NX-13810 Added new env, envFrom, secrets & configMaps option for api-… (#5)

fank · web-flow · commit af1e5e60948a · 2025-06-06T23:06:12.000+09:00
* NX-13810 Added new env, envFrom, secrets &amp; configMaps option for api-deployment

* 🎨

* 🎨
diff --git a/charts/api-deployment/Chart.yaml b/charts/api-deployment/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.3.1
+version: 0.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/api-deployment/templates/deployment.yaml b/charts/api-deployment/templates/deployment.yaml
@@ -42,12 +42,13 @@ spec:
             - {{ . | quote }}
           {{- end }}
           {{- end }}
+          {{- with .Values.env }}
           env:
-            - name: GOOGLE_APPLICATION_CREDENTIALS
-              value: /var/run/secret/cloud.google.com/service-account.json
-          {{- if ne .Values.gcp.projectID "" }}
-            - name: GOOGLE_CLOUD_PROJECT
-              value: {{ .Values.gcp.projectID | quote }}
+            {{- toYaml . | nindent 14 }}
+          {{- end }}
+          {{- with .Values.envFrom }}
+          envFrom:
+            {{- toYaml . | nindent 14 }}
           {{- end }}
           ports:
             - name: http
@@ -73,11 +74,18 @@ spec:
               mountPath: /etc/nx
               readOnly: true
           {{- end }}
-            - name: gcp-service-account
-              mountPath: /var/run/secret/cloud.google.com
-              readOnly: true
             - name: files
               mountPath: /mnt/files
+          {{- range .Values.secrets }}
+            - name: {{ .name | quote }}
+              mountPath: {{ .mountPath | quote }}
+              readOnly: {{ .readOnly | default true }} # Enforce read-only by default to enhance security
+          {{- end }}
+          {{- range .Values.configMaps }}
+            - name: {{ .name | quote }}
+              mountPath: {{ .mountPath | quote }}
+              readOnly: {{ .readOnly | default true }} # Enforce read-only by default to enhance security
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -96,13 +104,22 @@ spec:
           configMap:
             name: {{ include "api-deployment.fullname" $ }}
         {{- end }}
-        - name: gcp-service-account
-          secret:
-            secretName: {{ .Values.gcp.serviceAccount }}
         - name: files
         {{- with .Values.volume.data.volumeClaim }}
           persistentVolumeClaim:
             claimName: {{ . }}
         {{- else }}
           emptyDir: {}
         {{- end }}
+        {{- range .Values.secrets }}
+        - name: {{ .name | quote }}
+          secret:
+            secretName: {{ .secretName | quote }}
+            optional: {{ .optional | default false }} # Ensure configmap is present by default
+        {{- end }}
+        {{- range .Values.configMaps }}
+        - name: {{ .name | quote }}
+          configMap:
+            name: {{ .configMapName | quote }}
+            optional: {{ .optional | default false }} # Ensure configmap is present by default
+        {{- end }}
diff --git a/charts/api-deployment/values-example.yaml b/charts/api-deployment/values-example.yaml
@@ -0,0 +1,51 @@
+# Example values.yaml configuration for certificate loading
+
+# Load certificate from a secret and reference it via environment variable
+secrets:
+  - name: tls-cert
+    secretName: my-tls-certificate
+    mountPath: /etc/ssl/certs
+    readOnly: true
+
+env:
+  # Static environment variables
+  - name: CERT_PATH
+    value: "/etc/ssl/certs/tls.crt"
+  - name: KEY_PATH
+    value: "/etc/ssl/certs/tls.key"
+  - name: SSL_VERIFY
+    value: "true"
+  
+  # Load environment variable from a secret
+  - name: DATABASE_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: database-secret
+        key: password
+        optional: false
+  
+  # Load environment variable from a configmap
+  - name: API_BASE_URL
+    valueFrom:
+      configMapKeyRef:
+        name: app-config
+        key: api-url
+        optional: false
+
+envFrom:
+  # Load all environment variables from a secret
+  - secretRef:
+      name: app-secrets
+      optional: false
+  
+  # Load all environment variables from a configmap
+  - configMapRef:
+      name: app-config
+      optional: false
+
+# Mount additional configmaps
+configMaps:
+  - name: app-config-files
+    configMapName: application-config
+    mountPath: /etc/app-config
+    readOnly: true
diff --git a/charts/api-deployment/values.yaml b/charts/api-deployment/values.yaml
@@ -97,9 +97,43 @@ args: []
 
 config: {}
 
-gcp:
-  serviceAccount: ""
-  projectID: ""
+env: []
+  # - name: MY_STATIC_VAR
+  #   value: "my_value"
+  # - name: MY_CONFIG_VAR
+  #   valueFrom:
+  #     configMapKeyRef:
+  #       name: my-configmap
+  #       key: config-key
+  #       optional: false
+  # - name: MY_SECRET_VAR
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: my-secret
+  #       key: secret-key
+  #       optional: false
+
+envFrom: []
+  # - configMapRef:
+  #     name: my-configmap
+  #     optional: false
+  # - secretRef:
+  #     name: my-secret
+  #     optional: false
+
+secrets: []
+  # - name: cert-secret
+  #   secretName: my-certificate-secret
+  #   mountPath: /etc/certs
+  #   readOnly: true
+  #   optional: false
+
+configMaps: []
+  # - name: app-config
+  #   configMapName: my-app-config
+  #   mountPath: /etc/config
+  #   readOnly: true
+  #   optional: false
 
 volume:
   data:
