Feature: dynamic secret loading (#148)

uselagoon · Nov 29, 2022 · 178e99f · 178e99f
1 parent de40456
commit 178e99f
Show file tree

Hide file tree

Showing 54 changed files with 358 additions and 25 deletions.
diff --git a/legacy/build-deploy-docker-compose.sh b/legacy/build-deploy-docker-compose.sh
@@ -1356,6 +1356,9 @@ do
   # handle spot configurations
   . /kubectl-build-deploy/scripts/exec-spot-generation.sh
 
+  # handle dynamically added secrets
+  . /kubectl-build-deploy/scripts/exec-dynamic-secret-volumes.sh
+
 # TODO: we don't need this anymore
   # DEPLOYMENT_STRATEGY=$(cat $DOCKER_COMPOSE_YAML | shyaml get-value services.$COMPOSE_SERVICE.labels.lagoon\\.deployment\\.strategy false)
   # if [ ! $DEPLOYMENT_STRATEGY == "false" ]; then

diff --git a/legacy/helmcharts/basic-persistent/templates/deployment.yaml b/legacy/helmcharts/basic-persistent/templates/deployment.yaml
@@ -34,6 +34,9 @@ spec:
         - name: {{ include "basic-persistent.persistentStorageName" . }}
           persistentVolumeClaim:
             claimName: {{ include "basic-persistent.persistentStorageName" . }}
+        {{- if .Values.dynamicSecretVolumes }}
+          {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+        {{- end }}
       priorityClassName: {{ include "basic-persistent.lagoonPriority" . }}
       enableServiceLinks: false
       securityContext:
@@ -70,6 +73,9 @@ spec:
           volumeMounts:
             - name: {{ include "basic-persistent.persistentStorageName" . }}
               mountPath: {{ .Values.persistentStorage.path | quote }}
+          {{- if .Values.dynamicSecretMounts }}
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/legacy/helmcharts/basic-persistent/values.yaml b/legacy/helmcharts/basic-persistent/values.yaml
@@ -64,4 +64,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/basic/templates/deployment.yaml b/legacy/helmcharts/basic/templates/deployment.yaml
@@ -34,6 +34,10 @@ spec:
       enableServiceLinks: false
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- if .Values.dynamicSecretVolumes }}
+      volumes:
+        {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+      {{- end }}
       containers:
         - image: {{ .Values.image | quote }}
           name: {{ .Chart.Name }}
@@ -67,6 +71,10 @@ spec:
                 name: lagoon-env
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- if .Values.dynamicSecretMounts }}
+          volumeMounts:
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/legacy/helmcharts/basic/values.yaml b/legacy/helmcharts/basic/values.yaml
@@ -61,4 +61,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/cli-persistent/templates/deployment.yaml b/legacy/helmcharts/cli-persistent/templates/deployment.yaml
@@ -40,6 +40,9 @@ spec:
             claimName: {{ .Values.persistentStorage.name }}
         - name: {{ include "cli-persistent.twig-storage.name" . | quote }}
           emptyDir: {}
+      {{- if .Values.dynamicSecretVolumes }}
+        {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+      {{- end }}
       priorityClassName: {{ include "cli-persistent.lagoonPriority" . }}
       enableServiceLinks: false
       securityContext:
@@ -70,6 +73,9 @@ spec:
               mountPath: {{ .Values.persistentStorage.path | quote }}
             - name: {{ include "cli-persistent.twig-storage.name" . | quote }}
               mountPath: {{ include "cli-persistent.twig-storage.path" . | quote }}
+          {{- if .Values.dynamicSecretMounts }}
+          {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           readinessProbe:

