fix: move api key from configmap to secret

charts/gpu-metrics-exporter/templates/daemonset.yaml

@@ -78,6 +78,11 @@ spec:
           env:
             - name: "DCGM_HOST"
               value: "localhost"
+            - name: "API_KEY"
+              valueFrom:
+                  secretKeyRef:
+                    name: {{ include "gpu-metrics-exporter.fullname" . }}
+                    key: API_KEY
           {{- end }}
           resources:
             {{- toYaml .Values.gpuMetricsExporter.resources | nindent 12 }}

charts/gpu-metrics-exporter/templates/move-api-key-to-secret.yaml

@@ -0,0 +1,43 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: migrate-configmap-to-secret
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 0
+  template:
+    spec:
+      serviceAccountName: {{ include "gpu-metrics-exporter.serviceAccountName" . }}
+      containers:
+        - name: migrate
+          image: alpine/k8s:1.31.0
+          command:
+            - /bin/sh
+            - -c
+            - |
+              configmap_data=$(kubectl get configmap ${CONFIGMAP_NAME} -o json)
+
+              if echo $configmap_data | jq -e '.data["API_KEY"]' > /dev/null; then
+                secret_value=$(echo $configmap_data | jq -r '.data["API_KEY"]')
+
+                kubectl create secret generic {{ include "gpu-metrics-exporter.fullname" . }} -n {{ .Release.Namespace }} \
+                  --from-literal=API_KEY=$secret_value \
+                  --dry-run=client -o yaml | kubectl apply -f -
+
+                kubectl patch configmap {{ include "gpu-metrics-exporter.config-map" . }} -n {{ .Release.Namespace }} \
+                  --type=json -p='[{"op": "remove", "path": "/data/API_KEY"}]'
+
+                kubectl rollout restart daemonset/{{ include "gpu-metrics-exporter.fullname" . }} -n {{ .Release.Namespace }}
+              else
+                echo "API_KEY not found in the ConfigMap. Skipping migration."
+              fi
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+      restartPolicy: Never

charts/gpu-metrics-exporter/templates/rbac.yaml

@@ -26,6 +26,29 @@ rules:
   verbs:
   - get
   - list
+- apiGroups:
+    - ""
+  resources:
+    - configmaps
+  verbs:
+    - get
+    - list
+    - patch
+- apiGroups:
+    - ""
+  resources:
+    - secrets
+  verbs:
+    - get
+    - update
+    - patch
+- apiGroups:
+    - apps
+  resources:
+    - daemonsets
+  verbs:
+    - get
+    - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

charts/gpu-metrics-exporter/templates/secret.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gpu-metrics-exporter.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "gpu-metrics-exporter.labels" . | nindent 4 }}
+data:
+{{- if and .Values.castai (not (empty .Values.castai.apiKey)) }}
+  API_KEY: {{ .Values.castai.apiKey | b64enc | quote }}
+{{- else }}
+  API_KEY: ""
+{{- end }}

charts/gpu-metrics-exporter/values.yaml

@@ -6,6 +6,9 @@ serviceAccount:
   automount: true
   annotations: {}
 
+castai:
+  apiKey: ""
+
 gpuMetricsExporter:
   image:
     repository: ghcr.io/castai/gpu-metrics-exporter/gpu-metrics-exporter