install-local
 # This file configures the service for local testing with mock authentication
 # DO NOT USE IN PRODUCTION
 
-# app is the configuration for the application
+# Local development domain
+lfx:
+  domain: "k8s.orb.local"
+
+# Use latest image with always pull policy for local development
+image:
+  tag: "latest"
+  pullPolicy: Always
+
+# Application configuration for local development
 app:
-  # Use mock authentication for local testing
-  authSource: mock
-  # Mock principal for local development - bypasses JWT validation
-  jwtAuthDisabledMockLocalPrincipal: "test-super-admin"
-  # Enable debug logging for local development
-  logLevel: debug
+  # Disable OIDC contextualizer for local testing
+  use_oidc_contextualizer: false
+
+  environment:
+    # Enable debug logging for local development
+    LOG_LEVEL:
+      value: debug
+    LOG_ADD_SOURCE:
+      value: true
 
-  # Use mock repository for local testing
-  repositorySource: mock
+    # Use mock authentication for local testing
+    AUTH_SOURCE:
+      value: mock
 
-  # Use mock GroupsIO integration for local testing
-  groupsio:
-    source: mock
+    # Mock principal for local development - bypasses JWT validation
+    JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL:
+      value: "test-super-admin"
 
-  # Webhook secret for local testing (NOT FOR PRODUCTION)
-  groupsioWebhookSecret: "local-test-webhook-secret-not-for-production"
+    # Use mock repository for local testing
+    REPOSITORY_SOURCE:
+      value: mock
 
+    # Use mock GroupsIO integration for local testing
+    GROUPSIO_SOURCE:
+      value: mock
+
+    # Empty credentials for mock mode (not used in mock mode)
+    GROUPSIO_EMAIL:
+      value: ""
+    GROUPSIO_PASSWORD:
+      value: ""
+
+    # Webhook secret for local testing (NOT FOR PRODUCTION)
+    GROUPSIO_WEBHOOK_SECRET:
+      value: ""
 
 # Disable OpenFGA authorization for local testing
 openfga:
@@ -36,3 +64,8 @@ heimdall:
 # Disable Authelia authentication for local testing
 authelia:
   enabled: false
+
+# Service account configuration for local development
+serviceAccount:
+  create: true
+  name: ""

charts/lfx-v2-mailing-list-service/values.yaml

@@ -31,6 +31,18 @@ service:
   # port is the service port
   port: 8080
 
+# serviceAccount is the configuration for the Kubernetes service account
+serviceAccount:
+  # create specifies whether a service account should be created
+  create: true
+  # name is the name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+  # annotations to add to the service account
+  annotations: {}
+  # automountServiceAccountToken is a boolean to determine if the service account token should be automatically mounted
+  automountServiceAccountToken: true
+
 # nats is the configuration for the NATS server
 nats:
   # url is the URL of the NATS server
@@ -121,45 +133,82 @@ authelia:
 
 # app is the configuration for the application
 app:
-  # logLevel is the log level (debug, info, warn, error)
-  logLevel: debug
-  # logAddSource is a boolean to determine if the log source should be added
-  logAddSource: true
-  # authSource is the authentication source (jwt or mock)
-  authSource: jwt
-  # jwtAuthDisabledMockLocalPrincipal is used for local development to bypass JWT validation
-  jwtAuthDisabledMockLocalPrincipal: ""
+  # audience is the JWT audience required for authentication with this app
+  audience: lfx-v2-mailing-list-service
   # use_oidc_contextualizer is a boolean to determine if the OIDC contextualizer should be used
   use_oidc_contextualizer: true
-  # jwt is the configuration for JWT authentication
-  # audience is the intended audience for the JWT token
-  audience: lfx-v2-mailing-list-service
 
-  # Repository implementation source (nats or mock)
-  # Production should use 'nats', local development should use 'mock'
-  repositorySource: nats
-
-  # GroupsIO integration configuration
-  groupsio:
-    # source determines the GroupsIO implementation (groupsio or mock)
-    # Use 'groupsio' for production, 'mock' for testing/local development
-    # Empty string defaults to production in code
-    source: groupsio
-    # baseUrl is the Groups.io API base URL
-    baseUrl: "https://groups.io/api"
-    # email is the Groups.io account email for authentication
-    # Do not commit actual credentials to this file will be set by Kubernetes secrets
-    email: ""
-    # password is the Groups.io account password for authentication
-    # Do not commit actual credentials to this file will be set by Kubernetes secrets
-    password: ""
-    # timeout is the HTTP client timeout for Groups.io requests
-    timeout: "30s"
-    # maxRetries is the maximum number of retry attempts for failed requests
-    maxRetries: "3"
-    # retryDelay is the delay between retry attempts
-    retryDelay: "1s"
-
-  # Webhook secret for GroupsIO webhook validation
-  # Do not commit actual credentials to this file will be set by Kubernetes secrets
-  groupsioWebhookSecret: ""
+  # environment contains all application environment variables
+  # Each variable can have either a 'value' (for direct values) or 'valueFrom' (for secret references)
+  environment:
+    # NATS_URL is the URL of the NATS server (required)
+    NATS_URL:
+      value: nats://lfx-platform-nats.lfx.svc.cluster.local:4222
+
+    # LOG_LEVEL is the log level (debug, info, warn, error) - optional, defaults to info
+    LOG_LEVEL:
+      value: info
+
+    # LOG_ADD_SOURCE determines if log source should be added - optional, defaults to true
+    LOG_ADD_SOURCE:
+      value: true
+
+    # JWKS_URL is the URL to the JSON Web Key Set endpoint for JWT validation
+    # Required unless JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL is set
+    JWKS_URL:
+      value: http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks
+
+    # JWT_AUDIENCE is the intended audience for the JWT token (required)
+    JWT_AUDIENCE:
+      value: lfx-v2-mailing-list-service
+
+    # JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL is used for local development to bypass JWT validation
+    # Optional, local dev only. Set to a principal name to enable mock authentication
+    JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL:
+      value: ''
+
+    # AUTH_SOURCE is the authentication source: 'jwt' for production, 'mock' for local dev (optional, defaults to jwt)
+    AUTH_SOURCE:
+      value: jwt
+
+    # REPOSITORY_SOURCE is the repository implementation: 'nats' for production, 'mock' for local dev
+    # Optional, defaults to nats. Production should use 'nats', local development should use 'mock'
+    REPOSITORY_SOURCE:
+      value: nats
+
+    # GroupsIO Integration Configuration
+    # GROUPSIO_SOURCE determines the GroupsIO implementation: 'groupsio' for production, 'mock' for testing
+    # Use 'groupsio' for production, 'mock' for testing. Empty string defaults to production in code.
+    GROUPSIO_SOURCE:
+      value: groupsio
+
+    # GROUPSIO_BASE_URL is the Groups.io API base URL
+    GROUPSIO_BASE_URL:
+      value: "https://groups.io/api"
+
+    # GROUPSIO_EMAIL is the Groups.io account email for authentication
+    # WARNING: Do not commit actual credentials to this file - should be set via Kubernetes secrets using valueFrom
+    GROUPSIO_EMAIL:
+      value: null
+
+    # GROUPSIO_PASSWORD is the Groups.io account password for authentication
+    # WARNING: Do not commit actual credentials to this file - should be set via Kubernetes secrets using valueFrom
+    GROUPSIO_PASSWORD:
+      value: null
+
+    # GROUPSIO_TIMEOUT is the HTTP client timeout for Groups.io requests (e.g., "30s", "1m")
+    GROUPSIO_TIMEOUT:
+      value: "30s"
+
+    # GROUPSIO_MAX_RETRIES is the maximum number of retry attempts for failed requests
+    GROUPSIO_MAX_RETRIES:
+      value: "3"
+
+    # GROUPSIO_RETRY_DELAY is the delay between retry attempts (e.g., "1s", "500ms")
+    GROUPSIO_RETRY_DELAY:
+      value: "1s"
+
+    # GROUPSIO_WEBHOOK_SECRET is the secret for GroupsIO webhook validation
+    # WARNING: Do not commit actual credentials to this file - should be set via Kubernetes secrets using valueFrom
+    GROUPSIO_WEBHOOK_SECRET:
+      value: null