From 2ba3496537809b43f0e3090bbc56cb444277890a Mon Sep 17 00:00:00 2001
From: Ivaylo Papratilov
Date: Fri, 30 Aug 2024 13:15:09 +0300
Subject: [PATCH] fix: move api key from configmap to secret
---
 .../templates/daemonset.yaml | 5 +++
 .../templates/move-api-key-to-secret.yaml | 43 +++++++++++++++++++
 .../gpu-metrics-exporter/templates/rbac.yaml | 23 ++++++++++
 .../templates/secret.yaml | 14 ++++++
 charts/gpu-metrics-exporter/values.yaml | 3 ++
 5 files changed, 88 insertions(+)
 create mode 100644 charts/gpu-metrics-exporter/templates/move-api-key-to-secret.yaml
 create mode 100644 charts/gpu-metrics-exporter/templates/secret.yaml
diff --git a/charts/gpu-metrics-exporter/templates/daemonset.yaml b/charts/gpu-metrics-exporter/templates/daemonset.yaml
index 2985a07..5314c24 100644
--- a/charts/gpu-metrics-exporter/templates/daemonset.yaml
+++ b/charts/gpu-metrics-exporter/templates/daemonset.yaml
@@ -78,6 +78,11 @@ spec:
 env:
 - name: "DCGM_HOST"
 value: "localhost"
+ - name: "API_KEY"
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "gpu-metrics-exporter.fullname" . }}
+ key: API_KEY
 {{- end }}
 resources:
 {{- toYaml .Values.gpuMetricsExporter.resources | nindent 12 }}
diff --git a/charts/gpu-metrics-exporter/templates/move-api-key-to-secret.yaml b/charts/gpu-metrics-exporter/templates/move-api-key-to-secret.yaml
new file mode 100644
index 0000000..e982f9f
--- /dev/null
+++ b/charts/gpu-metrics-exporter/templates/move-api-key-to-secret.yaml
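Review bot: In templates/daemonset.yaml the new `API_KEY` entry is added above the `{{- end }}` that closes the block holding `DCGM_HOST`, so it is rendered only when that block's condition is true. The opening `{{- if ... }}` is outside the hunk, so this is inferred, but if the condition only concerns the DCGM host setting, the exporter starts without its key whenever the condition is false. Moving the entry below `{{- end }}` makes it unconditional, and the templated Secret name is safer quoted: `name: {{ include "gpu-metrics-exporter.fullname" . | quote }}`.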
@@ -0,0 +1,43 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: migrate-configmap-to-secret
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ backoffLimit: 0
+ template:
+ spec:
+ serviceAccountName: {{ include "gpu-metrics-exporter.serviceAccountName" . }}
+ containers:
+ - name: migrate
+ image: alpine/k8s:1.31.0
+ command:
+ - /bin/sh
+ - -c
+ - |
+ configmap_data=$(kubectl get configmap ${CONFIGMAP_NAME} -o json)
+
+ if echo $configmap_data | jq -e '.data["API_KEY"]' > /dev/null; then
+ secret_value=$(echo $configmap_data | jq -r '.data["API_KEY"]')
+
+ kubectl create secret generic {{ include "gpu-metrics-exporter.fullname" . }} -n {{ .Release.Namespace }} \
+ --from-literal=API_KEY=$secret_value \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+ kubectl patch configmap {{ include "gpu-metrics-exporter.config-map" . }} -n {{ .Release.Namespace }} \
+ --type=json -p='[{"op": "remove", "path": "/data/API_KEY"}]'
+
+ kubectl rollout restart daemonset/{{ include "gpu-metrics-exporter.fullname" . }} -n {{ .Release.Namespace }}
+ else
+ echo "API_KEY not found in the ConfigMap. Skipping migration."
+ fi
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ restartPolicy: Never
\ No newline at end of file
diff --git a/charts/gpu-metrics-exporter/templates/rbac.yaml b/charts/gpu-metrics-exporter/templates/rbac.yaml
index 94bf9f4..728ad54 100644
--- a/charts/gpu-metrics-exporter/templates/rbac.yaml
+++ b/charts/gpu-metrics-exporter/templates/rbac.yaml
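Review bot: In templates/move-api-key-to-secret.yaml the script reads `${CONFIGMAP_NAME}`, but the container spec in this hunk defines no `env`, so the variable is presumably empty and `kubectl get configmap -o json` returns a list with no top-level `.data`; the `jq -e` test then fails and the migration is skipped silently. The script also has no `set -e`, so a failed `kubectl apply` of the Secret is still followed by the patch that removes `API_KEY` from the ConfigMap, which would leave the key in neither place. `$configmap_data` and `$secret_value` are expanded unquoted, which lets the shell split or glob the key material. The fence uses the same ConfigMap helper as the later `kubectl patch`, fails fast and quotes the expansions.

```yaml
              set -eu
              configmap_data=$(kubectl get configmap {{ include "gpu-metrics-exporter.config-map" . }} -n {{ .Release.Namespace }} -o json)

              if printf '%s' "$configmap_data" | jq -e '.data["API_KEY"]' > /dev/null; then
                secret_value=$(printf '%s' "$configmap_data" | jq -r '.data["API_KEY"]')

                kubectl create secret generic {{ include "gpu-metrics-exporter.fullname" . }} -n {{ .Release.Namespace }} \
                  --from-literal=API_KEY="$secret_value" \
                  --dry-run=client -o yaml | kubectl apply -f -
                # … unchanged: configmap patch, rollout restart, else branch …
```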
@@ -26,6 +26,29 @@ rules:
 verbs:
 - get
 - list
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/charts/gpu-metrics-exporter/templates/secret.yaml b/charts/gpu-metrics-exporter/templates/secret.yaml
new file mode 100644
index 0000000..95880fb
--- /dev/null
+++ b/charts/gpu-metrics-exporter/templates/secret.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "gpu-metrics-exporter.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "gpu-metrics-exporter.labels" . | nindent 4 }}
+data:
+{{- if and .Values.castai (not (empty .Values.castai.apiKey)) }}
+ API_KEY: {{ .Values.castai.apiKey | b64enc | quote }}
+{{- else }}
+ API_KEY: ""
+{{- end }}
diff --git a/charts/gpu-metrics-exporter/values.yaml b/charts/gpu-metrics-exporter/values.yaml
index 5ac9ace..6b80fcb 100644
--- a/charts/gpu-metrics-exporter/values.yaml
+++ b/charts/gpu-metrics-exporter/values.yaml
@@ -6,6 +6,9 @@ serviceAccount: automount: true annotations: {} + +castai: + apiKey: "" + gpuMetricsExporter: image: repository: ghcr.io/castai/gpu-metrics-exporter/gpu-metrics-exporter
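Review bot: In templates/rbac.yaml the three new rules grant `get`/`update`/`patch` on every Secret, plus `patch` on ConfigMaps and DaemonSets, to the role this hunk extends; the `ClusterRoleBinding` that follows suggests it is a ClusterRole, although its header is outside the hunk. The migration Job runs under `gpu-metrics-exporter.serviceAccountName`, which looks like the account the exporter pods use as well, so every exporter pod would keep cluster-wide Secret read and write long after the one-off migration has finished. A namespaced Role and RoleBinding for a dedicated hook service account, annotated as hooks so they are deleted with the Job, would confine the grant to the release namespace. The secrets rule can additionally be pinned with `resourceNames: [{{ include "gpu-metrics-exporter.fullname" . | quote }}]`.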
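Review bot: In templates/secret.yaml the `else` branch renders `API_KEY: ""`, so the chart itself owns the key with an empty value whenever `castai.apiKey` is unset. For installs that rely on the migration Job, a later `helm upgrade` would likely write that empty value back over the key the Job copied, and by then the ConfigMap entry has been removed; this is worth confirming against Helm's merge behaviour before release. One way to keep an existing value is to read the live Secret first with `{{- $live := lookup "v1" "Secret" .Release.Namespace (include "gpu-metrics-exporter.fullname" .) }}` and render `API_KEY: {{ dig "data" "API_KEY" "" $live | quote }}` in the `else` branch. `lookup` returns an empty result under `helm template` and `--dry-run`, so the rendered value is empty there.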