diff --git a/legacy/helmcharts/cli-persistent/values.yaml b/legacy/helmcharts/cli-persistent/values.yaml
@@ -58,4 +58,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/cli/templates/deployment.yaml b/legacy/helmcharts/cli/templates/deployment.yaml
@@ -39,6 +39,9 @@ spec:
           secret:
             defaultMode: 420
             secretName: lagoon-sshkey
+      {{- if .Values.dynamicSecretVolumes }}
+        {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+      {{- end }}
       containers:
         - image: {{ .Values.image | quote }}
           name: {{ include "cli.fullname" . }}
@@ -63,6 +66,9 @@ spec:
             - mountPath: /var/run/secrets/lagoon/sshkey/
               name: lagoon-sshkey
               readOnly: true
+          {{- if .Values.dynamicSecretMounts }}
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
           readinessProbe:
             initialDelaySeconds: 5
             periodSeconds: 2

diff --git a/legacy/helmcharts/cli/values.yaml b/legacy/helmcharts/cli/values.yaml
@@ -56,4 +56,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/elasticsearch/templates/deployment.yaml b/legacy/helmcharts/elasticsearch/templates/deployment.yaml
@@ -36,6 +36,9 @@ spec:
         - name: {{ include "elasticsearch.persistentStorageName" . }}
           persistentVolumeClaim:
             claimName: {{ include "elasticsearch.persistentStorageName" . }}
+      {{- if .Values.dynamicSecretVolumes }}
+        {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+      {{- end }}
       priorityClassName: {{ include "elasticsearch.lagoonPriority" . }}
       enableServiceLinks: false
       securityContext:
@@ -85,5 +88,8 @@ spec:
           volumeMounts:
             - name: {{ include "elasticsearch.persistentStorageName" . }}
               mountPath: {{ .Values.persistentStorage.path | quote }}
+          {{- if .Values.dynamicSecretMounts }}
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
diff --git a/legacy/helmcharts/elasticsearch/values.yaml b/legacy/helmcharts/elasticsearch/values.yaml
@@ -58,4 +58,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/kibana/templates/deployment.yaml b/legacy/helmcharts/kibana/templates/deployment.yaml
@@ -31,6 +31,10 @@ spec:
     {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+    {{- if .Values.dynamicSecretVolumes }}
+      volumes:
+        {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+    {{- end }}
       containers:
         - image: {{ .Values.image | quote }}
           name: {{ .Chart.Name }}
@@ -61,6 +65,10 @@ spec:
             periodSeconds: 10
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- if .Values.dynamicSecretMounts }}
+          volumeMounts:
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/legacy/helmcharts/kibana/values.yaml b/legacy/helmcharts/kibana/values.yaml
@@ -84,4 +84,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/logstash/templates/deployment.yaml b/legacy/helmcharts/logstash/templates/deployment.yaml
@@ -31,6 +31,10 @@ spec:
     {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+    {{- if .Values.dynamicSecretVolumes }}
+      volumes:
+      {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+    {{- end }}
       containers:
         - name: {{ .Chart.Name | quote }}
           securityContext:
@@ -63,6 +67,10 @@ spec:
             periodSeconds: 10
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          {{- if .Values.dynamicSecretMounts }}
+          volumeMounts:
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/legacy/helmcharts/logstash/values.yaml b/legacy/helmcharts/logstash/values.yaml
@@ -74,4 +74,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/mariadb-single/templates/deployment.yaml b/legacy/helmcharts/mariadb-single/templates/deployment.yaml
@@ -37,6 +37,9 @@ spec:
         - name: {{ include "mariadb-single.fullname" . }}
           persistentVolumeClaim:
             claimName: {{ include "mariadb-single.fullname" . }}
+      {{- if .Values.dynamicSecretVolumes }}
+        {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
@@ -69,6 +72,9 @@ spec:
           volumeMounts:
             - name: {{ include "mariadb-single.fullname" . }}
               mountPath: {{ .Values.persistentStorage.path | quote }}
+          {{- if .Values.dynamicSecretMounts }}
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/legacy/helmcharts/mariadb-single/values.yaml b/legacy/helmcharts/mariadb-single/values.yaml
@@ -82,4 +82,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/mongodb-single/templates/deployment.yaml b/legacy/helmcharts/mongodb-single/templates/deployment.yaml
@@ -37,6 +37,9 @@ spec:
         - name: {{ include "mongodb-single.fullname" . }}
           persistentVolumeClaim:
             claimName: {{ include "mongodb-single.fullname" . }}
+      {{- if .Values.dynamicSecretVolumes }}
+        {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
@@ -64,6 +67,9 @@ spec:
           volumeMounts:
             - name: {{ include "mongodb-single.fullname" . }}
               mountPath: {{ .Values.persistentStorage.path | quote }}
+          {{- if .Values.dynamicSecretMounts }}
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/legacy/helmcharts/mongodb-single/values.yaml b/legacy/helmcharts/mongodb-single/values.yaml
@@ -82,4 +82,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/nginx-php-persistent/templates/deployment.yaml b/legacy/helmcharts/nginx-php-persistent/templates/deployment.yaml
@@ -36,6 +36,9 @@ spec:
             claimName: {{ include "nginx-php-persistent.persistentStorageName" . }}
         - name: {{ include "nginx-php-persistent.twig-storage.name" . | quote }}
           emptyDir: {}
+      {{- if .Values.dynamicSecretVolumes }}
+        {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+      {{- end }}
       priorityClassName: {{ include "nginx-php-persistent.lagoonPriority" . }}
       enableServiceLinks: false
       securityContext:
@@ -102,6 +105,9 @@ spec:
           volumeMounts:
             - name: {{ include "nginx-php-persistent.persistentStorageName" . }}
               mountPath: {{ .Values.persistentStorage.path | quote }}
+          {{- if .Values.dynamicSecretMounts }}
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources.nginx | nindent 12 }}
 
@@ -136,6 +142,9 @@ spec:
               mountPath: {{ .Values.persistentStorage.path | quote }}
             - name: {{ include "nginx-php-persistent.twig-storage.name" . | quote }}
               mountPath: {{ include "nginx-php-persistent.twig-storage.path" . | quote }}
+          {{- if .Values.dynamicSecretMounts }}
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources.php | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/legacy/helmcharts/nginx-php-persistent/values.yaml b/legacy/helmcharts/nginx-php-persistent/values.yaml
@@ -74,4 +74,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []
diff --git a/legacy/helmcharts/nginx-php/templates/deployment.yaml b/legacy/helmcharts/nginx-php/templates/deployment.yaml
@@ -34,6 +34,10 @@ spec:
       enableServiceLinks: false
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+    {{- if .Values.dynamicSecretVolumes }}
+      volumes:
+        {{- toYaml .Values.dynamicSecretVolumes | nindent 8 }}
+    {{- end }}
       containers:
         - image: {{ .Values.images.nginx | quote }}
           name: "nginx"
@@ -69,6 +73,10 @@ spec:
                 name: lagoon-env
           resources:
             {{- toYaml .Values.resources.nginx | nindent 12 }}
+          {{- if .Values.dynamicSecretMounts }}
+          volumeMounts:
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
 
         - image: {{ .Values.images.php | quote }}
           name: "php"
@@ -98,6 +106,10 @@ spec:
               value: '127.0.0.1'
           resources:
             {{- toYaml .Values.resources.php | nindent 12 }}
+          {{- if .Values.dynamicSecretMounts }}
+          volumeMounts:
+            {{- toYaml .Values.dynamicSecretMounts | nindent 12 }}
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/legacy/helmcharts/nginx-php/values.yaml b/legacy/helmcharts/nginx-php/values.yaml
@@ -71,4 +71,8 @@ configMapSha: ""
 
 useSpot: false
 
-cronjobUseSpot: false
+cronjobUseSpot: false
+
+dynamicSecretMounts: []
+
+dynamicSecretVolumes: []