From 638dc8f9242b0b65afed7c54c6ddc5f60744ab97 Mon Sep 17 00:00:00 2001
From: Jerry Sun
Date: Wed, 11 Aug 2021 16:13:56 -0400
Subject: [PATCH] Add helm chart for observing secrets
This commit adds helm chart for observing changes to a kubernetes secret. This is done with a cron job. The cron job updates a configurable deployment annotation with a checksum of the secret. This way, when the secret changes, the pod in the deployment is automatically restarted to pick up the changes.
Change-Id: I1a1a1b78ec1c6752747ea2a115ecea9caffdfb66
Story: 2007361
Task: 42932
Signed-off-by: Jerry Sun
---
.../helm-charts/secret-observer/Chart.yaml | 10 +++
.../templates/clusterrole.yaml | 23 +++++++
.../templates/clusterrolebinding.yaml | 24 +++++++
.../templates/configmap-bin.yaml | 27 ++++++++
.../secret-observer/templates/cronjob.yaml | 66 +++++++++++++++++++
.../templates/serviceaccount.yaml | 18 +++++
.../helm-charts/secret-observer/values.yaml | 36 ++++++++++
7 files changed, 204 insertions(+)
create mode 100644 secret-observer/secret-observer/helm-charts/secret-observer/Chart.yaml
create mode 100644 secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrole.yaml
create mode 100644 secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrolebinding.yaml
create mode 100644 secret-observer/secret-observer/helm-charts/secret-observer/templates/configmap-bin.yaml
create mode 100644 secret-observer/secret-observer/helm-charts/secret-observer/templates/cronjob.yaml
create mode 100644 secret-observer/secret-observer/helm-charts/secret-observer/templates/serviceaccount.yaml
create mode 100644 secret-observer/secret-observer/helm-charts/secret-observer/values.yaml
diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/Chart.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/Chart.yaml
new file mode 100644
index 0000000..1bab7cb
--- /dev/null
+++ b/secret-observer/secret-observer/helm-charts/secret-observer/Chart.yaml
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart to update a deployment annotation if a secret changes
+name: secret-observer
+version: 0.1.0
diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrole.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrole.yaml
new file mode 100644
index 0000000..1d70189
--- /dev/null
+++ b/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrole.yaml
@@ -0,0 +1,23 @@
+{{/*
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.clusterRole.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: secret-observer-cr
+ labels:
+ app: secret-observer
+ release: "{{ .Release.Name }}"
+rules:
+ - apiGroups: ["apps"]
+ resources:
+ - deployments
+ verbs:
+ - patch
+{{- end -}}
diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrolebinding.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..7b97ff8
--- /dev/null
+++ b/secret-observer/secret-observer/helm-charts/secret-observer/templates/clusterrolebinding.yaml
@@ -0,0 +1,24 @@
+{{/*
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.clusterRoleBinding.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ release: "{{ .Release.Name }}"
+ name: secret-observer-crb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: secret-observer-cr
+subjects:
+- kind: ServiceAccount
+ name: secret-observer
+ namespace: {{ .Values.namespace }}
+{{- end -}}
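Review bot: The ClusterRole in clusterrole.yaml grants `patch` on Deployments in every namespace, while the script shipped in configmap-bin.yaml only ever patches deployments under `{{ .Values.namespace }}`; a namespaced `kind: Role` (with clusterrolebinding.yaml turned into a `RoleBinding`) keeps the service account's reach to the namespace it actually works in, and a `resourceNames:` list built from the `deploymentToRestart` values would narrow it to the observed deployments only. Separately, `apiVersion: rbac.authorization.k8s.io/v1beta1` is the deprecated RBAC version (removed in Kubernetes 1.22) and disagrees with the `rbac.authorization.k8s.io/v1` that clusterrolebinding.yaml in this same commit uses; `apiVersion: rbac.authorization.k8s.io/v1` makes the two consistent.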
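Review bot: In clusterrolebinding.yaml, `namespace: {{ .Values.namespace }}` is rendered unquoted while `release: "{{ .Release.Name }}"` a few lines above is quoted; an empty or boolean-looking namespace value would render as null or a bool rather than a string. `namespace: "{{ .Values.namespace }}"` matches the quoting already used in this file, and the same unquoted form recurs in configmap-bin.yaml, cronjob.yaml and serviceaccount.yaml. The `labels:` block here also omits the `app: secret-observer` label that clusterrole.yaml sets, so label selectors on the chart's objects will not match the binding.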
diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/templates/configmap-bin.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/templates/configmap-bin.yaml
new file mode 100644
index 0000000..966e42d
--- /dev/null
+++ b/secret-observer/secret-observer/helm-charts/secret-observer/templates/configmap-bin.yaml
@@ -0,0 +1,27 @@
+{{/*
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: secret-observer-bin
+ namespace: {{ .Values.namespace }}
+data:
+ update-secret-sha.sh: |
+ #!/bin/sh
+ set -ex
+
+ KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ SECRET_SHA=$(sha256sum /home/$1 | awk '{print $1}')
+
+ curl -sS -H "Authorization: Bearer $KUBE_TOKEN" \
+ --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+ --request PATCH -H "Accept: application/json" \
+ -H "Content-Type: application/strategic-merge-patch+json" \
+ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/apis/apps/v1/namespaces/{{ .Values.namespace }}/deployments/$2 \
+ --data '{"spec":{"template":{"metadata":{"annotations":{"'$3'": "'$SECRET_SHA'"}}}}}';
diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/templates/cronjob.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/templates/cronjob.yaml
new file mode 100644
index 0000000..fd4da01
--- /dev/null
+++ b/secret-observer/secret-observer/helm-charts/secret-observer/templates/cronjob.yaml
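Review bot: `set -ex` in update-secret-sha.sh traces every expanded command to the job's stdout, so the `KUBE_TOKEN=$(cat …/token)` assignment and the `curl -H "Authorization: Bearer $KUBE_TOKEN"` line write the service-account bearer token into the pod logs, readable by anyone with `pods/log` access and kept for as long as `successfulJobsHistoryLimit` retains the pods; `set -e` is sufficient here, or wrap the token handling in `set +x` / `set -x` if tracing is wanted for the rest. The curl invocation also lacks `--fail`, so a 403 from RBAC or a 404 for a mistyped deployment name exits 0 and the job reports success although the annotation was never written; `curl -sS --fail -H "Authorization: Bearer $KUBE_TOKEN" \` surfaces that as a job failure. The positional arguments `$1`, `$2` and `$3` are interpolated unquoted into the path, the URL and the JSON body, so quoting them (`sha256sum "/home/$1"`, `…/deployments/"$2"`) is cheap insurance against names containing spaces.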
@@ -0,0 +1,66 @@
+{{/*
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+ name: secret-observer-cron-job
+ namespace: {{ .Values.namespace }}
+spec:
+ schedule: "{{ .Values.cronSchedule }}"
+ successfulJobsHistoryLimit: {{ .Values.jobs.successfulHistoryLimit }}
+ failedJobsHistoryLimit: {{ .Values.jobs.failedHistoryLimit }}
+ concurrencyPolicy: Forbid
+ startingDeadlineSeconds: {{ .Values.jobs.startingDeadlineSeconds }}
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ serviceAccountName: secret-observer
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ containers:
+ - name: secret-observer-cron-container
+ image: "{{ .Values.image }}:{{ .Values.imageTag }}"
+ command:
+ - /bin/sh
+ - -c
+ - |
+ {{- range .Values.observedSecrets }}
+ /tmp/update-secret-sha.sh "{{ .secretName }}-{{ .deploymentToRestart }}/{{ .filename }}" {{ .deploymentToRestart }} "{{ .secretName }}sha"
+ {{- end }}
+ stdin: true
+ tty: true
+ volumeMounts:
+ {{- range .Values.observedSecrets }}
+ - mountPath: "/home/{{ .secretName }}-{{ .deploymentToRestart }}"
+ name: mounted-{{ .secretName | replace "." "-" }}-{{ .deploymentToRestart | replace "." "-" }}-{{ .filename | replace "." "-" }}
+ {{- end }}
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: secret-observer-bin
+ mountPath: /tmp/update-secret-sha.sh
+ subPath: update-secret-sha.sh
+ readOnly: true
+ restartPolicy: OnFailure
+ imagePullSecrets:
+ - name: default-registry-key
+ volumes:
+ {{- range .Values.observedSecrets }}
+ - name: mounted-{{ .secretName | replace "." "-" }}-{{ .deploymentToRestart | replace "." "-" }}-{{ .filename | replace "." "-" }}
+ secret:
+ secretName: {{ .secretName }}
+ {{- end }}
+ - name: pod-tmp
+ emptyDir: {}
+ - name: secret-observer-bin
+ configMap:
+ name: secret-observer-bin
+ defaultMode: 0555
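Review bot: Each observed Secret is mounted in full (`secret:` / `secretName: {{ .secretName }}` under `volumes:`), although the command only ever hashes `{{ .filename }}`, so every other key in that Secret is readable by the job container; restricting the projection with `items:` / `- key: {{ .filename }}` / `path: {{ .filename }}` beneath `secret:` limits what the job can see to the one file it needs. The job also has no runtime bound: with `concurrencyPolicy: Forbid`, a hung `curl` (the script passes no `--max-time`) blocks every later run, so `activeDeadlineSeconds` on `jobTemplate.spec` is worth setting alongside `startingDeadlineSeconds`. `stdin: true` and `tty: true` serve no purpose for a non-interactive batch container and can be dropped. `apiVersion: batch/v1beta1` is the deprecated CronJob API; `batch/v1` is available from Kubernetes 1.21 and is the one that survives the 1.25 removal.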
diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/templates/serviceaccount.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/templates/serviceaccount.yaml
new file mode 100644
index 0000000..322bd73
--- /dev/null
+++ b/secret-observer/secret-observer/helm-charts/secret-observer/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{/*
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+*/}}
+
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ release: "{{ .Release.Name }}"
+ name: secret-observer
+ namespace: {{ .Values.namespace }}
+imagePullSecrets:
+ - name: default-registry-key
+{{- end -}}
diff --git a/secret-observer/secret-observer/helm-charts/secret-observer/values.yaml b/secret-observer/secret-observer/helm-charts/secret-observer/values.yaml
new file mode 100644
index 0000000..23a0393
--- /dev/null
+++ b/secret-observer/secret-observer/helm-charts/secret-observer/values.yaml
@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2021 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+image: docker.io/curlimages/curl
+imageTag: 7.77.0
+namespace: default
+
+clusterRoleBinding:
+ create: true
+
+clusterRole:
+ create: true
+
+serviceAccount:
+ create: true
+
+cronSchedule: "0 1 * * *"
+
+nodeSelector:
+ node-role.kubernetes.io/master: ""
+
+jobs:
+ startingDeadlineSeconds: 200
+ successfulHistoryLimit: 3
+ failedHistoryLimit: 1
+
+observedSecrets:
+# the name of the secret to observe
+# - secretName: "overrideMe"
+# the name of the file within the secret to observe
+# filename: "overrideMe"
+# the deployment to restart if a change in the secret is detected
+# deploymentToRestart: "overrideMe"
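Review bot: In serviceaccount.yaml, `release: "{{ .Release.Name }}"` is placed directly under `metadata:`, where `release` is not an ObjectMeta field, so the rendered ServiceAccount is likely to be rejected with an unknown-field error by Helm's default manifest validation (and by `kubectl apply`'s client-side validation); the other templates in this commit put the same value under `metadata.labels:`. Moving it to `labels:` / `release: "{{ .Release.Name }}"`, and adding `app: secret-observer` there for parity with clusterrole.yaml, fixes the object and keeps the chart's labelling uniform.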
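Review bot: In values.yaml, `observedSecrets:` is a bare key whose only children are comments, so it parses as `null`; the chart then installs without complaint while cronjob.yaml renders a container with an empty `command` script block and no secret mounts, and nothing is ever observed. `observedSecrets: []` states that default explicitly, and the commented example should say in words that the list has to be supplied at install time. `imageTag: 7.77.0` happens to parse as a string because it has two dots, but `imageTag: "7.77.0"` keeps a future two-component tag such as `7.80` from becoming a float. The `nodeSelector` pins the job to `node-role.kubernetes.io/master`, a label that newer kubeadm clusters no longer apply in favour of `node-role.kubernetes.io/control-plane`, so it is worth a comment noting that assumption.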