feat: add support for External Secrets Operator in Helm chart

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased](https://github.com/MarquezProject/marquez/compare/0.50.0...HEAD)
 
+### Added
+
+* Chart: Add External Secrets Operator (ESO) integration to manage PostgreSQL passwords
+
 ## [0.50.0](https://github.com/MarquezProject/marquez/compare/0.49.0...0.50.0) - 2024-10-23
 
 ### Added

chart/README.md

@@ -122,11 +122,23 @@ helm delete marquez
 |-----------------------|------------------------------------|---------|
 | `ingress.enabled`     | Enables ingress settings           | `false` |
 | `ingress.annotations` | Annotations applied to ingress     | `nil`   |
-| `ingress.hosts`       | Hostname applied to ingress routes | `nil`   |
-| `ingress.tls`         | TLS settings for hostname          | `nil`   |
+| `ingress.hosts`       | Hostname applied to ingress routes | `nil`       |
+| `ingress.tls`         | TLS settings for hostname          | `nil`       |
+
+### [External Secrets Operator](https://external-secrets.io/) **parameters**
+
+| Parameter                                     | Description                                                             | Default             |
+|-----------------------------------------------|-------------------------------------------------------------------------|---------------------|
+| `externalSecrets.enabled`                     | Enable ExternalSecret resource creation                                 | `false`             |
+| `externalSecrets.secretStoreName`             | Name of the SecretStore or ClusterSecretStore                           | `my-secret-store`   |
+| `externalSecrets.secretStoreKind`             | Kind of the SecretStore (SecretStore or ClusterSecretStore)             | `SecretStore`       |
+| `externalSecrets.refreshInterval`             | How often the secret should be refreshed                                | `1h`                |
+| `externalSecrets.auth.password.remoteKey`     | Remote key in the external secret store for the database password       | `marquez/db/password` |
+| `externalSecrets.auth.password.remoteProperty`| Property in the external secret store (if the key is a JSON object)     | `""`                |
 
 ## Local Installation Guide
 
+
 ### Helm Managed Postgres
 
 The quickest way to install Marquez via Kubernetes is to create a local Postgres instance.

chart/templates/marquez/external-secret.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.externalSecrets.enabled -}}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ include "marquez.postgresql.secretName" . }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.commonLabels "context" $) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  refreshInterval: {{ .Values.externalSecrets.refreshInterval | default "1h" | quote }}
+  secretStoreRef:
+    name: {{ .Values.externalSecrets.secretStoreName }}
+    kind: {{ .Values.externalSecrets.secretStoreKind | default "SecretStore" }}
+  target:
+    name: {{ include "marquez.postgresql.secretName" . }}
+    creationPolicy: Owner
+  data:
+  - secretKey: {{ include "marquez.database.existingsecret.key" . }}
+    remoteRef:
+      key: {{ .Values.externalSecrets.auth.password.remoteKey }}
+      {{- if .Values.externalSecrets.auth.password.remoteProperty }}
+      property: {{ .Values.externalSecrets.auth.password.remoteProperty }}
+      {{- end }}
+{{- end -}}

chart/templates/marquez/secret.yaml

@@ -1,4 +1,4 @@
-{{- if (not .Values.marquez.existingSecretName) -}}
+{{- if and (not .Values.marquez.existingSecretName) (not .Values.externalSecrets.enabled) -}}
 apiVersion: v1
 kind: Secret
 metadata:

chart/values.yaml

@@ -212,3 +212,23 @@ ingress:
   #  - secretName: chart-example-tls
   #    hosts:
   #      - chart-example.local
+
+
+## External Secrets Operator integration
+## ref: https://external-secrets.io/
+externalSecrets:
+  ## @param externalSecrets.enabled Enable ExternalSecret resource creation
+  enabled: false
+  ## @param externalSecrets.secretStoreName Name of the SecretStore or ClusterSecretStore
+  secretStoreName: "my-secret-store"
+  ## @param externalSecrets.secretStoreKind Kind of the SecretStore (SecretStore or ClusterSecretStore)
+  secretStoreKind: "SecretStore"
+  ## @param externalSecrets.refreshInterval How often the secret should be refreshed
+  refreshInterval: "1h"
+  ## Authentication parameters to be fetched from external secret store
+  auth:
+    ## @param externalSecrets.auth.password.remoteKey Remote key in the external secret store for the database password
+    password:
+      remoteKey: "marquez/db/password"
+      ## @param externalSecrets.auth.password.remoteProperty Property in the external secret store (if the key is a JSON object)
+      remoteProperty: ""