demos/api7-demo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for existing Secrets and External Secrets Operator
Some checks failed
Helm Chart Build / lint-only (push) Has been skipped
Details
Helm Chart Build / build-helm (push) Failing after 9s
Details
Build and Deploy / build-api (push) Successful in 51s
Details
Build and Deploy / build-web (push) Successful in 1m3s
Details

Browse Source 
Enhanced secret management for API7 Gateway credentials with support
for existing Secrets and External Secrets Operator integration.

Changes:

1. Secret Configuration:
   - Added api7.gateway.existingSecret parameter for using existing secrets
   - Added api7.gateway.existingSecretKeys for custom key names
   - Modified secret-api7.yaml to only create secret if existingSecret is empty
   - Updated job-adc-sync.yaml to reference configurable secret name

2. Values.yaml Documentation:
   - Added comprehensive documentation for secret configuration options
   - Documented two approaches: inline config (dev) vs existing secret (prod)
   - Added example kubectl command for creating secrets manually
   - Included instructions for obtaining admin key from API7 EE

3. External Secrets Support:
   - Created externalsecret-api7.yaml.example with complete examples
   - Included examples for AWS Secrets Manager and HashiCorp Vault
   - Documented SecretStore configuration patterns

4. Documentation:
   - Created SECRET-MANAGEMENT.md comprehensive guide
   - Covered all secret management options (inline, manual, external)
   - Added security best practices and troubleshooting guide
   - Included examples for External Secrets Operator setup

Benefits:
- Improved security: Secrets not stored in values.yaml
- Flexibility: Support for any secret management tool
- Production-ready: Works with External Secrets Operator
- Better practices: Clear separation of config vs secrets

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
d.viti
2025-10-09 15:53:38 +02:00
parent f5a4071b71
commit 694709ae9a
5 changed files with 370 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
helm/api7ee-demo-k8s/templates/externalsecret-api7.yaml.example Normal file
View File

@@ -0,0 +1,93 @@
# Example ExternalSecret for API7 Gateway credentials
# This file is not deployed by default - it serves as an example.
#
# To use External Secrets Operator:
# 1. Install External Secrets Operator in your cluster
# 2. Configure a SecretStore (e.g., AWS Secrets Manager, Vault, etc.)
# 3. Rename this file to remove .example extension
# 4. Set api7.gateway.existingSecret to the secret name below
# 5. Adjust the backend configuration to match your SecretStore
#
# Documentation: https://external-secrets.io/
{{- if false }} # Change to 'if .Values.api7.gateway.useExternalSecret' to enable
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ include "api7ee.fullname" . }}-api7-admin-external
labels:
{{- include "api7ee.labels" . | nindent 4 }}
app.kubernetes.io/component: api7
spec:
# Refresh interval for fetching secrets from external provider
refreshInterval: 1h
# Reference to SecretStore
secretStoreRef:
name: vault-backend # Name of your SecretStore
kind: SecretStore # or ClusterSecretStore
# Target Secret configuration
target:
name: {{ include "api7ee.fullname" . }}-api7-admin
creationPolicy: Owner
template:
type: Opaque
data:
# Map external secret keys to Kubernetes secret keys
admin-url: "{{ `{{ .adminUrl }}` }}"
admin-key: "{{ `{{ .adminKey }}` }}"
gateway-group: "{{ `{{ .group }}` }}"
# Data to fetch from external provider
data:
- secretKey: adminUrl
remoteRef:
key: api7/gateway # Path in external secret store
property: admin_url # Property name
- secretKey: adminKey
remoteRef:
key: api7/gateway
property: admin_key
- secretKey: group
remoteRef:
key: api7/gateway
property: gateway_group
---
# Example for AWS Secrets Manager
# apiVersion: external-secrets.io/v1beta1
# kind: SecretStore
# metadata:
# name: aws-secretsmanager
# spec:
# provider:
# aws:
# service: SecretsManager
# region: us-east-1
# auth:
# jwt:
# serviceAccountRef:
# name: external-secrets-sa
---
# Example for HashiCorp Vault
# apiVersion: external-secrets.io/v1beta1
# kind: SecretStore
# metadata:
# name: vault-backend
# spec:
# provider:
# vault:
# server: "https://vault.example.com"
# path: "secret"
# version: "v2"
# auth:
# kubernetes:
# mountPath: "kubernetes"
# role: "api7-role"
# serviceAccountRef:
# name: {{ include "api7ee.serviceAccountName" . }}
{{- end }}