diff --git a/charts/sda-svc/Chart.yaml b/charts/sda-svc/Chart.yaml
index 472878aad..1630e2775 100644
--- a/charts/sda-svc/Chart.yaml
+++ b/charts/sda-svc/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: sda-svc
-version: 0.29.0
+version: 0.30.0
 appVersion: v0.3.170
 kubeVersion: '>= 1.26.0'
 description: Components for Sensitive Data Archive (SDA) installation
diff --git a/charts/sda-svc/README.md b/charts/sda-svc/README.md
index a184b3d40..1921bbf12 100644
--- a/charts/sda-svc/README.md
+++ b/charts/sda-svc/README.md
@@ -123,7 +123,9 @@ Parameter | Description | Default
 `global.doa.outbox.s3AccessKey` | Outbox S3 Access Key | `null`
 `global.doa.outbox.s3SecretKey` | Outbox S3 Secret key | `null`
 `global.download.enabled` | Deploy the download service | `true`
-`global.download.serveUnencryptedData` | Whether the download service serves unencrypted data | `false`
+`global.download.serveDecrypted` | If non-empty, the download service will serve decrypted data | `{}`
+`global.download.serveDecrypted.c4ghKeyFile` | Transient private C4GH key | `""`
+`global.download.serveDecrypted.secretName` | Secret holding the transient private C4GH key | `""`
 `global.download.sessionExpiration` | Session key expiration time in seconds | `28800`
 `global.download.trusted.configPath` | Path to the ISS config file | `$secrets/iss`
 `global.download.trusted.configFile` | Name of ISS config file | `iss.json`
diff --git a/charts/sda-svc/templates/download-deploy.yaml b/charts/sda-svc/templates/download-deploy.yaml
index e941df359..0b42e7249 100644
--- a/charts/sda-svc/templates/download-deploy.yaml
+++ b/charts/sda-svc/templates/download-deploy.yaml
@@ -140,9 +140,14 @@ spec:
 - name: LOG_LEVEL
 value: {{ .Values.global.log.level | quote }}
 {{- end }}
- {{- if .Values.global.download.serveUnencryptedData }}
- - name: APP_SERVEUNENCRYPTEDDATA
- value: {{ .Values.global.download.serveUnencryptedData }}
+ {{- if .Values.global.download.serveDecrypted }}
+ - name: APP_C4GHPRIVATEKEYPATH
+ value: {{ template "c4ghPath" . }}/{{ .Values.global.download.serveDecrypted.c4ghKeyFile }}
+ - name: APP_C4GHPASSPHRASE
+ valueFrom:
+ secretKeyRef:
+ name: {{ required "A secret for the transient c4gh key is required" .Values.global.download.serveDecrypted.secretName }}
+ key: passphrase
 {{- end }}
 {{- if .Values.global.tls.enabled }}
 - name: APP_PORT
@@ -223,9 +228,11 @@ spec:
 resources:
 {{ toYaml .Values.download.resources | trim | indent 10 }}
 volumeMounts:
- {{- if not .Values.global.vaultSecrets }}
- - name: c4gh
+ {{- if .Values.global.download.serveDecrypted }}
+ - name: c4gh-transient
 mountPath: {{ template "c4ghPath" . }}
+ {{- end }}
+ {{- if not .Values.global.vaultSecrets }}
 - name: iss
 mountPath: {{ template "trustedIssPath" . }}
 {{- end }}
@@ -250,14 +257,16 @@ spec:
 secretName: {{ required "An certificate issuer or a TLS secret name is required for download" .Values.download.tls.secretName }}
 {{- end }}
 {{- end }}
- {{- if not .Values.global.vaultSecrets }}
- - name: c4gh
+ {{- if .Values.global.download.serveDecrypted }}
+ - name: c4gh-transient
 secret:
 defaultMode: 0440
- secretName: {{ required "A secret for the c4gh key is required" .Values.global.c4gh.secretName }}
+ secretName: {{ required "A secret for the transient c4gh key is required" .Values.global.download.serveDecrypted.secretName }}
 items:
- - key: {{ .Values.global.c4gh.keyFile }}
- path: {{ .Values.global.c4gh.keyFile }}
+ - key: {{ .Values.global.download.serveDecrypted.c4ghKeyFile }}
+ path: {{ .Values.global.download.serveDecrypted.c4ghKeyFile }}
+ {{- end }}
+ {{- if not .Values.global.vaultSecrets }}
 - name: iss
 secret:
 defaultMode: 0440
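Review bot: The `APP_C4GHPRIVATEKEYPATH` value is built from `serveDecrypted.c4ghKeyFile` with no `required` guard, while the secret name a few lines below has one; the README hunk documents `c4ghKeyFile` as defaulting to `""`, so a values file that sets only `secretName` renders a path ending in `/` here and, in the third hunk, a volume `items` entry with an empty `key` and `path`. Suggested line: `value: {{ template "c4ghPath" . }}/{{ required "A transient c4gh key file name is required" .Values.global.download.serveDecrypted.c4ghKeyFile }}`. The passphrase lookup hard-codes the secret key `passphrase`, which neither new README row mentions; the `serveDecrypted.secretName` row should state that the secret must hold both the key file entry and a `passphrase` entry, since a missing entry only surfaces as a container start failure rather than at template rendering. The `env:` list this sits in starts before the hunk.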
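Review bot: The `c4gh-transient` mount in the second hunk and the matching volume in the third are gated only on `serveDecrypted`, whereas the `c4gh` volume they replace was gated on `not .Values.global.vaultSecrets`; if the Vault integration supplies the transient key the way it supplied the old `c4gh` key, a deployment with `vaultSecrets` set and `serveDecrypted` non-empty now either fails rendering on the `required` secret name or mounts a Kubernetes Secret next to the Vault-injected files. If that is the intended contract, a short template comment on the `if` line, such as `{{- /* the transient c4gh key always comes from a Kubernetes Secret, also when vaultSecrets is set */ }}`, would record it; otherwise the condition in both hunks should be `{{- if and .Values.global.download.serveDecrypted (not .Values.global.vaultSecrets) }}`. The container spec these lists belong to starts before the hunks.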
diff --git a/charts/sda-svc/values.yaml b/charts/sda-svc/values.yaml
index a74bbe93b..a309d72d0 100644
--- a/charts/sda-svc/values.yaml
+++ b/charts/sda-svc/values.yaml
@@ -239,7 +239,7 @@ global:
 iss:
 - iss: "https://login.elixir-czech.org/oidc"
 jku: "https://login.elixir-czech.org/oidc/jwk"
- serveUnencryptedData: false
+ serveDecrypted: {}
 oidc:
 provider: "https://login.elixir-czech.org/oidc/"