Zipstack
diff --git a/‎docs/ADRs/001-helm-values-manager.md‎
Lines changed: 134 additions & 99 deletions b/‎docs/ADRs/001-helm-values-manager.md‎
Lines changed: 134 additions & 99 deletions
diff --git a/‎docs/Design/architecture-overview.md‎
Lines changed: 64 additions & 36 deletions b/‎docs/Design/architecture-overview.md‎
Lines changed: 64 additions & 36 deletions
@@ -9,7 +9,7 @@ Managing configurations and secrets across multiple Kubernetes deployments is a
 Key challenges include:
 - Ensuring configurations remain consistent across different environments (e.g., dev, staging, production).
 - Managing sensitive values securely using external secret management systems.
-- Automating the generation of `values.yaml` while integrating with GitOps tools like ArgoCD.
+- Automating the generation of `values.json` while integrating with GitOps tools like ArgoCD.
 - Providing a user-friendly CLI that integrates well with Helm workflows.
 
 ## Decision
@@ -22,110 +22,145 @@ We have decided to implement the **Helm Values Manager** as a **Helm plugin writ
 4. **Secret Storage Abstraction:** Securely manages sensitive values by integrating with AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault.
 5. **CLI-Based Approach:** Interactive commands for managing configurations and secrets.
 6. **Autocomplete Support:** Smooth CLI experience.
-7. **ArgoCD Compatibility:** Generates `values.yaml` dynamically for GitOps workflows.
+7. **ArgoCD Compatibility:** Generates `values.json` dynamically for GitOps workflows.
+8. **JSON for Configuration:** Using JSON for configuration files provides better schema validation and consistent parsing across different platforms.
 
-## YAML Structure
+## Configuration Structure
 
 The configuration follows this structure:
 
-```yaml
-version: "1.0"  # Schema version
-release: my-release
-
-deployments:
-  dev:
-    secrets_backend: aws_secrets_manager
-    secrets_config:
-      region: us-west-2
-      secret_prefix: "/dev/myapp/"
-      auth:
-        type: env  # Use AWS environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
-        # Alternative: type: file, path: "~/.aws/credentials"
-        # Alternative: type: direct
-        #             access_key_id: "AKIA..."
-        #             secret_access_key: "xyz..."
-
-  staging:
-    secrets_backend: google_secret_manager
-    secrets_config:
-      project_id: "my-gcp-project"
-      secret_prefix: "myapp-staging-"
-      auth:
-        type: file
-        path: "/path/to/gcp-service-account.json"
-        # Alternative: type: env, credential_env: "GOOGLE_APPLICATION_CREDENTIALS"
-        # Alternative: type: direct
-        #             credentials_json: "{...}"
-
-  prod:
-    secrets_backend: azure_key_vault
-    secrets_config:
-      vault_url: "https://my-prod-vault.vault.azure.net"
-      auth:
-        type: managed_identity  # Use Azure Managed Identity
-        # Alternative: type: service_principal
-        #             tenant_id: "${AZURE_TENANT_ID}"
-        #             client_id: "${AZURE_CLIENT_ID}"
-        #             client_secret: "${AZURE_CLIENT_SECRET}"
-
-  local:
-    secrets_backend: git_secret
-    secrets_config:
-      gpg_key: "${GPG_KEY}"  # GPG key for decryption
-      secret_files_path: "./.gitsecret"  # Path to git-secret files
-      auth:
-        type: file
-        path: "~/.gnupg/secring.gpg"
-        # Alternative: type: env
-        #             passphrase_env: "GIT_SECRET_PASSPHRASE"
-        # Alternative: type: direct
-        #             passphrase: "your-passphrase"
-
-config:
-  - key: DATABASE_URL
-    path: global.database.url
-    description: "Database connection string for the application"
-    required: true
-    sensitive: true
-    values:
-      dev: "mydb://dev-connection"
-      staging: "mydb://staging-connection"
-      prod: "mydb://prod-connection"
-      local: "mydb://localhost"
-
-  - key: LOG_LEVEL
-    path: global.logging.level
-    description: "Application logging verbosity level"
-    required: false
-    sensitive: false
-    values:
-      dev: "debug"
-      staging: "info"
-      prod: "warn"
-      local: "debug"
+```json
+{
+  "version": "1.0",
+  "release": "my-release",
+  "deployments": {
+    "dev": {
+      "secrets_backend": "aws_secrets_manager",
+      "secrets_config": {
+        "region": "us-west-2",
+        "secret_prefix": "/dev/myapp/",
+        "auth": {
+          "type": "env"
+        }
+      }
+    },
+    "staging": {
+      "secrets_backend": "google_secret_manager",
+      "secrets_config": {
+        "project_id": "my-gcp-project",
+        "secret_prefix": "myapp-staging-",
+        "auth": {
+          "type": "file",
+          "path": "/path/to/gcp-service-account.json"
+        }
+      }
+    },
+    "prod": {
+      "secrets_backend": "azure_key_vault",
+      "secrets_config": {
+        "vault_url": "https://my-prod-vault.vault.azure.net",
+        "auth": {
+          "type": "managed_identity"
+        }
+      }
+    },
+    "local": {
+      "secrets_backend": "git_secret",
+      "secrets_config": {
+        "gpg_key": "${GPG_KEY}",
+        "secret_files_path": "./.gitsecret",
+        "auth": {
+          "type": "file",
+          "path": "~/.gnupg/secring.gpg"
+        }
+      }
+    }
+  },
+  "config": [
+    {
+      "path": "global.database.url",
+      "description": "Database connection string for the application",
+      "required": true,
+      "sensitive": true,
+      "values": {
+        "dev": "mydb://dev-connection",
+        "staging": "mydb://staging-connection",
+        "prod": "mydb://prod-connection",
+        "local": "mydb://localhost"
+      }
+    },
+    {
+      "path": "global.logging.level",
+      "description": "Application logging verbosity level",
+      "required": false,
+      "sensitive": false,
+      "values": {
+        "dev": "DEBUG",
+        "staging": "INFO",
+        "prod": "WARN",
+        "local": "DEBUG"
+      }
+    }
+  ]
+}
 ```
 
-### Secret Backend Configuration
-
-The configuration supports multiple secret backend types with flexible authentication methods:
-
-1. **Authentication Methods**:
-   - `env`: Use environment variables
-   - `file`: Use credential files
-   - `direct`: Direct credential specification (not recommended for production)
-   - `managed_identity`: For cloud-native authentication (Azure)
-
-2. **Supported Secret Backends**:
-   - AWS Secrets Manager
-   - Google Secret Manager
-   - Azure Key Vault
-   - git-secret (for local development)
-
-3. **Authentication Patterns**:
-   - Environment variables for cloud credentials
-   - Credential files for service accounts
-   - Direct credentials (development only)
-   - Managed identities for cloud services
+Alternative authentication configurations:
+- AWS:
+  ```json
+  {
+    "type": "file",
+    "path": "~/.aws/credentials"
+  }
+  ```
+  or
+  ```json
+  {
+    "type": "direct",
+    "access_key_id": "AKIA...",
+    "secret_access_key": "xyz..."
+  }
+  ```
+
+- Google Cloud:
+  ```json
+  {
+    "type": "env",
+    "credential_env": "GOOGLE_APPLICATION_CREDENTIALS"
+  }
+  ```
+  or
+  ```json
+  {
+    "type": "direct",
+    "credentials_json": "{...}"
+  }
+  ```
+
+- Azure:
+  ```json
+  {
+    "type": "service_principal",
+    "tenant_id": "${AZURE_TENANT_ID}",
+    "client_id": "${AZURE_CLIENT_ID}",
+    "client_secret": "${AZURE_CLIENT_SECRET}"
+  }
+  ```
+
+- Git Secret:
+  ```json
+  {
+    "type": "env",
+    "passphrase_env": "GIT_SECRET_PASSPHRASE"
+  }
+  ```
+  or
+  ```json
+  {
+    "type": "direct",
+    "passphrase": "your-passphrase"
+  }
+  ```
 
 ## Consequences
 - The project will be built as a Helm plugin with Python as the core language.
 
@@ -7,52 +7,63 @@ Helm Values Manager simplifies **configuration and secret management** across mu
 
 The Helm plugin consists of:
 - **CLI Command Interface (Python Typer-based)**: Handles command execution.
-- **Validation Engine**: Ensures required keys have values for each deployment.
-- **Secret Manager Integration**: Supports AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, and Git-Secrets.
+- **Validation Engine**: Ensures required values have values for each deployment.
+- **Value Storage Backend**: Supports AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, and Git-Secrets.
 - **values.yaml Generator**: Produces the final Helm-compatible values file.
 - **Helm Plugin System**: Integrates seamlessly with Helm commands.
+- **JSON Schema Validation**: Ensures configuration files follow the correct structure.
 
-## Configuration YAML Structure
-
-```yaml
-release: my-release
-
-deployments:
-  dev:
-    secrets_backend: aws_secrets_manager
-  prod:
-    secrets_backend: azure_key_vault
-
-config:
-  - key: DATABASE_URL
-    path: global.database.url
-    required: true
-    sensitive: true
-    values:
-      dev: "mydb://dev-connection"
-      prod: "mydb://prod-connection"
-  - key: LOG_LEVEL
-    path: global.logging.level
-    required: false
-    sensitive: false
-    values:
-      dev: "debug"
-      prod: "warn"
+## Configuration Structure
+
+```json
+{
+  "release": "my-release",
+  "deployments": {
+    "dev": {
+      "secrets_backend": "aws_secrets_manager"
+    },
+    "prod": {
+      "secrets_backend": "azure_key_vault"
+    }
+  },
+  "config": [
+    {
+      "path": "global.database.url",
+      "required": true,
+      "sensitive": true,
+      "values": {
+        "dev": "mydb://dev-connection",
+        "prod": "mydb://prod-connection"
+      }
+    },
+    {
+      "path": "global.logging.level",
+      "required": false,
+      "sensitive": false,
+      "values": {
+        "dev": "DEBUG",
+        "prod": "WARN"
+      }
+    }
+  ]
+}
 ```
 
