feat: doppler compatibility

Taskfile.yml

@@ -28,3 +28,9 @@ tasks:
     dir: chart
     cmds:
       - helm dependency update
+
+  latest:
+    desc: Get the latest version of Bromine
+    cmds:
+      - >-
+        echo "sulfoxide-bromine: $(skopeo list-tags docker://ghcr.io/atomicloud/sulfoxide.bromine/sulfoxide-bromine | jq -r '.Tags[]' | sort -V | tail -n 1)"

chart/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: sulfoxide-bromine
+  repository: oci://ghcr.io/atomicloud/sulfoxide.bromine
+  version: 1.1.0
+digest: sha256:1f7801f05c546d2c1d85fd3f3a46c41922aaeba3f44eb37f58de73d962c1f55b
+generated: "2023-09-28T13:04:48.97515+08:00"

chart/Chart.yaml

@@ -1,6 +1,11 @@
 apiVersion: v2
-name: atomi-cluster-issuer
-description: AtomiCloud Cluster Issuer
+name: sulfoxide-zinc
+description: Helm chart to deploy cluster issuers, which issuer certificate using cert-manager
 type: application
 version: 1.0.1
 appVersion: "0.1.0"
+
+dependencies:
+  - name: sulfoxide-bromine
+    version: 1.1.0
+    repository: oci://ghcr.io/atomicloud/sulfoxide.bromine

chart/README.md

@@ -1,28 +1,46 @@
-# atomi-cluster-issuer
+# sulfoxide-zinc
 
 ![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.0](https://img.shields.io/badge/AppVersion-0.1.0-informational?style=flat-square)
 
