control-service: Add helm chart entries for Vault Configuation

projects/control-service/projects/helm_charts/pipelines-control-service/templates/_helpers.tpl

@@ -178,6 +178,22 @@ JDBC secret name
 {{ include "common.names.fullname" . }}-jdbc
 {{- end -}}
 
+
+{{/*
+Generate default Vault configuration.
+*/}}
+{{- define "pipelines-control-service.vaultSecret" -}}
+URI: {{ default "http://localhost:8200" .Values.secrets.vault.uri | b64enc | quote }}
+TOKEN: {{ default "root" .Values.secrets.vault.token | b64enc | quote }}
+{{- end -}}
+
+{{/*
+Vault secret name
+*/}}
+{{- define "pipelines-control-service.vaultSecretName" -}}
+{{ include "common.names.fullname" . }}-vault
+{{- end -}}
+
 {{/*
 VDK distribution docker repository secret name
 */}}

projects/control-service/projects/helm_charts/pipelines-control-service/templates/deployment.yaml

@@ -299,6 +299,22 @@ spec:
             - name: MAIL_TRANSPORT_PROTOCOL
               value: "{{ .Values.mail.transport.protocol }}"
             {{- end }}
+            {{- if .Values.secrets.vault.enabled }}
+            - name: FEATUREFLAG_VAULT_INTEGRATION_ENABLED
+              value: "{{ .Values.secrets.vault.enabled }}"
+            - name: VDK_VAULT_URI
+              valueFrom:
+                secretKeyRef:
+                  name: { { .Values.secrets.vault.externalSecretName | default (include "pipelines-control-service.vaultSecretName" . ) } }
+                  key: URI
+            - name: VDK_VAULT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: { { .Values.secrets.vault.externalSecretName | default (include "pipelines-control-service.vaultSecretName" . ) } }
+                  key: TOKEN
+            - name: DATAJOBS_VAULT_SIZE_LIMIT_BYTES
+              value: "{{ .Values.secrets.vault.sizeLimitBytes }}"
+            {{- end }}
 
 
 {{- if .Values.extraVars }}

projects/control-service/projects/helm_charts/pipelines-control-service/templates/secret_vault.yaml

@@ -0,0 +1,16 @@
+{{- /*
+  Copyright 2021-2023 VMware, Inc.
+  SPDX-License-Identifier: Apache-2.0
+ */}}
+
+## Create a secret with Vault credentials for storing Secrets only if externalSecretName is not supplied.
+## If any of the fields are empty, we fall-back to defaults (f.e. local dev environment)
+{{- if not .Values.secrets.vault.externalSecretName }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "pipelines-control-service.vaultSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels: {{- include "pipelines-control-service.labels" . | nindent 4 }}
+data: {{- include "pipelines-control-service.vaultSecret" . | nindent 2 }}
+{{- end }}

projects/control-service/projects/helm_charts/pipelines-control-service/values.yaml

@@ -573,7 +573,7 @@ database:
    ## Name of the secret which holds JDBC credentials. The chart will not attempt to create this, but will use it as is.
    ## The secret should contain keys: JDBC, USERNAME, PASSWORD
    externalSecretName: ""
-   ## Alternatively provide JDBC url, username and password. externalSecretName takes precendence if both are set.
+   ## Alternatively provide JDBC url, username and password. externalSecretName takes precedence if both are set.
    jdbcUrl: ""
    username: ""
    password: ""
@@ -1087,3 +1087,16 @@ alertmanager:
           value: ""
       receiver: "data-pipelines-receiver"
       repeatInterval: 30d
+
+# Vault integration configuration for storing Data Job Secrets
+# More information here: https://github.com/vmware/versatile-data-kit/tree/main/specs/vep-1493-vault-integration
+secrets:
+    vault:
+        enabled: false
+        ## Name of the secret which holds Vault URI and Token. The chart will not attempt to create this, but will use it as is.
+        ## The secret should contain keys: URI, TOKEN
+        externalSecretName: ""
+        ## Alternatively provide the uri and token here. externalSecretName takes precedence if both are set.
+        uri: "http://localhost:8200"
+        token: "root"
+        sizeLimitBytes: 1048576