Enhanced secret management for API7 Gateway credentials with support for existing Secrets and External Secrets Operator integration. Changes: 1. Secret Configuration: - Added api7.gateway.existingSecret parameter for using existing secrets - Added api7.gateway.existingSecretKeys for custom key names - Modified secret-api7.yaml to only create secret if existingSecret is empty - Updated job-adc-sync.yaml to reference configurable secret name 2. Values.yaml Documentation: - Added comprehensive documentation for secret configuration options - Documented two approaches: inline config (dev) vs existing secret (prod) - Added example kubectl command for creating secrets manually - Included instructions for obtaining admin key from API7 EE 3. External Secrets Support: - Created externalsecret-api7.yaml.example with complete examples - Included examples for AWS Secrets Manager and HashiCorp Vault - Documented SecretStore configuration patterns 4. Documentation: - Created SECRET-MANAGEMENT.md comprehensive guide - Covered all secret management options (inline, manual, external) - Added security best practices and troubleshooting guide - Included examples for External Secrets Operator setup Benefits: - Improved security: Secrets not stored in values.yaml - Flexibility: Support for any secret management tool - Production-ready: Works with External Secrets Operator - Better practices: Clear separation of config vs secrets 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
{{- if .Values.api7.enabled }}
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: {{ include "api7ee.fullname" . }}-adc-sync
|
|
labels:
|
|
{{- include "api7ee.labels" . | nindent 4 }}
|
|
app.kubernetes.io/component: adc-sync
|
|
annotations:
|
|
"helm.sh/hook": post-install,post-upgrade
|
|
"helm.sh/hook-weight": "10"
|
|
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
|
spec:
|
|
backoffLimit: 3
|
|
activeDeadlineSeconds: 300
|
|
template:
|
|
metadata:
|
|
labels:
|
|
{{- include "api7ee.selectorLabels" . | nindent 8 }}
|
|
app.kubernetes.io/component: adc-sync
|
|
spec:
|
|
restartPolicy: Never
|
|
serviceAccountName: {{ include "api7ee.serviceAccountName" . }}
|
|
containers:
|
|
- name: adc-sync
|
|
image: ghcr.io/api7/adc:latest
|
|
imagePullPolicy: IfNotPresent
|
|
args:
|
|
- sync
|
|
- -f
|
|
- /config/adc-config.yaml
|
|
- --backend
|
|
- {{ .Values.api7.backend | default "api7ee" }}
|
|
- --server
|
|
- $(API7_ADMIN_URL)
|
|
- --token
|
|
- $(API7_ADMIN_KEY)
|
|
- --gateway-group
|
|
- $(API7_GATEWAY_GROUP)
|
|
{{- if .Values.api7.adc.tlsSkipVerify }}
|
|
- --tls-skip-verify
|
|
{{- end }}
|
|
{{- if .Values.api7.adc.verbose }}
|
|
- --verbose
|
|
{{- end }}
|
|
env:
|
|
- name: API7_ADMIN_URL
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .Values.api7.gateway.existingSecret | default (printf "%s-api7-admin" (include "api7ee.fullname" .)) }}
|
|
key: {{ .Values.api7.gateway.existingSecretKeys.adminUrl | default "admin-url" }}
|
|
- name: API7_ADMIN_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .Values.api7.gateway.existingSecret | default (printf "%s-api7-admin" (include "api7ee.fullname" .)) }}
|
|
key: {{ .Values.api7.gateway.existingSecretKeys.adminKey | default "admin-key" }}
|
|
- name: API7_GATEWAY_GROUP
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ .Values.api7.gateway.existingSecret | default (printf "%s-api7-admin" (include "api7ee.fullname" .)) }}
|
|
key: {{ .Values.api7.gateway.existingSecretKeys.group | default "gateway-group" }}
|
|
volumeMounts:
|
|
- name: adc-config
|
|
mountPath: /config
|
|
readOnly: true
|
|
{{- if .Values.api7.adc.resources }}
|
|
resources:
|
|
{{- toYaml .Values.api7.adc.resources | nindent 12 }}
|
|
{{- end }}
|
|
volumes:
|
|
- name: adc-config
|
|
configMap:
|
|
name: {{ include "api7ee.fullname" . }}-adc-config
|
|
{{- end }}
|
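Review bot: The admin key is still handed to the adc process on its command line (`- --token` followed by `- $(API7_ADMIN_KEY)` in the `args:` block), so once kubelet expands the env reference the secret is readable in the container's argv by anything that can list processes in the pod or on the node and is likely to land in process-auditing telemetry, which gives back part of what the commit gains by moving the value out of values.yaml and into a Secret. If the adc binary can take the token from an environment variable or from the mounted `/config/adc-config.yaml`, prefer that and drop the two argv entries; if it cannot, a comment above `args:` such as `# NOTE: --token is visible in the process argv of this one-shot pod` keeps the trade-off explicit. The same hook pod runs `image: ghcr.io/api7/adc:latest` with `imagePullPolicy: IfNotPresent`, so the job that receives the admin credential executes whatever that floating tag (or a cached node copy of it) currently resolves to; pin a version tag or digest and expose it as a chart value rather than hard-coding it in the template. The container also declares no `securityContext`, and for a one-shot sync job the hardening below is cheap (keep `readOnlyRootFilesystem` only if you have confirmed adc writes nothing outside a mounted volume).
```yaml
      - name: adc-sync
        image: ghcr.io/api7/adc:<PINNED_TAG_OR_DIGEST>  # placeholder: pin instead of :latest
        imagePullPolicy: IfNotPresent
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          readOnlyRootFilesystem: true  # verify adc needs no writable rootfs
          capabilities:
            drop:
              - ALL
        # … unchanged: args, env, volumeMounts, resources …
```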