refactor(devsvc): implement secret management for sensitive configurations

- Removed direct references to sensitive data (e.g., MongoDB URI, Gitea token, RabbitMQ password) in values files and replaced them with a structured secrets section.
- Updated deployment and configuration templates to inject secrets from FreeleapsSecretStore, enhancing security and maintainability.
- This change aligns with the new secret management strategy across the application.

Signed-off-by: zhenyus <zhenyus@mathmast.com>

freeleaps/helm-pkg/authentication/templates/authentication/authentication-config.yaml

@@ -9,13 +9,11 @@ data:
   APP_NAME: {{ .Values.authentication.configs.appName | b64enc | quote }}
   DEVSVC_WEBAPI_URL_BASE: {{ .Values.authentication.configs.devsvcWebapiUrlBase | b64enc | quote }}
   NOTIFICATION_WEBAPI_URL_BASE: {{ .Values.authentication.configs.notificationWebapiUrlBase | b64enc | quote }}
-  JWT_SECRET_KEY: {{ .Values.authentication.configs.jwtSecretKey | b64enc | quote }}
   JWT_ALGORITHM: {{ .Values.authentication.configs.jwtAlgorithm | b64enc | quote }}
   SERVICE_API_ACCESS_HOST: {{ .Values.authentication.configs.serviceApiAccessHost | b64enc | quote }}
   SERVICE_API_ACCESS_PORT: {{ .Values.authentication.configs.serviceApiAccessPort | toString | b64enc }}
   MONGODB_NAME: {{ .Values.authentication.configs.mongodbName | b64enc | quote }}
   MONGODB_PORT: {{ .Values.authentication.configs.mongodbPort | toString | b64enc }}
-  MONGODB_URI: {{ .Values.authentication.configs.mongodbUri | b64enc | quote }}
   METRICS_ENABLED: {{ .Values.authentication.configs.metricsEnabled | default false | toString | b64enc }}
   PROBES_ENABLED: {{ .Values.authentication.configs.probesEnabled | default false | toString | b64enc }}
   

freeleaps/helm-pkg/devsvc/templates/devsvc/deployment.yaml

@@ -109,6 +109,15 @@ spec:
                   name: devsvc-config
                   key: {{ $key | snakecase | upper }}
             {{- end }}
+            # inject from secret created by FreeleapsSecret object
+            {{ $targetSecretName := .Values.devsvc.secrets.target.name }}
+            {{- range .Values.devsvc.secrets.data }}
+            - name: {{ .key | snakecase | upper }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $targetSecretName }}
+                  key: {{ .key }}
+            {{- end }}
 {{- if .Values.logIngest.enabled }}
           volumeMounts:
             - name: app-logs

freeleaps/helm-pkg/devsvc/templates/devsvc/devsvc-config.yaml

@@ -10,8 +10,6 @@ data:
   SERVICE_API_ACCESS_HOST: {{ .Values.devsvc.configs.serviceApiAccessHost | b64enc | quote }}
   SERVICE_API_ACCESS_PORT: {{ .Values.devsvc.configs.serviceApiAccessPort | toString | b64enc }}
   MONGODB_NAME: {{ .Values.devsvc.configs.mongodbName | b64enc | quote }}
-  MONGODB_URI: {{ .Values.devsvc.configs.mongodbUri | b64enc | quote }}
-  GITEA_TOKEN: {{ .Values.devsvc.configs.giteaToken | b64enc | quote }}
   GITEA_URL: {{ .Values.devsvc.configs.giteaUrl | b64enc | quote }}
   GITEA_DEPOT_ORGANIZATION: {{ .Values.devsvc.configs.giteaDepotOrganization | b64enc | quote }}
   CODE_DEPOT_HTTP_PORT: {{ .Values.devsvc.configs.codeDepotHttpPort | toString | b64enc }}
@@ -24,11 +22,8 @@ data:
   RABBITMQ_HOST: {{ .Values.devsvc.configs.rabbitmqHost | b64enc | quote }}
   RABBITMQ_PORT: {{ .Values.devsvc.configs.rabbitmqPort | toString | b64enc }}
   RABBITMQ_USERNAME: {{ .Values.devsvc.configs.rabbitmqUsername | b64enc | quote }}
-  RABBITMQ_PASSWORD: {{ .Values.devsvc.configs.rabbitmqPassword | b64enc | quote }}
   RABBITMQ_VIRTUAL_HOST: {{ .Values.devsvc.configs.rabbitmqVirtualHost | b64enc | quote }}
   DEFAULT_GIT_USERNAME: {{ .Values.devsvc.configs.defaultGitUsername | b64enc | quote }}
-  DEFAULT_GIT_PASSWORD: {{ .Values.devsvc.configs.defaultGitPassword | b64enc | quote }}
   DEVOPS_DOCKER_REGISTRY_URL: {{ .Values.devsvc.configs.devopsDockerRegistryUrl | b64enc | quote }}
   DEVOPS_DOCKER_REGISTRY_REPOSITORY_NAME: {{ .Values.devsvc.configs.devopsDockerRegistryRepositoryName | b64enc | quote }}
   DEVOPS_DOCKER_REGISTRY_USERNAME: {{ .Values.devsvc.configs.devopsDockerRegistryUsername | b64enc | quote }}
-  DEVOPS_DOCKER_REGISTRY_PASSWORD: {{ .Values.devsvc.configs.devopsDockerRegistryPassword | b64enc | quote }}

