clean up

Signed-off-by: Alan Sherman <[email protected]>

Author: AlanSherman

charts/lfx-service/Chart.yaml

@@ -2,8 +2,8 @@
 # SPDX-License-Identifier: MIT
 ---
 apiVersion: v2
-name: lfx-v2-service-base
+name: lfx-service
 description: LFX Service v2 Helm chart
 type: application
-version: 0.1.0
+version: 1.0.0
 icon: https://github.com/linuxfoundation/lfx-v2-helm/raw/main/img/lfx-logo-color.svg

charts/lfx-service/README.md

@@ -244,45 +244,6 @@ nats:
   annotations: {}
 ```
 
-### External Secrets
-
-Integrates with AWS Secrets Manager (requires `global.awsRegion`):
-
-```yaml
-externalSecrets:
-  enabled: false
-  
-  # SecretStore configuration
-  secretStore:
-    name: ""                     # Defaults to "{release-name}-secret-store"
-    labels: {}
-    annotations: {}
-  
-  # ExternalSecret configuration
-  name: ""                       # Defaults to "{release-name}-external-secret"
-  refreshInterval: "1h"
-  labels: {}
-  annotations: {}
-  
-  # Target secret configuration
-  target:
-    creationPolicy: "Owner"
-    deletionPolicy: "Retain"
-    template: {}
-  
-  # Individual secret mappings
-  data:
-    - secretKey: database-password
-      remoteRef:
-        key: /app/database
-        property: password
-  
-  # Bulk secret import (use either data OR dataFrom)
-  dataFrom:
-    - extract:
-        key: /app/all-secrets
-```
-
 ### Horizontal Pod Autoscaler
 
 Configures automatic scaling based on metrics:
@@ -311,6 +272,58 @@ podDisruptionBudget:
   annotations: {}
 ```
 
+### External Secrets Operator
+
+Integrates with AWS Secrets Manager (requires `global.awsRegion`):
+
+```yaml
+externalSecretsOperator:
+  enabled: false
+  
+  # SecretStore configuration
+  secretStore:
+    name: ""                     # Defaults to "{release-name}-secret-store"
+    labels: {}
+    annotations: {}
+  
+  # ExternalSecret configuration
+  externalSecret:
+    name: ""                     # Defaults to "{release-name}-external-secret"
+    refreshInterval: "10m"
+    labels: {}
+    annotations: {}
+    
+    # Target secret configuration
+    target:
+      name: ""                   # Defaults to "{release-name}-secrets"
+      creationPolicy: "Owner"
+      deletionPolicy: "Retain"
+      template: {}
+    
+    # Secret data configuration
+    # IMPORTANT: Use EITHER data OR dataFrom, never both
+    # If both are empty, defaults to tag-based discovery
+    
+    # Individual secret mappings
+    data:
+      - secretKey: database-password
+        remoteRef:
+          key: /app/database
+          property: password
+      - secretKey: api-key
+        remoteRef:
+          key: /app/api-credentials
+          property: key
+    
+    # Bulk secret import (alternative to data)
+    dataFrom: []
+      # - extract:
+      #     key: /app/all-secrets
+      # - find:
+      #     name:
+      #       regexp: ".*"
+```
+
 
 ## Values Reference
 
@@ -328,10 +341,10 @@ podDisruptionBudget:
 | `heimdall.enabled` | Enable Heimdall auth | `false` |
 | `ruleSet.enabled` | Create RuleSet | `false` |
 | `nats.kvBuckets` | NATS KV bucket configurations | `[]` |
-| `externalSecrets.enabled` | Enable External Secrets | `false` |
-| `externalSecrets.data` | Individual secret mappings | `[]` |
-| `externalSecrets.dataFrom` | Bulk secret import | `[]` |
-| `externalSecrets.refreshInterval` | Secret refresh interval | `"1h"` |
+| `externalSecretsOperator.enabled` | Enable External Secrets Operator | `false` |
+| `externalSecretsOperator.externalSecret.data` | Individual secret mappings | `[]` |
+| `externalSecretsOperator.externalSecret.dataFrom` | Bulk secret import | `[]` |
+| `externalSecretsOperator.externalSecret.refreshInterval` | Secret refresh interval | `"1h"` |
 | `serviceAccount.awsRoleArn` | AWS IAM role for External Secrets | `""` |
 | `global.awsRegion` | AWS region for External Secrets | `""` (blank for local) |
 | `commonLabels` | Labels applied to all resources | `{}` |

charts/lfx-service/templates/_helpers.tpl

@@ -6,7 +6,7 @@ SPDX-License-Identifier: MIT
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "lfx-v2-service-base.name" -}}
+{{- define "lfx-service.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -15,7 +15,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "lfx-v2-service-base.fullname" -}}
+{{- define "lfx-service.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -31,19 +31,19 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "lfx-v2-service-base.chart" -}}
+{{- define "lfx-service.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 
 {{/*
 Merged labels (standard + chart-wide + resource-specific)
-Usage: {{ include "lfx-v2-service-base.mergedLabels" (dict "context" . "resourceLabels" .Values.service.labels) }}
+Usage: {{ include "lfx-service.mergedLabels" (dict "context" . "resourceLabels" .Values.service.labels) }}
 */}}
-{{- define "lfx-v2-service-base.mergedLabels" -}}
+{{- define "lfx-service.mergedLabels" -}}
 {{- $standardLabels := dict 
-  "helm.sh/chart" (include "lfx-v2-service-base.chart" .context)
-  "app.kubernetes.io/name" (include "lfx-v2-service-base.name" .context)
+  "helm.sh/chart" (include "lfx-service.chart" .context)
+  "app.kubernetes.io/name" (include "lfx-service.name" .context)
   "app.kubernetes.io/instance" .context.Release.Name
   "app.kubernetes.io/managed-by" .context.Release.Service 
 }}
@@ -59,17 +59,17 @@ Usage: {{ include "lfx-v2-service-base.mergedLabels" (dict "context" . "resource
 {{/*
 Selector labels
 */}}
-{{- define "lfx-v2-service-base.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "lfx-v2-service-base.name" . }}
+{{- define "lfx-service.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lfx-service.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "lfx-v2-service-base.serviceAccountName" -}}
+{{- define "lfx-service.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "lfx-v2-service-base.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "lfx-service.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
@@ -78,9 +78,9 @@ Create the name of the service account to use
 
 {{/*
 Merged annotations (chart-wide + resource-specific)
-Usage: {{ include "lfx-v2-service-base.mergedAnnotations" (dict "context" . "resourceAnnotations" .Values.service.annotations) }}
+Usage: {{ include "lfx-service.mergedAnnotations" (dict "context" . "resourceAnnotations" .Values.service.annotations) }}
 */}}
-{{- define "lfx-v2-service-base.mergedAnnotations" -}}
+{{- define "lfx-service.mergedAnnotations" -}}
 {{- $commonAnnotations := .context.Values.commonAnnotations | default dict }}
 {{- $resourceAnnotations := .resourceAnnotations | default dict }}
 {{- $merged := mergeOverwrite $commonAnnotations $resourceAnnotations }}
@@ -93,22 +93,22 @@ Usage: {{ include "lfx-v2-service-base.mergedAnnotations" (dict "context" . "res
 {{/*
 Get the image tag
 */}}
-{{- define "lfx-v2-service-base.imageTag" -}}
+{{- define "lfx-service.imageTag" -}}
 {{- .Values.image.tag | default .Chart.AppVersion }}
 {{- end }}
 
 
 {{/*
 Get the default hostname for HTTPRoute
 */}}
-{{- define "lfx-v2-service-base.defaultHostname" -}}
+{{- define "lfx-service.defaultHostname" -}}
 {{- printf "lfx-api.%s" .Values.global.domain }}
 {{- end }}
 
 {{/*
 Generate Heimdall rule execute section
 */}}
-{{- define "lfx-v2-service-base.ruleExecute" -}}
+{{- define "lfx-service.ruleExecute" -}}
 - authenticator: oidc
 - authenticator: anonymous_authenticator
 {{- if .Values.ruleSet.useOidcContextualizer }}
@@ -141,32 +141,32 @@ Generate Heimdall rule execute section
 {{/*
 Create the name of the secret store to use
 */}}
-{{- define "lfx-v2-service-base.secretStoreName" -}}
-{{- if .Values.externalSecrets.secretStore.name }}
-{{- .Values.externalSecrets.secretStore.name }}
+{{- define "lfx-service.secretStoreName" -}}
+{{- if .Values.externalSecretsOperator.secretStore.name }}
+{{- .Values.externalSecretsOperator.secretStore.name }}
 {{- else }}
-{{- printf "%s-secret-store" (include "lfx-v2-service-base.fullname" .) }}
+{{- printf "%s-secret-store" (include "lfx-service.fullname" .) }}
 {{- end }}
 {{- end }}
 
