feat(chat): migrate alpha and prod environments to use Azure Key Vault for sensitive data

- Add FreeleapsSecret configuration for Azure Key Vault integration - Move sensitive data (mongodbUri, jwtSecretKey, stripeApiKey, etc.) from config to secrets - Update deployment template to read from both config and FreeleapsSecret - Comment out sensitive fields in chat-config.yaml - Create freeleapssecret.yaml template for secret management - Update both alpha and prod environment configurations
2025-08-18 17:05:05 +08:00 · 2025-08-18 17:05:05 +08:00 · 377250ce6a
commit 377250ce6a
parent 69a2c112d1
6 changed files with 143 additions and 21 deletions
--- a/freeleaps/helm-pkg/chat/templates/chat/chat-config.yaml
+++ b/freeleaps/helm-pkg/chat/templates/chat/chat-config.yaml
@ -10,19 +10,13 @@ data:
  SERVICE_API_ACCESS_HOST: {{ .Values.chat.configs.serviceApiAccessHost | b64enc | quote }}
  SERVICE_API_ACCESS_PORT: {{ .Values.chat.configs.serviceApiAccessPort | toString | b64enc }}
  MONGODB_NAME: {{ .Values.chat.configs.mongodbName | b64enc | quote }}
-  MONGODB_URI: {{ .Values.chat.configs.mongodbUri | b64enc | quote }}
  MONGODB_PORT: {{ .Values.chat.configs.mongodbPort | toString | b64enc }}
  EMAIL_FROM: {{ .Values.chat.configs.emailFrom | b64enc | quote }}
  SITE_URL_ROOT: {{ .Values.chat.configs.siteUrlRoot | b64enc | quote }}
-  JWT_SECRET_KEY: {{ .Values.chat.configs.jwtSecretKey | b64enc | quote }}
  JWT_ALGORITHM: {{ .Values.chat.configs.jwtAlgorithm | b64enc | quote }}
-  STRIPE_API_KEY: {{ .Values.chat.configs.stripeApiKey | b64enc | quote }}
-  STRIPE_WEBHOOK_SECRET: {{ .Values.chat.configs.stripeWebhookSecret | b64enc | quote }}
-  STRIPE_ACCOUNT_WEBHOOK_SECRET: {{ .Values.chat.configs.stripeAccountWebhookSecret | b64enc | quote }}
  RABBITMQ_HOST: {{ .Values.chat.configs.rabbitmqHost | b64enc | quote }}
  RABBITMQ_PORT: {{ .Values.chat.configs.rabbitmqPort | toString | b64enc }}
  RABBITMQ_USERNAME: {{ .Values.chat.configs.rabbitmqUsername | b64enc | quote }}
-  RABBITMQ_PASSWORD: {{ .Values.chat.configs.rabbitmqPassword | b64enc | quote }}
  FREELEAPS_DEVSVC_ENDPOINT: {{ .Values.chat.configs.freeleapsDevsvcEndpoint | b64enc | quote }}
  FREELEAPS_CONTENT_ENDPOINT: {{ .Values.chat.configs.freeleapsContentEndpoint | b64enc | quote }}
  FREELEAPS_CENTRAL_STORAGE_ENDPOINT: {{ .Values.chat.configs.freeleapsCentralStorageEndpoint | b64enc | quote }}
@ -32,7 +26,6 @@ data:
  FREELEAPS_NOTIFICATION_ENDPOINT: {{ .Values.chat.configs.freeleapsNotificationEndpoint | b64enc | quote }}
  FREELEAPS_ENV: {{ .Values.chat.configs.freeleapsEnv | b64enc | quote }}
  CERT_PATH: {{ .Values.chat.configs.certPath | b64enc | quote }}
-  REDIS_URL: {{ .Values.chat.configs.redisUrl | b64enc | quote }}
  REDIS_IS_CLUSTER: {{ .Values.chat.configs.redisIsCluster | b64enc | quote }}
  METRICS_ENABLED: {{ .Values.chat.configs.metricsEnabled | default false | toString | b64enc }}
  PROBES_ENABLED: {{ .Values.chat.configs.probesEnabled | default false | toString | b64enc }}
--- a/freeleaps/helm-pkg/chat/templates/chat/deployment.yaml
+++ b/freeleaps/helm-pkg/chat/templates/chat/deployment.yaml
@ -109,6 +109,16 @@ spec:
                  name: chat-config
                  key: {{ $key | snakecase | upper }}
            {{- end }}
+            {{- if .Values.chat.secrets }}
+            {{ $targetSecretName := .Values.chat.secrets.target.name }}
+            {{- range .Values.chat.secrets.data }}
+            - name: {{ .key | snakecase | upper }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $targetSecretName }}
+                  key: {{ .key }}
+            {{- end }}
+            {{- end }}
 {{- if .Values.logIngest.enabled }}
          volumeMounts:
            - name: app-logs
