From c7c897d08f5facc5f4ce86f7baa0ae3130ae7ccc Mon Sep 17 00:00:00 2001 From: Kristaps Fabians Geikins Date: Tue, 15 Oct 2024 10:57:20 +0300 Subject: [PATCH 1/3] chore(server): core IoC #54 - deleting getUserById (duplicate) --- packages/server/modules/auth/index.ts | 7 +++---- packages/server/modules/auth/middleware.ts | 6 +++--- packages/server/modules/auth/strategies.ts | 4 ++-- packages/server/modules/automate/index.ts | 4 ++-- .../server/modules/automate/services/tracking.ts | 6 +++--- .../modules/core/graph/resolvers/branches.js | 6 +++--- packages/server/modules/core/services/users.js | 14 +------------- .../core/tests/integration/createUser.spec.ts | 4 ++-- packages/server/modules/core/tests/users.spec.js | 5 ++--- packages/server/modules/workspaces/rest/sso.ts | 4 ++-- 10 files changed, 23 insertions(+), 37 deletions(-) diff --git a/packages/server/modules/auth/index.ts b/packages/server/modules/auth/index.ts index bb4203e97..b55c42f23 100644 --- a/packages/server/modules/auth/index.ts +++ b/packages/server/modules/auth/index.ts @@ -18,8 +18,7 @@ import { getUserByEmail, findOrCreateUser, validatePasssword, - createUser, - getUserById + createUser } from '@/modules/core/services/users' import { validateServerInviteFactory, @@ -40,6 +39,7 @@ import localStrategyBuilderFactory from '@/modules/auth/strategies/local' import oidcStrategyBuilderFactory from '@/modules/auth/strategies/oidc' import { getRateLimitResult } from '@/modules/core/services/ratelimiter' import { passportAuthenticateHandlerBuilderFactory } from '@/modules/auth/services/passportService' +import { legacyGetUserFactory } from '@/modules/core/repositories/users' const initializeDefaultApps = initializeDefaultAppsFactory({ getAllScopes: getAllScopesFactory({ db }), 
@@ -64,7 +64,6 @@ const commonBuilderDeps = { validateServerInvite, finalizeInvitedServerRegistration, resolveAuthRedirectPath, - getUserById, passportAuthenticateHandlerBuilder: passportAuthenticateHandlerBuilderFactory() } const setupStrategies = setupStrategiesFactory({ @@ -81,7 +80,7 @@ const setupStrategies = setupStrategiesFactory({ }), oidcStrategyBuilder: oidcStrategyBuilderFactory({ ...commonBuilderDeps }), createAuthorizationCode: createAuthorizationCodeFactory({ db }), - getUserById + getUser: legacyGetUserFactory({ db }) }) let authStrategies: AuthStrategyMetadata[] diff --git a/packages/server/modules/auth/middleware.ts b/packages/server/modules/auth/middleware.ts index f75a13e99..e89e7b554 100644 --- a/packages/server/modules/auth/middleware.ts +++ b/packages/server/modules/auth/middleware.ts @@ -14,7 +14,6 @@ import { import { getSessionSecret } from '@/modules/shared/helpers/envHelper' import { isString, noop } from 'lodash' import { CreateAuthorizationCode } from '@/modules/auth/domain/operations' -import { getUserById } from '@/modules/core/services/users' import { mixpanel } from '@/modules/shared/utils/mixpanel' import { addToMailchimpAudience, @@ -22,6 +21,7 @@ import { } from '@/modules/auth/services/mailchimp' import { authLogger, logger } from '@/logging/logging' import { ensureError } from '@speckle/shared' +import { LegacyGetUser } from '@/modules/core/domain/users/operations' export const sessionMiddlewareFactory = (): RequestHandler => { const RedisStore = ConnectRedis(ExpressSession) @@ -72,7 +72,7 @@ export const moveAuthParamsToSessionMiddlewareFactory = export const finalizeAuthMiddlewareFactory = (deps: { createAuthorizationCode: CreateAuthorizationCode - getUserById: typeof getUserById + getUser: LegacyGetUser }): RequestHandler => async (req, res) => { try { 
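Review bot: `LegacyGetUser` is only used in a type position in middleware.ts (the `deps` parameter of `finalizeAuthMiddlewareFactory`), so, assuming it is a type alias as its use suggests, the new import should be `import type { LegacyGetUser } from '@/modules/core/domain/users/operations'`. Under `isolatedModules`/`verbatimModuleSyntax` a value import of a type-only export is an error, and otherwise it is a needless runtime import; whether the project enables either flag is not visible here. The identical imports added in strategies.ts and tracking.ts have the same shape.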
@@ -109,7 +109,7 @@ export const finalizeAuthMiddlewareFactory = if (getMailchimpStatus()) { try { - const user = await deps.getUserById({ userId: req.user.id }) + const user = await deps.getUser(req.user.id) if (!user) throw new Error( 'Could not register user for mailchimp lists - no db user record found.' diff --git a/packages/server/modules/auth/strategies.ts b/packages/server/modules/auth/strategies.ts index 28d837394..4d9282d9b 100644 --- a/packages/server/modules/auth/strategies.ts +++ b/packages/server/modules/auth/strategies.ts @@ -1,5 +1,4 @@ import passport from 'passport' -import { getUserById } from '@/modules/core/services/users' import type { Express } from 'express' import { AuthStrategyBuilder, @@ -12,6 +11,7 @@ import { moveAuthParamsToSessionMiddlewareFactory, sessionMiddlewareFactory } from '@/modules/auth/middleware' +import { LegacyGetUser } from '@/modules/core/domain/users/operations' const setupStrategiesFactory = (deps: { @@ -21,7 +21,7 @@ const setupStrategiesFactory = localStrategyBuilder: AuthStrategyBuilder oidcStrategyBuilder: AuthStrategyBuilder createAuthorizationCode: CreateAuthorizationCode - getUserById: typeof getUserById + getUser: LegacyGetUser }) => async (app: Express) => { passport.serializeUser((user, done) => done(null, user)) diff --git a/packages/server/modules/automate/index.ts b/packages/server/modules/automate/index.ts index 001ed2158..461c07420 100644 --- a/packages/server/modules/automate/index.ts +++ b/packages/server/modules/automate/index.ts 
@@ -31,7 +31,6 @@ import { import { setupRunFinishedTrackingFactory } from '@/modules/automate/services/tracking' import authGithubAppRest from '@/modules/automate/rest/authGithubApp' import { getFeatureFlags } from '@/modules/shared/helpers/envHelper' -import { getUserById } from '@/modules/core/services/users' import { TokenScopeData } from '@/modules/shared/domain/rolesAndScopes/types' import db from '@/db/knex' import { AutomationsEmitter } from '@/modules/automate/events/automations' @@ -40,6 +39,7 @@ import { AutomateRunsEmitter } from '@/modules/automate/events/runs' import { createAppToken } from '@/modules/core/services/tokens' import { getBranchLatestCommitsFactory } from '@/modules/core/repositories/branches' import { getCommitFactory } from '@/modules/core/repositories/commits' +import { legacyGetUserFactory } from '@/modules/core/repositories/users' const { FF_AUTOMATE_MODULE_ENABLED } = getFeatureFlags() let quitListeners: Optional<() => void> = undefined @@ -101,7 +101,7 @@ const initializeEventListeners = () => { }) const setupRunFinishedTrackingInvoke = setupRunFinishedTrackingFactory({ getFullAutomationRevisionMetadata, - getUserById, + getUser: legacyGetUserFactory({ db }), getCommit: getCommitFactory({ db }), getFullAutomationRunById: getFullAutomationRunByIdFactory({ db }), automateRunsEventListener: AutomateRunsEmitter.listen diff --git a/packages/server/modules/automate/services/tracking.ts b/packages/server/modules/automate/services/tracking.ts index 385b5dd5e..d2eadbe79 100644 --- a/packages/server/modules/automate/services/tracking.ts +++ b/packages/server/modules/automate/services/tracking.ts 
@@ -17,7 +17,7 @@ import { } from '@/modules/automate/helpers/types' import { InsertableAutomationRun } from '@/modules/automate/repositories/automations' import { GetCommit } from '@/modules/core/domain/commits/operations' -import { getUserById } from '@/modules/core/services/users' +import { LegacyGetUser } from '@/modules/core/domain/users/operations' import { mixpanel } from '@/modules/shared/utils/mixpanel' import { throwUncoveredError } from '@speckle/shared' @@ -37,7 +37,7 @@ export type AutomateTrackingDeps = { getFullAutomationRevisionMetadata: GetFullAutomationRevisionMetadata getFullAutomationRunById: GetFullAutomationRunById getCommit: GetCommit - getUserById: typeof getUserById + getUser: LegacyGetUser } const onAutomationRunStatusUpdatedFactory = @@ -103,7 +103,7 @@ const getUserEmailFromAutomationRunFactory = if (!version) throw new Error("Version doesn't exist any more") const userId = version.author if (userId) { - const user = await deps.getUserById({ userId }) + const user = await deps.getUser(userId) if (user) userEmail = user.email } diff --git a/packages/server/modules/core/graph/resolvers/branches.js b/packages/server/modules/core/graph/resolvers/branches.js index 0c26f422d..4710d40a3 100644 --- a/packages/server/modules/core/graph/resolvers/branches.js +++ b/packages/server/modules/core/graph/resolvers/branches.js @@ -17,7 +17,6 @@ const { getPaginatedStreamBranches } = require('@/modules/core/services/branch/retrieval') -const { getUserById } = require('../../services/users') const { Roles } = require('@speckle/shared') const { getBranchByIdFactory, @@ -37,6 +36,7 @@ const { markBranchStreamUpdatedFactory } = require('@/modules/core/repositories/streams') const { ModelsEmitter } = require('@/modules/core/events/modelsEmitter') +const { legacyGetUserFactory } = require('@/modules/core/repositories/users') // subscription events const BRANCH_CREATED = BranchPubsubEvents.BranchCreated 
@@ -65,6 +65,7 @@ const deleteBranchAndNotify = deleteBranchAndNotifyFactory({ addBranchDeletedActivity, deleteBranchById: deleteBranchByIdFactory({ db }) }) +const getUser = legacyGetUserFactory({ db }) /** @type {import('@/modules/core/graph/generated/graphql').Resolvers} */ module.exports = { @@ -94,8 +95,7 @@ module.exports = { }, Branch: { async author(parent, args, context) { - if (parent.authorId && context.auth) - return await getUserById({ userId: parent.authorId }) + if (parent.authorId && context.auth) return await getUser(parent.authorId) else return null } }, diff --git a/packages/server/modules/core/services/users.js b/packages/server/modules/core/services/users.js index 4eb50a9cc..bb45c56af 100644 --- a/packages/server/modules/core/services/users.js +++ b/packages/server/modules/core/services/users.js @@ -17,11 +17,7 @@ const Users = () => UsersSchema.knex() const Acl = () => ServerAclSchema.knex() const { LIMITED_USER_FIELDS } = require('@/modules/core/helpers/userHelper') -const { - getUserByEmail, - getUserFactory, - legacyGetUserFactory -} = require('@/modules/core/repositories/users') +const { getUserByEmail, getUserFactory } = require('@/modules/core/repositories/users') const { UsersEmitter, UsersEvents } = require('@/modules/core/events/usersEmitter') const { pick, omit } = require('lodash') const { dbLogger } = require('@/logging/logging') @@ -194,14 +190,6 @@ module.exports = { } }, - /** - * @deprecated Use getUser instead - */ - async getUserById({ userId }) { - const getUser = legacyGetUserFactory({ db }) - return await getUser(userId) - }, - // TODO: this should be moved to repository async getUserByEmail({ email }) { const user = await Users() diff --git a/packages/server/modules/core/tests/integration/createUser.spec.ts b/packages/server/modules/core/tests/integration/createUser.spec.ts index d170dba7c..4343325ef 100644 --- a/packages/server/modules/core/tests/integration/createUser.spec.ts 
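Review bot: The `Branch.author` resolver now hands whatever `legacyGetUserFactory` returns straight to GraphQL with no field restriction in this hunk, so what an authenticated caller (`context.auth`) sees of the author's record depends entirely on the GraphQL type of `author` — worth confirming that type is the limited user shape rather than the full one. Behaviour is unchanged from the deleted wrapper, which delegated to the same factory, so this is a caveat rather than a regression. Stylistically, `return await getUser(parent.authorId)` inside an async function with no `try`/`catch` can simply be `return getUser(parent.authorId)`.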
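Review bot: Removing `getUserById` from `module.exports` of a plain JS module is a silent break for any remaining JS caller: `require('@/modules/core/services/users').getUserById` becomes `undefined` and fails only at call time with a TypeError, which `tsc` will not catch for `.js` files the way it did for the TS callers updated in this commit. A repo-wide grep for `getUserById(` (including `.js` resolvers and specs) before merging would confirm none remain. If any are found outside this diff, keeping a one-line `@deprecated` re-export for one release turns the failure mode into a warning rather than a crash.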
+++ b/packages/server/modules/core/tests/integration/createUser.spec.ts @@ -1,5 +1,5 @@ import { expect } from 'chai' -import { createUser, getUserById } from '@/modules/core/services/users' +import { createUser } from '@/modules/core/services/users' import { beforeEach, describe, it } from 'mocha' import { beforeEachContext } from '@/test/hooks' import { db } from '@/db/knex' @@ -77,7 +77,7 @@ describe('Users @core-users', () => { password: createRandomPassword() }) - const user = await getUserById({ userId }) + const user = await getUser(userId) expect(user).to.be.ok expect(user!.email.toLowerCase()).to.eq(email.toLowerCase()) diff --git a/packages/server/modules/core/tests/users.spec.js b/packages/server/modules/core/tests/users.spec.js index 941d2a58f..bead17f6e 100644 --- a/packages/server/modules/core/tests/users.spec.js +++ b/packages/server/modules/core/tests/users.spec.js @@ -11,8 +11,7 @@ const { updateUser, deleteUser, validatePasssword, - updateUserPassword, - getUserById + updateUserPassword } = require('../services/users') const { createPersonalAccessToken, @@ -194,7 +193,7 @@ describe('Actors & Tokens @user-services', () => { const { id } = await findOrCreateUser({ user: newUser }) ballmerUserId = id expect(id).to.be.a('string') - const user = await getUserById({ userId: id }) + const user = await getUser(id) expect(user.verified).to.equal(true) }) diff --git a/packages/server/modules/workspaces/rest/sso.ts b/packages/server/modules/workspaces/rest/sso.ts index 5c0e5d695..3288a9d76 100644 --- a/packages/server/modules/workspaces/rest/sso.ts +++ b/packages/server/modules/workspaces/rest/sso.ts 
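Review bot: `const user = await getUser(id)` in users.spec.js relies on a `getUser` binding that this hunk does not introduce — the import hunk above only drops `getUserById` from the services import. If the spec does not already define or import `getUser` (not visible here), this is a `ReferenceError` at test runtime rather than a compile error, because the file is JavaScript. If it is missing, `const getUser = legacyGetUserFactory({ db })` next to the other fixtures is all that is needed; createUser.spec.ts has the same dependency but `tsc` would flag it there.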
@@ -36,14 +36,14 @@ import { sessionMiddlewareFactory } from '@/modules/auth/middleware' import { createAuthorizationCodeFactory } from '@/modules/auth/repositories/apps' -import { getUserById } from '@/modules/core/services/users' +import { legacyGetUserFactory } from '@/modules/core/repositories/users' const router = Router() const sessionMiddleware = sessionMiddlewareFactory() const finalizeAuthMiddleware = finalizeAuthMiddlewareFactory({ createAuthorizationCode: createAuthorizationCodeFactory({ db }), - getUserById + getUser: legacyGetUserFactory({ db }) }) const buildAuthRedirectUrl = (workspaceSlug: string): URL => From ef25428bd8e4f01a6329619f341668682f91a9de Mon Sep 17 00:00:00 2001 From: Iain Sproat <68657+iainsproat@users.noreply.github.com> Date: Tue, 15 Oct 2024 10:12:55 +0100 Subject: [PATCH 2/3] fix(helm chart): service account secrets only includes unique value (#3275) - this makes the chart more robust and the behaviour can be determined at template time - previously, the unique values were removed by kubernetes which made modification difficult --- .../speckle-server/templates/_helpers.tpl | 37 +++++++++++++++++++ .../templates/objects/serviceaccount.yml | 30 +-------------- .../templates/server/serviceaccount.yml | 30 +-------------- 3 files changed, 39 insertions(+), 58 deletions(-) diff --git a/utils/helm/speckle-server/templates/_helpers.tpl b/utils/helm/speckle-server/templates/_helpers.tpl index 0c6516cf9..16755df19 100644 --- a/utils/helm/speckle-server/templates/_helpers.tpl +++ b/utils/helm/speckle-server/templates/_helpers.tpl 
@@ -955,3 +955,40 @@ Generate the environment variables for Speckle server and Speckle objects deploy
 value: "{{ .Values.server.ratelimiting.burst_get_auth }}"
 {{- end }}
 {{- end }}
+
+{{/*
+Generate the secrets to which the service account should allow access for the Speckle server and Speckle objects deployments
+*/}}
+{{- define "server.serviceAccountSecrets" -}}
+{{- $secretNames := list ( default .Values.secretName .Values.db.connectionString.secretName ) }}
+{{- $secretNames := append $secretNames ( default .Values.secretName .Values.redis.connectionString.secretName ) }}
+{{- $secretNames := append $secretNames ( default .Values.secretName .Values.s3.secret_key.secretName ) }}
+{{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.sessionSecret.secretName ) }}
+{{- if .Values.server.auth.google.enabled }}
+ {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.google.clientSecret.secretName ) }}
+{{- end }}
+{{- if .Values.server.auth.github.enabled }}
+ {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.github.clientSecret.secretName ) }}
+{{- end }}
+{{- if .Values.server.auth.azure_ad.enabled }}
+ {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.azure_ad.clientSecret.secretName ) }}
+{{- end }}
+{{- if .Values.server.auth.oidc.enabled }}
+ {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.oidc.clientSecret.secretName ) }}
+{{- end }}
+{{- if .Values.server.email.enabled }}
+ {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.email.password.secretName ) }}
+{{- end }}
+{{- if .Values.server.monitoring.apollo.enabled }}
+ {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.monitoring.apollo.key.secretName ) }}
+{{- end }}
+{{- if .Values.featureFlags.automateModuleEnabled }}
+ {{- $secretNames := append
$secretNames "encryption-keys" }}
+{{- end }}
+{{- if .Values.featureFlags.workspaceModuleEnabled }}
+ {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.licenseTokenSecret.secretName ) }}
+{{- end }}
+{{- range $secretName := uniq $secretNames }}
+ - name: {{ $secretName }}
+{{- end }}
+{{- end }}
diff --git a/utils/helm/speckle-server/templates/objects/serviceaccount.yml b/utils/helm/speckle-server/templates/objects/serviceaccount.yml
index ecd4da60f..6dfcd7316 100644
--- a/utils/helm/speckle-server/templates/objects/serviceaccount.yml
+++ b/utils/helm/speckle-server/templates/objects/serviceaccount.yml
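Review bot: Inside each `{{- if ... }}` block the helper uses `{{- $secretNames := append ... }}`, and in Go templates `:=` inside `if` declares a new variable scoped to that block rather than updating the outer `$secretNames`; the appended name is discarded at the matching `{{- end }}`, so none of the conditional secrets (OAuth client secrets, email password, Apollo key, `encryption-keys`, licence token) reach the rendered list, while the four top-level `:=` lines happen to work because redeclaration in the same scope is permitted. With `kubernetes.io/enforce-mountable-secrets: "true"` on the ServiceAccount, pods that mount one of the dropped secrets would presumably then be rejected at admission. Use assignment instead of declaration inside the blocks, e.g. `{{- $secretNames = append $secretNames ( default .Values.secretName .Values.server.auth.google.clientSecret.secretName ) }}`, and likewise for the other seven conditional appends. A chart test rendering with one of these features enabled and asserting on the `secrets:` list would have caught this.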
@@ -10,33 +10,5 @@ metadata:
 "kubernetes.io/enforce-mountable-secrets": "true"
 automountServiceAccountToken: false
 secrets:
- - name: {{ default .Values.secretName .Values.db.connectionString.secretName }}
- - name: {{ default .Values.secretName .Values.redis.connectionString.secretName }}
- - name: {{ default .Values.secretName .Values.s3.secret_key.secretName }}
- - name: {{ default .Values.secretName .Values.server.sessionSecret.secretName }}
-{{- if .Values.server.auth.google.enabled }}
- - name: {{ default .Values.secretName .Values.server.auth.google.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.github.enabled }}
- - name: {{ default .Values.secretName .Values.server.auth.github.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.azure_ad.enabled }}
- - name: {{ default .Values.secretName .Values.server.auth.azure_ad.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.oidc.enabled }}
- - name: {{ default .Values.secretName .Values.server.auth.oidc.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.email.enabled }}
- - name: {{ default .Values.secretName .Values.server.email.password.secretName }}
-{{- end }}
-{{- if .Values.server.monitoring.apollo.enabled }}
- - name: {{ default .Values.secretName .Values.server.monitoring.apollo.key.secretName }}
-{{- end }}
-{{- if .Values.featureFlags.automateModuleEnabled }}
- - name: encryption-keys
-{{- end }}
-{{- if .Values.featureFlags.workspaceModuleEnabled }}
- - name: {{ default .Values.secretName .Values.server.licenseTokenSecret.secretName }}
-{{- end }}
-
+{{- include "server.serviceAccountSecrets" $ | indent 2 }}
 {{- end -}}
diff --git a/utils/helm/speckle-server/templates/server/serviceaccount.yml b/utils/helm/speckle-server/templates/server/serviceaccount.yml
index c1895c233..f1fd31873 100644
--- a/utils/helm/speckle-server/templates/server/serviceaccount.yml
+++ b/utils/helm/speckle-server/templates/server/serviceaccount.yml
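Review bot: `include "server.serviceAccountSecrets" $ | indent 2` double-indents: the helper's item line already starts with two spaces (`+ - name: {{ $secretName }}` in _helpers.tpl, whitespace collapsed in this view) and each item is emitted as a newline followed by that line, so `indent 2` yields four-space items plus an indented empty first line right after `secrets:`. YAML tolerates both, but the idiomatic form is for the helper to emit `- name:` at column 0 and for this line to read `{{- include "server.serviceAccountSecrets" $ | nindent 4 }}`, so the rendered indentation is stated in one place. Minor, and cosmetic only.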
@@ -10,33 +10,5 @@ metadata:
 "kubernetes.io/enforce-mountable-secrets": "true"
 automountServiceAccountToken: false
 secrets:
- - name: {{ default .Values.secretName .Values.db.connectionString.secretName }}
- - name: {{ default .Values.secretName .Values.redis.connectionString.secretName }}
- - name: {{ default .Values.secretName .Values.s3.secret_key.secretName }}
- - name: {{ default .Values.secretName .Values.server.sessionSecret.secretName }}
-{{- if .Values.server.auth.google.enabled }}
- - name: {{ default .Values.secretName .Values.server.auth.google.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.github.enabled }}
- - name: {{ default .Values.secretName .Values.server.auth.github.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.azure_ad.enabled }}
- - name: {{ default .Values.secretName .Values.server.auth.azure_ad.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.oidc.enabled }}
- - name: {{ default .Values.secretName .Values.server.auth.oidc.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.email.enabled }}
- - name: {{ default .Values.secretName .Values.server.email.password.secretName }}
-{{- end }}
-{{- if .Values.server.monitoring.apollo.enabled }}
- - name: {{ default .Values.secretName .Values.server.monitoring.apollo.key.secretName }}
-{{- end }}
-{{- if .Values.featureFlags.automateModuleEnabled }}
- - name: encryption-keys
-{{- end }}
-{{- if .Values.featureFlags.workspaceModuleEnabled }}
- - name: {{ default .Values.secretName .Values.server.licenseTokenSecret.secretName }}
-{{- end }}
-
+{{- include "server.serviceAccountSecrets" $ | indent 2 }}
 {{- end -}}
From b85cfe44ad1c990514c6379b86fc160847c00a60 Mon Sep 17 00:00:00 2001
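Review bot: Both ServiceAccounts now take their `secrets:` list from a single helper, so a rendering mistake in it affects server and objects at once, and `kubernetes.io/enforce-mountable-secrets: "true"` turns any missing entry into an admission failure for every pod using the account. A chart test that renders this template with, for example, `server.auth.oidc.enabled=true` and asserts that the OIDC secret name appears under `secrets:` would surface such a failure in CI rather than at deploy time. If the chart has a helm-unittest suite (not visible here), that is where it belongs.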
From: Iain Sproat <68657+iainsproat@users.noreply.github.com> Date: Tue, 15 Oct 2024 12:29:55 +0100 Subject: [PATCH 3/3] Revert "fix(helm chart): service account secrets only includes unique value (#3275)" (#3289) This reverts commit ef25428bd8e4f01a6329619f341668682f91a9de. --- .../speckle-server/templates/_helpers.tpl | 37 ------------------- .../templates/objects/serviceaccount.yml | 30 ++++++++++++++- .../templates/server/serviceaccount.yml | 30 ++++++++++++++- 3 files changed, 58 insertions(+), 39 deletions(-) diff --git a/utils/helm/speckle-server/templates/_helpers.tpl b/utils/helm/speckle-server/templates/_helpers.tpl index 16755df19..0c6516cf9 100644 --- a/utils/helm/speckle-server/templates/_helpers.tpl +++ b/utils/helm/speckle-server/templates/_helpers.tpl 
@@ -955,40 +955,3 @@ Generate the environment variables for Speckle server and Speckle objects deploy
 value: "{{ .Values.server.ratelimiting.burst_get_auth }}"
 {{- end }}
 {{- end }}
-
-{{/*
-Generate the secrets to which the service account should allow access for the Speckle server and Speckle objects deployments
-*/}}
-{{- define "server.serviceAccountSecrets" -}}
-{{- $secretNames := list ( default .Values.secretName .Values.db.connectionString.secretName ) }}
-{{- $secretNames := append $secretNames ( default .Values.secretName .Values.redis.connectionString.secretName ) }}
-{{- $secretNames := append $secretNames ( default .Values.secretName .Values.s3.secret_key.secretName ) }}
-{{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.sessionSecret.secretName ) }}
-{{- if .Values.server.auth.google.enabled }}
- {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.google.clientSecret.secretName ) }}
-{{- end }}
-{{- if .Values.server.auth.github.enabled }}
- {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.github.clientSecret.secretName ) }}
-{{- end }}
-{{- if .Values.server.auth.azure_ad.enabled }}
- {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.azure_ad.clientSecret.secretName ) }}
-{{- end }}
-{{- if .Values.server.auth.oidc.enabled }}
- {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.oidc.clientSecret.secretName ) }}
-{{- end }}
-{{- if .Values.server.email.enabled }}
- {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.email.password.secretName ) }}
-{{- end }}
-{{- if .Values.server.monitoring.apollo.enabled }}
- {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.monitoring.apollo.key.secretName ) }}
-{{- end }}
-{{- if .Values.featureFlags.automateModuleEnabled }}
- {{- $secretNames := append
$secretNames "encryption-keys" }}
-{{- end }}
-{{- if .Values.featureFlags.workspaceModuleEnabled }}
- {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.licenseTokenSecret.secretName ) }}
-{{- end }}
-{{- range $secretName := uniq $secretNames }}
- - name: {{ $secretName }}
-{{- end }}
-{{- end }}
diff --git a/utils/helm/speckle-server/templates/objects/serviceaccount.yml b/utils/helm/speckle-server/templates/objects/serviceaccount.yml
index 6dfcd7316..ecd4da60f 100644
--- a/utils/helm/speckle-server/templates/objects/serviceaccount.yml
+++ b/utils/helm/speckle-server/templates/objects/serviceaccount.yml
@@ -10,5 +10,33 @@ metadata:
 "kubernetes.io/enforce-mountable-secrets": "true"
 automountServiceAccountToken: false
 secrets:
-{{- include "server.serviceAccountSecrets" $ | indent 2 }}
+ - name: {{ default .Values.secretName .Values.db.connectionString.secretName }}
+ - name: {{ default .Values.secretName .Values.redis.connectionString.secretName }}
+ - name: {{ default .Values.secretName .Values.s3.secret_key.secretName }}
+ - name: {{ default .Values.secretName .Values.server.sessionSecret.secretName }}
+{{- if .Values.server.auth.google.enabled }}
+ - name: {{ default .Values.secretName .Values.server.auth.google.clientSecret.secretName }}
+{{- end }}
+{{- if .Values.server.auth.github.enabled }}
+ - name: {{ default .Values.secretName .Values.server.auth.github.clientSecret.secretName }}
+{{- end }}
+{{- if .Values.server.auth.azure_ad.enabled }}
+ - name: {{ default .Values.secretName .Values.server.auth.azure_ad.clientSecret.secretName }}
+{{- end }}
+{{- if .Values.server.auth.oidc.enabled }}
+ - name: {{ default .Values.secretName .Values.server.auth.oidc.clientSecret.secretName }}
+{{- end }}
+{{- if .Values.server.email.enabled }}
+ - name: {{ default .Values.secretName .Values.server.email.password.secretName }}
+{{- end }}
+{{- if .Values.server.monitoring.apollo.enabled }}
+ - name: {{ default .Values.secretName .Values.server.monitoring.apollo.key.secretName }}
+{{- end }}
+{{- if .Values.featureFlags.automateModuleEnabled }}
+ - name: encryption-keys
+{{- end }}
+{{- if .Values.featureFlags.workspaceModuleEnabled }}
+ - name: {{ default .Values.secretName .Values.server.licenseTokenSecret.secretName }}
+{{- end }}
+
 {{- end -}}
diff --git a/utils/helm/speckle-server/templates/server/serviceaccount.yml b/utils/helm/speckle-server/templates/server/serviceaccount.yml
index f1fd31873..c1895c233 100644
--- a/utils/helm/speckle-server/templates/server/serviceaccount.yml
+++ b/utils/helm/speckle-server/templates/server/serviceaccount.yml
@@ -10,5 +10,33 @@ metadata:
 "kubernetes.io/enforce-mountable-secrets": "true"
 automountServiceAccountToken: false
 secrets:
-{{- include "server.serviceAccountSecrets" $ | indent 2 }}
+ - name: {{ default .Values.secretName .Values.db.connectionString.secretName }}
+ - name: {{ default .Values.secretName .Values.redis.connectionString.secretName }}
+ - name: {{ default .Values.secretName .Values.s3.secret_key.secretName }}
+ - name: {{ default .Values.secretName .Values.server.sessionSecret.secretName }}
+{{- if .Values.server.auth.google.enabled }}
+ - name: {{ default .Values.secretName .Values.server.auth.google.clientSecret.secretName }}
+{{- end }}
+{{- if .Values.server.auth.github.enabled }}
+ - name: {{ default .Values.secretName .Values.server.auth.github.clientSecret.secretName }}
+{{- end }}
+{{- if .Values.server.auth.azure_ad.enabled }}
+ - name: {{ default .Values.secretName .Values.server.auth.azure_ad.clientSecret.secretName }}
+{{- end }}
+{{- if .Values.server.auth.oidc.enabled }}
+ - name: {{ default .Values.secretName .Values.server.auth.oidc.clientSecret.secretName }}
+{{- end }}
+{{- if .Values.server.email.enabled }}
+ - name: {{ default .Values.secretName .Values.server.email.password.secretName }}
+{{- end }}
+{{- if .Values.server.monitoring.apollo.enabled }}
+ - name: {{ default .Values.secretName .Values.server.monitoring.apollo.key.secretName }}
+{{- end }}
+{{- if .Values.featureFlags.automateModuleEnabled }}
+ - name: encryption-keys
+{{- end }}
+{{- if .Values.featureFlags.workspaceModuleEnabled }}
+ - name: {{ default .Values.secretName .Values.server.licenseTokenSecret.secretName }}
+{{- end }}
+
 {{- end -}}
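Review bot: The restored inline list emits the same secret name several times whenever several `*.secretName` values fall back to `.Values.secretName` — exactly the duplication the reverted helper set out to remove, and which the API server silently collapses, making the stored object differ from the rendered manifest. If the helper is re-landed, the likely reason it misbehaved is that `{{- $secretNames := append ... }}` inside its `{{- if }}` blocks declares a block-scoped variable instead of updating the outer one; `$secretNames = append ...` (assignment) would keep the conditional names. Until then a short comment above `secrets:` — `# duplicate names are expected when several secretName values default to .Values.secretName; the API server de-duplicates them` — would save the next reader the detour.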