Skip to content

Commit

Permalink
Secrets consistency for the chart. Bugfixing.
Browse files Browse the repository at this point in the history
- Enabling existing secrets for external MySQL and Redis
- Tolerate existing secrets for bundled charts.
- README.md: secrets handling explained.
- Fixed multiple bugs where missing required field was replaced with
  default instead of failing.
- PHONE_NOTIFICATIONS_LIMIT was on the wrong level: it was not set if
  existingSecret was true.

Next are the cosmetic changes. They improve chart consistency, e.g.
prevent generation of multiple new lines in certain cases:
- Common approach to spaces trimming. This typically allows curly blocks
  and actual strings indentation and nice `nindent` usage:
  - Two curly blocks should not trim the same space. I.e.
    "{{ ... -}} {{- ... }}" shouldn't happen.
  - Template generates either single line or multiline string. In both
    cases, no new line appears on both sides of the output string. So we
    delete unnecessary new lines inside and at the end of string with
    "trim-to-left" (`{{-` ) and the leading new line using
    "trim-to-right" (`-}}`).
    Note that trimming both leading and trailing new line is not
    always easily possible:
    Masterminds/sprig#357

    Example.

    ```
    {{- define "mytemplate" -}}
    {{ if someBoolean -}}
      {{ .Value.some }}
    {{- else -}}
      some string
    {{- end }}
    {{- end }}
    ```

- `template` replaced with `include`. It is often recommended to use
  `include` by default, as it allows pipelining.
  • Loading branch information
ksa-real committed Jun 22, 2023
1 parent 2cdab7e commit 293352f
Show file tree
Hide file tree
Showing 15 changed files with 480 additions and 294 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

### Added

- Secrets consistency for the chart. Bugfixing [#1016](https://github.com/grafana/oncall/pull/1016)
- Make it possible to completely delete a rotation oncall [1505](https://github.com/grafana/oncall/issues/1505)
- Polish rotation modal form oncall [1506](https://github.com/grafana/oncall/issues/1506)
- Quick actions when editing a schedule oncall [1507](https://github.com/grafana/oncall/issues/1507)
Expand Down
106 changes: 106 additions & 0 deletions helm/oncall/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,112 @@ helm upgrade \
grafana/oncall
```
### Passwords and external secrets
As OnCall subcharts are Bitname charts, there is a common approach to secrets. Bundled charts allow specifying passwords
in values.yaml explicitly or as K8s secret value. OnCall chart refers either to secret created in sub-chart or
to specified external secret.
Similarly, if component chart is disabled, the password(s) can be supplied in `external<Component>` value
(e.g. externalMysql) explicitly or as K8s secret value. In the first case, the secret is created with the specified
value. In the second case the external secret is used.
- If `<subchart>.auth.existingSecret` is non-empty, then this secret is used. Secret keys are pre-defined by chart.
- If subchart supports password files and `<subchart>.customPasswordFiles` dictionary is non-empty, then password files
are used. Dictionary keys are pre-defined per sub-chart. Password files are not supported by OnCall chart and should
not be used with bundled sub-charts.
- Passwords are specified via `auth` section values, e.g. `auth.password`. K8s secret is created.
- If `<subchart>.auth.forcePassword` is `true`, then passwords MUST be specified. Otherwise, missing passwords
are generated.
If external component is used instead of the bundled one:
- If existingSecret within appropriate external component values is non-empty (e.g. `externalMysql.existingSecret`) then
it is used together with corresponding key names, e.g. `externalMysql.passwordKey`.
- Otherwise, corresponding password values are used, e.g. `externalMysql.password`. K8s secret is created by OnCall chart.
Below is the summary for the dependent charts.
MySQL/MariaDB:
```yaml
database:
type: "mysql" # This is default
mariaDB:
enabled: true # Default
auth:
existingSecret: ""
forcePassword: false
# Secret name: `<release>-mariadb`
rootPassword: "" # Secret key: mariadb-root-password
password: "" # Secret key: mariadb-password
replicationPassword: "" # Secret key: mariadb-replication-password
externalMysql:
password: ""
existingSecret: ""
passwordKey: ""
```
Postgres:
```yaml
database:
type: postgresql
mariadb:
enabled: false # Must be set to false for Postgres
postgresql:
enabled: true # Must be set to true for bundled Postgres
auth:
existingSecret: ""
secretKeys:
adminPasswordKey: ""
userPasswordKey: "" # Not needed
replicationPasswordKey: "" # Not needed with disabled replication
# Secret name: `<release>-postgresql`
postgresPassword: "" # password for admin user postgres. As non-admin user is not created, only this one is relevant.
password: "" # Not needed
replicationPassword: "" # Not needed with disabled replication
externalPostgresql:
user: ""
password: ""
existingSecret: ""
passwordKey: ""
```
Rabbitmq:
```yaml
rabbitmq:
enabled: true
auth:
existingPasswordSecret: "" # Must contain `rabbitmq-password` key
existingErlangSecret: "" # Must contain `rabbitmq-erlang-cookie` key
# Secret name: `<release>-rabbitmq`
password: ""
erlangCookie: ""
externalRabbitmq:
user: ""
password: ""
existingSecret: ""
passwordKey: ""
usernameKey: ""
```
Redis:
```yaml
redis:
enabled: true
auth:
existingSecret: ""
existingSecretPasswordKey: ""
# Secret name: `<release>-redis`
password: ""
externalRedis:
password: ""
existingSecret: ""
passwordKey: ""
```
### Set up Slack and Telegram
You can set up Slack connection via following variables:
Expand Down
Loading

0 comments on commit 293352f

Please sign in to comment.