-## Secret Manager Extensibility
+## Value Backend Extensibility
 Implemented using **Abstract Base Class (ABC)**:
 
 ```python
 from abc import ABC, abstractmethod
 
-class SecretManager(ABC):
+class ValueBackend(ABC):
     @abstractmethod
-    def get_secret(self, secret_name: str) -> str:
+    def get_value(self, path: str, environment: str) -> str:
+        """Get a value from the secrets backend."""
         pass
 
     @abstractmethod
-    def store_secret(self, secret_name: str, secret_value: str):
+    def set_value(self, path: str, environment: str, value: str) -> None:
+        """Set a value in the secrets backend."""
         pass
 ```
 
@@ -61,16 +72,33 @@ class SecretManager(ABC):
 ### Example Commands
 ```sh
 helm values-manager init my-release
-helm values-manager add-key DATABASE_URL --required --sensitive --path=global.database.url
-helm values-manager add-secret DATABASE_URL=mydb://connection --deployment=dev
+helm values-manager add-value --path=global.database.url --required --sensitive
+helm values-manager set-value global.database.url=mydb://connection --deployment=dev
 helm values-manager validate
 helm values-manager generate --deployment=dev
 ```
 
 ## Testing Strategy
 - **Unit Tests:** CLI commands, validation logic, storage handling.
-- **Integration Tests:** Secret manager interactions.
+- **Integration Tests:** Backend interactions and value management.
 - **E2E Tests:** Full workflow validation.
 
+## Implementation Details
+
+### JSON Schema Validation
+- Uses Python's `jsonschema` library for configuration validation
+- Schema version control for backward compatibility
+- Strict validation of required fields and value types
+
+### Value Storage
+- Values stored in JSON format for consistency
+- Supports both plain text and encrypted storage
+- Environment-specific value management
+
+### Security Considerations
+- Sensitive values stored in secure backends
+- Support for various authentication methods
+- No sensitive data in version control
+
 ## Conclusion
-Helm Values Manager is a **secure, scalable, and extensible solution** for Helm-based deployments.
+Helm Values Manager is a **secure, scalable, and extensible solution** for Helm-based deployments, using JSON for consistent configuration management and robust schema validation.