Resolve external secrets by convention (#26)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: maor-rozenfeld

chart/templates/_helpers.tpl

@@ -143,11 +143,16 @@ Secret name used to store sensitive environment variables.
 {{- end }}
 
 {{/*
-Determine if an environment variable name should be treated as a secret.
+Determine if an environment variable should be treated as a secret.
+A key is a secret if it exists in openopsEnvSecrets or its value references openopsEnvSecrets.
+Expected dict: { "root": $, "key": "ENV_VAR", "value": "some-value" }
 */}}
 {{- define "openops.isSecretKey" -}}
-{{- $key := upper . -}}
-{{- if or (contains "PASSWORD" $key) (contains "SECRET" $key) (contains "KEY" $key) (contains "LOGZIO_TOKEN" $key) -}}
+{{- $root := .root -}}
+{{- $key := .key -}}
+{{- $value := .value | default "" | toString -}}
+{{- $secrets := default (dict) $root.Values.openopsEnvSecrets -}}
+{{- if or (hasKey $secrets $key) (contains ".Values.openopsEnvSecrets." $value) -}}
 true
 {{- else -}}
 false
@@ -162,12 +167,13 @@ Expected dict: { "root": $, "key": "ENV", "value": "value" }
 {{- $root := .root -}}
 {{- $key := .key -}}
 {{- $value := .value -}}
-{{- if eq (include "openops.isSecretKey" $key) "true" -}}
+{{- if eq (include "openops.isSecretKey" (dict "root" $root "key" $key "value" $value)) "true" -}}
 - name: {{ $key }}
   valueFrom:
     secretKeyRef:
       name: {{ include "openops.secretName" $root }}
       key: {{ $key }}
+      optional: true
 {{- else -}}
 - name: {{ $key }}
   value: {{ tpl (tpl $value $root) $root | quote }}
@@ -189,7 +195,43 @@ Expected dict: { "root": $, "env": dict }
 {{- end }}
 
 {{/*
-Render deployment strategy
+Resolve the AWS Secrets Manager property name for a secret key.
+For standalone keys (in openopsEnvSecrets), the property is the key itself.
+For derived keys (in tables/analytics/etc), the value is a template ref like
+"{{ .Values.openopsEnvSecrets.OPS_POSTGRES_PASSWORD }}" - extract the referenced key name.
+Expected dict: { "key": "DATABASE_PASSWORD", "value": "{{ .Values.openopsEnvSecrets.OPS_POSTGRES_PASSWORD }}" }
+*/}}
+{{- define "openops.secretPropertyName" -}}
+{{- $key := .key -}}
+{{- $value := .value | toString -}}
+{{- if contains ".Values.openopsEnvSecrets." $value -}}
+{{- $value | trimPrefix "{{" | trimPrefix " " | trimSuffix "}}" | trimSuffix " " | trimPrefix ".Values.openopsEnvSecrets." -}}
+{{- else -}}
+{{- $key -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Collect ExternalSecret data entries for all secret keys in an env map.
+Emits YAML list items for keys that are secrets (in openopsEnvSecrets or referencing it).