-AtomiCloud Cluster Issuer
+Helm chart to deploy cluster issuers, which issuer certificate using cert-manager
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| oci://ghcr.io/atomicloud/sulfoxide.bromine | sulfoxide-bromine | 1.1.0 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| issuers.letsencrypt | object | `{"email":"[email protected]","secrets":{"external":{"enable":true,"policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteSecretName":"/pichu/opal/cloudflare/token","secretStore":{"kind":"ClusterSecretStore","name":"aws-ssm-secret-store"}},"internal":{"enable":true,"value":""},"key":"api-token","name":"cloudflare-api-token-secret"},"server":"https://acme-v02.api.letsencrypt.org/directory","solvers":[{"dns01":{"cloudflare":{"apiTokenSecretRef":{"key":"api-token","name":"cloudflare-api-token-secret"}}}}],"type":"ClusterIssuer","zones":["atomi.cloud"]}` | Each Issuers |
-| issuers.letsencrypt.email | string | `"[email protected]"` | Email for the issuer |
-| issuers.letsencrypt.secrets | object | `{"external":{"enable":true,"policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteSecretName":"/pichu/opal/cloudflare/token","secretStore":{"kind":"ClusterSecretStore","name":"aws-ssm-secret-store"}},"internal":{"enable":true,"value":""},"key":"api-token","name":"cloudflare-api-token-secret"}` | Secrets |
+| issuers | object | `{"letsencrypt":{"email":"[email protected]","secrets":{"external":{"enable":true,"policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteSecretName":"CLOUDFLARE_TOKEN","secretStore":{"kind":"SecretStore","name":"doppler"}},"internal":{"enable":false,"value":""},"key":"api-token","name":"cloudflare-api-token-secret"},"server":"https://acme-v02.api.letsencrypt.org/directory","solvers":[{"dns01":{"cloudflare":{"apiTokenSecretRef":{"key":"api-token","name":"cloudflare-api-token-secret"}}}}],"type":"ClusterIssuer","zones":["atomi.cloud"]}}` | Dictionary of Issuers to configure, where each key is the name of the issuer, and value is the configuration |
+| issuers.letsencrypt.email | string | `"[email protected]"` | Email to notify for the issuer |
+| issuers.letsencrypt.secrets | object | `{"external":{"enable":true,"policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteSecretName":"CLOUDFLARE_TOKEN","secretStore":{"kind":"SecretStore","name":"doppler"}},"internal":{"enable":false,"value":""},"key":"api-token","name":"cloudflare-api-token-secret"}` | Secret for DNS provider to issue certificate |
+| issuers.letsencrypt.secrets.external | object | `{"enable":true,"policy":{"creation":"Owner","deletion":"Retain"},"refreshInterval":"1h","remoteSecretName":"CLOUDFLARE_TOKEN","secretStore":{"kind":"SecretStore","name":"doppler"}}` | External Secret, use secret from external secret store |
+| issuers.letsencrypt.secrets.external.enable | bool | `true` | Enable using external secret |
 | issuers.letsencrypt.secrets.external.policy | object | `{"creation":"Owner","deletion":"Retain"}` | Secret policy |
 | issuers.letsencrypt.secrets.external.policy.creation | string | `"Owner"` | Creation policy |
 | issuers.letsencrypt.secrets.external.policy.deletion | string | `"Retain"` | Deletion policy |
+| issuers.letsencrypt.secrets.external.refreshInterval | string | `"1h"` | Refresh Interval for the external secret |
+| issuers.letsencrypt.secrets.external.remoteSecretName | string | `"CLOUDFLARE_TOKEN"` | Remote reference for the secret |
+| issuers.letsencrypt.secrets.external.secretStore | object | `{"kind":"SecretStore","name":"doppler"}` | Secret store to use |
+| issuers.letsencrypt.secrets.external.secretStore.kind | string | `"SecretStore"` | Type of Secret Store: `ClusterSecretStore` or `SecretStore` |
+| issuers.letsencrypt.secrets.external.secretStore.name | string | `"doppler"` | Name of secret store to use |
+| issuers.letsencrypt.secrets.internal | object | `{"enable":false,"value":""}` | Internal Secret, use secret propogated via Helm |
+| issuers.letsencrypt.secrets.internal.enable | bool | `false` | Enable using internal secret |
+| issuers.letsencrypt.secrets.internal.value | string | `""` | The actual secret value |
+| issuers.letsencrypt.secrets.key | string | `"api-token"` | Key in the secret to use |
+| issuers.letsencrypt.secrets.name | string | `"cloudflare-api-token-secret"` | Name of the secret |
 | issuers.letsencrypt.server | string | `"https://acme-v02.api.letsencrypt.org/directory"` | ACME compatible server |
-| issuers.letsencrypt.type | string | `"ClusterIssuer"` | Type of Issuer: ClusterIssuer or Issuer |
-| issuers.letsencrypt.zones | list | `["atomi.cloud"]` | Zones to issue for |
-| serviceTree.cluster | string | `"opal"` |  |
-| serviceTree.landscape | string | `"pichu"` |  |
-| serviceTree.layer | string | `"1"` |  |
-| serviceTree.module | string | `"issuer"` |  |
-| serviceTree.platform | string | `"systems"` |  |
-| serviceTree.service | string | `"cert-manager"` |  |
+| issuers.letsencrypt.solvers | list | `[{"dns01":{"cloudflare":{"apiTokenSecretRef":{"key":"api-token","name":"cloudflare-api-token-secret"}}}}]` | TLS Certificate solvers |
+| issuers.letsencrypt.type | string | `"ClusterIssuer"` | Type of Issuer: `ClusterIssuer` or `Issuer` |
+| issuers.letsencrypt.zones | list | `["atomi.cloud"]` | List zones to issue for |
+| serviceTree | object | `{"layer":"1","module":"issuer","platform":"sulfoxide","service":"zinc"}` | AtomiCloud Service Tree. See [ServiceTree](https://atomicloud.larksuite.com/wiki/OkfJwTXGFiMJkrk6W3RuwRrZs64?theme=DARK&contentTheme=DARK#MHw5d76uDo2tBLx86cduFQMRsBb) |
+| sulfoxide-bromine | object | `{"rootSecret":{"ref":"SULFOXIDE_ZINC"},"storeName":"doppler"}` | Create SecretStore via secret of secrets pattern |
+| sulfoxide-bromine.rootSecret | object | `{"ref":"SULFOXIDE_ZINC"}` | Secret of Secrets reference |
+| sulfoxide-bromine.rootSecret.ref | string | `"SULFOXIDE_ZINC"` | DOPPLER Token Reference |
+| sulfoxide-bromine.storeName | string | `"doppler"` | Store name to create |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.1](https://github.com/norwoodj/helm-docs/releases/v1.11.1)