--- a/freeleaps/helm-pkg/chat/templates/chat/freeleapssecret.yaml
+++ b/freeleaps/helm-pkg/chat/templates/chat/freeleapssecret.yaml
@ -0,0 +1,20 @@
+apiVersion: freeleaps.com/v1alpha1
+kind: FreeleapsSecret
+metadata:
+  name: freeleaps-chat-alpha-secrets
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretStoreRef:
+    kind: {{ .Values.chat.secrets.secretStoreRef.kind }}
+    name: {{ .Values.chat.secrets.secretStoreRef.name }}
+  target:
+    name: {{ .Values.chat.secrets.target.name }}
+    creationPolicy: {{ .Values.chat.secrets.target.creationPolicy }}
+  refreshInterval: {{ .Values.chat.secrets.refreshInterval }}
+  data:
+{{- range .Values.chat.secrets.data }}
+  - secretKey: {{ .key }}
+    remoteRef:
+      key: {{ .remoteRef.key }}
+      type: {{ .remoteRef.type }}
+{{- end }}
--- a/freeleaps/helm-pkg/chat/values.alpha.yaml
+++ b/freeleaps/helm-pkg/chat/values.alpha.yaml
@ -82,19 +82,13 @@ chat:
    serviceApiAccessHost: 0.0.0.0
    serviceApiAccessPort: 8012
    mongodbName: freeleaps2
-    mongodbUri: mongodb+srv://jetli:8IHKx6dZK8BfugGp@freeleaps2.hanbj.mongodb.net/
    mongodbPort: 27017
    emailFrom: freeleaps@freeleaps.com
    siteUrlRoot: https://freeleaps-alpha.com
-    jwtSecretKey: 8f87ca8c3c9c3df09a9c78e0adb0927855568f6072d9efc892534aee35f5867b
    jwtAlgorithm: HS256
-    stripeApiKey: sk_test_51Ogsw5B0IyqaSJBrwczlr820jnmvA1qQQGoLZ2XxOsIzikpmXo4pRLjw4XVMTEBR8DdVTYySiAv1XX53Zv5xqynF00GfMqttFd
-    stripeWebhookSecret: whsec_hUbnahlGtAvN2yckBk45a236LmrODOdm
-    stripeAccountWebhookSecret: whsec_PgPnkWGhEUiQfnV8aIb5Wmruz7XETJLm
    rabbitmqHost: freeleaps-alpha-rabbitmq.freeleaps-alpha.svc.freeleaps.cluster
    rabbitmqPort: 5672
    rabbitmqUsername: user
-    rabbitmqPassword: NjlhHFvnDuC7K0ir
    freeleapsDevsvcEndpoint: http://devsvc-service.freeleaps-alpha.svc.freeleaps.cluster:8007/api/devsvc/
    freeleapsContentEndpoint: http://content-service.freeleaps-alpha.svc.freeleaps.cluster:8013/api/content/
    freeleapsCentralStorageEndpoint: http://central-storage-service.freeleaps-alpha.svc.freeleaps.cluster:8005/api/central_storage/
@ -104,10 +98,47 @@ chat:
    freeleapsAilabEndpoint: ''
    freeleapsEnv: alpha
    certPath: ''
-    redisUrl: redis://:4sTqfZvUwR@freeleaps-alpha-redis-headless.freeleaps-alpha.svc.freeleaps.cluster:6379
    redisIsCluster: 'false'
    metricsEnabled: 'true'
    probesEnabled: 'true'
+  
+  secrets:
+    secretStoreRef:
+      kind: FreeleapsSecretStore
+      name: freeleaps-main-secret-store
+    target:
+      name: "freeleaps-chat-alpha-secrets"
+      creationPolicy: "Owner"
+    refreshInterval: 30s
+    data:
+      - key: mongodbUri
+        remoteRef:
+          key: "freeleaps-alpha-mongodb-uri"
+          type: Secret
+      - key: jwtSecretKey
+        remoteRef:
+          key: "freeleaps-alpha-jwt-secret-key"
+          type: Secret
+      - key: stripeApiKey
+        remoteRef:
+          key: "freeleaps-alpha-stripe-api-key"
+          type: Secret
+      - key: stripeWebhookSecret
+        remoteRef:
+          key: "freeleaps-alpha-stripe-webhook-secret"
+          type: Secret
+      - key: stripeAccountWebhookSecret
+        remoteRef:
+          key: "freeleaps-alpha-stripe-account-webhook-secret"
+          type: Secret
+      - key: rabbitmqPassword
+        remoteRef:
+          key: "freeleaps-alpha-rabbitmq-password"
+          type: Secret
+      - key: redisUrl
+        remoteRef:
+          key: "freeleaps-alpha-redis-url"
+          type: Secret
  vpa:
    minAllowed:
      enabled: false
--- a/freeleaps/helm-pkg/chat/values.prod.yaml
+++ b/freeleaps/helm-pkg/chat/values.prod.yaml
@ -74,18 +74,12 @@ chat:
    serviceApiAccessPort: 8012
    mongodbName: freeleaps2
    mongodbPort: 27017