+Expected dict: { "root": $, "env": dict, "secretName": "my-secret" }
+*/}}
+{{- define "openops.collectSecretEntries" -}}
+{{- $root := .root -}}
+{{- $env := .env -}}
+{{- $secretName := .secretName -}}
+{{- range $k := keys $env | sortAlpha -}}
+{{- $v := index $env $k -}}
+{{- if eq (include "openops.isSecretKey" (dict "root" $root "key" $k "value" ($v | toString))) "true" }}
+    - secretKey: {{ $k }}
+      remoteRef:
+        key: {{ $secretName }}
+        property: {{ include "openops.secretPropertyName" (dict "key" $k "value" ($v | toString)) }}
+{{- end -}}
+{{- end -}}
+{{- end }}
+
+{{/*
 */}}
 {{- define "openops.deploymentStrategy" -}}
 {{- if .Values.global.strategy }}
@@ -293,26 +335,26 @@ Validate that required secrets are configured - ALWAYS ENFORCED
 {{- /* Skip validation if using an external secret manager */ -}}
 {{- $usingExistingSecret := and .Values.secretEnv .Values.secretEnv.existingSecret (not .Values.secretEnv.create) -}}
 {{- if not $usingExistingSecret -}}
-{{- $encKey := .Values.openopsEnv.OPS_ENCRYPTION_KEY -}}
+{{- $encKey := .Values.openopsEnvSecrets.OPS_ENCRYPTION_KEY -}}
 {{- if not $encKey -}}
-{{- fail "ERROR: OPS_ENCRYPTION_KEY is required. Generate with: openssl rand -hex 32" -}}
+{{- fail "ERROR: OPS_ENCRYPTION_KEY is required. Generate with: openssl rand -hex 16" -}}
 {{- end -}}
 {{- if ne (len $encKey) 32 -}}
 {{- fail "ERROR: OPS_ENCRYPTION_KEY must be exactly 32 hex characters" -}}
 {{- end -}}
-{{- if not .Values.openopsEnv.OPS_JWT_SECRET -}}
-{{- fail "ERROR: OPS_JWT_SECRET is required. Generate with: openssl rand -hex 32" -}}
+{{- if not .Values.openopsEnvSecrets.OPS_JWT_SECRET -}}
+{{- fail "ERROR: OPS_JWT_SECRET is required. Generate with: openssl rand -hex 16" -}}
 {{- end -}}
-{{- if not .Values.openopsEnv.OPS_OPENOPS_ADMIN_PASSWORD -}}
+{{- if not .Values.openopsEnvSecrets.OPS_OPENOPS_ADMIN_PASSWORD -}}
 {{- fail "ERROR: OPS_OPENOPS_ADMIN_PASSWORD is required. Use a strong password" -}}
 {{- end -}}
-{{- if not .Values.openopsEnv.OPS_POSTGRES_PASSWORD -}}
+{{- if not .Values.openopsEnvSecrets.OPS_POSTGRES_PASSWORD -}}
 {{- fail "ERROR: OPS_POSTGRES_PASSWORD is required. Use a strong password" -}}
 {{- end -}}
-{{- if not .Values.openopsEnv.OPS_ANALYTICS_ADMIN_PASSWORD -}}
+{{- if not .Values.openopsEnvSecrets.OPS_ANALYTICS_ADMIN_PASSWORD -}}
 {{- fail "ERROR: OPS_ANALYTICS_ADMIN_PASSWORD is required. Use a strong password" -}}
 {{- end -}}
-{{- if not .Values.openopsEnv.ANALYTICS_POWERUSER_PASSWORD -}}
+{{- if not .Values.openopsEnvSecrets.ANALYTICS_POWERUSER_PASSWORD -}}
 {{- fail "ERROR: ANALYTICS_POWERUSER_PASSWORD is required. Use a strong password" -}}
 {{- end -}}
 {{- end -}}

