rstudio / helm

Helm Resources for RStudio Products
MIT License

[workbench] support Sealed Secrets #384

Closed wmcdona89 closed 1 year ago

wmcdona89 commented 1 year ago

Fixes https://github.com/rstudio/helm/issues/374

Support Sealed Secrets in the rstudio/workbench chart to allow for storing secrets in SCM and to ensure secrets are never leaked via helm.

Changes

Sample values

sealedSecret:
  enabled: true
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"

config:
  secret:
    secret.conf: 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

  sessionSecret:
    odbc.ini: 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

  userProvisioning:
    user.conf: 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

global:
  secureCookieKey: 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

launcherPem: 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

Design Considerations

Separate SealedSecret and Secret templates in a single helm template file is proposed over...

- placing `SealedSecret` templates and `Secret` templates in separate helm template files. The `SealedSecret` templates will need to stay in sync with the `Secret` templates to some extent and the templates are small enough to manage together in a single file. While separate files would allow for a file diff, the relationship between the files may not be obvious.
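As an added illustration of the single-file design described above (example code, not the PR's diff or the chart's actual template), the sketch below assumes a `rstudio-workbench.fullname` named-template helper and that `config.secret` holds kubeseal ciphertext when `sealedSecret.enabled` is true and plaintext otherwise:

```yaml
# Illustrative templates/config-secret.yaml (added example, not the chart's own file).
# Assumed helper: "rstudio-workbench.fullname". Both kinds share one values layout
# (.Values.config.secret), so a reviewer sees the two resources side by side.
{{- if .Values.sealedSecret.enabled }}
# Values are ciphertext produced by kubeseal; only the controller's private key in the
# cluster can decrypt them, so this document is safe to commit to SCM.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: {{ include "rstudio-workbench.fullname" . }}-config
  namespace: {{ .Release.Namespace }}
  annotations:
    # e.g. sealedsecrets.bitnami.com/namespace-wide: "true" from the sample values
    {{- toYaml .Values.sealedSecret.annotations | nindent 4 }}
spec:
  template:
    metadata:
      name: {{ include "rstudio-workbench.fullname" . }}-config
      namespace: {{ .Release.Namespace }}
    type: Opaque
  encryptedData:
    {{- range $key, $value := .Values.config.secret }}
    {{ $key }}: {{ $value | quote }}
    {{- end }}
{{- else }}
# Plain Secret: the values are rendered into the release manifest and are retrievable
# with `helm get values`, so this path suits values that are never committed.
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "rstudio-workbench.fullname" . }}-config
  namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
  {{- range $key, $value := .Values.config.secret }}
  {{ $key }}: {{ $value | quote }}
  {{- end }}
{{- end }}
```

The `sessionSecret`, `userProvisioning`, `secureCookieKey` and `launcherPem` values from the sample above would follow the same pattern, each with its own `if`/`else` pair in the matching template file.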
CLAassistant commented 1 year ago

CLA assistant check
All committers have signed the CLA.

colearendt commented 1 year ago

@wmcdona89 I know it can be a bit tedious - are you up for signing the CLA? It looks like there is a disconnect from the email used for your commits (work) and the one on your GitHub account. Feel free to refactor / rebase / re-author the commits if you want!

Otherwise I think we are good to merge!