freeleaps/helm-pkg/devsvc/templates/devsvc/freeleapssecret.yaml

@@ -0,0 +1,20 @@
+apiVersion: freeleaps.com/v1alpha1
+kind: FreeleapsSecret
+metadata:
+  name: freeleaps-devsvc-secrets
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretStoreRef:
+    kind: {{ .Values.devsvc.secrets.secretStoreRef.kind }}
+    name: {{ .Values.devsvc.secrets.secretStoreRef.name }}
+  target:
+    name: {{ .Values.devsvc.secrets.target.name }}
+    creationPolicy: {{ .Values.devsvc.secrets.target.creationPolicy }}
+  refreshInterval: {{ .Values.devsvc.secrets.refreshInterval }}
+  data:
+{{- range .Values.devsvc.secrets.data }}
+  - secretKey: {{ .key }}
+    remoteRef:
+      key: {{ .remoteRef.key }}
+      type: {{ .remoteRef.type }}
+{{- end }}

freeleaps/helm-pkg/devsvc/values.alpha.yaml

@@ -81,8 +81,6 @@ devsvc:
     serviceApiAccessHost: 0.0.0.0
     serviceApiAccessPort: 8007
     mongodbName: freeleaps2
-    mongodbUri: mongodb+srv://jetli:8IHKx6dZK8BfugGp@freeleaps2.hanbj.mongodb.net/
-    giteaToken: 65bc8b16705414abbdaf8e6262ad698015ce49d9
     giteaUrl: http://freeleaps-alpha-gitea-http.freeleaps-alpha.svc.freeleaps.cluster:3000
     giteaDepotOrganization: products
     codeDepotHttpPort: 443
@@ -94,14 +92,41 @@ devsvc:
     rabbitmqHost: freeleaps-alpha-rabbitmq.freeleaps-alpha.svc.freeleaps.cluster
     rabbitmqPort: 5672
     rabbitmqUsername: user
-    rabbitmqPassword: NjlhHFvnDuC7K0ir
     rabbitmqVirtualHost: /
     defaultGitUsername: freeleaps
     defaultGitPassword: r8sA8CPHD9!bt6d
     devopsDockerRegistryUrl: https://hub.docker.com
     devopsDockerRegistryRepositoryName: freeleapsdevops
     devopsDockerRegistryUsername: freeleapsdevops
-    devopsDockerRegistryPassword: dckr_pat_y-KsBOwcEGTdCQDsAb-NBz9_beg
+  secrets:
+    secretStoreRef:
+      kind: FreeleapsSecretStore
+      name: freeleaps-main-secret-store
+    target:
+      name: "freeleaps-devsvc-secrets"
+      creationPolicy: "Owner"
+    refreshInterval: 30s
+    data:
+      - key: giteaToken
+        remoteRef:
+          key: "freeleaps-alpha-gitea-token"
+          type: Secret
+      - key: mongodbUri
+        remoteRef:
+          key: "freeleaps-alpha-mongodb-uri"
+          type: Secret
+      - key: rabbitmqPassword
+        remoteRef:
+          key: "freeleaps-alpha-rabbitmq-password"
+          type: Secret
+      - key: defaultGitPassword
+        remoteRef:
+          key: "freeleaps-alpha-gitea-password"
+          type: Secret
+      - key: devopsDockerRegistryPassword
+        remoteRef:
+          key: "freeleaps-alpha-devops-docker-registry-password"
+          type: Secret
   vpa:
     minAllowed:
       enabled: false

freeleaps/helm-pkg/devsvc/values.prod.yaml

@@ -72,8 +72,6 @@ devsvc:
     serviceApiAccessHost: 0.0.0.0
     serviceApiAccessPort: 8007
     mongodbName: freeleaps2
-    mongodbUri: mongodb+srv://freeadmin:0eMV0bt8oyaknA0m@freeleaps2.zmsmpos.mongodb.net/?retryWrites=true&w=majority
-    giteaToken: 87f8cf4bf9e6b7beb422967e079fadbdfb70e0be
     giteaUrl: http://freeleaps-prod-gitea-http.freeleaps-prod.svc.freeleaps.cluster:3000
     giteaDepotOrganization: products
     codeDepotHttpPort: 443
@@ -85,14 +83,40 @@ devsvc:
     rabbitmqHost: freeleaps-prod-rabbitmq-headless.freeleaps-prod.svc.freeleaps.cluster
     rabbitmqPort: 5672
     rabbitmqUsername: user
-    rabbitmqPassword: D3b0HKz71T0OcYF8
     rabbitmqVirtualHost: /
     defaultGitUsername: freeleaps-admin
-    defaultGitPassword: r8sA8CPHD9!bt6d
     devopsDockerRegistryUrl: https://hub.docker.com
     devopsDockerRegistryRepositoryName: freeleapsdevops
     devopsDockerRegistryUsername: freeleapsdevops
-    devopsDockerRegistryPassword: dckr_pat_y-KsBOwcEGTdCQDsAb-NBz9_beg
+  secrets:
+    secretStoreRef:
+      kind: FreeleapsSecretStore
+      name: freeleaps-main-secret-store
+    target:
+      name: "freeleaps-devsvc-secrets"
+      creationPolicy: "Owner"
+    refreshInterval: 30s
+    data:
+      - key: giteaToken
+        remoteRef:
+          key: "freeleaps-prod-gitea-token"
+          type: Secret
+      - key: mongodbUri
+        remoteRef:
+          key: "freeleaps-prod-mongodb-uri"
+          type: Secret
+      - key: rabbitmqPassword
+        remoteRef:
+          key: "freeleaps-prod-rabbitmq-password"
+          type: Secret
+      - key: defaultGitPassword
+        remoteRef:
+          key: "freeleaps-prod-gitea-password"
+          type: Secret
+      - key: devopsDockerRegistryPassword
+        remoteRef:
+          key: "freeleaps-prod-devops-docker-registry-password"
+          type: Secret
   vpa:
     minAllowed:
       enabled: true