From e96d4fe3cee5bb8791ea95dcdae471f111255798 Mon Sep 17 00:00:00 2001
From: Tyler Gillson
Date: Fri, 17 Nov 2023 15:19:11 -0700
Subject: [PATCH] fix: omit secret data from ValidatorConfig (#125)
* fix: omit secret data from ValidatorConfig
Signed-off-by: Tyler Gillson
* chore: update comments and anticipate removal of createSecret options
Signed-off-by: Tyler Gillson
* chore: clarify wording for secret config
Signed-off-by: Tyler Gillson
* chore: fix typo
Signed-off-by: Tyler Gillson
---------
Signed-off-by: Tyler Gillson
---
.../templates/plugin-secret-aws.yaml | 14 ++++++
.../templates/plugin-secret-vsphere.yaml | 11 +++++
chart/validator/values.yaml | 47 ++++++++++++-------
3 files changed, 55 insertions(+), 17 deletions(-)
create mode 100644 chart/validator/templates/plugin-secret-aws.yaml
create mode 100644 chart/validator/templates/plugin-secret-vsphere.yaml
diff --git a/chart/validator/templates/plugin-secret-aws.yaml b/chart/validator/templates/plugin-secret-aws.yaml
new file mode 100644
index 00000000..eac726a8
--- /dev/null
+++ b/chart/validator/templates/plugin-secret-aws.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.pluginSecrets.aws }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ required ".Values.pluginSecrets.aws.secretName is required!" .Values.pluginSecrets.aws.secretName }}
+stringData:
+ credentials: |
+ [default]
+ aws_access_key_id={{ required ".Values.pluginSecrets.aws.accessKeyId is required!" .Values.pluginSecrets.aws.accessKeyId }}
+ aws_secret_access_key={{ required ".Values.pluginSecrets.aws.secretAccessKey is required!" .Values.pluginSecrets.aws.secretAccessKey }}
+ {{- if .Values.pluginSecrets.aws.sessionToken }}
+ aws_session_token={{ $.Values.pluginSecrets.aws.sessionToken }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/validator/templates/plugin-secret-vsphere.yaml b/chart/validator/templates/plugin-secret-vsphere.yaml
new file mode 100644
index 00000000..95071353
--- /dev/null
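Review bot: Nothing in this template tells an operator that the access key and secret key rendered into `stringData.credentials` are also retained by Helm as release values (the release-record Secret, `helm get values`) and land in shell history when supplied with `--set`, so the commit removes them from ValidatorConfig but they still exist in a second place in the cluster. A header comment would make that explicit, e.g. `{{/* Renders the AWS credentials Secret from .Values.pluginSecrets.aws. Supply these values from a values file kept out of version control; they are retained in the Helm release record. To avoid that, pre-create the Secret and set auth.secretName instead. */}}`. As a point of style, every lookup here goes through `.Values` except `aws_session_token={{ $.Values.pluginSecrets.aws.sessionToken }}`; inside this template the two resolve identically, so use `.Values` there too. The template sets no `metadata.namespace`, so the Secret lands in the release namespace; presumably the AWS plugin runs there as well, which is worth confirming.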
+++ b/chart/validator/templates/plugin-secret-vsphere.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.pluginSecrets.vSphere }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ required ".Values.pluginSecrets.vSphere.secretName is required!" .Values.pluginSecrets.vSphere.secretName }}
+data:
+ username: {{ required ".Values.pluginSecrets.vSphere.username is required!" .Values.pluginSecrets.vSphere.username | b64enc }}
+ password: {{ required ".Values.pluginSecrets.vSphere.password is required!" .Values.pluginSecrets.vSphere.password | b64enc }}
+ vcenterServer: {{ required ".Values.pluginSecrets.vSphere.vcenterServer is required!" .Values.pluginSecrets.vSphere.vcenterServer | b64enc }}
+ insecureSkipVerify: {{ required ".Values.pluginSecrets.vSphere.insecureSkipVerify is required!" .Values.pluginSecrets.vSphere.insecureSkipVerify | b64enc }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/validator/values.yaml b/chart/validator/values.yaml
index 6787152f..69526c77 100644
--- a/chart/validator/values.yaml
+++ b/chart/validator/values.yaml
@@ -77,7 +77,7 @@ plugins:
 - chart:
 name: validator-plugin-aws
 repository: "https://spectrocloud-labs.github.io/validator-plugin-aws"
- version: "v0.0.10"
+ version: "v0.0.16"
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -112,7 +112,7 @@ plugins:
 - ALL
 image:
 repository: quay.io/spectrocloud-labs/validator-plugin-aws
- tag: v0.0.8
+ tag: v0.0.16
 resources:
 limits:
 cpu: 500m
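Review bot: The last data line, `insecureSkipVerify: {{ required ... | b64enc }}`, rejects the most natural value an operator will write — a YAML boolean — because Sprig's `b64enc` takes a string and fails with a type error on `true`/`false`, and `required` does not catch it since it only rejects nil and the empty string. It also has no fail-closed default: omitting the key aborts the render instead of defaulting to certificate verification on. Assuming the plugin reads this key as the strings `true`/`false` (the `""` placeholder in values.yaml suggests so, but confirm against the plugin), `insecureSkipVerify: {{ .Values.pluginSecrets.vSphere.insecureSkipVerify | default "false" | toString | b64enc }}` accepts both spellings and defaults to verification. Note that `default` treats a bool `false` as empty and yields `"false"`, which is the intended result here.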
@@ -134,21 +134,17 @@ plugins:
 auth:
 # Leave secret undefined for implicit auth (node instance role, IMDSv2, etc.)
 secret: {}
+ # If creating a secret via pluginSecrets (see below), uncomment secretName and delete the curly braces on the line above;
+ # ensuring that secretName and pluginSecrets.aws.secretName match. Alternatively, leave pluginSecrets.aws undefined and
+ # specify the name of a preexisting secret in your target cluster.
 # secretName: aws-creds
- # accessKeyId: ""
- # secretAccessKey: ""
- # sessionToken: ""
- # By default, a secret will be created. Leave the above fields blank and specify 'createSecret: false' to use an existing secret.
- # WARNING: the existing secret must match the format used in auth-secret.yaml
- # createSecret: true
-
 # Override the service account used by AWS validator (optional, could be used for IMDSv2 on EKS)
 # WARNING: the chosen service account must have the same RBAC privileges as seen in manager-rbac.yaml
 serviceAccountName: ""
 - chart:
 name: validator-plugin-vsphere
 repository: "https://spectrocloud-labs.github.io/validator-plugin-vsphere"
- version: "v0.0.12"
+ version: "v0.0.13"
 values: |-
 controllerManager:
 kubeRbacProxy:
@@ -183,7 +179,7 @@ plugins:
 - ALL
 image:
 repository: quay.io/spectrocloud-labs/validator-plugin-vsphere
- tag: v0.0.11
+ tag: v0.0.13
 resources:
 limits:
 cpu: 500m
@@ -203,15 +199,13 @@ plugins:
 targetPort: https
 type: ClusterIP
 auth:
+ # If creating a secret via pluginSecrets (see below), secretName and pluginSecrets.vSphere.secretName must match.
+ # Alternatively, leave pluginSecrets.vSphere undefined and specify the name of a preexisting secret in your target cluster.
 secretName: vsphere-creds
- username: ""
- password: ""
- vcenterServer: ""
- insecureSkipVerify: ""
 - chart:
 name: validator-plugin-network
 repository: "https://spectrocloud-labs.github.io/validator-plugin-network"
- version: "v0.0.4"
+ version: "v0.0.7"
 values: |-
 controllerManager:
 kubeRbacProxy:
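Review bot: The new comment tells the operator they may `specify the name of a preexisting secret in your target cluster`, but the same hunk removes the only statement of what that secret must look like (`WARNING: the existing secret must match the format used in auth-secret.yaml`) without replacing it. A preexisting secret whose layout differs from what templates/plugin-secret-aws.yaml now produces will presumably fail at plugin runtime rather than at install, so the expected shape belongs here: `# A preexisting secret must hold a 'credentials' key in AWS shared-credentials-file format ([default] / aws_access_key_id / aws_secret_access_key / optional aws_session_token); see templates/plugin-secret-aws.yaml.` The instruction `uncomment secretName and delete the curly braces on the line above` would also read more directly as `change 'secret: {}' to 'secret:' and uncomment secretName`.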
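Review bot: In the vSphere auth block `secretName: vsphere-creds` stays set by default while the fields that used to populate that secret are removed, so a deployment that keeps the shipped `pluginSecrets.vSphere: {}` and has no preexisting `vsphere-creds` secret presumably fails when the plugin starts rather than at install time; unlike the AWS block there is no implicit-auth fallback, and the comment should say that the secret must exist one way or the other. The comment also omits the layout a preexisting secret must have, which is now only discoverable by reading the template. Suggested addition under the two new comment lines: `# A preexisting secret must contain the keys username, password, vcenterServer and insecureSkipVerify (see templates/plugin-secret-vsphere.yaml); the chart creates it only when pluginSecrets.vSphere is populated.`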
@@ -248,7 +242,7 @@ plugins:
 - ALL
 image:
 repository: quay.io/spectrocloud-labs/validator-plugin-network
- tag: v0.0.4
+ tag: v0.0.7
 resources:
 limits:
 cpu: 500m
@@ -267,3 +261,22 @@ plugins:
 protocol: TCP
 targetPort: https
 type: ClusterIP
+pluginSecrets:
+ # If installing the AWS plugin, the below config is required unless one of the following applies:
+ # - the target cluster already has a secret with the correct format and you've specified its name above
+ # - you're deploying to a K8s cluster in AWS and relying on an node instance IAM role
+ # - you're deploying to a K8s cluster in AWS and relying on IMDSv2, plus you've specified auth.serviceAccountName
+ aws: {}
+ # secretName: aws-creds # ensure this matches the AWS plugin values above
+ # accessKeyId: ""
+ # secretAccessKey: ""
+ # sessionToken: ""
+
+ # If installing the vSphere plugin, the below config is required unless the following applies:
+ # - the target cluster already has a secret with the correct format and you've specified its name above
+ vSphere: {}
+ # secretName: vsphere-creds # ensure this matches the vSphere plugin values above
+ # username: ""
+ # password: ""
+ # vcenterServer: ""
+ # insecureSkipVerify: ""
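Review bot: The placeholder `# insecureSkipVerify: ""` at the end of the block invites two mistakes the template will reject: uncommenting it as-is fails `required` on the empty string, and writing the natural `false`/`true` boolean fails `b64enc` in templates/plugin-secret-vsphere.yaml, which expects a string. Ship the secure default as a quoted string instead, `# insecureSkipVerify: "false"  # keep quoted: the template base64-encodes this value`. The bullet `relying on an node instance IAM role` should read `a node instance IAM role`. Since anything placed under pluginSecrets is retained by Helm as release values, a line such as `# Supply these from a values file kept out of version control (e.g. helm install -f secrets.yaml); they are stored in the Helm release record.` belongs at the top of the block.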