feat: add secretsStoreCsiDriver integration (usages in azure)

Author: thenav56

toggle-django-helm/templates/_helpers.tpl

@@ -42,6 +42,17 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the secret to be used by the django-app
+*/}}
+{{- define "django-app.secretProviderName" -}}
+{{- if .Values.secretsStoreCsiDriverProviderName }}
+  {{- .Values.secretsStoreCsiDriverProviderName -}}
+{{- else }}
+  {{- printf "%s-secret-provider" (include "django-app.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create the name of the secret to be used by the django-app
 */}}
@@ -151,18 +162,35 @@ Generate default labels for app deployments
 Generate default volumes for app deployments
 */}}
 {{- define "django-app.appDefaultVolumes" -}}
-{{- if .Values.podVolumes }}
+{{- if or .Values.secretsStoreCsiDriver.create .Values.podVolumes -}}
 volumes:
+{{- if .Values.secretsStoreCsiDriver.create }}
+  - name: {{ template "django-app.secretname" . }}
+    csi:
+      driver: "secrets-store.csi.k8s.io"
+      readOnly: true
+      volumeAttributes:
+        secretProviderClass: {{ template "django-app.secretProviderName" . }}
+{{- end }}
+{{- if .Values.podVolumes }}
 {{ .Values.podVolumes | toYaml | indent 2 }}
 {{- end }}
 {{- end }}
+{{- end }}
 
 {{/*
 Generate default volumes mounts for app deployments
 */}}
 {{- define "django-app.appDefaultVolumeMounts" -}}
-{{- if .Values.podVolumeMounts }}
+{{- if or .Values.secretsStoreCsiDriver.create .Values.podVolumeMounts -}}
 volumeMounts:
+{{- if .Values.secretsStoreCsiDriver.create }}
+  - name: {{ template "django-app.secretname" . }}
+    mountPath: /mnt/secrets-store
+    readOnly: true
+{{- end }}
+{{- if .Values.podVolumeMounts }}
 {{ .Values.podVolumeMounts | toYaml | indent 2 }}
 {{- end }}
 {{- end }}
+{{- end }}

toggle-django-helm/templates/api/secrets-provider-class.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.secretsStoreCsiDriver.create -}}
+
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: {{ template "django-app.secretProviderName" . }}
+spec:
+  provider: {{ .Values.secretsStoreCsiDriver.provider }}
+  parameters:
+    {{- with .Values.secretsStoreCsiDriver.parameters -}}
+      {{ toYaml . | nindent 4 }}
+    {{- end }}
+    objects: |
+      array:
+      {{- range $secret_key, $object_key := .Values.secretsStoreCsiDriver.secretsKeyMap }}
+        - |
+          objectName: {{ $object_key }}
+          objectType: secret
+      {{- end }}
+  secretObjects:
+    - secretName: {{ template "django-app.secretname" . }}
+      type: Opaque
+      data:
+      {{- range $secret_key, $object_key := .Values.secretsStoreCsiDriver.secretsKeyMap }}
+        - objectName: {{ $object_key }}
+          key: {{ $secret_key }}
+      {{- end }}
+
+{{- end }}

toggle-django-helm/templates/config/secret.yaml

@@ -1,3 +1,5 @@
+{{- if not .Values.secretsStoreCsiDriver.create -}}
+
 kind: Secret
 apiVersion: v1
 metadata:
@@ -12,3 +14,5 @@ stringData:
   {{- range $name, $value := .Values.secrets }}
   {{ $name }}: {{ tpl $value $ | quote }}
   {{- end }}
+
+{{- end }}

toggle-django-helm/tests/values-2.yaml

@@ -157,6 +157,18 @@ secrets:
   AWS_S3_BUCKET_MEDIA_NAME: media-data
 
 
+# Azure configurations
+secretsStoreCsiDriver:
+  create: true
+  parameters:
+    usePodIdentity: "false"
+    clientID: "sample"
+    keyvaultName: "sample"
+    tenantId: ""
+  secretsKeyMap:
+    CACHE_REDIS_URL: CACHE-REDIS-URL
+    CELERY_BROKER_URL: CELERY-BROKER-URL
+
 serviceAccountName: ""
 serviceAccount:
   create: true

toggle-django-helm/values.yaml

@@ -266,4 +266,16 @@ serviceAccount:
   labels: {}
   automountServiceAccountToken: true
 
+# Azure configurations
+secretsStoreCsiDriverProviderName: ""
+secretsStoreCsiDriver:
+  create: false
+  provider: azure  # Only azure is supported
+  parameters:
+    usePodIdentity: "false"
+    clientID: ""
+    keyvaultName: ""
+    tenantId: ""
+  secretsKeyMap: {}  # k8s Secret Key -> VaultKey
+
 # extraManifests: [] or {}