diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 765b396..542f185 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -58,19 +58,107 @@ Cluster environment {{- end }} {{- end -}} +{{/* +Get the rabbitmq secret. +*/}} +{{- define "pecan.rabbitmq.secretName" -}} +{{- if .Values.rabbitmq.existingPasswordSecret -}} + {{- printf "%s" (tpl .Values.rabbitmq.existingPasswordSecret $) -}} +{{- else -}} + {{ .Release.Name }}-rabbitmq +{{- end -}} +{{- end -}} + +{{/* +Get the rabbitmq secret key. +*/}} +{{- define "pecan.rabbitmq.rabbitmqPasswordSecretKey" -}} +{{- if .Values.rabbitmq.existingPasswordSecret }} + {{- if .Values.rabbitmq.secretKeys.rabbitmqPasswordSecretKey }} + {{- printf "%s" (tpl .Values.rabbitmq.secretKeys.rabbitmqPasswordSecretKey $) -}} + {{- else -}} + {{- "rabbitmq-password" }} + {{- end -}} +{{- else -}} + {{- "rabbitmq-password" }} +{{- end -}} +{{- end -}} + +{{/* +Get the erlang secret. +*/}} +{{- define "pecam.rabbitmq.secretErlangName" -}} + {{- if .Values.rabbitmq.existingErlangSecret -}} + {{- printf "%s" .Values.rabbitmq.existingErlangSecret -}} + {{- else -}} + {{ .Release.Name }}-rabbitmq + {{- end -}} +{{- end -}} + +{{/* +Get the rabbitmq erlangCookie Secret key. +*/}} +{{- define "pecan.rabbitmq.erlangCookieSecretKey" -}} +{{- if .Values.rabbitmq.existingErlangSecret }} + {{- if .Values.rabbitmq.secretKeys.erlangCookieSecretKey }} + {{- printf "%s" (tpl .Values.rabbitmq.secretKeys.erlangCookieSecretKey $) -}} + {{- else -}} + {{- "rabbitmq-erlang-cookie" }} + {{- end -}} +{{- else -}} + {{- "rabbitmq-erlang-cookie" }} +{{- end -}} +{{- end -}} + {{/* RabbitMQ URI environment */}} {{- define "pecan.env.rabbitmq" -}} -- name: RABBITMQ_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-rabbitmq - key: rabbitmq-password - name: RABBITMQ_URI value: "amqp://{{ .Values.rabbitmq.rabbitmq.username }}:$(RABBITMQ_PASSWORD)@{{ .Release.Name }}-rabbitmq/%2F" {{- end -}} +{{/* +Get the betydb secret. 
+*/}} +{{- define "pecan.betydb.secretName" -}} +{{- if .Values.betydb.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.betydb.auth.existingSecret $) -}} +{{- else -}} + {{ .Release.Name }}-betydb +{{- end -}} +{{- end -}} + +{{/* +Get the betyPassword key. +*/}} +{{- define "pecan.betydb.betydbPasswordKey" -}} +{{- if .Values.betydb.auth.existingSecret }} + {{- if .Values.betydb.auth.secretKeys.betydbPasswordKey }} + {{- printf "%s" (tpl .Values.betydb.auth.secretKeys.betydbPasswordKey $) -}} + {{- else -}} + {{- "betyPassword" }} + {{- end -}} +{{- else -}} + {{- "betyPassword" }} +{{- end -}} +{{- end -}} + +{{/* +Get the betydb encryption secret key. +*/}} +{{- define "pecan.betydb.betydbEncryptionSecretKey" -}} +{{- if .Values.betydb.auth.existingSecret }} + {{- if .Values.betydb.auth.secretKeys.betydbEncryptionKey }} + {{- printf "%s" (tpl .Values.betydb.auth.secretKeys.betydbEncryptionKey $) -}} + {{- else -}} + {{- "secretKey" }} + {{- end -}} +{{- else -}} + {{- "secretKey" }} +{{- end -}} +{{- end -}} + {{/* Postgresql Environment for postgres */}} @@ -92,11 +180,6 @@ Postgresql Environment for postgres key: postgresql-password - name: BETYUSER value: {{ .Values.betydb.betyUser | quote }} -- name: BETYPASSWORD - valueFrom: - secretKeyRef: - name: {{ .Release.Name }}-betydb - key: betyPassword - name: BETYDATABASE value: {{ .Values.betydb.betyDatabase | quote }} {{- end -}} diff --git a/templates/add-data.yaml b/templates/add-data.yaml index 76d9982..5d7e7e7 100644 --- a/templates/add-data.yaml +++ b/templates/add-data.yaml @@ -29,6 +29,11 @@ spec: value: {{ .Values.betydb.betyDatabase | quote }} - name: PG_TABLE value: "yields" + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} containers: - name: add-data image: "{{ .Values.image.project }}/data:{{ .Values.image.tag | default .Chart.AppVersion }}" 
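Review bot: The Erlang secret helper in the first templates/_helpers.tpl hunk is defined as `pecam.rabbitmq.secretErlangName`, so an `include "pecan.rabbitmq.secretErlangName"` that follows the naming of the other helpers would fail to render; rename it to `{{- define "pecan.rabbitmq.secretErlangName" -}}`. It also prints `.Values.rabbitmq.existingErlangSecret` directly, while the sibling helpers pass their value through `tpl ... $`, so a templated secret name would work for the password secret but not for the Erlang one. Nothing in the visible hunks includes either Erlang helper, so setting `existingErlangSecret` appears to have no effect yet; that may be handled outside this diff.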
@@ -41,6 +46,11 @@ spec: {{- include "pecan.env.cluster" . | nindent 12 }} - name: PSQL value: "psql -d {{ .Values.betydb.betyDatabase }} -q -t -c" + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} volumes: - name: data persistentVolumeClaim: diff --git a/templates/executor/deployment.yaml b/templates/executor/deployment.yaml index 4aae9f1..9ddb60f 100644 --- a/templates/executor/deployment.yaml +++ b/templates/executor/deployment.yaml @@ -26,6 +26,11 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- include "pecan.env.rabbitmq" . | nindent 12 }} + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.rabbitmq.secretName" . }} + key: {{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" . }} - name: check-postgresql image: "{{ $.Values.image.checks }}" imagePullPolicy: {{ $.Values.image.pullPolicy }} @@ -35,6 +40,11 @@ spec: value: {{ .Values.betydb.betyDatabase | quote }} - name: PG_TABLE value: "yields" + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.project }}/executor:{{ .Values.image.tag | default .Chart.AppVersion }}" 
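Review bot: In templates/executor/deployment.yaml the new `RABBITMQ_PASSWORD` entry is placed after `include "pecan.env.rabbitmq"`, which emits `RABBITMQ_URI` with a `$(RABBITMQ_PASSWORD)` reference. Kubernetes expands `$(VAR)` only from variables defined earlier in the same `env` list, so the URI would keep the literal placeholder and the client would not authenticate with the real password. Move the `- name: RABBITMQ_PASSWORD` block above the `include` line, or keep it inside `pecan.env.rabbitmq` ahead of `RABBITMQ_URI` with `name: {{ include "pecan.rabbitmq.secretName" . }}`. The same ordering appears in the later executor hunk and in the models, monitor, rstudio and web hunks.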
@@ -46,11 +56,21 @@ spec: {{- include "pecan.env.rabbitmq" . | nindent 12 }} {{- include "pecan.env.postgresql" . | nindent 12 }} {{- include "pecan.env.cluster" . | nindent 12 }} + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.rabbitmq.secretName" . }} + key: {{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" . }} - name: SECRET_KEY_BASE valueFrom: secretKeyRef: - name: {{ .Release.Name }}-betydb - key: secretKey + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbEncryptionSecretKey" . }} + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} resources: {{- toYaml .Values.executor.resources | nindent 12 }} volumes: diff --git a/templates/models/deployment.yaml b/templates/models/deployment.yaml index 6243445..fb7cc2e 100644 --- a/templates/models/deployment.yaml +++ b/templates/models/deployment.yaml @@ -42,6 +42,11 @@ spec: mountPath: /data env: {{ $rabbitmqEnv | nindent 12 }} + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.rabbitmq.secretName" . }} + key: {{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" . }} {{- if .env }} {{- toYaml .env | nindent 12 }} {{- end }} diff --git a/templates/monitor/deployment.yaml b/templates/monitor/deployment.yaml index c3d5676..5abda7f 100644 --- a/templates/monitor/deployment.yaml +++ b/templates/monitor/deployment.yaml @@ -26,6 +26,11 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- include "pecan.env.rabbitmq" . | nindent 12 }} + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.rabbitmq.secretName" . }} + key: {{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" . }} - name: check-postgresql image: "{{ $.Values.image.checks }}" imagePullPolicy: {{ .Values.image.pullPolicy }} 
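Review bot: In templates/models/deployment.yaml the helpers are called as `include "pecan.rabbitmq.secretName" .`, but the surrounding lines read `.env` and a precomputed `$rabbitmqEnv`, which suggests `.` is a loop or `with` item here rather than the chart root. If so, `.Values` and `.Release` are not reachable through `.` and the helper fails or renders an empty name; pass the root context instead, `{{ include "pecan.rabbitmq.secretName" $ }}` and `{{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" $ }}`. The rstudio statefulset hunks look the same (`$.Values...`, `.username`) and would need `$` for the betydb helpers too. The enclosing block starts outside the hunk, so confirm against the full template.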
@@ -35,6 +40,11 @@ spec: value: {{ .Values.betydb.betyDatabase | quote }} - name: PG_TABLE value: "yields" + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.project }}/monitor:{{ .Values.image.tag | default .Chart.AppVersion }}" @@ -45,6 +55,16 @@ spec: {{- include "pecan.env.cluster" . | nindent 12 }} - name: RABBITMQ_MGMT_PATH value: {{ .Values.rabbitmq.ingress.path | default "/" | quote }} + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.rabbitmq.secretName" . }} + key: {{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" . }} + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} ports: - name: pecan-monitor containerPort: 9999 diff --git a/templates/rstudio/statefulset.yaml b/templates/rstudio/statefulset.yaml index 4a8be54..0984ada 100644 --- a/templates/rstudio/statefulset.yaml +++ b/templates/rstudio/statefulset.yaml @@ -36,6 +36,11 @@ spec: imagePullPolicy: {{ $.Values.image.pullPolicy }} env: {{- $rabbitmq | nindent 12 }} + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.rabbitmq.secretName" . }} + key: {{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" . }} - name: check-postgresql image: "{{ $.Values.image.checks }}" imagePullPolicy: {{ $.Values.image.pullPolicy }} @@ -45,6 +50,11 @@ spec: value: {{ $betydb }} - name: PG_TABLE value: "yields" + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} containers: - name: rstudio image: "{{ $.Values.image.project }}/base:{{ $.Values.image.tag | default $.Chart.AppVersion }}" 
@@ -57,12 +67,22 @@ spec: {{- $env | nindent 12 }} - name: RABBITMQ_MGMT_PATH value: {{ $.Values.rabbitmq.ingress.path | default "/" | quote }} + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.rabbitmq.secretName" . }} + key: {{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" . }} - name: USER value: {{ .username }} - name: PASSWORD value: {{ .password | quote }} - name: KEEP_ENV value: "RABBITMQ_URI RABBITMQ_PREFIX RABBITMQ_PORT FQDN NAME" + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} ports: - name: rstudio containerPort: 8787 diff --git a/templates/web/deployment.yaml b/templates/web/deployment.yaml index 026c162..37d2b59 100644 --- a/templates/web/deployment.yaml +++ b/templates/web/deployment.yaml @@ -26,6 +26,11 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- include "pecan.env.rabbitmq" . | nindent 12 }} + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.rabbitmq.secretName" . }} + key: {{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" . }} - name: check-postgresql image: "{{ $.Values.image.checks }}" imagePullPolicy: {{ $.Values.image.pullPolicy }} @@ -35,6 +40,11 @@ spec: value: {{ .Values.betydb.betyDatabase | quote }} - name: PG_TABLE value: "yields" + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} - name: check-betydb image: "{{ $.Values.image.checks }}" imagePullPolicy: {{ .Values.image.pullPolicy }} 
@@ -55,11 +65,21 @@ spec: {{- include "pecan.env.rabbitmq" . | nindent 12 }} {{- include "pecan.env.postgresql" . | nindent 12 }} {{- include "pecan.env.cluster" . | nindent 12 }} + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.rabbitmq.secretName" . }} + key: {{ include "pecan.rabbitmq.rabbitmqPasswordSecretKey" . }} - name: SECRET_KEY_BASE valueFrom: secretKeyRef: - name: {{ .Release.Name }}-betydb - key: secretKey + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbEncryptionSecretKey" . }} + - name: BETYPASSWORD + valueFrom: + secretKeyRef: + name: {{ include "pecan.betydb.secretName" . }} + key: {{ include "pecan.betydb.betydbPasswordKey" . }} livenessProbe: tcpSocket: port: pecan-web diff --git a/values.yaml b/values.yaml index 1ca2494..0df2e93 100644 --- a/values.yaml +++ b/values.yaml @@ -91,6 +91,13 @@ betydb: ## path prefix for all applications (betydb is set below) path: /bety/ + ## Use existing bety password as secret + ## Create secret pecan-betydb-old with key betyPassword + auth: + existingSecret: "" + secretKeys: + betydbPasswordKey: "" + betydbEncryptionKey: "" ## ------------------------------------------------------------------------------- ## RABBITMQ APPLICATION ## ------------------------------------------------------------------------------- @@ -105,6 +112,11 @@ rabbitmq: enabled: false hostName: rabbitmq.localhost path: / + existingErlangSecret: "" + existingPasswordSecret: "" + secretKeys: + erlangCookieSecretKey: "" + rabbitmqPasswordSecretKey: "" ## ------------------------------------------------------------------------------- ## INGRESS RULES
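Review bot: The comment above `auth:` in the betydb block of values.yaml names only `betyPassword`, but `SECRET_KEY_BASE` is now read from the same secret via `pecan.betydb.secretName`, so an existing secret that lacks the encryption key would keep those containers from starting. Spell out the contract, e.g. `## existingSecret: name of a pre-created Secret holding both the bety password and the encryption key` and `## secretKeys: key names inside that Secret; empty values fall back to betyPassword and secretKey`. `pecan-betydb-old` reads like a leftover example name and could be dropped or marked as an example.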