From b5cd44faef59689e34ec7d65f1ca3039de219440 Mon Sep 17 00:00:00 2001
From: Sagar2366
Date: Sun, 11 Sep 2022 11:28:32 +0530
Subject: [PATCH 1/3] Use existing betydb password secret
---
 templates/_helpers.tpl | 66 ++++++++++++++++++++++++++++++++---
 templates/deployment.yaml | 5 +++
 templates/hooks/add-user.yaml | 5 +++
 templates/hooks/load-db.yaml | 5 +++
 templates/secrets.yaml | 6 +++-
 values.yaml | 8 +++++
 6 files changed, 89 insertions(+), 6 deletions(-)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index e239785c..5bfb3241 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -66,6 +66,67 @@ postgresql Port {{- end -}} {{- end -}} +{{/* +Get the betydb secret. +*/}} +{{- define "betydb.secretName" -}} +{{- if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "betydb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the betyPassword key. +*/}} +{{- define "betyPassword" -}} +{{- if .Values.auth.existingSecret }} + {{- if .Values.auth.secretKeys.betyPassword }} + {{- printf "%s" (tpl .Values.auth.secretKeys.betyPassword $) -}} + {{- else -}} + {{ .Values.betyPassword | b64enc | quote }} + {{- end -}} +{{- else -}} + {{ .Values.betyPassword | b64enc | quote }} +{{- end -}} +{{- end -}} + +{{/* +Get the betydb password secret name. +*/}} +{{- define "betydb.secretName" -}} +{{- if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "betydb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the betydb Password key. +*/}} +{{- define "betydb.betydbPasswordKey" -}} +{{- if .Values.auth.existingSecret }} + {{- if .Values.auth.secretKeys.betydbPasswordKey }} + {{- printf "%s" (tpl .Values.auth.secretKeys.betydbPasswordKey $) -}} + {{- else -}} + {{- "betyPassword" }} + {{- end -}} +{{- else -}} + {{- "betyPassword" }} +{{- end -}} +{{- end -}} + +{{/* +Return true if a betydb secret object should be created +*/}} +{{- define "betydb.createSecret" -}} +{{- if not (.Values.auth.existingSecret) -}} + {{- true -}} +{{- end -}} +{{- end -}} + {{/* Environment variables for PostgreSQL */}} @@ -94,11 +155,6 @@ Environment variables for BetyDB {{- define "betydb.betydbEnv" -}} - name: BETYUSER value: {{ .Values.betyUser | quote }} -- name: BETYPASSWORD - valueFrom: - secretKeyRef: - name: {{ include "betydb.fullname" . }} - key: betyPassword - name: BETYDATABASE value: {{ .Values.betyDatabase | quote }} - name: LOCAL_SERVER 
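Review bot: The `betyPassword` helper is documented as returning a key name, but both of its fallback branches emit `{{ .Values.betyPassword | b64enc | quote }}`, which is the base64-encoded password itself, and the override it reads (`.Values.auth.secretKeys.betyPassword`) is not a key this patch adds to values.yaml. No template in this patch includes the helper, so it looks like leftover code; removing it avoids someone later wiring it into a `secretKeyRef.key` field, where the encoded password would end up in the rendered pod spec. `betydb.secretName` is also defined twice with identical bodies in this hunk, and one definition is enough.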
diff --git a/templates/deployment.yaml b/templates/deployment.yaml index b9027786..4586724d 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -66,6 +66,11 @@ spec: value: {{ .Values.ingress.path | default "" | trimSuffix "/" | quote }} - name: RAILS_LOG_TO_STDOUT value: "true" + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "betydb.secretName" . }} + key: {{ include "betydb.betydbPasswordKey" . }} {{- include "betydb.postgresqlEnv" . | nindent 12 }} {{- include "betydb.betydbEnv" . | nindent 12 }} {{- if .Values.customization }} diff --git a/templates/hooks/add-user.yaml b/templates/hooks/add-user.yaml index df160cbe..189a0df4 100644 --- a/templates/hooks/add-user.yaml +++ b/templates/hooks/add-user.yaml @@ -64,6 +64,11 @@ spec: - {{ .data | quote }} - {{ .page | quote }} env: + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "betydb.secretName" . }} + key: {{ include "betydb.betydbPasswordKey" . }} {{- $pgenv | nindent 12 }} {{- $betyenv | nindent 12 }} {{- end }} diff --git a/templates/hooks/load-db.yaml b/templates/hooks/load-db.yaml index e6e244db..3f843c5b 100644 --- a/templates/hooks/load-db.yaml +++ b/templates/hooks/load-db.yaml @@ -57,6 +57,11 @@ spec: imagePullPolicy: Always {{- end }} env: + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "betydb.secretName" . }} + key: {{ include "betydb.betydbPasswordKey" . }} {{- include "betydb.postgresqlEnv" . | nindent 12 }} {{- include "betydb.betydbEnv" . | nindent 12 }} {{- end }} diff --git a/templates/secrets.yaml b/templates/secrets.yaml index 70d0e937..2cb2f75a 100644 --- a/templates/secrets.yaml +++ b/templates/secrets.yaml 
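Review bot: In templates/hooks/add-user.yaml the new `include "betydb.secretName" .` and `include "betydb.betydbPasswordKey" .` calls pass `.`, but the neighbouring lines read `.data` and `.page` and use the precomputed `$pgenv`/`$betyenv`, which suggests `.` has been rebound by a `range` or `with` that opens outside the hunk. If that is the case, `.Values.auth` is not reachable from `.` and the hook would likely fail to render. Passing the root context, `name: {{ include "betydb.secretName" $ }}` and `key: {{ include "betydb.betydbPasswordKey" $ }}`, would be consistent with how the other env blocks in this file are captured. The same stanza in deployment.yaml and load-db.yaml sits next to `include ... .` calls, so `.` appears to be the root context there.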
@@ -9,5 +9,9 @@ data: {{- if and (not .Values.postgresql.enabled) .Values.postgresql.postgresqlPassword }} postgresqlPassword: {{ .Values.postgresql.postgresqlPassword | b64enc | quote }} {{- end }} +{{- if .Values.auth.existingSecret }} + {{- if .Values.auth.secretKeys.betydbPasswordKey }} betyPassword: {{ .Values.betyPassword | b64enc | quote }} - secretKey: {{ .Values.secretKey | b64enc | quote }} + {{- end }} +{{- end }} + secretKey: {{ .Values.secretKey | b64enc | quote }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index 13d48931..42f88336 100644 --- a/values.yaml +++ b/values.yaml @@ -181,3 +181,11 @@ affinity: {} ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity hooks: affinity: {} + + +## Use existing bety password as secret +## Create secret pecan-betydb-old with key betyPassword +auth: + existingSecret: + secretKeys: + betydbPasswordKey: "" \ No newline at end of file From 218f323b927f6324b20bcb69ef86cefd5f9b7bfd Mon Sep 17 00:00:00 2001 From: Sagar2366 Date: Sun, 11 Sep 2022 11:32:34 +0530 Subject: [PATCH 2/3] Use existing betydb password secret --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index 42f88336..ba255de2 100644 --- a/values.yaml +++ b/values.yaml @@ -186,6 +186,6 @@ hooks: ## Use existing bety password as secret ## Create secret pecan-betydb-old with key betyPassword auth: - existingSecret: + existingSecret: "" secretKeys: betydbPasswordKey: "" \ No newline at end of file From fb96a86d28193b4ef04cab179deeb9ed958cb32a Mon Sep 17 00:00:00 2001 From: Sagar2366 Date: Mon, 19 Sep 2022 22:02:31 +0530 Subject: [PATCH 3/3] Adding changes to use existing encryption key --- templates/_helpers.tpl | 23 ++++++----------------- templates/deployment.yaml | 4 ++-- templates/secrets.yaml | 8 +++----- values.yaml | 3 ++- 4 files changed, 13 insertions(+), 25 deletions(-) 
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index 5bfb3241..6a5a774b 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -93,28 +93,17 @@ Get the betyPassword key. {{- end -}} {{/* -Get the betydb password secret name. +Get the betydb encryption secret key. */}} -{{- define "betydb.secretName" -}} -{{- if .Values.auth.existingSecret -}} - {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} -{{- else -}} - {{- printf "%s" (include "betydb.fullname" .) -}} -{{- end -}} -{{- end -}} - -{{/* -Get the betydb Password key. -*/}} -{{- define "betydb.betydbPasswordKey" -}} +{{- define "betydb.betydbEncryptionSecretKey" -}} {{- if .Values.auth.existingSecret }} - {{- if .Values.auth.secretKeys.betydbPasswordKey }} - {{- printf "%s" (tpl .Values.auth.secretKeys.betydbPasswordKey $) -}} + {{- if .Values.auth.secretKeys.betydbEncryptionKey }} + {{- printf "%s" (tpl .Values.auth.secretKeys.betydbEncryptionKey $) -}} {{- else -}} - {{- "betyPassword" }} + {{- "secretKey" }} {{- end -}} {{- else -}} - {{- "betyPassword" }} + {{- "secretKey" }} {{- end -}} {{- end -}} diff --git a/templates/deployment.yaml b/templates/deployment.yaml index 4586724d..2207a1c5 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -60,8 +60,8 @@ spec: - name: SECRET_KEY_BASE valueFrom: secretKeyRef: - name: {{ include "betydb.fullname" . }} - key: secretKey + name: {{ include "betydb.secretName" . }} + key: {{ include "betydb.betydbEncryptionSecretKey" . }} - name: RAILS_RELATIVE_URL_ROOT value: {{ .Values.ingress.path | default "" | trimSuffix "/" | quote }} - name: RAILS_LOG_TO_STDOUT diff --git a/templates/secrets.yaml b/templates/secrets.yaml index 2cb2f75a..65084858 100644 --- a/templates/secrets.yaml +++ b/templates/secrets.yaml @@ -1,3 +1,4 @@ +{{- if (include "postgresql.createSecret" .) }} apiVersion: v1 kind: Secret metadata: 
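Review bot: `betydb.betydbPasswordKey` no longer exists after this hunk, yet the BETYPASSWORD entries added to deployment.yaml, hooks/add-user.yaml and hooks/load-db.yaml in patch 1/3 still `include` it and are not touched by this commit, so rendering would fail on the missing template unless it is defined somewhere outside the hunks shown. The encryption-key helper should be added next to the password-key helper rather than replacing it, that is, keep the removed `{{- define "betydb.betydbPasswordKey" -}}` block with its `betyPassword` default. The two branches that both return `"secretKey"` could also be merged into a single `if and .Values.auth.existingSecret .Values.auth.secretKeys.betydbEncryptionKey` test.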
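Review bot: The guard added at the top of templates/secrets.yaml calls `postgresql.createSecret`, while the helper this series defines in _helpers.tpl is `betydb.createSecret`; no `postgresql.createSecret` appears in the hunks shown, so the Secret is either gated by another chart's logic or fails to render. It should presumably read `{{- if (include "betydb.createSecret" .) }}`. The guard also wraps the whole Secret, so with `auth.existingSecret` set the `postgresqlPassword` entry is no longer created either. If the PostgreSQL env block (not visible here) still reads that key from the chart's own Secret, pods would fail to start, so either narrow the guard to the two BetyDB keys or document that the existing Secret must carry every key.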
@@ -9,9 +10,6 @@ data: {{- if and (not .Values.postgresql.enabled) .Values.postgresql.postgresqlPassword }} postgresqlPassword: {{ .Values.postgresql.postgresqlPassword | b64enc | quote }} {{- end }} -{{- if .Values.auth.existingSecret }} - {{- if .Values.auth.secretKeys.betydbPasswordKey }} betyPassword: {{ .Values.betyPassword | b64enc | quote }} - {{- end }} -{{- end }} - secretKey: {{ .Values.secretKey | b64enc | quote }} \ No newline at end of file + secretKey: {{ .Values.secretKey | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/values.yaml b/values.yaml index ba255de2..40e3f1c1 100644 --- a/values.yaml +++ b/values.yaml @@ -188,4 +188,5 @@ hooks: auth: existingSecret: "" secretKeys: - betydbPasswordKey: "" \ No newline at end of file + betydbPasswordKey: "" + betydbEncryptSecretKey: "" \ No newline at end of file
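Review bot: The key added to values.yaml is `betydbEncryptSecretKey`, but the helper added to templates/_helpers.tpl in this commit reads `.Values.auth.secretKeys.betydbEncryptionKey`, so a value set here is ignored and the lookup always falls back to `secretKey`. Use one name in both places, for example `betydbEncryptionKey: ""`. The comment above `auth:` (outside this hunk) mentions only `betyPassword`; since SECRET_KEY_BASE is now read from the existing Secret as well, it would help to add something like `## The existing secret must contain both the BetyDB password and the Rails secret key (default keys: betyPassword, secretKey)`.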