chart/templates/deployment-app.yaml

@@ -74,6 +74,7 @@ spec:
             - name: OPS_COMPONENT
               value: app
 {{ include "openops.renderEnv" (dict "root" . "env" .Values.openopsEnv) | nindent 12 }}
+{{ include "openops.renderEnv" (dict "root" . "env" .Values.openopsEnvSecrets) | nindent 12 }}
           ports:
             - containerPort: 80
               name: http

chart/templates/deployment-engine.yaml

@@ -57,6 +57,7 @@ spec:
             - name: OPS_COMPONENT
               value: engine
 {{ include "openops.renderEnv" (dict "root" . "env" .Values.openopsEnv) | nindent 12 }}
+{{ include "openops.renderEnv" (dict "root" . "env" .Values.openopsEnvSecrets) | nindent 12 }}
 {{ include "openops.renderEnv" (dict "root" . "env" .Values.engine.env) | nindent 12 }}
           ports:
             - containerPort: 3005

chart/templates/external-secret.yaml

@@ -41,91 +41,14 @@ spec:
     name: {{ .Values.secretEnv.existingSecret | default "openops-env" }}
     creationPolicy: Owner
   data:
-    - secretKey: OPS_ENCRYPTION_KEY
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_ENCRYPTION_KEY
-    - secretKey: OPS_JWT_SECRET
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_JWT_SECRET
-    - secretKey: OPS_POSTGRES_PASSWORD
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_POSTGRES_PASSWORD
-    - secretKey: OPS_OPENOPS_ADMIN_PASSWORD
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_OPENOPS_ADMIN_PASSWORD
-    - secretKey: OPS_ANALYTICS_ADMIN_PASSWORD
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_ANALYTICS_ADMIN_PASSWORD
-    - secretKey: ANALYTICS_POWERUSER_PASSWORD
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: ANALYTICS_POWERUSER_PASSWORD
-    - secretKey: OPS_SLACK_APP_SIGNING_SECRET
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_SLACK_APP_SIGNING_SECRET
-    - secretKey: OPS_LOGZIO_TOKEN
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_LOGZIO_TOKEN
-    - secretKey: OPS_OPENOPS_ADMIN_PASSWORD_SALT
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_OPENOPS_ADMIN_PASSWORD_SALT
-    - secretKey: OPS_LANGFUSE_PUBLIC_KEY
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_LANGFUSE_PUBLIC_KEY
-    - secretKey: OPS_LANGFUSE_SECRET_KEY
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_LANGFUSE_SECRET_KEY
-    - secretKey: OPS_SSO_FRONTEGG_PUBLIC_KEY
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_SSO_FRONTEGG_PUBLIC_KEY
-    # Tables derived keys
-    - secretKey: LOGZIO_TOKEN
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_LOGZIO_TOKEN
-    - secretKey: OPENOPS_ADMIN_PASSWORD_SALT
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_OPENOPS_ADMIN_PASSWORD_SALT
-    # Tables (Baserow) derived keys
-    - secretKey: BASEROW_ADMIN_PASSWORD
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_OPENOPS_ADMIN_PASSWORD
-    - secretKey: BASEROW_JWT_SIGNING_KEY
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_JWT_SECRET
-    - secretKey: SECRET_KEY
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_ENCRYPTION_KEY
-    - secretKey: DATABASE_PASSWORD
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_POSTGRES_PASSWORD
-    # Analytics (Superset) derived keys
-    - secretKey: ADMIN_PASSWORD
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: OPS_ANALYTICS_ADMIN_PASSWORD
-    - secretKey: POWERUSER_PASSWORD
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: ANALYTICS_POWERUSER_PASSWORD
-    - secretKey: SUPERSET_SECRET_KEY
-      remoteRef:
-        key: {{ .Values.externalSecrets.secretName }}
-        property: SUPERSET_SECRET_KEY
+{{- $allEnv := dict -}}
+{{- range $k, $v := .Values.openopsEnvSecrets }}{{ $_ := set $allEnv $k ($v | toString) }}{{ end }}
+{{- range $k, $v := .Values.openopsEnv }}{{ if not (hasKey $allEnv $k) }}{{ $_ := set $allEnv $k ($v | toString) }}{{ end }}{{ end }}
+{{- range $k, $v := .Values.tables.env }}{{ if not (hasKey $allEnv $k) }}{{ $_ := set $allEnv $k ($v | toString) }}{{ end }}{{ end }}
+{{- range $k, $v := .Values.analytics.env }}{{ if not (hasKey $allEnv $k) }}{{ $_ := set $allEnv $k ($v | toString) }}{{ end }}{{ end }}
+{{- range $k, $v := .Values.postgres.env }}{{ if not (hasKey $allEnv $k) }}{{ $_ := set $allEnv $k ($v | toString) }}{{ end }}{{ end }}
+{{- if .Values.engine }}{{- if .Values.engine.env }}
+{{- range $k, $v := .Values.engine.env }}{{ if not (hasKey $allEnv $k) }}{{ $_ := set $allEnv $k ($v | toString) }}{{ end }}{{ end }}
+{{- end }}{{- end }}
+{{- include "openops.collectSecretEntries" (dict "root" $ "env" $allEnv "secretName" .Values.externalSecrets.secretName) }}
 {{- end }}

chart/templates/secret-env.yaml

@@ -10,11 +10,11 @@
 {{- $existingSecret := default "" $secretSettings.existingSecret -}}
 {{- if and $create (not $existingSecret) -}}
 {{- $autoSecretData := dict -}}
-{{- $envSources := list .Values.openopsEnv .Values.engine.env .Values.tables.env .Values.analytics.env .Values.postgres.env -}}
+{{- $envSources := list .Values.openopsEnvSecrets .Values.openopsEnv .Values.engine.env .Values.tables.env .Values.analytics.env .Values.postgres.env -}}
 {{- range $env := $envSources }}
 {{- if $env }}
 {{- range $k, $v := $env }}
-{{- if eq (include "openops.isSecretKey" $k) "true" }}
+{{- if eq (include "openops.isSecretKey" (dict "root" $root "key" $k "value" ($v | toString))) "true" }}
 {{- /* Double-tpl allows recursive variable resolution, e.g., "{{ .Values.foo }}" can contain "{{ .Values.bar }}" */ -}}
 {{- $_ := set $autoSecretData $k (tpl (tpl $v $root) $root) }}
 {{- end }}

chart/values.ci.yaml

@@ -16,7 +16,7 @@ global:
     enabled: false
 
 # CI test secrets (not for production)
-openopsEnv:
+openopsEnvSecrets:
   OPS_ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef"
   OPS_JWT_SECRET: "ci-jwt-secret-not-for-production"
   OPS_OPENOPS_ADMIN_PASSWORD: "ci-admin123"

chart/values.overrides-example.yaml

@@ -6,6 +6,8 @@ global:
 
