feat: add support to key files in secrets

Add possibility to store the online key as file in the secrets

It allows uses that uses clients that doesn't support KMS key for
example

Signed-off-by: Kairo Araujo <kairo.araujo@testifysec.com>

charts/rstuf-worker/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
+version: 0.1.4
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/rstuf-worker/templates/deployment.yaml

@@ -42,10 +42,17 @@ spec:
             {{- toYaml .Values.readinessProbe | nindent 12 }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.volumeMounts }}
           volumeMounts:
+            {{- with .Values.volumeMounts }}
             {{- toYaml . | nindent 12 }}
-          {{- end }}
+            {{- end }}
+            {{- if .Values.onlineKeyFile }}
+            {{- range .Values.onlineKeyFile }}
+            - name: {{ .keyid | printf "%.7s" }}-keyfile-volume
+              mountPath: /run/secrets/{{ .keyid }}
+              subPath: {{ .keyid }}
+            {{- end }}
+            {{- end }}
           env:
             - name: RSTUF_BROKER_SERVER
               value: {{ .Values.backend.brokerServer | quote }}
@@ -59,9 +66,9 @@ spec:
             - name: RSTUF_LOCAL_STORAGE_BACKEND_PATH
               value: {{ required "storage.backendPath is required when storage.type is 'LocalStorage'." .Values.storage.storagePath | quote }}
             {{- end }}
-            {{- if and (eq .Values.storage.type "LocalStorage") .Values.storage.onlineKeyDir }}
+            {{- if .Values.onlineKeyDir }}
             - name: RSTUF_ONLINE_KEY_DIR
-              value: {{ .Values.storage.onlineKeyDir | quote }}
+              value: {{ .Values.onlineKeyDir | quote }}
             {{- end }}
             {{- if eq .Values.storage.type "AWSS3" }}
             - name: RSTUF_AWS_STORAGE_BUCKET
@@ -103,10 +110,17 @@ spec:
             - name: RSTUF_LOCK_TIMEOUT
               value: {{ .Values.backend.lockTimeOut | quote }}
             {{- end }}
-      {{- with .Values.volumes }}
       volumes:
+        {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
+        {{- if .Values.onlineKeyFile }}
+        {{- range .Values.onlineKeyFile }}
+        - name: {{ .keyid | printf "%.7s" }}-keyfile-volume
+          secret:
+            secretName: {{ .keyid }}-keyfile-secret
+        {{- end }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/rstuf-worker/templates/secrets.yaml

@@ -0,0 +1,13 @@
+# templates/secrets.yaml
+{{- if and (.Values.onlineKeyDir) (.Values.onlineKeyFile) }}
+{{- range .Values.onlineKeyFile }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .keyid }}-keyfile-secret
+type: Opaque
+data:
+  {{ .keyid }}: {{ .pem | quote }}
+---
+{{- end }}
+{{- end }}

charts/rstuf-worker/values.yaml

@@ -43,7 +43,6 @@ storage:
     s3Region: ""
     s3Endpoint: ""
 
-
 backend:
   brokerServer: "redis://redis"
   redisServer: "redis://redis"
@@ -53,6 +52,14 @@ backend:
   redisDbResult: "" # default is 0
   redisDbSettings: "" # default is 1
 
