nethermind: adding secret name override

charts/nethermind/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: nethermind
 description: .NET Core Ethereum client
 type: application
-version: 2.5.4
+version: 2.5.5
 appVersion: "v1.27.0"
 icon: https://storage.googleapis.com/stakewise-charts/stakewise.png
 keywords:

charts/nethermind/templates/statefulset.yaml

@@ -114,7 +114,7 @@ spec:
               --JsonRpc.Port={{ .Values.jsonrpc.ports.rest }}
               --JsonRpc.WebSocketsPort={{ .Values.jsonrpc.ports.websocket }}
           {{- end }}
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
               --JsonRpc.JwtSecretFile=/secret/jwtsecret
               --JsonRpc.EnginePort={{ .Values.jsonrpc.engine.port }}
               --JsonRpc.EngineHost={{ .Values.jsonrpc.engine.host }}
@@ -160,7 +160,7 @@ spec:
               containerPort: {{ .Values.jsonrpc.ports.websocket }}
               protocol: TCP
           {{- end }}
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
             - name: engine
               protocol: TCP
               containerPort: {{ .Values.jsonrpc.engine.port }}
@@ -181,13 +181,16 @@ spec:
           volumeMounts:
             - name: data
               mountPath: /data/nethermind
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
             - name: jwtsecret
               mountPath: /secret
               readOnly: true
           {{- end }}
             - name: env-nodeport
               mountPath: /env
+          {{- with .Values.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- if .Values.jsonrpc.enabled }}
@@ -199,11 +202,14 @@ spec:
               value: "{{ .Values.sidecar.bindAddr }}:{{ .Values.sidecar.bindPort }}"
             - name: CLIENT_PORT
               value: {{ .Values.jsonrpc.ports.rest | quote }}
-          {{- if .Values.global.JWTSecret }}
+          {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
             - name: CLIENT_AUTHORIZATIONTYPE
               value: "bearer"
             - name: CLIENT_JWTSECRET
-              value: {{ .Values.global.JWTSecret | quote }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ coalesce .Values.global.secretNameOverride (include "common.names.fullname" .) }}
+                  key: jwtsecret
           {{- end }}
           ports:
             - containerPort: {{ .Values.sidecar.bindPort }}
@@ -235,17 +241,20 @@ spec:
         {{- end }}
       {{- end }}
       volumes:
-        {{- if .Values.global.JWTSecret }}
+        {{- if or .Values.global.JWTSecret .Values.global.secretNameOverride }}
         - name: jwtsecret
           secret:
-            secretName: {{ include "common.names.fullname" . }}
+            secretName: {{ coalesce .Values.global.secretNameOverride (include "common.names.fullname" .) }}
         {{- end }}
         - name: env-nodeport
           emptyDir: {}
 {{- if (not .Values.persistence.enabled) }}
         - name: data
           emptyDir: {}
 {{- else }}
+        {{- with .Values.extraVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
   volumeClaimTemplates:
     - metadata:
         name: data
@@ -261,4 +270,4 @@ spec:
         resources:
           requests:
             storage: {{ .Values.persistence.size | quote }}
-  {{- end }}
+  {{- end }}

charts/nethermind/values.yaml

@@ -16,6 +16,12 @@ global:
   ##
   JWTSecret: ""
 
+  ## If you would like the JSON Web Token (JWT) to be managed by a secert outside
+  ## of this chart, an existing secret name can be passed here. If specified, JWTSecret should not be set. 
+  ## jwtsecret should be the key of the token in the secret.
+  ##
+  secretNameOverride: ""
+
   ## Credentials to fetch images from private registry
   ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
   ##
@@ -405,3 +411,25 @@ metrics:
     ## Custom Prometheus rules
     ##
     rules: []
+
+## Specify extra volumes which can be useful for for things like SecretProviderClass.
+## Useful if secretNameOverride is passed.
+## ref: https://kubernetes.io/docs/concepts/storage/volumes/
+##
+extraVolumes: {}
+# - name: vault
+#   csi:
+#     driver: secrets-store.csi.k8s.io
+#     readOnly: true
+#     volumeAttributes:
+#       secretProviderClass: "nethermind"
+
+## Specify extra volume mounts which can be useful for things like SecretProviderClass.
+## Useful if secretNameOverride is passed.
+## ref: https://kubernetes.io/docs/concepts/storage/volumes/
+##
+extraVolumeMounts: {}
+# An example is listed below on how to specify an extra volume mount using SecretProviderClass
+# - name: 'vault'
+#   mountPath: '/mnt/secrets-store'
+#   readOnly: true