 openopsEnv:
   OPS_OPENOPS_ADMIN_EMAIL: openops@example.com
+
+openopsEnvSecrets:
   OPS_OPENOPS_ADMIN_PASSWORD: 9wqhK7jehmxAQlre
   OPS_ENCRYPTION_KEY: 7de996f020438444dc2c79e9b843805d
   OPS_JWT_SECRET: M72yCOp9riLjIDws

chart/values.yaml

@@ -97,12 +97,8 @@ openopsEnv:
   OPS_OPENOPS_TABLES_VERSION: "{{ .Values.tables.tag }}"
   OPS_ANALYTICS_VERSION: "{{ .Values.analytics.tag }}"
 
-  # Authentication - REQUIRED, NO DEFAULTS
-  # Generate secure values with: openssl rand -hex 32
-  OPS_ENCRYPTION_KEY: ""  # REQUIRED: 32-character hex string
-  OPS_JWT_SECRET: ""      # REQUIRED: Random secret string
+  # Authentication
   OPS_OPENOPS_ADMIN_EMAIL: admin@openops.com
-  OPS_OPENOPS_ADMIN_PASSWORD: ""  # REQUIRED: Strong password
 
   # Telemetry
   OPS_LOG_LEVEL: info
@@ -125,7 +121,6 @@ openopsEnv:
   OPS_POSTGRES_HOST: '{{ include "openops.postgresHost" . }}'
   OPS_POSTGRES_PORT: '{{ include "openops.postgresPort" . }}'
   OPS_POSTGRES_USERNAME: postgres
-  OPS_POSTGRES_PASSWORD: ""  # REQUIRED: Strong password
 
   # Tables
   OPS_OPENOPS_TABLES_DATABASE_NAME: tables
@@ -139,18 +134,32 @@ openopsEnv:
   # Analytics
   OPS_ANALYTICS_PUBLIC_URL: '{{ include "openops.publicUrl" . }}'
   OPS_ANALYTICS_PRIVATE_URL: '{{ include "openops.analyticsServiceUrl" . }}'
-  OPS_ANALYTICS_ADMIN_PASSWORD: ""  # REQUIRED: Strong password
-  ANALYTICS_POWERUSER_PASSWORD: ""  # REQUIRED: Strong password
   ANALYTICS_ALLOW_ADHOC_SUBQUERY: "true"
 
   # AWS
   OPS_AWS_ENABLE_IMPLICIT_ROLE: "false"
 
   # Blocks custom settings
   OPS_CODE_BLOCK_MEMORY_LIMIT_IN_MB: "256"
-  OPS_SLACK_APP_SIGNING_SECRET: ""
   OPS_SLACK_ENABLE_INTERACTIONS: "true"
 
+# Secret environment variables
+# Any var in this section is treated as a secret (stored in K8s Secret, referenced via secretKeyRef).
+# Generate secure values with: openssl rand -hex 16
+openopsEnvSecrets:
+  OPS_ENCRYPTION_KEY: ""  # REQUIRED: 32-character hex string (openssl rand -hex 16)
+  OPS_JWT_SECRET: ""      # REQUIRED: Random secret string
+  OPS_OPENOPS_ADMIN_PASSWORD: ""  # REQUIRED: Strong password
+  OPS_POSTGRES_PASSWORD: ""  # REQUIRED: Strong password
+  OPS_ANALYTICS_ADMIN_PASSWORD: ""  # REQUIRED: Strong password
+  ANALYTICS_POWERUSER_PASSWORD: ""  # REQUIRED: Strong password
+  OPS_SLACK_APP_SIGNING_SECRET: ""
+  SUPERSET_SECRET_KEY: "thisISaSECRET_1234"
+  OPS_LOGZIO_TOKEN: ""
+  OPS_LANGFUSE_PUBLIC_KEY: ""
+  OPS_LANGFUSE_SECRET_KEY: ""
+  OPS_SSO_FRONTEGG_PUBLIC_KEY: ""
+
 secretEnv:
   create: true
   existingSecret: ""
@@ -276,10 +285,10 @@ tables:
     BASEROW_PUBLIC_URL: "{{ .Values.openopsEnv.OPS_OPENOPS_TABLES_PUBLIC_URL }}"
     BASEROW_PRIVATE_URL: "{{ .Values.openopsEnv.OPS_OPENOPS_TABLES_API_URL }}"
     BASEROW_EXTRA_ALLOWED_HOSTS: '*'
-    SECRET_KEY: "{{ .Values.openopsEnv.OPS_ENCRYPTION_KEY }}"
-    BASEROW_JWT_SIGNING_KEY: "{{ .Values.openopsEnv.OPS_JWT_SECRET }}"
+    SECRET_KEY: "{{ .Values.openopsEnvSecrets.OPS_ENCRYPTION_KEY }}"
+    BASEROW_JWT_SIGNING_KEY: "{{ .Values.openopsEnvSecrets.OPS_JWT_SECRET }}"
     BASEROW_ADMIN_USERNAME: "{{ .Values.openopsEnv.OPS_OPENOPS_ADMIN_EMAIL }}"
-    BASEROW_ADMIN_PASSWORD: "{{ .Values.openopsEnv.OPS_OPENOPS_ADMIN_PASSWORD }}"
+    BASEROW_ADMIN_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_OPENOPS_ADMIN_PASSWORD }}"
     BASEROW_REFRESH_TOKEN_LIFETIME_HOURS: "{{ .Values.openopsEnv.OPS_JWT_TOKEN_LIFETIME_HOURS }}"
     BASEROW_ACCESS_TOKEN_LIFETIME_MINUTES: "{{ .Values.openopsEnv.OPS_TABLES_TOKEN_LIFETIME_MINUTES }}"
     SYNC_TEMPLATES_ON_STARTUP: 'false'
@@ -289,7 +298,7 @@ tables:
     DATABASE_HOST: "{{ .Values.openopsEnv.OPS_POSTGRES_HOST }}"
     DATABASE_PORT: "{{ .Values.openopsEnv.OPS_POSTGRES_PORT }}"
     DATABASE_USER: "{{ .Values.openopsEnv.OPS_POSTGRES_USERNAME }}"
-    DATABASE_PASSWORD: "{{ .Values.openopsEnv.OPS_POSTGRES_PASSWORD }}"
+    DATABASE_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_POSTGRES_PASSWORD }}"
     REDIS_URL: '{{ include "openops.redisUrl" . }}'
   storage:
     size: 10Gi
@@ -336,17 +345,17 @@ analytics:
     port: 8088
     path: /health
   env:
-    ADMIN_PASSWORD: "{{ .Values.openopsEnv.OPS_ANALYTICS_ADMIN_PASSWORD }}"
-    POWERUSER_PASSWORD: "{{ .Values.openopsEnv.ANALYTICS_POWERUSER_PASSWORD }}"
+    ADMIN_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_ANALYTICS_ADMIN_PASSWORD }}"
+    POWERUSER_PASSWORD: "{{ .Values.openopsEnvSecrets.ANALYTICS_POWERUSER_PASSWORD }}"
     GUNICORN_LOGLEVEL: 'debug'
     DATABASE_DIALECT: 'postgresql'
     DATABASE_DB: 'analytics'
     DATABASE_HOST: "{{ .Values.openopsEnv.OPS_POSTGRES_HOST }}"
     DATABASE_PORT: "{{ .Values.openopsEnv.OPS_POSTGRES_PORT }}"
     DATABASE_USER: "{{ .Values.openopsEnv.OPS_POSTGRES_USERNAME }}"
-    DATABASE_PASSWORD: "{{ .Values.openopsEnv.OPS_POSTGRES_PASSWORD }}"
+    DATABASE_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_POSTGRES_PASSWORD }}"
     DATABASE_HOST_ALT: "{{ .Values.openopsEnv.OPS_OPENOPS_TABLES_DB_HOST }}"
-    SUPERSET_SECRET_KEY: "{{ .Values.openopsEnv.OPS_ENCRYPTION_KEY }}"
+    SUPERSET_SECRET_KEY: "{{ .Values.openopsEnvSecrets.SUPERSET_SECRET_KEY }}"
     SUPERSET_FEATURE_ALLOW_ADHOC_SUBQUERY: '"{{ .Values.openopsEnv.ANALYTICS_ALLOW_ADHOC_SUBQUERY }}"'
     REDIS_HOST: "{{ .Values.openopsEnv.OPS_REDIS_HOST }}"
     REDIS_PORT: "{{ .Values.openopsEnv.OPS_REDIS_PORT }}"
@@ -391,7 +400,7 @@ postgres:
   env:
     maxConnections: "300"
     POSTGRES_USER: "{{ .Values.openopsEnv.OPS_POSTGRES_USERNAME }}"
-    POSTGRES_PASSWORD: "{{ .Values.openopsEnv.OPS_POSTGRES_PASSWORD }}"
+    POSTGRES_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_POSTGRES_PASSWORD }}"
     POSTGRES_DB: "{{ .Values.openopsEnv.OPS_POSTGRES_DATABASE }}"
   # Authentication configuration
   auth: