update chart

- add serveDecrypted object variable
- repurpose obsolete c4gh secret logic
- update README

charts/sda-svc/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: sda-svc
-version: 0.29.0
+version: 0.30.0
 appVersion: v0.3.170
 kubeVersion: '>= 1.26.0'
 description: Components for Sensitive Data Archive (SDA) installation

charts/sda-svc/README.md

@@ -123,7 +123,9 @@ Parameter | Description | Default
 `global.doa.outbox.s3AccessKey` | Outbox S3 Access Key | `null`
 `global.doa.outbox.s3SecretKey` | Outbox S3 Secret key | `null`
 `global.download.enabled` | Deploy the download service | `true`
-`global.download.serveUnencryptedData` | Whether the download service serves unencrypted data | `false`
+`global.download.serveDecrypted` | If non-empty, the download service will serve decrypted data | `{}`
+`global.download.serveDecrypted.c4ghKeyFile` | Transient private C4GH key | `""`
+`global.download.serveDecrypted.secretName` | Secret holding the transient private C4GH key | `""`
 `global.download.sessionExpiration` | Session key expiration time in seconds | `28800`
 `global.download.trusted.configPath` | Path to the ISS config file | `$secrets/iss`
 `global.download.trusted.configFile` | Name of ISS config file | `iss.json`

charts/sda-svc/templates/download-deploy.yaml

@@ -140,9 +140,14 @@ spec:
         - name: LOG_LEVEL
           value: {{ .Values.global.log.level | quote }}
       {{- end }}
-      {{- if .Values.global.download.serveUnencryptedData }}
-        - name: APP_SERVEUNENCRYPTEDDATA
-          value: {{ .Values.global.download.serveUnencryptedData }}
+      {{- if .Values.global.download.serveDecrypted }}
+        - name: APP_C4GHPRIVATEKEYPATH
+          value: {{ template "c4ghPath" . }}/{{ .Values.global.download.serveDecrypted.c4ghKeyFile }}
+        - name: APP_C4GHPASSPHRASE
+          valueFrom:
+            secretKeyRef:
+              name: {{ required "A secret for the transient c4gh key is required" .Values.global.download.serveDecrypted.secretName }}
+              key: passphrase
       {{- end }}
       {{- if .Values.global.tls.enabled }}
         - name: APP_PORT
@@ -223,9 +228,11 @@ spec:
         resources:
 {{ toYaml .Values.download.resources | trim | indent 10 }}
         volumeMounts:
-        {{- if not .Values.global.vaultSecrets }}
-        - name: c4gh
+        {{- if .Values.global.download.serveDecrypted }}
+        - name: c4gh-transient
           mountPath: {{ template "c4ghPath" . }}
+        {{- end }}
+        {{- if not .Values.global.vaultSecrets }}
         - name: iss
           mountPath: {{ template "trustedIssPath" . }}
         {{- end }}
@@ -250,14 +257,16 @@ spec:
             secretName: {{ required "An certificate issuer or a TLS secret name is required for download" .Values.download.tls.secretName }}
         {{- end }}
       {{- end }}
-      {{- if not .Values.global.vaultSecrets }}
-        - name: c4gh
+      {{- if .Values.global.download.serveDecrypted }}
+        - name: c4gh-transient
           secret:
             defaultMode: 0440
-            secretName: {{ required "A secret for the c4gh key is required" .Values.global.c4gh.secretName }}
+            secretName: {{ required "A secret for the transient c4gh key is required" .Values.global.download.serveDecrypted.secretName }}
             items:
-            - key: {{ .Values.global.c4gh.keyFile }}
-              path: {{ .Values.global.c4gh.keyFile }}
+            - key: {{ .Values.global.download.serveDecrypted.c4ghKeyFile }}
+              path: {{ .Values.global.download.serveDecrypted.c4ghKeyFile }}
+      {{- end }}
+      {{- if not .Values.global.vaultSecrets }}
         - name: iss
           secret:
             defaultMode: 0440

charts/sda-svc/values.yaml

@@ -239,7 +239,7 @@ global:
       iss:
         - iss: "https://login.elixir-czech.org/oidc"
           jku: "https://login.elixir-czech.org/oidc/jwk"
-    serveUnencryptedData: false
+    serveDecrypted: {}
 
   oidc:
     provider:  "https://login.elixir-czech.org/oidc/"