2gis · Ashigo · Jun 18, 2024 · Apr 26, 2024 · Apr 26, 2024 · Apr 27, 2024
diff --git a/charts/keys/Chart.yaml b/charts/keys/Chart.yaml
@@ -4,7 +4,7 @@ type: application
 description: A Helm chart for Kubernetes to deploy API Keys service
 
 version: 1.23.0
-appVersion: 1.79.0
+appVersion: 1.85.2
 
 maintainers:
 - name: 2gis

diff --git a/charts/keys/README.md b/charts/keys/README.md
@@ -31,17 +31,18 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
 | `imagePullSecrets`         | Kubernetes image pull secrets.    | `[]`                           |
 | `imagePullPolicy`          | Pull policy.                      | `IfNotPresent`                 |
 | `backend.image.repository` | Backend service image repository. | `2gis-on-premise/keys-backend` |
-| `backend.image.tag`        | Backend service image tag.        | `1.79.0`                       |
+| `backend.image.tag`        | Backend service image tag.        | `1.85.2`                       |
 | `admin.image.repository`   | Admin service image repository.   | `2gis-on-premise/keys-ui`      |
 | `admin.image.tag`          | Admin service image tag.          | `0.8.0`                        |
 | `redis.image.repository`   | Redis image repository.           | `2gis-on-premise/keys-redis`   |
 | `redis.image.tag`          | Redis image tag.                  | `6.2.6-alpine3.15`             |
 
 ### Flags for enabling/disabling certain features.
 
-| Name                       | Description           | Value   |
-| -------------------------- | --------------------- | ------- |
-| `featureFlags.enableAudit` | Enable audit logging. | `false` |
+| Name                               | Description                             | Value   |
+| ---------------------------------- | --------------------------------------- | ------- |
+| `featureFlags.enableAudit`         | Enable audit logging.                   | `false` |
+| `featureFlags.enablePublicAPISign` | Enable signing responses in Public API. | `false` |
 
 ### Admin service settings
 
@@ -85,6 +86,7 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
 | `api.adminUsers`                            | Usernames and passwords of admin users. Format: `username1:password1,username2:password2`.                                                                                                                                 | `""`            |
 | `api.adminSessionTTL`                       | TTL of the admin users sessions. Duration string is a sequence of decimal numbers with optional fraction and unit suffix, like `100ms`, `2.3h` or `4h35m`. Valid time units are `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. | `336h`          |
 | `api.logLevel`                              | Log level for the service. Can be: `trace`, `debug`, `info`, `warning`, `error`, `fatal`.                                                                                                                                  | `warning`       |
+| `api.signPrivateKey`                        | RSA-PSS 2048 private key (in PKCS#1 format) for signing responses in Public API.                                                                                                                                           | `""`            |
 | `api.replicas`                              | A replica count for the pod.                                                                                                                                                                                               | `1`             |
 | `api.strategy.type`                         | Type of Kubernetes deployment. Can be `Recreate` or `RollingUpdate`.                                                                                                                                                       | `RollingUpdate` |
 | `api.strategy.rollingUpdate.maxUnavailable` | Maximum number of pods that can be created over the desired number of pods when doing [rolling update](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).                   | `0`             |

diff --git a/charts/keys/templates/helpers.tpl b/charts/keys/templates/helpers.tpl
@@ -99,11 +99,20 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- define "keys.env.featureFlags" -}}
 - name: KEYS_FEATURE_FLAGS_AUDIT
   value: "{{ .Values.featureFlags.enableAudit }}"
+- name: KEYS_FEATURE_FLAGS_PUBLIC_API_SIGN
+  value: "{{ .Values.featureFlags.enablePublicAPISign }}"
 {{- end }}
 
 {{- define "keys.env.api" -}}
 - name: KEYS_LOG_LEVEL
   value: "{{ .Values.api.logLevel }}"
+{{- if .Values.featureFlags.enablePublicAPISign }}
+- name: KEYS_SIGN_PRIVATE_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "keys.secret.deploys.name" . }}
+      key: signPrivateKey
+{{- end }}
 {{- end }}
 
 {{- define "keys.env.import" -}}

diff --git a/charts/keys/templates/secret-deploys.yaml b/charts/keys/templates/secret-deploys.yaml
@@ -12,6 +12,9 @@ data:
   dbROPassword:  {{ required "A valid .Values.postgres.ro.password required" .Values.postgres.ro.password | b64enc }}
   dbRWPassword:  {{ required "A valid .Values.postgres.rw.password required" .Values.postgres.rw.password | b64enc }}
   ldapBindPassword: {{ .Values.ldap.bind.password | b64enc }}
+  {{- if .Values.featureFlags.enablePublicAPISign }}
+  signPrivateKey: {{ required "A valid .Values.api.signPrivateKey required" .Values.api.signPrivateKey | b64enc }}
+  {{- end }}
   {{- if .Values.redis.password }}
   redisPassword: {{ .Values.redis.password | b64enc }}
   {{- end }}
diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml
@@ -23,13 +23,15 @@ imagePullPolicy: IfNotPresent
 
 featureFlags:
   # @param featureFlags.enableAudit Enable audit logging.
+  # @param featureFlags.enablePublicAPISign Enable signing responses in Public API.
 
   enableAudit: false
+  enablePublicAPISign: false
 
 backend:
   image:
     repository: 2gis-on-premise/keys-backend
-    tag: 1.79.0
+    tag: 1.85.2
 
 # @section Admin service settings
 
@@ -142,6 +144,14 @@ api:
   # @param api.logLevel Log level for the service. Can be: `trace`, `debug`, `info`, `warning`, `error`, `fatal`.
   logLevel: warning
 
+  # @param api.signPrivateKey RSA-PSS 2048 private key (in PKCS#1 format) for signing responses in Public API.
+
+  signPrivateKey: ''
+  # signPrivateKey: |
+      # -----BEGIN CERTIFICATE-----
+      # ...
+      # -----END CERTIFICATE-----
+
   # @param api.replicas A replica count for the pod.
 
   replicas: 1