 {{/*
 Create the name of the external secret to use
 */}}
-{{- define "lfx-v2-service-base.externalSecretName" -}}
-{{- if .Values.externalSecrets.name }}
-{{- .Values.externalSecrets.name }}
+{{- define "lfx-service.externalSecretName" -}}
+{{- if .Values.externalSecretsOperator.externalSecret.name }}
+{{- .Values.externalSecretsOperator.externalSecret.name }}
 {{- else }}
-{{- printf "%s-external-secret" (include "lfx-v2-service-base.fullname" .) }}
+{{- printf "%s-external-secret" (include "lfx-service.fullname" .) }}
 {{- end }}
 {{- end }}
 
 {{/*
 Create the name of the secret to use
 */}}
-{{- define "lfx-v2-service-base.secretName" -}}
-{{- if .Values.externalSecrets.secret.name }}
-{{- .Values.externalSecrets.secret.name }}
+{{- define "lfx-service.secretName" -}}
+{{- if .Values.externalSecretsOperator.externalSecret.target.name }}
+{{- .Values.externalSecretsOperator.externalSecret.target.name }}
 {{- else }}
-{{- printf "%s-secrets" (include "lfx-v2-service-base.fullname" .) }}
+{{- printf "%s-secrets" (include "lfx-service.fullname" .) }}
 {{- end }}
 {{- end }}

charts/lfx-service/templates/deployment.yaml

@@ -4,11 +4,11 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "lfx-v2-service-base.fullname" . }}
+  name: {{ include "lfx-service.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    {{- include "lfx-v2-service-base.mergedLabels" (dict "context" . "resourceLabels" .Values.deployment.labels) | nindent 4 }}
-  {{- $annotations := include "lfx-v2-service-base.mergedAnnotations" (dict "context" . "resourceAnnotations" .Values.deployment.annotations) }}
+    {{- include "lfx-service.mergedLabels" (dict "context" . "resourceLabels" .Values.deployment.labels) | nindent 4 }}
+  {{- $annotations := include "lfx-service.mergedAnnotations" (dict "context" . "resourceAnnotations" .Values.deployment.annotations) }}
   {{- if $annotations }}
   annotations:
     {{- $annotations | nindent 4 }}
@@ -17,22 +17,22 @@ spec:
   replicas: {{ .Values.deployment.replicaCount }}
   selector:
     matchLabels:
-      {{- include "lfx-v2-service-base.selectorLabels" . | nindent 6 }}
+      {{- include "lfx-service.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       labels:
-        {{- include "lfx-v2-service-base.selectorLabels" . | nindent 8 }}
+        {{- include "lfx-service.selectorLabels" . | nindent 8 }}
         {{- with .Values.commonLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{- $annotations := include "lfx-v2-service-base.annotations" . }}
+      {{- $annotations := include "lfx-service.mergedAnnotations" (dict "context" . "resourceAnnotations" .Values.deployment.annotations) }}
       {{- if $annotations }}
       annotations:
         {{- $annotations | nindent 8 }}
       {{- end }}
     spec:
       {{- if .Values.serviceAccount.create }}
-      serviceAccountName: {{ include "lfx-v2-service-base.serviceAccountName" . }}
+      serviceAccountName: {{ include "lfx-service.serviceAccountName" . }}
       {{- end }}
       {{- with .Values.deployment.nodeSelector }}
       nodeSelector:
@@ -48,7 +48,7 @@ spec:
       {{- end }}
       containers:
         - name: app
-          image: "{{ .Values.image.repository }}:{{ include "lfx-v2-service-base.imageTag" . }}"
+          image: "{{ .Values.image.repository }}:{{ include "lfx-service.imageTag" . }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           {{- with .Values.deployment.securityContext }}
           securityContext: