Merge branch 'develop' into 'main'
Develop into main

See merge request passbolt/passbolt-ops/charts-passbolt!49
Tecnobutrul committed Jan 9, 2024
2 parents 5d01378 + b6a63be commit bbc6310
Showing 19 changed files with 160 additions and 30 deletions.
11 changes: 11 additions & 0 deletions CHANGELOG.md
@@ -5,6 +5,17 @@ This project adheres to [Semantic Versioning](http://semver.org/).

## [Unreleased](https://github.com/passbolt/charts-passbolt/compare/0.7.0...HEAD)

## [0.7.1] - 2024-01-09

### Added

- [#67](https://github.com/passbolt/charts-passbolt/pull/67) feat: add value for supplying an existing secret containing the JWT server keypair
- [#74](https://github.com/passbolt/charts-passbolt/pull/74) Per architecture kubectl download

### Fixed

- [#71](https://github.com/passbolt/charts-passbolt/pull/71) fix: set JWT private key in the secret

## [0.7.0] - 2023-11-23

### Added
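Review bot: the Unreleased compare link at the top of this hunk still reads `compare/0.7.0...HEAD` while the hunk adds the `[0.7.1]` section right under it; bump it to `compare/0.7.1...HEAD` so the link only shows changes that land after this release.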
4 changes: 2 additions & 2 deletions Chart.yaml
@@ -15,12 +15,12 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.7.0
version: 0.7.1

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
appVersion: 4.4.0-1-ce
appVersion: 4.4.2-1-ce
dependencies:
- name: passbolt-library
version: 0.2.7
5 changes: 3 additions & 2 deletions README.md
@@ -4,7 +4,7 @@
<img src="./.assets/helm_passbolt.png" alt="passbolt sails kubernetes" width="500"/>
</h3>

![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.4.0-1-ce](https://img.shields.io/badge/AppVersion-4.4.0--1--ce-informational?style=flat-square)
![Version: 0.7.1](https://img.shields.io/badge/Version-0.7.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.4.2-1-ce](https://img.shields.io/badge/AppVersion-4.4.2--1--ce-informational?style=flat-square)

Passbolt is an open source, security first password manager with strong focus on
collaboration.
@@ -119,7 +119,7 @@ chart and deletes the release.
| app.image.pullPolicy | string | `"IfNotPresent"` | Configure pasbolt deployment image pullPolicy |
| app.image.registry | string | `""` | Configure pasbolt deployment image repsitory |
| app.image.repository | string | `"passbolt/passbolt"` | |
| app.image.tag | string | `"4.4.0-1-ce"` | Overrides the image tag whose default is the chart appVersion. |
| app.image.tag | string | `"4.4.2-1-ce"` | Overrides the image tag whose default is the chart appVersion. |
| app.resources | object | `{}` | |
| autoscaling.enabled | bool | `false` | Enable autoscaling on passbolt deployment |
| autoscaling.maxReplicas | int | `100` | Configure autoscaling maximum replicas |
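Review bot: two typos sit in the unchanged context of this hunk, `Configure pasbolt deployment image pullPolicy` and `image repsitory`; since the tag row is being edited anyway, fix them in the same pass (in the values.yaml comments if this table is generated from them, otherwise here).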
@@ -143,6 +143,7 @@ chart and deletes the release.
| jobCreateGpgKeys.extraPodLabels | object | `{}` | |
| jobCreateJwtKeys.extraPodLabels | object | `{}` | |
| jwtCreateKeysForced | bool | `false` | Forces overwrite JWT keys |
| jwtExistingSecret | string | `""` | Name of the existing secret for the JWT server keypair. The secret must contain the `jwt.key` and `jwt.pem` keys. |
| jwtPath | string | `"/etc/passbolt/jwt"` | Configure passbolt jwt directory |
| jwtServerPrivate | string | `""` | JWT server private key in base64 |
| jwtServerPublic | string | `""` | JWT server public key in base64 |
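Review bot: the new `jwtExistingSecret` row should say which key is which and how the value interacts with the other JWT settings: `jwt.key` holds the private key and `jwt.pem` the public key (the order the key job writes them), and when this value is set the chart neither renders its own JWT Secret nor renders the key-generation job, so `jwtServerPrivate`, `jwtServerPublic` and `jwtCreateKeysForced` have no effect. One sentence in the description covers that.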
14 changes: 7 additions & 7 deletions RELEASE_NOTES.md
@@ -1,9 +1,9 @@
Announcing the immediate availability of passbolt's official helm chart 0.7.0.
Announcing the immediate availability of passbolt's official helm chart 0.7.1.

First of all, thanks to @Kuruyia for the contributions made to this new release.
One of them adds the ability to inject the GPG key pair from an existing secret
and another one to add some defaults values on the email configuration.
This release contains support for providing external secrets for JWT keys
as well as automatic support to download kubectl binaries based on host
cpu architecture.

The release also brings a new field to toggle the initContainer that waits for
the database to be ready, so users that use service mesh or they have already a
running database can disable it.
Thanks to all the community members involved in this release!

@Kuruyia @ook
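Review bot: the unchanged closing lines `Thanks to all the community members involved in this release!` and `@Kuruyia @ook` were written for 0.7.0 and now credit the same two people for 0.7.1, while the paragraph explaining @Kuruyia's contribution was removed; check the mentions against the authors of #67, #71 and #74 listed in CHANGELOG.md and update them.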
10 changes: 9 additions & 1 deletion templates/_helpers.tpl
@@ -97,7 +97,7 @@ Show error message if the user didn't set the needed values during upgrade
{{- $message = printf "%s\n%s" $message (printf " export FINGERPRINT=$(kubectl exec deploy/%s -c %s -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/\"/, \"\"); print $2}')" $dpName $containerName) -}}
{{- $arguments = printf "%s %s" $arguments (printf "--set %s=$%s --set %s=$%s --set %s=$%s" "gpgServerKeyPrivate" "PRIVATE_KEY" "gpgServerKeyPublic" "PUBLIC_KEY" "passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT" "FINGERPRINT" ) -}}
{{- end }}
{{ if and $.Release.IsUpgrade .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtCreateKeysForced ) (or ( not $.Values.jwtServerPublic ) ( not $.Values.jwtServerPrivate )) }}
{{ if and $.Release.IsUpgrade .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtCreateKeysForced ) ( not .Values.jwtExistingSecret ) (or ( not $.Values.jwtServerPublic ) ( not $.Values.jwtServerPrivate )) }}
{{- if eq $header "" }}
{{- $header = printf "JWT" -}}
{{- else }}
@@ -222,3 +222,11 @@ imagePullSecrets:
{{- printf "%s-sec-gpg" .name -}}
{{- end }}
{{- end }}

{{- define "passbolt.jwt.secretName" -}}
{{- if .Values.jwtExistingSecret -}}
{{- printf "%s" .Values.jwtExistingSecret -}}
{{- else }}
{{- printf "%s-sec-jwt" .name -}}
{{- end }}
{{- end }}
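Review bot: `printf "%s" .Values.jwtExistingSecret` in the new `passbolt.jwt.secretName` helper is a no-op wrapper; `{{- .Values.jwtExistingSecret -}}` is the idiomatic form. The `passbolt.gpg.secretName` helper just above it has the same shape, so if you change one, change both for consistency.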
8 changes: 4 additions & 4 deletions templates/deployment.yaml
@@ -29,7 +29,7 @@ spec:
checksum/sec-gpg: {{ include (print $.Template.BasePath "/secret-gpg.yaml") . | sha256sum }}
{{- end }}
checksum/cm-env: {{ include (print $.Template.BasePath "/configmap-env.yaml") . | sha256sum }}
{{- if .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED }}
{{- if and .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtExistingSecret ) }}
checksum/sec-jwt: {{ include (print $.Template.BasePath "/secret-jwt.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.app.cache.redis.sentinelProxy.enabled }}
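Review bot: dropping the `checksum/sec-jwt` annotation when `jwtExistingSecret` is set means rotating the keypair in that external Secret no longer rolls the Deployment; the kubelet eventually refreshes the projected files, but nothing restarts the application. Helm's `lookup` could hash the external Secret but returns nothing under `helm template` and `--dry-run`, so the practical fix is a line in README.md telling operators to `kubectl rollout restart` the Deployment after rotating the key.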
@@ -151,7 +151,7 @@ spec:
readOnly: true
{{- end }}
{{- if .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED }}
- name: {{ $fullName }}-sec-jwt
- name: {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }}
mountPath: {{ quote .Values.jwtPath }}
readOnly: true
{{- end }}
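Review bot: the user-supplied Secret name is now used as the volumeMount `name`, but volume names must be DNS labels (lowercase alphanumerics and `-`, at most 63 characters) while Secret names are DNS subdomains that may contain dots and run to 253 characters; `jwtExistingSecret: passbolt.jwt` would render an invalid Pod spec. Keep the mount and volume name fixed at `{{ $fullName }}-sec-jwt` and template only `secretName` in the volumes block.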
@@ -205,9 +205,9 @@ spec:
path: subscription_key.txt
{{- end }}
{{- if .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED }}
- name: {{ $fullName }}-sec-jwt
- name: {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }}
secret:
secretName: {{ $Name }}-sec-jwt
secretName: {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }}
{{- end }}
{{- if .Values.app.cache.redis.sentinelProxy.enabled }}
- name: {{ $fullName }}-sec-redis-proxy
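Review bot: same concern as the mount above: only the `secretName:` line here needs `passbolt.jwt.secretName`; `name:` should stay `{{ $fullName }}-sec-jwt` so the volume name is always a valid DNS label and matches the mount regardless of what the operator called the Secret. Also, because the chart no longer creates this Secret there is no template-time check that it exists; a missing or misnamed Secret leaves the Pod in ContainerCreating with a `MountVolume.SetUp failed` event, which is worth a sentence in the value's description.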
3 changes: 2 additions & 1 deletion templates/job-create-gpg.yaml
@@ -67,7 +67,8 @@ spec:
PUBLIC_SERVERKEY="$(gpg --homedir $GNUPGHOME --armor --export $key_email | base64 -w0)"
cd /tmp
kubectlDownload=${KUBECTL_DOWNLOAD_CMD:-'curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"'}
cpuArch=${CPU_ARCH:-$(eval "case `uname -m` in 'x86_64') echo 'amd64';;'aarch64') echo 'arm64';;esac")}
kubectlDownload=${KUBECTL_DOWNLOAD_CMD:-'curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${cpuArch}/kubectl"'}
eval $kubectlDownload
chmod +x kubectl
./kubectl patch secret {{ include "passbolt.gpg.secretName" ( dict "name" $Name "Values" $.Values ) }} --type='json' -p='[{"op": "replace", "path" : "/data/serverkey_private.asc", "value" : '"${PRIVATE_SERVERKEY}"'}]'
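Review bot: the new `cpuArch` case has no default branch, so on any other architecture (ppc64le, s390x, armv7l) `cpuArch` is empty, the URL becomes `bin/linux//kubectl`, `curl -LO` saves the 404 body as `kubectl`, and the failure only surfaces at `./kubectl patch` with an exec-format error. Add `*) echo "unsupported architecture: $(uname -m)" >&2; exit 1;;`, and drop the `eval` around the `case`, which adds nothing over `case "$(uname -m)" in ... esac`. Separately, the binary is still downloaded unverified at job run time; dl.k8s.io publishes `kubectl.sha256` next to each binary, so fetching it and running `sha256sum -c` (or shipping kubectl in the job image) would close a supply-chain gap this job had before the change.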
9 changes: 5 additions & 4 deletions templates/job-create-jwt.yaml
@@ -1,4 +1,4 @@
{{- if and .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED (or ( not .Values.jwtServerPrivate ) ( not .Values.jwtServerPublic )) }}
{{- if and .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtExistingSecret ) (or ( not .Values.jwtServerPrivate ) ( not .Values.jwtServerPublic )) }}
{{- $type := "job" -}}
{{- $action := "create-jwt-keys" -}}
{{- $Name := include "passbolt-library.fullname" . -}}
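Review bot: with this condition, `jwtExistingSecret` silently wins over `jwtServerPrivate`/`jwtServerPublic` when an operator sets both; rather than guessing the intent, have `_helpers.tpl` `fail` with a clear message when both are provided, or document the precedence next to the value.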
@@ -45,11 +45,12 @@ spec:
PUBLIC_JWT_KEY="$(cat {{ .Values.jwtPath }}/jwt.pem | base64 -w0 )"
cd /tmp
kubectlDownload=${KUBECTL_DOWNLOAD_CMD:-'curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"'}
cpuArch=${CPU_ARCH:-$(eval "case `uname -m` in 'x86_64') echo 'amd64';;'aarch64') echo 'arm64';;esac")}
kubectlDownload=${KUBECTL_DOWNLOAD_CMD:-'curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${cpuArch}/kubectl"'}
eval $kubectlDownload
chmod +x kubectl
./kubectl patch secret {{ $Name }}-sec-jwt --type='json' -p='[{"op": "replace", "path" : "/data/jwt.key", "value" : '"${PUBLIC_JWT_KEY}"'}]'
./kubectl patch secret {{ $Name }}-sec-jwt --type='json' -p='[{"op": "replace", "path" : "/data/jwt.pem", "value" : '"${PUBLIC_JWT_KEY}"'}]'
./kubectl patch secret {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }} --type='json' -p='[{"op": "replace", "path" : "/data/jwt.key", "value" : '"${PRIVATE_JWT_KEY}"'}]'
./kubectl patch secret {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }} --type='json' -p='[{"op": "replace", "path" : "/data/jwt.pem", "value" : '"${PUBLIC_JWT_KEY}"'}]'
touch /tmp/pod/success
echo "Success"
env:
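Review bot: the fix itself is right, `jwt.key` now receives `PRIVATE_JWT_KEY` instead of the public key. Two follow-ups: the `cpuArch`/`kubectlDownload` lines are now copied verbatim from job-create-gpg.yaml, so move them into a named template in `_helpers.tpl` before they drift; and a JSON Patch `replace` fails when the target path does not exist, so if secret-jwt.yaml ever renders without `data.jwt.key`/`data.jwt.pem` the job breaks, whereas `"op": "add"` both creates and overwrites. Note also that `include "passbolt.jwt.secretName"` here can only ever resolve to `{{ $Name }}-sec-jwt`, because this template is not rendered when `jwtExistingSecret` is set.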
4 changes: 2 additions & 2 deletions templates/rbac.yaml
@@ -19,7 +19,7 @@ rules:
- {{ $Name }}-cm-env
- {{ $Name }}-sec-env
- {{ include "passbolt.gpg.secretName" ( dict "name" $Name "Values" $.Values ) }}
- {{ $Name }}-sec-jwt
- {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }}
- {{ $Name }}-sec-tls
- {{ $Name }}-sec-tls-ing
- {{ $Name }}-sec-subscription
@@ -113,7 +113,7 @@ rules:
resources: [ "configmaps", "secrets" ]
resourceNames:
- {{ $Name }}-cm-env
- {{ $Name }}-sec-jwt
- {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }}
- {{ $Name }}-sec-env
- {{ $Name }}-sec-redis-proxy
verbs: ["get", "patch"]
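Review bot: this grants the chart's ServiceAccount `get` and `patch` on whatever Secret the operator names in `jwtExistingSecret`, but nothing needs it: the key job that patches the Secret is not rendered when that value is set, and mounting a Secret into the Pod is done by the kubelet, not through the Pod's RBAC. Keep `{{ $Name }}-sec-jwt` in `resourceNames` here (and in the rule above) so the Role does not gain write access to an operator-managed Secret.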
2 changes: 1 addition & 1 deletion templates/secret-jwt.yaml
@@ -1,4 +1,4 @@
{{- if .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED }}
{{- if and .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtExistingSecret ) }}
{{- $type := "sec" -}}
{{- $action := "jwt" -}}
{{- $Name := include "passbolt-library.fullname" . -}}
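Review bot: once this template renders nothing, upgrading an existing release with `jwtExistingSecret` newly set makes Helm delete the chart-managed `-sec-jwt` Secret, and with it the keypair that was in use. Either add `helm.sh/resource-policy: keep` to this Secret or state in README.md that the existing `jwt.key` and `jwt.pem` must be copied into the new Secret before the upgrade, since they are not recoverable afterwards.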
@@ -17,7 +17,7 @@ tests:
kind: Job
name: test-passbolt-job-create-jwt-keys

- it: should not create a gpg job
- it: should not create a gpg job if key values are supplied
templates:
- job-create-jwt.yaml
set:
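Review bot: the renamed test still says `should not create a gpg job if key values are supplied` although the template under test is `job-create-jwt.yaml`; rename it to `jwt job` while touching the line.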
@@ -38,6 +38,15 @@ tests:
- hasDocuments:
count: 0

- it: should not create a gpg job if an existing secret is supplied
templates:
- job-create-jwt.yaml
set:
jwtExistingSecret: "my-jwt-secret"
asserts:
- hasDocuments:
count: 0

- it: should be executed only on pre-install
templates:
- job-create-jwt.yaml
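Review bot: `should not create a gpg job if an existing secret is supplied` has the same copy-paste name; it exercises `job-create-jwt.yaml`. The matching change to secret-jwt.yaml (no Secret rendered when `jwtExistingSecret` is set) has no test in this commit; add a `hasDocuments: count: 0` case for that template too.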
@@ -60,7 +69,10 @@ tests:
asserts:
- matchRegex:
path: spec.template.spec.containers[0].args[1]
pattern: ./kubectl patch secret test-passbolt-sec-jwt*
pattern: .*./kubectl patch secret test-passbolt-sec-jwt .*PRIVATE_JWT_KEY.*
- matchRegex:
path: spec.template.spec.containers[0].args[1]
pattern: .*./kubectl patch secret test-passbolt-sec-jwt .*PUBLIC_JWT_KEY.*

- it: should have a jwt-secret with smaller weight than jwt secret job
templates:
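Review bot: the tightened patterns check that one patch line carries `PRIVATE_JWT_KEY` and one carries `PUBLIC_JWT_KEY`, but not which data path each goes to, so a regression that swapped the two keys (the shape of the bug #71 fixed) would still pass. Anchor each pattern on its path, e.g. `/data/jwt.key.*PRIVATE_JWT_KEY` and `/data/jwt.pem.*PUBLIC_JWT_KEY`, and escape the dot in `./kubectl` as `\./kubectl`, since an unescaped `.` matches any character.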
@@ -12,6 +12,9 @@ tests:
set:
jwtServerPublic: ""
jwtServerPrivate: ""
jwtCreateKeysForced: true
gpgServerKeyPrivate: "test"
gpgServerKeyPublic: "test"
asserts:
- equal:
path: metadata.annotations["helm.sh/hook"]
File renamed without changes.
46 changes: 46 additions & 0 deletions tests/deployment_jwt_secret_test.yaml
@@ -0,0 +1,46 @@
---
suite: deployment jwt secret
release:
name: test
values:
- values-test.yaml
tests:
- it: should contain a volumes and volumeMounts section for jwt secret
templates:
- deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: test-passbolt-sec-jwt
count: 1
any: true
- contains:
path: spec.template.spec.volumes
content:
name: test-passbolt-sec-jwt
secret:
secretName: test-passbolt-sec-jwt
count: 1
any: true

- it: should use the existing jwt secret if supplied
templates:
- deployment.yaml
set:
jwtExistingSecret: "my-jwt-secret"
asserts:
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
name: my-jwt-secret
count: 1
any: true
- contains:
path: spec.template.spec.volumes
content:
name: my-jwt-secret
secret:
secretName: my-jwt-secret
count: 1
any: true
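Review bot: the two cases cover the volume wiring but not the annotation change in the same commit; add a case asserting `checksum/sec-jwt` is present by default and absent when `jwtExistingSecret` is set, since that is the behaviour an operator rotating keys will run into. Note also that the second case pins `name: my-jwt-secret` as the volume name, so it will need updating if the volume name is kept fixed and only `secretName` is templated.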
@@ -9,21 +9,25 @@ tests:
set:
app.initImage: null # this means emtpy haha
app.database.kind: "postgresql"
postgresqlDependencyEnabled: true
mariadbDependencyEnabled: false
asserts:
- equal:
path: spec.template.spec.initContainers[0].image
value: postgres
- matchRegex:
path: spec.template.spec.initContainers[0].args[1]
pattern: 'client="pg_isready"'
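Review bot: the context comment `# this means emtpy haha` has a typo (`empty`); fix it while adding the dependency flags to this case.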
- it: image should be match what is defined on the app.initImage field and the dbclient should match app.initImage.client
- it: image should match what is defined on the app.initImage field and the dbclient should match app.initImage.client
templates:
- deployment.yaml
set:
app.initImage.repository: databaseImage
app.initImage.tag: test
app.initImage.client: test
app.database.kind: "postgresql"
postgresqlDependencyEnabled: true
mariadbDependencyEnabled: false
asserts:
- equal:
path: spec.template.spec.initContainers[0].image