Merge branch 'release/0.4.3'

passbolt · Oct 6, 2023 · 3cfc51c · 3cfc51c
2 parents f1820e4 + 00b2eb3
commit 3cfc51c
Show file tree

Hide file tree

Showing 17 changed files with 423 additions and 24 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,12 +1,17 @@
+name: Create Release
+
 on:
   push:
     tags:
-      - '*'
+      - "[0-9]+.[0-9]+.[0-9]+"
+
 jobs:
-  create-shasums:
+  build:
+    name: Create release
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
     steps:
       - uses: actions/checkout@v3
-      - uses: ncipollo/release-action@v1
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+        name: Create Release
+        run: gh release create "${GITHUB_REF#refs/*/}" --notes-file RELEASE_NOTES.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,21 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/0.4.0...HEAD)
+## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/0.4.3...HEAD)
+
+## [0.4.3] - 2023-10-06
+
+### Added
+- New values tls.existingSecret and tls.autogenerate to control injecting ssl certificates in passbolt containers and ingress
+
+### Fixed
+- [#51](https://github.com/passbolt/charts-passbolt/issues/51) ability to use external tls secret
+- [#49](https://github.com/passbolt/charts-passbolt/issues/49) ability to use custom registries and custom pullSecrets
+
+## [0.4.2] - 2023-08-31
+
+### Added
+- Bump passbolt version 4.1.2-1-ce
 
 ## [0.4.1] - 2023-06-11
 

diff --git a/Chart.yaml b/Chart.yaml
@@ -15,12 +15,12 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.2
+version: 0.4.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.2.0-1-ce
+appVersion: 4.3.0-1-ce
 dependencies:
   - name: passbolt-library
     version: 0.2.7

diff --git a/README.md b/README.md
@@ -75,7 +75,6 @@ Once the chart is deployed, you can create your first user by running the follow
 kubectl exec -it <passbolt-pod-name> -- su -c "bin/cake passbolt register_user -u <email> -f <firstname> -l <lastname> -r admin" -s /bin/bash www-data
 ```
 
-
 ## Uninstalling the chart
 
 To uninstall/delete the chart from your cluster:
@@ -90,15 +89,15 @@ chart and deletes the release.
 ## Requirements
 
 | Repository                                            | Name             | Version |
-|-------------------------------------------------------|------------------|---------|
+| ----------------------------------------------------- | ---------------- | ------- |
 | https://charts.bitnami.com/bitnami                    | mariadb          | 11.5.7  |
 | https://charts.bitnami.com/bitnami                    | redis            | 17.15.2 |
 | https://download.passbolt.com/charts/passbolt-library | passbolt-library | 0.2.7   |
 
 ## Values
 
 | Key                                                           | Type   | Default                                                                                                                                                                      | Description                                                                                                                                                               |
-|---------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| ------------------------------------------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | affinity                                                      | object | `{}`                                                                                                                                                                         | Configure passbolt deployment affinity                                                                                                                                    |
 | app.cache.redis.enabled                                       | bool   | `true`                                                                                                                                                                       | By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php That instructs passbolt to store sessions on redis and to use it as a general cache. |
 | app.cache.redis.sentinelProxy.enabled                         | bool   | `true`                                                                                                                                                                       | Inject a haproxy sidecar container configured as a proxy to redis sentinel Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy                |
@@ -213,3 +212,10 @@ chart and deletes the release.
 | serviceAccount.create                                         | bool   | `true`                                                                                                                                                                       | Specifies whether a service account should be created                                                                                                                     |
 | tolerations                                                   | list   | `[]`                                                                                                                                                                         | Configure passbolt deployment tolerations                                                                                                                                 |
 
+## Updating REAME.md
+
+We rely on the [helm-docs](https://github.com/norwoodj/helm-docs) helm plugin and [mdformat](https://github.com/executablebooks/mdformat) with [mdformat-tables](https://github.com/executablebooks/mdformat-tables) to generate and format the README.md on each release
+
+```
+helm-docs -t README.md.gotmpl --dry-run | mdformat - > README.md 
+```
diff --git a/README.md.gotmpl b/README.md.gotmpl
@@ -0,0 +1,105 @@
+# Passbolt Helm chart
+
+<h3 align="center">
+    <img src="./.assets/helm_passbolt.png" alt="passbolt sails kubernetes" width="500"/>
+</h3>
+
+{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
+
+Passbolt is an open source, security first password manager with strong focus on
+collaboration.
+
+## TL;DR
+
+The following command is not recommended for production deployments as it will
+use default passwords for internal databases:
+
+```bash
+helm repo add my-repo https://download.passbolt.com/charts/passbolt
+helm install my-release my-repo/passbolt
+```
+
+Production workloads should change the fields with values 'CHANGEME' on values.yaml
+and deploy the chart as follows:
+
+```bash
+helm repo add my-repo https://download.passbolt.com/charts/passbolt
+helm install my-release my-repo/passbolt -f values.yaml
+```
+
+Or using `--set` flags to modify certain chart options:
+
+```bash
+helm repo add my-repo https://download.passbolt.com/charts/passbolt
+helm install my-release my-repo/passbolt \
+  --set redis.auth.password=my_redis_password \
+  --set passboltEnv.CACHE_CAKE_DEFAULT_PASSWORD=my_redis_password \
+  --set mariadb.auth.password=my_mariadb_password \
+  --set passboltEnv.secret.DATASOURCES_DEFAULT_PASSWORD=my_mariadb_password
+```
+
+## Introduction
+
+This chart deploys [passbolt](https://www.passbolt.com) on [kubernetes](https://kubernetes.io) using the [Helm](https://helm.sh/) package manager.
+
+Passbolt comes in three editions:
+
+- [Community edition](https://www.passbolt.com/ce/docker)
+- [Professional edition](https://signup.passbolt.com/pricing/pro)
+- [Cloud edition](https://signup.passbolt.com/pricing/cloud)
+
+This chart supports the deployment of Community edition and Professional edition.
+
+## Prerequisites
+
+- Kubernetes 1.19+ or 1.23+ if you want to use hpa
+- Helm 3.x
+- Passbolt docker >= 3.12.2-1
+
+## Installing the chart
+
+Installing the chart under the name `my-release`:
+
+```bash
+helm install my-release my-repo
+```
+
+The above command deploys passbolt with default settings on your kubernetes cluster.
+Check the [configuration](#Configuration) section to check which parameters you can fine tune.
+
+## Creating first user
+
+Once the chart is deployed, you can create your first user by running the following command:
+
+```bash
+kubectl exec -it <passbolt-pod-name> -- su -c "bin/cake passbolt register_user -u <email> -f <firstname> -l <lastname> -r admin" -s /bin/bash www-data
+```
+
+## Uninstalling the chart
+
+To uninstall/delete the chart from your cluster:
+
+```bash
+helm delete my-release
+```
+
+The above command deletes all the kubernetes components associated with the
+chart and deletes the release.
+
+## Requirements
+
+| Repository                                            | Name             | Version |
+|-------------------------------------------------------|------------------|---------|
+| https://charts.bitnami.com/bitnami                    | mariadb          | 11.5.7  |
+| https://charts.bitnami.com/bitnami                    | redis            | 17.15.2 |
+| https://download.passbolt.com/charts/passbolt-library | passbolt-library | 0.2.7   |
+
+{{ template "chart.valuesSection" . }}
+
+## Updating REAME.md
+
+We rely on the [helm-docs](https://github.com/norwoodj/helm-docs) helm plugin and [mdformat](https://github.com/executablebooks/mdformat) with [mdformat-tables](https://github.com/executablebooks/mdformat-tables) to generate and format the README.md on each release 
+
+```
+helm-docs -t README.md.gotmpl --dry-run | mdformat - > README.md  
+```
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -0,0 +1,15 @@
+This release introduces several fixes and enhancenments reported by
+the community.
+
+It introduces the possibility to inject SSL certificates as external
+secrets to both the ingress object and to the passbolt container
+through the `tls.existingSecret`. By default the chart still relies
+on the autogenerated SSL certificate if not specified.
+
+[Deprecation warning]: ingress.tls will be deprecated in future
+versions in favour of the new tls{} value to specify secrets.
+
+[Deprecation warning]: ingress.hosts will be deprecated in future
+versions too, new values will be announced.
+
+For more information please check our [changelog](https://github.com/passbolt/charts-passbolt/blob/0.4.3/CHANGELOG.md)
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -91,3 +91,62 @@ Show error message if the user didn't set the gpg key after upgrade
 {{- end }}
 {{- end }}
 {{- end }}
+
+{{- define "passbolt.tls.secretName" -}}
+{{- if .globalTLS.existingSecret -}}
+  {{- printf "%s" .globalTLS.existingSecret -}}
+{{- else }}
+  {{- printf "%s-sec-%s" .name .tls.secretName -}}
+{{- end }}
+{{- end }}
+
+{{- define "passbolt.container.tls.secretName" -}}
+{{- $name := .name }}
+{{- if .globalTLS.existingSecret -}}
+  {{- printf "%s" .globalTLS.existingSecret -}}
+{{- else }}
+  {{- with (index .ingressTLS 0 ) -}}
+    {{- printf "%s-sec-%s" $name .secretName -}}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "passbolt.image" -}}
+{{- $registryName := .imageRoot.registry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .imageRoot.tag | toString -}}
+{{- if .global }}
+  {{- if .global.imageRegistry }}
+    {{- $registryName = .global.imageRegistry -}}
+  {{- end -}}
+{{- end -}}
+{{- if $registryName }}
+    {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- else -}}
+    {{- printf "%s%s%s"  $repositoryName $separator $termination -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "passbolt.pullSecrets" -}}
+  {{- $pullSecrets := list }}
+
+  {{- if .global }}
+    {{- range .global.imagePullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- range .images -}}
+    {{- range . -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+    {{- range $pullSecrets | uniq }}
+  - name: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
diff --git a/templates/cronjob-proc-email.yaml b/templates/cronjob-proc-email.yaml
@@ -23,6 +23,7 @@ spec:
              {{- toYaml . | nindent 12 }}
            {{- end }}
         spec:
+          {{- include "passbolt.pullSecrets" ( dict "images" (list .Values.imagePullSecrets ) "global" .Values.global) | nindent 10 }}
           serviceAccountName: {{ $Name }}-sa-common
           restartPolicy: OnFailure
           securityContext:

diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -34,16 +34,14 @@ spec:
         checksum/sec-redis-proxy: {{ include (print $.Template.BasePath "/secret-redis-proxy.yaml") . | sha256sum }}
         {{- end }}
     spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- include "passbolt.pullSecrets" ( dict "images" (list .Values.imagePullSecrets ) "global" .Values.global) | nindent 6 }}
       serviceAccountName: {{ $Name }}-sa-common
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
         - name: {{ $fullName }}-init
-          {{ include "passbolt-library.container-repositories.tpl" (dict "Values" . "Image" .Values.app.initImage) | nindent 10 }}
+          image: {{ include "passbolt.image" (dict "imageRoot" .Values.app.initImage "global" .Values.global) }}
+          imagePullPolicy: {{ .Values.app.initImage.pullPolicy }}
           command:
             - "/bin/bash"
           args:
@@ -85,7 +83,8 @@ spec:
               set -e
               > /etc/supervisor/conf.d/cron.conf
               /docker-entrypoint.sh
-          {{ include "passbolt-library.container-repositories.tpl" (dict "Values" . "Image" .Values.app.image) | nindent 10 }}
+          image: {{ include "passbolt.image" (dict "imageRoot" .Values.app.image "global" .Values.global) }}
+          imagePullPolicy: .Values.app.image.pullPolicy
           ports:
           - name: https
             containerPort: {{ .Values.service.targetPort }}
@@ -142,7 +141,8 @@ spec:
             {{- toYaml .Values.app.resources | nindent 12 }}
         {{- if .Values.app.cache.redis.sentinelProxy.enabled }}
         - name: {{ $fullName }}-redisproxy
-          {{ include "passbolt-library.container-repositories.tpl" (dict "Values" . "Image" .Values.app.cache.redis.sentinelProxy.image) | nindent 10 }}
+          image: {{ include "passbolt.image" (dict "imageRoot" .Values.app.cache.redis.sentinelProxy.image "global" .Values.global) }}
+          imagePullPolicy: .Values.app.cache.redis.sentinelProxy.pullPolicy
           volumeMounts:
             - mountPath: "/usr/local/etc/haproxy/haproxy.cfg"
               subPath: haproxy.cfg
@@ -166,7 +166,7 @@ spec:
       volumes:
         - name: {{ $fullName }}-sec-tls
           secret:
-            secretName: {{ $Name }}-sec-tls
+            secretName: {{ include "passbolt.container.tls.secretName" (dict "name" $Name "ingressTLS" .Values.ingress.tls "globalTLS" $.Values.tls ) }}
         - name: {{ $fullName }}-sec-gpg
           secret:
             secretName: {{ $Name }}-sec-gpg

diff --git a/templates/ingress.yaml b/templates/ingress.yaml
@@ -33,7 +33,7 @@ spec:
         {{- range .hosts }}
         - {{ . | quote }}
         {{- end }}
-      secretName: {{ $Name }}-sec-{{ .secretName }}
+      secretName: {{ include "passbolt.tls.secretName" (dict "name" $Name "tls" . "globalTLS" $.Values.tls ) }}
     {{- end }}
   {{- end }}
   rules:

diff --git a/templates/job-create-gpg.yaml b/templates/job-create-gpg.yaml
@@ -22,11 +22,12 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      {{- include "passbolt.pullSecrets" ( dict "images" (list .Values.imagePullSecrets ) "global" .Values.global) | nindent 6 }}
       serviceAccountName: {{ $Name }}-sa-{{ $action }}
       restartPolicy: OnFailure
       containers:
         - name: {{ $fullName }}
-          {{ include "passbolt-library.container-repositories.tpl" (dict "Values" . "Image" .Values.app.image) | nindent 10 }}
+          image: {{ include "passbolt.image" (dict "imageRoot" .Values.app.image "global" .Values.global) }}
           command:
             - "/bin/bash"
           args:

diff --git a/templates/secret-tls.yaml b/templates/secret-tls.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.tls.autogenerate -}}
 {{- $type := "sec" -}}
 {{- $action := "tls" -}}
 {{- $Name := include "passbolt-library.fullname" . -}}
@@ -14,3 +15,4 @@ metadata:
 type: Opaque
 data:
 {{ ( include "passbolt-library.gen-certs" . ) | indent 2 }}
+{{- end }}