feat(chart): use infisical (huggingface#1276)

rtrompier · web-flow · commit 4650c2496852 · 2024-06-14T09:18:42.000+02:00
diff --git a/chart/env/prod.yaml b/chart/env/prod.yaml
@@ -347,20 +347,9 @@ envVars:
   WEBSEARCH_BLOCKLIST: '["youtube.com", "twitter.com"]'
   XFF_DEPTH: '2'
 
-externalSecrets:
+infisical:
   enabled: true
-  secretStoreName: "chat-ui-prod-secretstore"
-  secretName: "chat-ui-prod-secrets"
-  parameters:
-    MONGODB_URL: "hub-prod-chat-ui-mongodb-url"
-    OPENID_CONFIG: "hub-prod-chat-ui-openid-config"
-    SERPER_API_KEY: "hub-prod-chat-ui-serper-api-key"
-    HF_TOKEN: "hub-prod-chat-ui-hf-token"
-    WEBHOOK_URL_REPORT_ASSISTANT: "hub-prod-chat-ui-webhook-report-assistant"
-    ADMIN_API_SECRET: "hub-prod-chat-ui-admin-api-secret"
-    USAGE_LIMITS: "hub-prod-chat-ui-usage-limits"
-    MESSAGES_BEFORE_LOGIN: "hub-prod-chat-ui-messages-before-login"
-    IP_TOKEN_SECRET: "hub-prod-chat-ui-ip-token-secret"
+  env: "prod-us-east-1"
 
 autoscaling:
   enabled: true
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -61,9 +61,9 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "name" . }}
-          {{- if $.Values.externalSecrets.enabled }}
+          {{- if $.Values.infisical.enabled }}
             - secretRef:
-                name: {{ $.Values.externalSecrets.secretName }}
+                name: {{ include "name" $ }}-infisical-secret
           {{- end }}
           {{- with $.Values.extraEnvFrom }}
             {{- toYaml . | nindent 14 }}
diff --git a/chart/templates/infisical.yaml b/chart/templates/infisical.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.infisical.enabled }}
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: {{ include "name" $ }}-infisical-secret
+  namespace: {{ $.Release.Namespace }}
+spec:
+  authentication:
+    universalAuth:
+      credentialsRef:
+        secretName: {{ .Values.infisical.operatorSecretName | quote }}
+        secretNamespace: {{ .Values.infisical.operatorSecretNamespace | quote }}
+      secretsScope:
+        envSlug: {{ .Values.infisical.env | quote }}
+        projectSlug: {{ .Values.infisical.project | quote }}
+        secretsPath: /
+  hostAPI: {{ .Values.infisical.url | quote }}
+  managedSecretReference:
+    creationPolicy: Owner
+    secretName: {{ include "name" $ }}-secs
+    secretNamespace: {{ .Release.Namespace | quote }}
+    secretType: Opaque
+  resyncInterval: {{ .Values.infisical.resyncInterval }}
+{{- end }}
diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -38,12 +38,17 @@ nodeSelector: {}
 tolerations: []
 
 envVars: { }
-externalSecrets:
+
+infisical:
   enabled: false
-  secretStoreName: ""
-  secretName: ""
-  parameters: { }
-# Allow to environment injections on top or instead of externalSecrets
+  env: ""
+  project: "huggingchat-v2-a1"
+  url: ""
+  resyncInterval: 60
+  operatorSecretName: "huggingchat-operator-secrets"
+  operatorSecretNamespace: "hub-utils"
+
+# Allow to environment injections on top or instead of infisical
 extraEnvFrom: []
 extraEnv: []
 
diff --git a/docs/source/installation/helm.md b/docs/source/installation/helm.md
@@ -29,7 +29,7 @@ resources:
 
 envVars:
   MONGODB_URL: mongodb://chat-ui-mongo:27017
-  # Ensure that your values.yaml will not leak anywhere or use externalSecrets instead
+  # Ensure that your values.yaml will not leak anywhere
   # PRs welcome for a chart rework with envFrom support!
   HF_TOKEN: secret_token
 ```
