Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make unifiedSecret keys configurable, support setting of non-"public" Postgres Schema #126

Closed
wants to merge 8 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions charts/zabbix/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
apiVersion: v2 # Don't change this
name: zabbix
version: 6.0.0 # helm chart version
version: 6.0.1 # helm chart version
# LTS Zabbix version by default due to stability. See: https://www.zabbix.com/life_cycle_and_release_policy
appVersion: 7.0.5 # zabbix version
description: Zabbix is a mature and effortless enterprise-class open source monitoring solution for network monitoring and application monitoring of millions of metrics.
Expand All @@ -20,5 +20,5 @@ maintainers:
email: [email protected]
url: https://github.com/aeciopires
- name: Christian Anton
email: christian.anton@secadm.de
url: https://secadm.de
email: christian.anton@inqbeo.de
url: https://inqbeo.de
22 changes: 17 additions & 5 deletions charts/zabbix/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,7 @@ Return the entire logic of setting PostgreSQL access related env vars for the co
{{- $uservar := "POSTGRES_USER" }}
{{- $passwordvar := "POSTGRES_PASSWORD" }}
{{- $dbvar := "POSTGRES_DB" }}
{{- $schemavar := "DB_SERVER_SCHEMA" }}
{{/* special settings for the DB client (autoclean cron job) container, needs different env variable names */}}
{{- if eq $cntxt "db_client" }}
{{- $hostvar = "PGHOST" }}
Expand All @@ -128,12 +129,12 @@ Return the entire logic of setting PostgreSQL access related env vars for the co
valueFrom:
secretKeyRef:
name: {{ .Values.postgresAccess.unifiedSecretName }}
key: host
key: {{ .Values.postgresAccess.unifiedSecretHostKey }}
- name: {{ $portvar }}
valueFrom:
secretKeyRef:
name: {{ .Values.postgresAccess.unifiedSecretName }}
key: port
key: {{ .Values.postgresAccess.unifiedSecretPortKey }}
optional: true
{{- else }}
- name: {{ $hostvar }}
Expand All @@ -146,19 +147,26 @@ Return the entire logic of setting PostgreSQL access related env vars for the co
valueFrom:
secretKeyRef:
name: {{ .Values.postgresAccess.unifiedSecretName }}
key: user
key: {{ .Values.postgresAccess.unifiedSecretUserKey }}
optional: true
- name: {{ $passwordvar }}
valueFrom:
secretKeyRef:
name: {{ .Values.postgresAccess.unifiedSecretName }}
key: password
key: {{ .Values.postgresAccess.unifiedSecretPasswordKey }}
- name: {{ $dbvar }}
valueFrom:
secretKeyRef:
name: {{ .Values.postgresAccess.unifiedSecretName }}
key: dbname
key: {{ .Values.postgresAccess.unifiedSecretDBKey }}
optional: true
{{- if and (not .Values.postgresql.enabled) .Values.postgresAccess.unifiedSecretSchemaKey }}
- name: {{ $schemavar }}
valueFrom:
secretKeyRef:
name: {{ .Values.postgresAccess.unifiedSecretName }}
key: {{ .Values.postgresAccess.unifiedSecretSchemaKey }}
{{- end }}
{{- else }}
- name: {{ $uservar }}
value: {{ .Values.postgresAccess.user | quote }}
Expand All @@ -173,6 +181,10 @@ Return the entire logic of setting PostgreSQL access related env vars for the co
{{- end }}
- name: {{ $dbvar }}
value: {{ .Values.postgresAccess.database | quote }}
{{- if and (not .Values.postgresql.enabled) .Values.postgresAccess.schema }}
- name: {{ $schemavar }}
value: {{ .Values.postgresAccess.schema }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,7 @@ data:

if [ -n "${DBVERSION_TABLE_EXISTS}" ]; then
echo "** Table '${DB_SERVER_DBNAME}.dbversion' exists."
ZBX_DB_VERSION=$(psql_query "SELECT mandatory FROM dbversion" "${DB_SERVER_DBNAME}")
ZBX_DB_VERSION=$(psql_query "SELECT mandatory FROM ${DB_SERVER_SCHEMA}.dbversion" "${DB_SERVER_DBNAME}")
fi

if [ -n "${ZBX_DB_VERSION}" ]; then
Expand Down Expand Up @@ -181,7 +181,7 @@ data:
if [ ${ZBX_SRV_VERSION_MAJOR} -eq ${ZBX_DB_VERSION_MAJOR} ]; then
echo "** schema is the appropriate version, continuing checks"

