From 899070d3d13eeb97fc21753203ed0d3668a137b7 Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Mon, 14 Oct 2024 21:02:18 +0100
Subject: [PATCH 1/4] fix(helm chart): service account secrets only includes unique value
- this makes the chart more robust and the behaviour can be determined at template time
- previously, the unique values were removed by kubernetes which made modification difficult
---
 .../speckle-server/templates/_helpers.tpl | 37 +++++++++++++++++++
 .../templates/objects/serviceaccount.yml | 30 +--------------
 .../templates/server/serviceaccount.yml | 30 +--------------
 3 files changed, 39 insertions(+), 58 deletions(-)
diff --git a/utils/helm/speckle-server/templates/_helpers.tpl b/utils/helm/speckle-server/templates/_helpers.tpl
index 0c6516cf96..16755df194 100644
--- a/utils/helm/speckle-server/templates/_helpers.tpl
+++ b/utils/helm/speckle-server/templates/_helpers.tpl
@@ -955,3 +955,40 @@ Generate the environment variables for Speckle server and Speckle objects deploy
 value: "{{ .Values.server.ratelimiting.burst_get_auth }}"
 {{- end }}
 {{- end }}
+
+{{/*
+Generate the secrets to which the service account should allow access for the Speckle server and Speckle objects deployments
+*/}}
+{{- define "server.serviceAccountSecrets" -}}
+{{- $secretNames := list ( default .Values.secretName .Values.db.connectionString.secretName ) }}
+{{- $secretNames := append $secretNames ( default .Values.secretName .Values.redis.connectionString.secretName ) }}
+{{- $secretNames := append $secretNames ( default .Values.secretName .Values.s3.secret_key.secretName ) }}
+{{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.sessionSecret.secretName ) }}
+{{- if .Values.server.auth.google.enabled }}
+  {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.google.clientSecret.secretName ) }}
+{{- end }}
+{{- if .Values.server.auth.github.enabled }}
+  {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.github.clientSecret.secretName ) }}
+{{- end }}
+{{- if .Values.server.auth.azure_ad.enabled }}
+  {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.azure_ad.clientSecret.secretName ) }}
+{{- end }}
+{{- if .Values.server.auth.oidc.enabled }}
+  {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.oidc.clientSecret.secretName ) }}
+{{- end }}
+{{- if .Values.server.email.enabled }}
+  {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.email.password.secretName ) }}
+{{- end }}
+{{- if .Values.server.monitoring.apollo.enabled }}
+  {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.monitoring.apollo.key.secretName ) }}
+{{- end }}
+{{- if .Values.featureFlags.automateModuleEnabled }}
+  {{- $secretNames := append $secretNames "encryption-keys" }}
+{{- end }}
+{{- if .Values.featureFlags.workspaceModuleEnabled }}
+  {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.licenseTokenSecret.secretName ) }}
+{{- end }}
+{{- range $secretName := uniq $secretNames }}
+  - name: {{ $secretName }}
+{{- end }}
+{{- end }}
diff --git a/utils/helm/speckle-server/templates/objects/serviceaccount.yml b/utils/helm/speckle-server/templates/objects/serviceaccount.yml
index ecd4da60fd..6dfcd7316e 100644
--- a/utils/helm/speckle-server/templates/objects/serviceaccount.yml
+++ b/utils/helm/speckle-server/templates/objects/serviceaccount.yml
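Review bot: The conditional appends in the new `server.serviceAccountSecrets` helper use `:=` inside `{{- if }}` blocks, e.g. `{{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.auth.google.clientSecret.secretName ) }}`; in Go text/template, which Helm renders with, `:=` inside an `if` declares a new variable whose scope ends at that block's `{{- end }}`, so the outer `$secretNames` is never updated and the rendered `secrets:` list would appear to contain only the four unconditional entries. Because every `secretName` defaults to `.Values.secretName`, `uniq` collapses the list to a single name in a typical install, which could mask the omission; with `kubernetes.io/enforce-mountable-secrets` set on the service accounts, the admission check that annotation enables would reject pods that reference any optional secret dropped here (OAuth client secrets, the email password, `encryption-keys`). Use assignment in each of the eight conditional branches, `{{- $secretNames = append $secretNames ( ... ) }}`, so the additions survive the block; the same `:=`-inside-`if` pattern is added again for the gendoAI key in PATCH 3/4 and kept by the indentation fix in PATCH 4/4.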
@@ -10,33 +10,5 @@ metadata:
 "kubernetes.io/enforce-mountable-secrets": "true"
 automountServiceAccountToken: false
 secrets:
-  - name: {{ default .Values.secretName .Values.db.connectionString.secretName }}
-  - name: {{ default .Values.secretName .Values.redis.connectionString.secretName }}
-  - name: {{ default .Values.secretName .Values.s3.secret_key.secretName }}
-  - name: {{ default .Values.secretName .Values.server.sessionSecret.secretName }}
-{{- if .Values.server.auth.google.enabled }}
-  - name: {{ default .Values.secretName .Values.server.auth.google.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.github.enabled }}
-  - name: {{ default .Values.secretName .Values.server.auth.github.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.azure_ad.enabled }}
-  - name: {{ default .Values.secretName .Values.server.auth.azure_ad.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.oidc.enabled }}
-  - name: {{ default .Values.secretName .Values.server.auth.oidc.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.email.enabled }}
-  - name: {{ default .Values.secretName .Values.server.email.password.secretName }}
-{{- end }}
-{{- if .Values.server.monitoring.apollo.enabled }}
-  - name: {{ default .Values.secretName .Values.server.monitoring.apollo.key.secretName }}
-{{- end }}
-{{- if .Values.featureFlags.automateModuleEnabled }}
-  - name: encryption-keys
-{{- end }}
-{{- if .Values.featureFlags.workspaceModuleEnabled }}
-  - name: {{ default .Values.secretName .Values.server.licenseTokenSecret.secretName }}
-{{- end }}
-
+{{- include "server.serviceAccountSecrets" $ | indent 2 }}
 {{- end -}}
diff --git a/utils/helm/speckle-server/templates/server/serviceaccount.yml b/utils/helm/speckle-server/templates/server/serviceaccount.yml
index c1895c2332..f1fd318735 100644
--- a/utils/helm/speckle-server/templates/server/serviceaccount.yml
+++ b/utils/helm/speckle-server/templates/server/serviceaccount.yml
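Review bot: Both service-account templates now render one shared allowlist from `server.serviceAccountSecrets` (this file and the identical hunk in server/serviceaccount.yml), and with `"kubernetes.io/enforce-mountable-secrets": "true"` in the surrounding context that `secrets:` list is exactly what the ServiceAccount admission check lets pods using the account reference. Any name added to the shared helper, as PATCH 3/4 does for the gendoAI key, therefore becomes mountable by the objects pods as well as the server pods; if the objects deployment does not need some of these (the OAuth client secrets, for instance), passing a selector into the helper or keeping an objects-specific list would keep each account's allowlist minimal. The `{{- if }}` that the trailing `{{- end -}}` closes begins outside the hunk.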
@@ -10,33 +10,5 @@ metadata:
 "kubernetes.io/enforce-mountable-secrets": "true"
 automountServiceAccountToken: false
 secrets:
-  - name: {{ default .Values.secretName .Values.db.connectionString.secretName }}
-  - name: {{ default .Values.secretName .Values.redis.connectionString.secretName }}
-  - name: {{ default .Values.secretName .Values.s3.secret_key.secretName }}
-  - name: {{ default .Values.secretName .Values.server.sessionSecret.secretName }}
-{{- if .Values.server.auth.google.enabled }}
-  - name: {{ default .Values.secretName .Values.server.auth.google.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.github.enabled }}
-  - name: {{ default .Values.secretName .Values.server.auth.github.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.azure_ad.enabled }}
-  - name: {{ default .Values.secretName .Values.server.auth.azure_ad.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.auth.oidc.enabled }}
-  - name: {{ default .Values.secretName .Values.server.auth.oidc.clientSecret.secretName }}
-{{- end }}
-{{- if .Values.server.email.enabled }}
-  - name: {{ default .Values.secretName .Values.server.email.password.secretName }}
-{{- end }}
-{{- if .Values.server.monitoring.apollo.enabled }}
-  - name: {{ default .Values.secretName .Values.server.monitoring.apollo.key.secretName }}
-{{- end }}
-{{- if .Values.featureFlags.automateModuleEnabled }}
-  - name: encryption-keys
-{{- end }}
-{{- if .Values.featureFlags.workspaceModuleEnabled }}
-  - name: {{ default .Values.secretName .Values.server.licenseTokenSecret.secretName }}
-{{- end }}
-
+{{- include "server.serviceAccountSecrets" $ | indent 2 }}
 {{- end -}}
From 45755e31dab602b143172a35cb2c7019c1831b07 Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Tue, 15 Oct 2024 12:39:17 +0100
Subject: [PATCH 2/4] Revert "Revert "fix(helm chart): service account secrets only includes unique value (#3275)" (#3289)"
This reverts commit b85cfe44ad1c990514c6379b86fc160847c00a60.
---
 utils/helm/speckle-server/templates/_helpers.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/helm/speckle-server/templates/_helpers.tpl b/utils/helm/speckle-server/templates/_helpers.tpl
index 16755df194..bf3cfbf48a 100644
--- a/utils/helm/speckle-server/templates/_helpers.tpl
+++ b/utils/helm/speckle-server/templates/_helpers.tpl
@@ -989,6 +989,6 @@ Generate the secrets to which the service account should allow access for the Sp
 {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.licenseTokenSecret.secretName ) }}
 {{- end }}
 {{- range $secretName := uniq $secretNames }}
-  - name: {{ $secretName }}
+- name: {{ $secretName }}
 {{- end }}
 {{- end }}
From cf006f03d747527ae5f5c78a3f201b615996f8d8 Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Tue, 26 Nov 2024 17:03:08 +0000
Subject: [PATCH 3/4] Include gendoai
---
 utils/helm/speckle-server/templates/_helpers.tpl | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/utils/helm/speckle-server/templates/_helpers.tpl b/utils/helm/speckle-server/templates/_helpers.tpl
index 2f38c6fdea..2fb6207570 100644
--- a/utils/helm/speckle-server/templates/_helpers.tpl
+++ b/utils/helm/speckle-server/templates/_helpers.tpl
@@ -1099,6 +1099,9 @@ Generate the secrets to which the service account should allow access for the Sp
 {{- if .Values.featureFlags.workspacesMultiRegionEnabled }}
 {{- $secretNames := append $secretNames ( default .Values.secretName .Values.multiRegion.config.secretName ) }}
 {{- end }}
+{{- if .Values.featureFlags.gendoAIModuleEnabled }}
+{{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.gendoAI.key.secretName ) }}
+{{- end }}
 {{- range $secretName := uniq $secretNames }}
 - name: {{ $secretName }}
 {{- end }}
From e37cdb91a35333ac6e3b3a4aca08c64614b0c495 Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Tue, 26 Nov 2024 17:04:48 +0000
Subject: [PATCH 4/4] Fix indentation
---
 utils/helm/speckle-server/templates/_helpers.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/helm/speckle-server/templates/_helpers.tpl b/utils/helm/speckle-server/templates/_helpers.tpl
index 2fb6207570..32e6046bfa 100644
--- a/utils/helm/speckle-server/templates/_helpers.tpl
+++ b/utils/helm/speckle-server/templates/_helpers.tpl
@@ -1100,7 +1100,7 @@ Generate the secrets to which the service account should allow access for the Sp
 {{- $secretNames := append $secretNames ( default .Values.secretName .Values.multiRegion.config.secretName ) }}
 {{- end }}
 {{- if .Values.featureFlags.gendoAIModuleEnabled }}
-{{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.gendoAI.key.secretName ) }}
+  {{- $secretNames := append $secretNames ( default .Values.secretName .Values.server.gendoAI.key.secretName ) }}
 {{- end }}
 {{- range $secretName := uniq $secretNames }}
 - name: {{ $secretName }}