From 8458277dbc2b6aab56b57d3a51a3fafbbc2e9fbc Mon Sep 17 00:00:00 2001
From: saisatish karra
Date: Wed, 5 Apr 2023 11:23:27 -0400
Subject: [PATCH] override fulcio server secret keys

Signed-off-by: saisatish karra
---
 charts/fulcio/Chart.yaml                     |  2 +-
 charts/fulcio/README.md                      |  5 ++-
 charts/fulcio/templates/createcerts-job.yaml |  2 +-
 .../fulcio/templates/fulcio-deployment.yaml  | 11 +++---
 charts/fulcio/values.schema.json             | 38 ++++++++++++++++++-
 charts/fulcio/values.yaml                    |  6 ++-
 6 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/charts/fulcio/Chart.yaml b/charts/fulcio/Chart.yaml
index 65525ff5..ca9f9b86 100644
--- a/charts/fulcio/Chart.yaml
+++ b/charts/fulcio/Chart.yaml
@@ -5,7 +5,7 @@ description: |
 type: application
-version: 2.2.0
+version: 2.2.1
 appVersion: 1.2.0
 keywords:
diff --git a/charts/fulcio/README.md b/charts/fulcio/README.md
index 956deca9..9ead3d9b 100644
--- a/charts/fulcio/README.md
+++ b/charts/fulcio/README.md
@@ -134,7 +134,10 @@ helm uninstall [RELEASE_NAME]
 | server.logging.production | bool | `false` | |
 | server.name | string | `"server"` | |
 | server.replicaCount | int | `1` | |
-| server.secret | string | `"fulcio-server-secret"` | |
+| server.secret.certificateKey | string | `"cert"` | |
+| server.secret.name | string | `"fulcio-server-secret"` | |
+| server.secret.passwordKey | string | `"password"` | |
+| server.secret.privateKey | string | `"private"` | |
 | server.securityContext.runAsNonRoot | bool | `true` | |
 | server.securityContext.runAsUser | int | `65533` | |
 | server.service.ports[0].name | string | `"http"` | |
diff --git a/charts/fulcio/templates/createcerts-job.yaml b/charts/fulcio/templates/createcerts-job.yaml
index 1286561f..16147135 100644
--- a/charts/fulcio/templates/createcerts-job.yaml
+++ b/charts/fulcio/templates/createcerts-job.yaml
@@ -23,7 +23,7 @@ spec:
         - name: {{ template "fulcio.createcerts.fullname" . }}
           image: "{{ template "fulcio.image" .Values.createcerts.image }}"
           imagePullPolicy: "{{ .Values.createcerts.image.pullPolicy }}"
-          args: ["--secret={{ .Values.server.secret }}"]
+          args: ["--secret={{ .Values.server.secret.name }}"]
           env:
             - name: NAMESPACE
               valueFrom:
diff --git a/charts/fulcio/templates/fulcio-deployment.yaml b/charts/fulcio/templates/fulcio-deployment.yaml
index d7a8ee2e..1b4e7a26 100644
--- a/charts/fulcio/templates/fulcio-deployment.yaml
+++ b/charts/fulcio/templates/fulcio-deployment.yaml
@@ -64,8 +64,9 @@ spec:
             - name: PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.server.secret }}
-                  key: password
+                  name: {{ .Values.server.secret.name }}
+                  key: {{ .Values.server.secret.passwordKey }}
+                  optional: true
           {{- end }}
           volumeMounts:
             - name: fulcio-config
@@ -101,10 +102,10 @@ spec:
         {{- if eq .Values.server.args.certificateAuthority "fileca" }}
         - name: fulcio-cert
           secret:
-            secretName: {{ .Values.server.secret }}
+            secretName: {{ .Values.server.secret.name }}
             items:
-              - key: private
+              - key: {{ .Values.server.secret.privateKey }}
                 path: key.pem
-              - key: cert
+              - key: {{ .Values.server.secret.certificateKey }}
                 path: cert.pem
         {{- end }}
diff --git a/charts/fulcio/values.schema.json b/charts/fulcio/values.schema.json
index e594fad0..deeec18d 100644
--- a/charts/fulcio/values.schema.json
+++ b/charts/fulcio/values.schema.json
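Review bot: The job is still told only the Secret's name (`--secret={{ .Values.server.secret.name }}`), while the deployment now reads the entry names from `server.secret.privateKey`, `certificateKey` and `passwordKey`; nothing in this hunk forwards those names to the job, so if createcerts writes fixed entry names (its code is not on this page) an overridden key name yields a Secret the deployment cannot mount. Either pass the key names through to the job as well, or state in values.yaml that overriding them is only meaningful with a Secret the user supplies rather than one the job creates. The container spec continues outside the hunk.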
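Review bot: `optional: true` on the PASSWORD `secretKeyRef` changes the failure mode: a misspelled `passwordKey`, or a Secret that lacks the password entry, no longer blocks pod creation but silently leaves PASSWORD unset, so the problem surfaces only when fulcio tries to load an encrypted key. If the intent is to allow a user-supplied Secret with an unencrypted key, say so next to the line, e.g. `# optional: a user-supplied Secret may hold an unencrypted key and no password entry`. The templated key names here, and in the `items` of the next hunk, are rendered as plain scalars; `key: {{ .Values.server.secret.passwordKey | quote }}` keeps a value such as `yes` or `0644` from being retyped by the YAML parser. The enclosing `{{- if ... }}` opens before this hunk.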
@@ -818,8 +818,42 @@
           ]
         },
         "secret": {
-          "type": "string",
-          "title": "The name of the secret containing the fulcio keys, password and PEM"
+          "type": "object",
+          "default": {},
+          "title": "The secret containing the fulcio sever keys, certificate",
+          "required": [
+            "name",
+            "privateKey",
+            "certificateKey"
+          ],
+          "properties": {
+            "name": {
+              "type": "string",
+              "default": "fulcio-server-cert",
+              "title": "The name of the fulcio secret containing the keys, password, pem",
+              "examples": [
+                "fulcio-server-cert"
+              ]
+            },
+            "privateKey": {
+              "type": "string",
+              "default": "private",
+              "title": "The key path for private key in secret",
+              "examples": [
+                "private",
+                "tls.key"
+              ]
+            },
+            "certificateKey": {
+              "type": "string",
+              "default": "cert",
+              "title": "The key path for certificate PEM in secret",
+              "examples": [
+                "cert",
+                "tls.cert"
+              ]
+            }
+          }
         }
       },
       "examples": [
diff --git a/charts/fulcio/values.yaml b/charts/fulcio/values.yaml
index 0dcb4745..0ce30292 100644
--- a/charts/fulcio/values.yaml
+++ b/charts/fulcio/values.yaml
@@ -10,7 +10,11 @@ server:
   name: server
   svcPort: 80
   grpcSvcPort: 5554
-  secret: fulcio-server-secret
+  secret:
+    name: fulcio-server-secret
+    privateKey: private
+    passwordKey: password
+    certificateKey: cert
   logging:
     production: false
   image:
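Review bot: The schema default for `name` is `fulcio-server-cert`, but values.yaml and the README in this same patch set it to `fulcio-server-secret`; one of the two is wrong, and the schema default is the one tooling reads. `passwordKey` is set in values.yaml and consumed by the deployment template yet is missing from both `properties` and `required` here, so it is neither validated nor documented (and would be rejected outright if this object ever gains `additionalProperties: false`). `"default": {}` also contradicts a `required` list of three members. The title has a typo: `sever` → `server`.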
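Review bot: The four new keys under `secret:` carry no comments, and their meaning is not obvious from the names alone: `name` is the Secret referenced by both the createcerts job and the server deployment, while the three `*Key` values are the entry names inside that Secret that the deployment mounts (`privateKey`, `certificateKey`) or reads into PASSWORD (`passwordKey`). A short comment block above `secret:` saying which template consumes each key, and that overriding the entry names is only useful with a Secret you supply yourself, would save the next reader a trip through the templates. The plain scalars `private`, `password` and `cert` are safe as written, but the comment should warn that a value like `yes` or an all-digit string must be quoted.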