chart/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "atomi-cluster-issuer.name" -}}
+{{- define "sulfoxide-zinc.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "atomi-cluster-issuer.fullname" -}}
+{{- define "sulfoxide-zinc.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,19 +26,19 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "atomi-cluster-issuer.chart" -}}
+{{- define "sulfoxide-zinc.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "atomi-cluster-issuer.labels" -}}
-helm.sh/chart: {{ include "atomi-cluster-issuer.chart" . }}
+{{- define "sulfoxide-zinc.labels" -}}
+helm.sh/chart: {{ include "sulfoxide-zinc.chart" . }}
 {{- range $k, $v := .Values.serviceTree }}
 "atomi.cloud/{{ $k }}": "{{ $v }}"
 {{- end }}
-{{ include "atomi-cluster-issuer.selectorLabels" . }}
+{{ include "sulfoxide-zinc.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -48,8 +48,8 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Common annotations
 */}}
-{{- define "atomi-cluster-issuer.annotations" -}}
-helm.sh/chart: {{ include "atomi-cluster-issuer.chart" . }}
+{{- define "sulfoxide-zinc.annotations" -}}
+helm.sh/chart: {{ include "sulfoxide-zinc.chart" . }}
 {{- range $k, $v := .Values.serviceTree }}
 "atomi.cloud/{{ $k }}": "{{ $v }}"
 {{- end }}
@@ -58,17 +58,17 @@ helm.sh/chart: {{ include "atomi-cluster-issuer.chart" . }}
 {{/*
 Selector labels
 */}}
-{{- define "atomi-cluster-issuer.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "atomi-cluster-issuer.name" . }}
+{{- define "sulfoxide-zinc.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sulfoxide-zinc.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "atomi-cluster-issuer.serviceAccountName" -}}
+{{- define "sulfoxide-zinc.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "atomi-cluster-issuer.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "sulfoxide-zinc.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

chart/templates/cluster_issuer.yaml

@@ -3,8 +3,8 @@ apiVersion: cert-manager.io/v1
 kind: {{ $v.type }}
 metadata:
   name: "{{ $.Release.Name }}-{{ $k }}-issuer"
-  labels:
-    {{ include "atomi-cluster-issuer.labels" $ | nindent 4 }}
+  labels: {{- include "sulfoxide-zinc.labels" $ | nindent 4 }}
+  annotations: {{- include "sulfoxide-zinc.annotations" $ | nindent 4 }}
 spec:
   acme:
     email: "{{ $v.email }}"

chart/templates/external_secret.yaml → chart/templates/provider_token.yaml

@@ -4,12 +4,10 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
   name: {{ $.Release.Name -}}-external-secret
-  annotations:
-   {{- include "atomi-cluster-issuer.annotations" $ | nindent 4 }}
+  annotations: {{- include "sulfoxide-zinc.annotations" $ | nindent 4 }}
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-weight": "-2"
-  labels:
-    {{- include "atomi-cluster-issuer.labels" $ | nindent 4 }}
+  labels: {{- include "sulfoxide-zinc.labels" $ | nindent 4 }}
 spec:
   refreshInterval: {{ $v.secrets.external.refreshInterval }}
   secretStoreRef:
@@ -23,5 +21,19 @@ spec:
     - secretKey: {{ $v.secrets.key }}
       remoteRef:
         key: "{{ $v.secrets.external.remoteSecretName }}"
+---
+{{- end }}
+{{- if $v.secrets.internal.enable }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $v.secrets.name }}
+  annotations: {{- include "sulfoxide-zinc.annotations" $ | nindent 4 }}
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-2"
+  labels: {{- include "sulfoxide-zinc.labels" $ | nindent 4 }}
+data:
+  {{ $v.secrets.key }}: {{ b64enc $v.secrets.internal.value }}
+---
 {{- end }}
 {{- end }}