+# using online key as file
+# onlineKeyDir: "/run/secrets"
+# onlineKeyFile:
+#   - keyid: 0d9d3d4bad91c455bc03921daa95774576b86625ac45570d0cac025b08e65043
+#     # pem must be base64 encoded
+#     pem: |
+#       LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBd0pOdG1KeTBia3kwVlpIaEpvVndWUjBvSXRvOG5kTExpY25hSFBEVWZGc3YyZFRQCjUwdUxpWXVZaFUvUkxUaCtQSU1tOWRVNWd2ZlNRMFlJVUZIT2ZkY0RDQmFNTllSOXo5YzlrdldrZmd4UDRIN2MKTWR5OWV2M3loNHBMK3VhNjRBVDE1OThReG1GMFJTcDlwOFA0VURQSkM0WHNnVnoza0tlQ1NRQWd6MDJNSitLZApIeVREUCtyZ091V1FmVkw4Yno1M3B1TVNTRm9qaWFFSlRtWlE3ZUJuSTJuNlVGNkFBVjZlbzZEYzRjZ1BRTFNqCmhEcWNmb0hDeWsvQXpwVFFPNUVWK2Fob2ZZbVYva1FRdHI3Z3o4TVFYb0tSd0NiZkljV2hQeWZQTlJlT283ZnEKVkszdUsza2tEMW91b05TcjlERlJjblVic1g0UVIvQ1FMY29QWHdJREFRQUJBb0lCQUVXVndCZFNJSHh1cVFiMgpoSFhINTlSSmlkUTJLWXNadlVSWHRNR2FZQjFqVWNJVGZPQmwwdERycVR3YW9Fb0h6TTJPMG9nbitQVVRHVjRICnN6OWFvQk9tbXNqVVpPdDlxWHh0bVNrK0s2Y0VTZVNqMG1zT0NVV2s5M3IwaFFudlQzMWRMWUlRZjE0L25xVFQKZXI0aE9OdTZLcDVJVVRKWlpuZFZuK1ZDNzVnWUc3Y2NPYys3ODkwb085ZTdvaFBmRUJ4Z3IrV0ZlYVNQZ2xhSwpybXFobkN4czV5b1B2bGl0aW1VVDMzdjJkMUtQYzJYOEo1RkpQdXlNcUU5RXdOQ01pZlByNjc3R1FUNlU2ZGxKCkFtRHpJNk9LM0F5c3B2UXhLS2Zva1NuQzhuNm90bk1MYll6RktoY3RBQlVUZkRvZENhVXg2NzB1ZGl5ZzdaaTYKdXZtQzhha0NnWUVBNko5Z2lQWWVRMEJsdnZwbFBjZmlqMTQ4dHVLU0x5bThqVGRSWHhnNW8zZE5XZWl5NjQ0WQpYY3dyTXVRQTdYb2RaU0licHVqTU1Zb2VZNE5lSzNnQU90MVlDREVmZTZyYXZ2ZnJad1BhWHV0ZGtTTDFDUjNBCjREUC9RcFJYN3BXV3RmVVBoTmhMbTY3b0l4dFdNa3BtK2JmME1ZK3Q4dGMwc0dWdXlNRG52WlVDZ1lFQTArM0gKdUV0WENwNDhraCtMMFFoNDAyekhNMzZ4ZWRaUWROZGdLWFQ0dWFLZ001VzZldWx6c0FzMTVyVVFSZmFTT1FjWApCTWtzQkxEZkNJa2Z2aDlWN3BwQkRwNTR4ak1Jc09JN0FMNkUyZHdHSEdDQmdYMkxjY3lGRXhFZXViTUF3TnZlCk52cERUdzVYMHpFdmF4MmJQaXcrZjRqbUJQQ1F6cE5oNXdnOWxDTUNnWUVBNFBXUUU2Ti83S1dRUDdwQ3doWlYKZ1RRdkh1WEpYUmJOb3Z0R0UrS0hpdy9LbkJJdlJTRXJhem9RNUt3ZVFZb0FkMWNleXJFREZ6MXMyZXVtMi82MgpxalozOWFRYndDcWdWR0hKSXR4VkI4b3h1RFBJSjhMQVRaRzdYeFc2VzU0S0cza2NRdW94WkNNbmx4dk9wZC9SCjZkajlyQmc0cmtsMFNNb3U4ckdxNm1rQ2dZRUFnSWNhc3ZodUozQmtCN0srRnQzdWVUcmxiS09QZXZheEFNdUYKOUY2T1lmYnc5WmYrNm9BZXUwdHhPeVBnWkszdmJFcVNlVUtRUWFBTEE2QTE4aFlMQlpQamxMd2pQd0RBYXBZcApkb0FWRGhOVVdXMWwzV1NJWjFIRCt4Wk03ZzVUaktOTGwwZ2IvaHdTdzNCMjg1MlhBeFBPSzRhWkNiSGtBSVI5CndhSEx4c1VDZ1lBNGxyR2VlMDM1SjVseGd3M0xJaThhZEpPZlBGNmw2bEZBY0VxMDJyaloyU014QmZlOGRzOWMKVUIrUTdTNnFwTi9yWEVqYmREMHpRZEhRMDN5czN3NVhtVVZCeW1FVDZXOTR0d0F2RW9RNUJsU2VzZ3lRdjVWYwpDMEc0ajN1ZEUzNUhNUVBKbjAwdmJIOG5yemdseENGMVc1MkF5QVZNYjNIbllRdk9BM0lCa3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQ==
+
 serviceAccount:
   # Specifies whether a service account should be created
   create: true