From e517a1b8fab7713af92c5fc98bb1f981d16698ae Mon Sep 17 00:00:00 2001
From: lsalfaro
Date: Fri, 6 Sep 2024 16:07:48 +0200
Subject: [PATCH 1/2] Add use of existing secrets for templates for variables ONEUPTIME_SECRET and ENCRYPTION_SECRET
---
 HelmChart/Public/oneuptime/README.md | 6 +++++-
 HelmChart/Public/oneuptime/templates/_helpers.tpl | 15 +++++++++++++++
 HelmChart/Public/oneuptime/values.yaml | 12 ++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/HelmChart/Public/oneuptime/README.md b/HelmChart/Public/oneuptime/README.md
index 3542b6b3f24..0146cd041a6 100644
--- a/HelmChart/Public/oneuptime/README.md
+++ b/HelmChart/Public/oneuptime/README.md
@@ -77,6 +77,10 @@ The following table lists the configurable parameters of the OneUptime chart and
 | `global.storageClass` | Storage class to be used for all persistent volumes | `nil` | 🚨 |
 | `host` | Hostname for the ingress | `localhost` | 🚨 |
 | `httpProtocol` | If the server is hosted with SSL/TLS cert then change this value to https | `http` | 🚨 |
+
+| `oneuptimeSecret` | Value used to define ONEUPTIME_SECRET | `nil` | |
+| `encryptionSecret` | Value used to define ENCRYPTION_SECRET | `nil` | |
+
 | `global.clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | |
 | `image.registry` | Docker image registry | `docker.io` | |
 | `image.repository` | Docker image repository | `oneuptime` | |
@@ -307,7 +311,7 @@ Please do the same for Redis and Clickhouse.
 
 - [ ] Please make sure you have a backups enabled for your PVCs. This is outside the scope of this chart. Please refer to your cloud provider's documentation on how to enable backups for PVCs.
 - [ ] Please make sure you have static passwords for your database passswords (for redis, clickhouse and postgres). You can refer to Bitnami documentation on how to set static passwords for these databases.
-- [ ] Please set `oneuptimeSecret` and `encryptionSecret` to a long random string. You can use a password generator to generate these strings.
+- [ ] Please set `oneuptimeSecret` and `encryptionSecret` (or setup in `externalSecrets` section) to a long random string. You can use a password generator to generate these strings.
 - [ ] Please set `probes..key` to a long random string. This is used to secure your probes.
 - [ ] Please regularly update OneUptime. We release updates every day. We recommend you to update the software aleast once a week if you're running OneUptime production.
 
diff --git a/HelmChart/Public/oneuptime/templates/_helpers.tpl b/HelmChart/Public/oneuptime/templates/_helpers.tpl
index b0bb5088d7c..0f36ac21936 100644
--- a/HelmChart/Public/oneuptime/templates/_helpers.tpl
+++ b/HelmChart/Public/oneuptime/templates/_helpers.tpl
@@ -97,11 +97,19 @@ Usage:
 {{- if $.Values.oneuptimeSecret }}
 value: {{ $.Values.oneuptimeSecret }}
 {{- else }}
+
+ {{- if $.Values.externalSecrets.oneuptimeSecret.existingSecret.name }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s" $.Values.externalSecrets.oneuptimeSecret.existingSecret.name }}
+ key: {{ $.Values.externalSecrets.oneuptimeSecret.existingSecret.passwordKey }}
+ {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ printf "%s-%s" $.Release.Name "secrets" }}
 key: oneuptime-secret
 {{- end }}
+ {{- end }}
 {{- end }}
 
 {{- define "oneuptime.env.commonServer" }}
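Review bot: The new `key:` line in the `externalSecrets` branch renders with no value when `existingSecret.passwordKey` is left at its values.yaml default, because the added condition tests only `existingSecret.name`; `secretKeyRef.key` is mandatory, so the mistake surfaces as an API validation error at apply time instead of a clear template error. Guard it and quote both scalars so a key name that happens to look like a number or boolean is not retyped by the YAML parser: `name: {{ $.Values.externalSecrets.oneuptimeSecret.existingSecret.name | quote }}` and `key: {{ required "externalSecrets.oneuptimeSecret.existingSecret.passwordKey must be set when existingSecret.name is set" $.Values.externalSecrets.oneuptimeSecret.existingSecret.passwordKey | quote }}`. The nested `{{- else }}` / `{{- if … }}` pair with its extra `{{- end }}` could be flattened to a single `{{- else if $.Values.externalSecrets.oneuptimeSecret.existingSecret.name }}`, which lets the three-way fallback (inline value, existing Secret, chart-generated `<release>-secrets`) read in one pass. The `define` that emits this env entry starts before the hunk.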
@@ -124,11 +132,18 @@ Usage:
 {{- if $.Values.encryptionSecret }}
 value: {{ $.Values.encryptionSecret }}
 {{- else }}
+ {{- if $.Values.externalSecrets.encryptionSecret.existingSecret.name }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s" $.Values.externalSecrets.encryptionSecret.existingSecret.name }}
+ key: {{ $.Values.externalSecrets.encryptionSecret.existingSecret.passwordKey }}
+ {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ printf "%s-%s" $.Release.Name "secrets" }}
 key: encryption-secret
 {{- end }}
+ {{- end }}
 
 - name: CLICKHOUSE_USER
 {{- if $.Values.clickhouse.enabled }}
diff --git a/HelmChart/Public/oneuptime/values.yaml b/HelmChart/Public/oneuptime/values.yaml
index a70e48983f1..20d9120f5d0 100644
--- a/HelmChart/Public/oneuptime/values.yaml
+++ b/HelmChart/Public/oneuptime/values.yaml
@@ -11,6 +11,18 @@ httpProtocol: http
 oneuptimeSecret:
 encryptionSecret:
 
+# External Secrets
+# You need to leave blank oneuptimeSecret and encryptionSecret to use this section
+externalSecrets:
+ oneuptimeSecret:
+ existingSecret:
+ name:
+ passwordKey:
+ encryptionSecret:
+ existingSecret:
+ name:
+ passwordKey:
+
 # (Optional): You usually do not need to set this if you're self hosting.
 openTelemetryCollectorHost:
 fluentdHost:
From 2e962d918ccf61f63352cef4f4956ebec6887b36 Mon Sep 17 00:00:00 2001
From: lsalfaro
Date: Fri, 6 Sep 2024 16:20:36 +0200
Subject: [PATCH 2/2] Remove format to string using print
---
 HelmChart/Public/oneuptime/templates/_helpers.tpl | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/HelmChart/Public/oneuptime/templates/_helpers.tpl b/HelmChart/Public/oneuptime/templates/_helpers.tpl
index 0f36ac21936..e1bb441ed7e 100644
--- a/HelmChart/Public/oneuptime/templates/_helpers.tpl
+++ b/HelmChart/Public/oneuptime/templates/_helpers.tpl
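Review bot: The `encryptionSecret` branch has the same gap as its `oneuptimeSecret` twin: the added `{{- if … existingSecret.name }}` never checks `existingSecret.passwordKey`, so a values file that sets only the Secret name renders `key:` with no value and the Pod spec is rejected at apply time. `key: {{ required "externalSecrets.encryptionSecret.existingSecret.passwordKey must be set when existingSecret.name is set" $.Values.externalSecrets.encryptionSecret.existingSecret.passwordKey | quote }}` turns that into a template-time error with a usable message; ENCRYPTION_SECRET is presumably the key application data is encrypted under, so a misdirected reference here is worth catching as early as possible. The block is a line-for-line copy of the one above it with three identifiers changed; if a third secret ever follows the pattern, a named template taking the values sub-map and the default key name would keep the copies from drifting. The enclosing `define` and the env list this entry belongs to start before the hunk.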
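Review bot: The new header comment says to leave `oneuptimeSecret` and `encryptionSecret` blank but not what the blank `name:`/`passwordKey:` defaults mean or how the three sources rank; from `_helpers.tpl`, an inline value always wins, `existingSecret.name` alone selects the external Secret, and both blank fall back to the chart-generated `<release>-secrets`. I would replace the two comment lines with `# External Secrets: reference Secrets you manage yourself (must exist in the release namespace before the pods start).` / `# Precedence: inline oneuptimeSecret/encryptionSecret > existingSecret > chart-generated <release>-secrets.` / `# Both existingSecret.name and existingSecret.passwordKey must be set together.` The bare `name:` and `passwordKey:` parse as null, which matches how the file already writes `oneuptimeSecret:` and is what the template's `if` expects, so they are fine as defaults; `""` would read the same way if you prefer an explicit string shape.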
@@ -97,11 +97,10 @@ Usage:
 {{- if $.Values.oneuptimeSecret }}
 value: {{ $.Values.oneuptimeSecret }}
 {{- else }}
-
 {{- if $.Values.externalSecrets.oneuptimeSecret.existingSecret.name }}
 valueFrom:
 secretKeyRef:
- name: {{ printf "%s" $.Values.externalSecrets.oneuptimeSecret.existingSecret.name }}
+ name: {{ $.Values.externalSecrets.oneuptimeSecret.existingSecret.name }}
 key: {{ $.Values.externalSecrets.oneuptimeSecret.existingSecret.passwordKey }}
 {{- else }}
 valueFrom:
@@ -135,7 +134,7 @@ Usage:
 {{- if $.Values.externalSecrets.encryptionSecret.existingSecret.name }}
 valueFrom:
 secretKeyRef:
- name: {{ printf "%s" $.Values.externalSecrets.encryptionSecret.existingSecret.name }}
+ name: {{ $.Values.externalSecrets.encryptionSecret.existingSecret.name }}
 key: {{ $.Values.externalSecrets.encryptionSecret.existingSecret.passwordKey }}
 {{- else }}
 valueFrom:
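Review bot: Swapping `printf "%s" …` for the bare expansion leaves the rendered YAML unchanged, but neither form does what the `printf` was presumably reaching for, which is to emit the Secret name as a string; the Helm idiom for that is `name: {{ $.Values.externalSecrets.oneuptimeSecret.existingSecret.name | quote }}`, and the same applies to the `key:` line beneath it, where an unquoted key such as `1234` or `on` would be retyped by the YAML parser and rejected when decoded into the string field. Dropping the stray blank `+` line after `{{- else }}` is a good cleanup. The second hunk of this patch makes the identical change for `encryptionSecret`, and the same `| quote` note applies there. Both `define` blocks start before their hunks.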