-    mongodbUri: mongodb+srv://freeadmin:0eMV0bt8oyaknA0m@freeleaps2.zmsmpos.mongodb.net/?retryWrites=true&w=majority
    emailFrom: freeleaps@freeleaps.com
    siteUrlRoot: https://freeleaps.com
-    jwtSecretKey: ea84edf152976b2fcec12b78aa8e45bc26a5cf0ef61bf16f5c317ae33b3fd8b0
    jwtAlgorithm: HS256
-    stripeApiKey: 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
-    stripeWebhookSecret: whsec_yWObkdtJTP4FOrmN2vPNEAv0EBGXbU3n
-    stripeAccountWebhookSecret: whsec_cFhia4hz65OQLdhv26LZAAmjoBc6WNgg
    rabbitmqHost: freeleaps-prod-rabbitmq-headless.freeleaps-prod.svc.freeleaps.cluster
    rabbitmqPort: 5672
    rabbitmqUsername: user
-    rabbitmqPassword: D3b0HKz71T0OcYF8
    freeleapsDevsvcEndpoint: http://devsvc-service.freeleaps-prod.svc.freeleaps.cluster:8007/api/devsvc/
    freeleapsContentEndpoint: http://content-service.freeleaps-prod.svc.freeleaps.cluster:8013/api/content/
    freeleapsCentralStorageEndpoint: http://central-storage-service.freeleaps-prod.svc.freeleaps.cluster:8005/api/central_storage/
@ -95,10 +89,46 @@ chat:
    freeleapsAilabEndpoint: ''
    freeleapsEnv: chat
    certPath: ''
-    redisUrl: redis://:izrZtCmYk8@freeleaps-prod-redis-redis-cluster-headless.freeleaps-prod.svc.freeleaps.cluster:6379/0
    redisIsCluster: 'true'
    metricsEnabled: 'false'
    probesEnabled: 'true'
+  secrets:
+    secretStoreRef:
+      kind: FreeleapsSecretStore
+      name: freeleaps-main-secret-store
+    target:
+      name: "freeleaps-chat-prod-secrets"
+      creationPolicy: "Owner"
+    refreshInterval: 30s
+    data:
+      - key: mongodbUri
+        remoteRef:
+          key: "freeleaps-prod-mongodb-uri"
+          type: Secret
+      - key: jwtSecretKey
+        remoteRef:
+          key: "freeleaps-prod-jwt-secret-key"
+          type: Secret
+      - key: stripeApiKey
+        remoteRef:
+          key: "freeleaps-prod-stripe-api-key"
+          type: Secret
+      - key: stripeWebhookSecret
+        remoteRef:
+          key: "freeleaps-prod-stripe-webhook-secret"
+          type: Secret
+      - key: stripeAccountWebhookSecret
+        remoteRef:
+          key: "freeleaps-prod-stripe-account-webhook-secret"
+          type: Secret
+      - key: rabbitmqPassword
+        remoteRef:
+          key: "freeleaps-prod-rabbitmq-password"
+          type: Secret
+      - key: redisUrl
+        remoteRef:
+          key: "freeleaps-prod-redis-url"
+          type: Secret
  vpa:
    minAllowed:
      enabled: true
--- a/freeleaps/helm-pkg/chat/values.yaml
+++ b/freeleaps/helm-pkg/chat/values.yaml
@ -126,6 +126,44 @@ chat:
    metricsEnabled: "false"
    # PROBES_ENABLED
    probesEnabled: "true"
+  
+  secrets:
+    secretStoreRef:
+      kind: FreeleapsSecretStore
+      name: freeleaps-main-secret-store
+    target:
+      name: "freeleaps-chat-secrets"
+      creationPolicy: "Owner"
+    refreshInterval: 30s
+    data:
+      - key: mongodbUri
+        remoteRef:
+          key: "freeleaps-mongodb-uri"
+          type: Secret
+      - key: jwtSecretKey
+        remoteRef:
+          key: "freeleaps-jwt-secret-key"
+          type: Secret
+      - key: stripeApiKey
+        remoteRef:
+          key: "freeleaps-stripe-api-key"
+          type: Secret
+      - key: stripeWebhookSecret
+        remoteRef:
+          key: "freeleaps-stripe-webhook-secret"
+          type: Secret
+      - key: stripeAccountWebhookSecret
+        remoteRef:
+          key: "freeleaps-stripe-account-webhook-secret"
+          type: Secret
+      - key: rabbitmqPassword
+        remoteRef:
+          key: "freeleaps-rabbitmq-password"
+          type: Secret
+      - key: redisUrl
+        remoteRef:
+          key: "freeleaps-redis-url"
+          type: Secret
  vpa:
    minAllowed:
      enabled: false