An attempt to define DB secret access for migrations (#36)

kamu-data · Jul 1, 2024 · 443f679 · 443f679
1 parent 40822ea
commit 443f679
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 13 deletions.
diff --git a/charts/kamu-api-server/Chart.yaml b/charts/kamu-api-server/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: kamu-api-server
 description: API server component of the Kamu Compute Node
 type: application
-version: 0.26.10
-appVersion: "0.26.4"
+version: 0.27.0
+appVersion: "0.27.1"
 home: https://kamu.dev
 icon: https://www.kamu.dev/images/kamu_logo_icon_bg_square.png
 sources:

diff --git a/charts/kamu-api-server/fetch_db_secret.sh b/charts/kamu-api-server/fetch_db_secret.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [ $# -ne 5 ]; then
+  echo "Usage: $0 <secret-name> <region> <db-host> <db-port> <db-name>"
+  exit 1
+fi
+
+SECRET_NAME="$1"
+REGION="$2"
+DB_HOST="$3"
+DB_PORT="$4"
+DB_NAME="$5"
+
+SECRET_STRING=$(aws secretsmanager get-secret-value --secret-id $SECRET_NAME --region $REGION --query SecretString --output text)
+USERNAME=$(echo $SECRET_STRING | jq -r .username)
+PASSWORD=$(echo $SECRET_STRING | jq -r .password)
+
+export DB_CONNECTION_STRING="postgresql://${USERNAME}:${PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}"
+
+exec "$@"
diff --git a/charts/kamu-api-server/templates/configmap.yaml b/charts/kamu-api-server/templates/configmap.yaml
@@ -5,4 +5,6 @@ metadata:
   labels:
     {{- include "kamu-api-server.labels" . | nindent 4 }}
 data:
-  {{- include "kamu-api-server.config.yaml" . | nindent 2 }}
+  {{- include "kamu-api-server.config.yaml" . | nindent 2 }}
+  fetch-db-secret.sh: : |-
+    {{ .Files.Get "fetch_db_secret.sh" | nindent 4}}
diff --git a/charts/kamu-api-server/templates/deployment.yaml b/charts/kamu-api-server/templates/deployment.yaml
@@ -35,18 +35,25 @@ spec:
           imagePullPolicy: {{ .Values.imageMigrations.pullPolicy }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          args:
-            - "migrate"
-            - "run"
-            - "--source"
-            - {{ .Values.imageMigrations.migrationsPath | quote }}
-            - "--database-url"
-            - {{ .Values.imageMigrations.databaseConnectionString | quote }}
+          command: [ "/bin/sh", "-c", "/fetch-db-secret.sh {{ .Values.imageMigrations.databaseSecretName }} $AWS_REGION {{ .Values.imageMigrations.databaseHost }} {{ .Values.imageMigrations.databasePort }} {{ .Values.imageMigrations.databaseName }} && sqlx migrate run --source {{ .Values.imageMigrations.migrationsPath }} --database-url $DB_CONNECTION_STRING" ]
           env:
             - name: RUST_BACKTRACE
               value: "1"
+            - name: AWS_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secretName }}
+                  key: aws_region
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: fetch-db-secret
+              mountPath: /fetch-db-secret.sh
+              subPath: fetch-db-secret.sh          
+      volumes:
+        - name: fetch-db-secret
+          configMap:
+            name: fetch-db-secret-script
       containers:
         - name: {{ .Chart.Name }}
           securityContext:

diff --git a/charts/kamu-api-server/values.yaml b/charts/kamu-api-server/values.yaml
@@ -39,7 +39,11 @@ imageMigrations:
   pullPolicy: IfNotPresent
   tag: ""
   migrationsPath: ""
-  databaseConnectionString: ""
+  databaseSecretName: ""
+  databaseHost: ""
+  databasePort: 5432
+  databaseName: ""
+
 
 imagePullSecrets: []
 nameOverride: ""

diff --git a/charts/kamu-oracle-provider/Chart.yaml b/charts/kamu-oracle-provider/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: kamu-oracle-provider
 description: Oracle provider that uses Kamu Node to supply data to blockchain smart contracts
 type: application
-version: 0.26.3
-appVersion: "0.26.2"
+version: 0.27.0
+appVersion: "0.27.1"
 home: https://kamu.dev
 icon: https://www.kamu.dev/images/kamu_logo_icon_bg_square.png
 sources: