store opensearch-dashboards configs in Secret (#426)

opensearch_dashboards.yml contains values like opensearch.password or opensearch_security.openid.client_secret which should be stored in Secrets rather than ConfigMaps. Signed-off-by: Dominik Ruf <[email protected]>
opensearch-project · May 15, 2023 · e6b3eaa · e6b3eaa
1 parent 6fce617
commit e6b3eaa
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 21 deletions.
diff --git a/charts/opensearch-dashboards/CHANGELOG.md b/charts/opensearch-dashboards/CHANGELOG.md
@@ -13,6 +13,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 ### Security
 ---
+## [2.10.1]
+### Added
+### Changed
+store opensearch-dashboards configs in Secret (#426)
+### Deprecated
+### Removed
+### Fixed
+### Security
+---
 ## [2.10.0]
 ### Added
 - Updated OpenSearch Dashboards appVersion to 2.7.0

diff --git a/charts/opensearch-dashboards/Chart.yaml b/charts/opensearch-dashboards/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.10.0
+version: 2.10.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/opensearch-dashboards/templates/configmap.yaml b/charts/opensearch-dashboards/templates/configmap.yaml
diff --git a/charts/opensearch-dashboards/templates/deployment.yaml b/charts/opensearch-dashboards/templates/deployment.yaml
@@ -27,9 +27,9 @@ spec:
         {{- range $key, $value := .Values.podAnnotations }}
         {{ $key }}: {{ $value | quote }}
         {{- end }}
-        {{- /* This forces a restart if the configmap has changed */}}
+        {{- /* This forces a restart if the secret has changed */}}
         {{- if .Values.config }}
-        configchecksum: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
+        configchecksum: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum | trunc 63 }}
         {{- end }}
     spec:
 {{- if .Values.priorityClassName }}
@@ -49,8 +49,8 @@ spec:
         {{- end }}
         {{- if .Values.config }}
         - name: config
-          configMap:
-            name: {{ template "opensearch-dashboards.fullname" . }}-config
+          secret:
+            secretName: {{ template "opensearch-dashboards.fullname" . }}-config
             {{- if .Values.opensearchDashboardsYml.defaultMode }}
             defaultMode: {{ .Values.opensearchDashboardsYml.defaultMode }}
             {{- end }}

diff --git a/charts/opensearch-dashboards/templates/secret.yaml b/charts/opensearch-dashboards/templates/secret.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.config -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "opensearch-dashboards.fullname" . }}-config
+  labels: {{ include "opensearch-dashboards.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+{{- range $secretName, $secretYaml := .Values.config }}
+  {{ $secretName }}: |
+  {{- if eq (kindOf $secretYaml) "map" }}
+    {{- tpl (toYaml $secretYaml) $ | nindent 4 }}
+  {{- else }}
+    {{- tpl $secretYaml $ | nindent 4 -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}