DB_AMOUNT_USERS=$(psql_query "SELECT count(*) FROM users" "${DB_SERVER_DBNAME}")
DB_AMOUNT_USERS=$(psql_query "SELECT count(*) FROM ${DB_SERVER_SCHEMA}.users" "${DB_SERVER_DBNAME}")
if [ ${DB_AMOUNT_USERS} -gt 0 ]; then
echo "** amount of users in users table is ${DB_AMOUNT_USERS}, letting the Zabbix Server container start"
break
Expand Down
3 changes: 3 additions & 0 deletions charts/zabbix/templates/deployment-zabbix-server.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,9 @@ spec:
{{- end }}
env:
{{- include "zabbix.postgresAccess.variables" (list $ . "zabbix") | nindent 12 }}
{{- with .Values.zabbixServer.extraEnv }}
{{- toYaml . | nindent 12 }}
{{- end }}
securityContext:
{{- toYaml .Values.zabbixServer.securityContext | nindent 12 }}
resources:
Expand Down
32 changes: 0 additions & 32 deletions charts/zabbix/templates/ingressroute.yml

This file was deleted.

32 changes: 0 additions & 32 deletions charts/zabbix/templates/route.yaml

This file was deleted.

27 changes: 17 additions & 10 deletions charts/zabbix/templates/secret-db-access.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,21 @@ type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace .Values.postgresAccess.unifiedSecretName) | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $secretHost := (get $secretData "host") | default (default (printf "%s-%s" (include "zabbix.fullname" .) "postgresql") .Values.postgresAccess.host | b64enc) }}
{{- $secretPort := (get $secretData "port") | default (.Values.postgresql.service.port | toString | b64enc) }}
{{- $secretDbname := (get $secretData "dbname") | default ( default "zabbix" .Values.postgresAccess.database | b64enc) }}
{{- $secretUser := (get $secretData "user") | default (default "zabbix" .Values.postgresAccess.user | b64enc) }}
{{- $secretPassword := (get $secretData "password") | default (default (randAlphaNum 16) .Values.postgresAccess.password | b64enc) }}
host: {{ $secretHost | quote }}
port: {{ $secretPort | quote }}
dbname: {{ $secretDbname | quote }}
user: {{ $secretUser | quote }}
password: {{ $secretPassword | quote }}
{{- $secretHost := (get $secretData .Values.postgresAccess.unifiedSecretHostKey) | default (default (printf "%s-%s" (include "zabbix.fullname" .) "postgresql") .Values.postgresAccess.host | b64enc) }}
{{- $secretPort := (get $secretData .Values.postgresAccess.unifiedSecretPortKey) | default (.Values.postgresql.service.port | toString | b64enc) }}
{{- $secretDbname := (get $secretData .Values.postgresAccess.unifiedSecretDBKey) | default ( default "zabbix" .Values.postgresAccess.database | b64enc) }}
{{- $secretUser := (get $secretData .Values.postgresAccess.unifiedSecretUserKey) | default (default "zabbix" .Values.postgresAccess.user | b64enc) }}
{{- $secretPassword := (get $secretData .Values.postgresAccess.unifiedSecretPasswordKey) | default (default (randAlphaNum 16) .Values.postgresAccess.password | b64enc) }}
{{- $secretSchema := "" }}
{{- if and (not .Values.postgresql.enabled) .Values.postgresAccess.unifiedSecretSchemaKey }}
{{- $secretSchema = (get $secretData .Values.postgresAccess.unifiedSecretSchemaKey) | default (default "public" .Values.postgresAccess.schema | b64enc )}}
{{- end }}
{{ .Values.postgresAccess.unifiedSecretHostKey }}: {{ $secretHost | quote }}
{{ .Values.postgresAccess.unifiedSecretPortKey }}: {{ $secretPort | quote }}
{{ .Values.postgresAccess.unifiedSecretDBKey }}: {{ $secretDbname | quote }}
{{ .Values.postgresAccess.unifiedSecretUserKey }}: {{ $secretUser | quote }}
{{ .Values.postgresAccess.unifiedSecretPasswordKey }}: {{ $secretPassword | quote }}
