patch: enable existing secrets + minor ingress fixes (#34)
* patch: Adding existing secret option

This introduces the option for an existing secret to be supplied with the credentials for postgres, smtp, redis and s3.
By allowing users to roll their own secrets for these values, we improve their security as they don't have to hard code any values into their supplied `values.yaml` file.

The presumption is that if a user is supplying some credentials via a secret then all of the listed ones should be supplied.

* fix: Ingress manifest corrections

The ingress manifests had some invalid references and a duplicate TLS `secretName`, both of which have now been corrected.

* patch: added a helper for inferring the kubernetes version across all templates
drew-viles authored Mar 27, 2024
1 parent 5fe4bf9 commit 69db374
Showing 9 changed files with 76 additions and 44 deletions.
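--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -0,0 +1,15 @@
+{{- define "secret-path" }}
+{{- if .Values.global.existingSecret -}}
+{{ .Values.global.existingSecret }}
+{{- else -}}
+{{ .Release.Name }}-secrets
+{{- end }}
+{{- end}}
+
+{{- define "kubectlVersion" }}
+{{- if .Values.global.kubectlVersion -}}
+{{ .Values.global.kubectlVersion }}
+{{- else -}}
+{{ printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor }}
+{{- end }}
+{{- end}}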
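Review bot: `secret-path` is defined without a chart-name prefix and without a comment stating which keys the referenced Secret must carry, even though every deployment template now resolves `databaseUrl`, `redisUrl`, `awsS3AccessKeyId`, `awsS3SecretAccessKey`, `smtpUsername` and `smtpPassword` through it. Helm template names are global across a release, so a generic name can be shadowed by a subchart that defines the same name; a chart-prefixed name such as `lago.secretName` (with matching `include` calls) avoids that and also reflects that the helper yields a Secret name, not a path. I would add a comment above the define listing the required keys so users of `global.existingSecret` see the contract the commit message describes. For `kubectlVersion`, note that `.Capabilities.KubeVersion` is Helm's built-in default when rendering without a cluster (`helm template`), so the fallback tag may not match the target cluster in that mode, and the resulting `major.minor` tag is mutable where a full version or digest would pin the init image.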
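--- a/templates/api-deployment.yaml
+++ b/templates/api-deployment.yaml
@@ -23,7 +23,7 @@ spec:
 initContainers:
 {{ if .Values.postgresql.enabled }}
 - name: wait-for-postgresql
-image: "docker.io/bitnami/kubectl:{{ printf "%s" .Values.global.kubectlVersion }}"
+image: "docker.io/bitnami/kubectl:{{ include "kubectlVersion" . }}"
 args:
 - wait
 - pod/{{ .Release.Name }}-postgresql-0
@@ -32,22 +32,20 @@ spec:
 {{ end }}
 {{ if .Values.redis.enabled }}
 - name: wait-for-redis
-image: "docker.io/bitnami/kubectl:{{ printf "%s" .Values.global.kubectlVersion }}"
+image: "docker.io/bitnami/kubectl:{{ include "kubectlVersion" . }}"
 args:
 - wait
 - pod/{{ .Release.Name }}-redis-master-0
 - --for=condition=ready
 - --timeout=180s
 {{ end }}
-{{ if .Values.global.kubectlVersion}}
 - name: wait-for-migrations
-image: "docker.io/bitnami/kubectl:{{ printf "%s" .Values.global.kubectlVersion }}"
+image: "docker.io/bitnami/kubectl:{{ include "kubectlVersion" . }}"
 args:
 - wait
 - job/{{ .Release.Name }}-migrate
 - --for=condition=complete
 - --timeout=180s
-{{ end }}
 containers:
 - args: ["bundle", "exec", "rails", "s", "-b", "::"]
 env:
@@ -56,17 +54,17 @@ spec:
 - name: DATABASE_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: databaseUrl
 - name: REDIS_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: redisUrl
 - name: LAGO_REDIS_CACHE_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: redisUrl
 - name: LAGO_PDF_URL
 {{- $pdfHost := printf "%s-pdf-svc.%s" .Release.Name .Release.Namespace}}
@@ -134,18 +132,18 @@ spec:
 - name: LAGO_AWS_S3_ENDPOINT
 value: {{ .Values.global.s3.aws.endpoint | quote }}
 {{ end }}
-{{ if .Values.global.s3.aws.accessKeyId }}
+{{ if or .Values.global.s3.aws.accessKeyId .Values.global.existingSecret }}
 - name: LAGO_AWS_S3_ACCESS_KEY_ID
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: awsS3AccessKeyId
 {{ end }}
-{{ if .Values.global.s3.aws.secretAccessKey }}
+{{ if or .Values.global.s3.aws.secretAccessKey .Values.global.existingSecret }}
 - name: LAGO_AWS_S3_SECRET_ACCESS_KEY
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: awsS3SecretAccessKey
 {{ end }}
 - name: LAGO_AWS_S3_BUCKET
@@ -161,12 +159,12 @@ spec:
 - name: LAGO_SMTP_USERNAME
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: smtpUsername
 - name: LAGO_SMTP_PASSWORD
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: smtpPassword
 - name: LAGO_SMTP_PORT
 value: "{{ .Values.global.smtp.port }}"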
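Review bot: The new condition `{{ if or .Values.global.s3.aws.accessKeyId .Values.global.existingSecret }}` (and the `secretAccessKey` one below it) adds the S3 credential env vars whenever `global.existingSecret` is set, even when S3 is not in use, while `templates/secrets.yaml` only emits those keys under `global.s3.enabled`. A `secretKeyRef` whose key is absent from the Secret fails the pod with CreateContainerConfigError, so a user who supplies an existing secret with only database, redis and SMTP keys cannot start the API. Scoping the condition to S3 being enabled, e.g. `{{ if or .Values.global.s3.aws.accessKeyId (and .Values.global.existingSecret .Values.global.s3.enabled) }}`, keeps the commit's "all listed credentials" presumption limited to integrations actually turned on; the same two conditions appear in `templates/worker-deployment.yaml`. The enclosing S3 block starts outside the hunk, so if it is already wrapped in `global.s3.enabled` this is a no-op; the SMTP env vars have the same shape of dependency on `global.smtp.enabled` and are worth checking in the unshown part of the file.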
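--- a/templates/clock-deployment.yaml
+++ b/templates/clock-deployment.yaml
@@ -23,7 +23,7 @@ spec:
 initContainers:
 {{ if .Values.redis.enabled }}
 - name: wait-for-redis
-image: "docker.io/bitnami/kubectl:{{ printf "%s" .Values.global.kubectlVersion }}"
+image: "docker.io/bitnami/kubectl:{{ include "kubectlVersion" . }}"
 args:
 - wait
 - pod/{{ .Release.Name }}-redis-master-0
@@ -39,12 +39,12 @@ spec:
 - name: DATABASE_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: databaseUrl
 - name: REDIS_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: redisUrl
 - name: RAILS_LOG_TO_STDOUT
 value: {{ .Values.clock.rails.logStdout | quote }}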
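--- a/templates/events-worker-deployment.yaml
+++ b/templates/events-worker-deployment.yaml
@@ -23,22 +23,20 @@ spec:
 initContainers:
 {{ if .Values.redis.enabled }}
 - name: wait-for-redis
-image: "docker.io/bitnami/kubectl:{{ printf "%s" .Values.global.kubectlVersion }}"
+image: "docker.io/bitnami/kubectl:{{ include "kubectlVersion" . }}"
 args:
 - wait
 - pod/{{ .Release.Name }}-redis-master-0
 - --for=condition=ready
 - --timeout=180s
 {{ end }}
-{{ if .Values.global.kubectlVersion }}
 - name: wait-for-migrations
-image: "docker.io/bitnami/kubectl:{{ printf "%s" .Values.global.kubectlVersion }}"
+image: "docker.io/bitnami/kubectl:{{ include "kubectlVersion" . }}"
 args:
 - wait
 - job/{{ .Release.Name }}-migrate
 - --for=condition=complete
 - --timeout=180s
-{{ end }}
 containers:
 - args:
 - ./scripts/start.events.worker.sh
@@ -48,17 +46,17 @@ spec:
 - name: DATABASE_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: databaseUrl
 - name: REDIS_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: redisUrl
 - name: LAGO_REDIS_CACHE_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: redisUrl
 - name: RAILS_LOG_TO_STDOUT
 value: {{ .Values.eventsWorker.rails.logStdout | quote }}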
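--- a/templates/ingress.yaml
+++ b/templates/ingress.yaml
@@ -5,7 +5,7 @@ metadata:
 name: {{ .Release.Name }}-ingress
 annotations:
 {{ if .Values.global.ingress.annotations }}
-{{- with .Values.ingress.annotations }}
+{{- with .Values.global.ingress.annotations }}
 {{- toYaml . | trim | nindent 4 }}
 {{- end }}
 {{ end }}
@@ -14,9 +14,8 @@ spec:
 tls:
 - hosts:
 - {{ .Values.global.ingress.frontHostname }}
-secretName: {{ .Release.Name }}-ingress-secret
 - {{ .Values.global.ingress.apiHostname }}
-secretName: {{ .Release.Name }}-api-ingress-secret
+secretName: {{ .Release.Name }}-ingress-secret
 rules:
 - host: {{ .Values.global.ingress.frontHostname }}
 http: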
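Review bot: The outer `{{ if .Values.global.ingress.annotations }}` around the corrected `{{- with .Values.global.ingress.annotations }}` is now redundant, since both test the same value and `with` already skips a missing or empty map; dropping the `if`/`end` pair and keeping only the `with` block reads cleaner. On the TLS hunk, folding both hosts under the single `secretName: {{ .Release.Name }}-ingress-secret` means that one certificate must be valid for both `frontHostname` and `apiHostname` (as SANs), which is a change in what operators must provision, and installs that populated `{{ .Release.Name }}-api-ingress-secret` will leave it unreferenced after upgrade. A sentence in the upgrade notes covering both points would avoid surprises.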
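--- a/templates/migrate-job.yaml
+++ b/templates/migrate-job.yaml
@@ -17,7 +17,7 @@ spec:
 initContainers:
 {{ if .Values.postgresql.enabled }}
 - name: wait-for-postgresql
-image: "docker.io/bitnami/kubectl:{{ printf "%s.%s" .Capabilities.KubeVersion.Major .Capabilities.KubeVersion.Minor }}"
+image: "docker.io/bitnami/kubectl:{{ include "kubectlVersion" . }}"
 args:
 - wait
 - pod/{{ .Release.Name }}-postgresql-0
@@ -38,12 +38,12 @@ spec:
 - name: DATABASE_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: databaseUrl
 - name: REDIS_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: redisUrl
 - name: LAGO_RSA_PRIVATE_KEY
 valueFrom: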
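--- a/templates/secrets.yaml
+++ b/templates/secrets.yaml
@@ -25,6 +25,7 @@ data:
 {{ $encryptionKeyDerivationSalt := (get $secretData "encryptionKeyDerivationSalt") | default (randAlphaNum 32 | b64enc | b64enc) }}
 encryptionKeyDerivationSalt: {{ $encryptionKeyDerivationSalt | quote }}
 
+{{- if not .Values.global.existingSecret }}
 {{ if .Values.postgresql.enabled }}
 {{ $pgDatabase := .Values.global.postgresql.auth.database }}
 {{ $pgUser := .Values.global.postgresql.auth.username }}
@@ -35,18 +36,22 @@ data:
 {{ else }}
 databaseUrl: {{ required "global.databaseUrl value is required" .Values.global.databaseUrl | b64enc | quote }}
 {{ end }}
+{{- end }}
 
+{{- if not .Values.global.existingSecret }}
 {{ if .Values.redis.enabled }}
 {{ $redisHost := printf "%s-redis-master.%s" .Release.Name .Release.Namespace }}
 redisUrl: {{ printf "redis://%s:%v" $redisHost .Values.redis.master.service.ports.redis | b64enc | quote }}
 {{ else }}
 redisUrl: {{ required "global.redisUrl value is required" .Values.global.redisUrl | b64enc | quote }}
 {{ end }}
+{{- end }}
 
 {{ if .Values.global.license }}
 license: {{ .Values.global.license | b64enc | quote }}
 {{ end }}
 
+{{- if not .Values.global.existingSecret }}
 {{ if .Values.global.s3.enabled }}
 {{ if .Values.global.s3.aws.accessKeyId }}
 awsS3AccessKeyId: {{ .Values.global.s3.aws.accessKeyId | b64enc }}
@@ -55,11 +60,14 @@ data:
 awsS3SecretAccessKey: {{ .Values.global.s3.aws.secretAccessKey | b64enc }}
 {{ end }}
 {{ end }}
+{{- end }}
 
+{{- if not .Values.global.existingSecret }}
 {{ if .Values.global.smtp.enabled }}
 smtpUsername: {{ .Values.global.smtp.username | b64enc }}
 smtpPassword: {{ .Values.global.smtp.password | b64enc }}
 {{ end }}
+{{- end }}
 
 {{ if .Values.global.newRelic.enabled }}
 newRelicKey: {{ .Values.global.newRelic.key | b64enc }}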
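Review bot: When `global.existingSecret` is set, the `required "global.databaseUrl value is required"` and `required "global.redisUrl value is required"` checks are skipped together with the rendering, and nothing else verifies that the supplied Secret actually carries `databaseUrl`, `redisUrl`, `smtpUsername`, `smtpPassword` and the S3 keys; the first sign of a missing key is a pod stuck in CreateContainerConfigError. Helm cannot validate an external Secret's keys at render time (`lookup` returns nothing under `helm template`), so the practical fix is documentation: a comment above the first `{{- if not .Values.global.existingSecret }}` and the matching `values.yaml` entry listing the required key names, as the commit message already states the presumption that all of them must be supplied. As a point of style, the postgres and redis stanzas are adjacent, so a single `{{- if not .Values.global.existingSecret }}`/`{{- end }}` wrapper could cover both instead of two separate ones.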
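--- a/templates/worker-deployment.yaml
+++ b/templates/worker-deployment.yaml
@@ -23,22 +23,20 @@ spec:
 initContainers:
 {{ if .Values.redis.enabled }}
 - name: wait-for-redis
-image: "docker.io/bitnami/kubectl:{{ printf "%s" .Values.global.kubectlVersion }}"
+image: "docker.io/bitnami/kubectl:{{ include "kubectlVersion" . }}"
 args:
 - wait
 - pod/{{ .Release.Name }}-redis-master-0
 - --for=condition=ready
 - --timeout=180s
 {{ end }}
-{{ if .Values.global.kubectlVersion }}
 - name: wait-for-migrations
-image: "docker.io/bitnami/kubectl:{{ printf "%s" .Values.global.kubectlVersion }}"
+image: "docker.io/bitnami/kubectl:{{ include "kubectlVersion" . }}"
 args:
 - wait
 - job/{{ .Release.Name }}-migrate
 - --for=condition=complete
 - --timeout=180s
-{{ end }}
 containers:
 - args:
 - ./scripts/start.worker.sh
@@ -48,17 +46,17 @@ spec:
 - name: DATABASE_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: databaseUrl
 - name: REDIS_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: redisUrl
 - name: LAGO_REDIS_CACHE_URL
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: redisUrl
 - name: LAGO_PDF_URL
 {{- $pdfHost := printf "%s-pdf-svc.%s" .Release.Name .Release.Namespace}}
@@ -116,18 +114,18 @@ spec:
 - name: LAGO_AWS_S3_ENDPOINT
 value: {{ .Values.global.s3.aws.endpoint | quote }}
 {{ end }}
-{{ if .Values.global.s3.aws.accessKeyId }}
+{{ if or .Values.global.s3.aws.accessKeyId .Values.global.existingSecret }}
 - name: LAGO_AWS_S3_ACCESS_KEY_ID
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: awsS3AccessKeyId
 {{ end }}
-{{ if .Values.global.s3.aws.secretAccessKey }}
+{{ if or .Values.global.s3.aws.secretAccessKey .Values.global.existingSecret }}
 - name: LAGO_AWS_S3_SECRET_ACCESS_KEY
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: awsS3SecretAccessKey
 {{ end }}
 - name: LAGO_AWS_S3_BUCKET
@@ -143,12 +141,12 @@ spec:
 - name: LAGO_SMTP_USERNAME
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: smtpUsername
 - name: LAGO_SMTP_PASSWORD
 valueFrom:
 secretKeyRef:
-name: {{ .Release.Name }}-secrets
+name: {{ include "secret-path" . }}
 key: smtpPassword
 - name: LAGO_SMTP_PORT
 value: "{{ .Values.global.smtp.port }}"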