chart/values.pichu.opal.yaml → chart/values.example.yaml

@@ -1,5 +1,5 @@
 serviceTree:
-  landscape: pichu
+  landscape: lapras
   cluster: opal
 
 issuers:
@@ -10,18 +10,20 @@ issuers:
     zones:
       - atomi.cloud
     secrets:
-      name: cloudflare-api-token
+      name: cloudflare-api-token-secret
       key: api-token
       internal:
         enable: false
       external:
         enable: true
         refreshInterval: 1h
-        remoteSecretName: /pichu/manual/cert-manager/cloudflare-issuer-token
-    # solvers
+        remoteSecretName: CLOUDFLARE_TOKEN
     solvers:
-      - dns01:
-          cloudflare:
-            apiTokenSecretRef:
-              name: cloudflare-api-token
-              key: api-token
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+
+
+

chart/values.yaml

@@ -1,47 +1,70 @@
+# -- AtomiCloud Service Tree. See [ServiceTree](https://atomicloud.larksuite.com/wiki/OkfJwTXGFiMJkrk6W3RuwRrZs64?theme=DARK&contentTheme=DARK#MHw5d76uDo2tBLx86cduFQMRsBb)
 serviceTree:
-  landscape: pichu
-  cluster: opal
-  platform: systems
-  service: cert-manager
+  platform: sulfoxide
+  service: zinc
   module: issuer
   layer: "1"
 
+# -- Create SecretStore via secret of secrets pattern
+sulfoxide-bromine:
+  # -- Store name to create
+  storeName: doppler
+  # -- Secret of Secrets reference
+  rootSecret:
+    # -- DOPPLER Token Reference
+    ref: "SULFOXIDE_ZINC"
+
+# -- Dictionary of Issuers to configure, where each key is the name of the issuer, and value is the configuration
 issuers:
-  # -- Each Issuers
   letsencrypt:
-    # -- Email for the issuer
+    # -- Email to notify for the issuer
     email: [email protected]
-    # -- Type of Issuer: ClusterIssuer or Issuer
+    # -- Type of Issuer: `ClusterIssuer` or `Issuer`
     type: ClusterIssuer
     # -- ACME compatible server
     server: https://acme-v02.api.letsencrypt.org/directory
-    # -- Zones to issue for
+    # -- List zones to issue for
     zones:
       - atomi.cloud
-    # -- Secrets
+    # -- Secret for DNS provider to issue certificate
     secrets:
+      # -- Name of the secret
       name: cloudflare-api-token-secret
+      # -- Key in the secret to use
       key: api-token
+      # -- Internal Secret, use secret propogated via Helm
       internal:
-        enable: true
+        # -- Enable using internal secret
+        enable: false
+        # -- The actual secret value
         value: ""
+      # -- External Secret, use secret from external secret store
       external:
+        # -- Enable using external secret
         enable: true
+        # -- Refresh Interval for the external secret
         refreshInterval: 1h
-        remoteSecretName: /pichu/opal/cloudflare/token
+        # -- Remote reference for the secret
+        remoteSecretName: CLOUDFLARE_TOKEN
+        # -- Secret store to use
         secretStore:
-          name: aws-ssm-secret-store
-          kind: ClusterSecretStore
+          # -- Name of secret store to use
+          name: doppler
+          # -- Type of Secret Store: `ClusterSecretStore` or `SecretStore`
+          kind: SecretStore
         # -- Secret policy
         policy:
           # -- Creation policy
           creation: Owner
           # -- Deletion policy
           deletion: Retain
-    # solvers
+    # -- TLS Certificate solvers
     solvers:
     - dns01:
         cloudflare:
           apiTokenSecretRef:
             name: cloudflare-api-token-secret
             key: api-token
+
+
+

nix/env.nix

@@ -7,6 +7,7 @@ with packages;
     bash
     jq
     yq-go
+    skopeo
   ];
 
   dev = [

nix/packages.nix

@@ -27,6 +27,7 @@ let
           git
           jq
           yq-go
+          skopeo
 
           nodejs_20