{{- if $secretSchema }}
{{ .Values.postgresAccess.unifiedSecretSchemaKey }}: {{ $secretSchema | quote }}
{{- end }}
{{- end }}
52 changes: 16 additions & 36 deletions charts/zabbix/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -31,20 +31,27 @@ postgresAccess:
# All relevant components installed by this chart will respect it: zabbixServer, zabbixWeb and postgresql (if enabled)
#
# USING ONE SECRET CONTAINING ALL DB RELEVANT SETTINGS
# PostgreSQL access details all in one existing secret (matches the structure of secrets the CrunchyData pgo operator generates)
# PostgreSQL access details all in one existing secret (matches the structure of secrets the CrunchyData PGO operator
# and the CNPG postgres operator generate)
# if this option is chosen the below listed settings are being ignored
# the secret must contain the following keys:
# * host
# * port
# * user
# * password
# * dbname
# -- Whether to use the unified PostgreSQL access secret
useUnifiedSecret: true
# -- Name of one secret for unified configuration of PostgreSQL access
unifiedSecretName: zabbixdb-pguser-zabbix
# -- automatically create secret if not already present (works only in combination with postgresql.enabled=true)
unifiedSecretAutoCreate: true
# -- key of the unified postgres access secret where host ip / dns name for the postgres db is found
unifiedSecretHostKey: host
# -- key of the unified postgres access secret where the port for the postgres db is found
unifiedSecretPortKey: port
# -- key of the unified postgres access secret where user name for the postgres db is found
unifiedSecretUserKey: user
# -- key of the unified postgres access secret where password for the postgres db is found
unifiedSecretPasswordKey: password
# -- key of the unified postgres access secret where database name for the postgres db is found
unifiedSecretDBKey: dbname
# -- key of the unified postgres access secret where schema name for the postgres db is found. Can be left empty (defaults to "public", then). Only being used if external database is used (`postgresql.enabled` not set)
unifiedSecretSchemaKey: ""
#
# If you do NOT want to use one unified secret for all settings, you can still set the credentials manually here.
# These settings will be used for all components of this chart where it makes sense (zabbix server, postgresql,
Expand All @@ -63,6 +70,8 @@ postgresAccess:
password: "zabbix"
# -- Name of database
database: "zabbix"
# -- Schema of database. Can be left empty if unifiedSecretSchemaKey is not set. Only being used if external database is used (`postgresql.enabled` not set)
schema: ""

# **Zabbix Server** configurations
zabbixServer:
Expand Down Expand Up @@ -900,35 +909,6 @@ ingress:
# -- pathType is only for k8s >= 1.1=
pathType: Prefix

# Ingress CRD object for the Traefik Ingresscontroller
ingressRoute:
# -- Enables Traefik IngressRoute
enabled: false
# -- IngressRoute annotations
annotations: {}
# -- Ingressroute entrypoints
entryPoints:
- websecure
# -- Ingressroute host name
hostName: chart-example.local
# -- IngressRoute TLS configuration
#tls:
# certResolver: myresolver

route:
# -- Enables Route object for Openshift
enabled: false
# -- Host Name for the route. Can be left empty
hostName: chart-example.local
# -- Openshift Route wildcardPolicy
#wildcardPolicy:
# -- Openshift Route TLS settings
tls:
termination: edge
#insecureEdgeTerminationPolicy: Redirect
# -- Openshift Route extra annotations
annotations: {}

# -- nodeSelector configurations. Reference: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
nodeSelector: {}

Expand Down