From 8872abb806d0d71ee88e62038724fb0334f3a317 Mon Sep 17 00:00:00 2001
From: Dominik Ruf
Date: Mon, 15 May 2023 09:21:03 +0200
Subject: [PATCH] store opensearch-dashboards configs in Secret (#426)

opensearch_dashboards.yml contains values like opensearch.password or opensearch_security.openid.client_secret which should be stored in Secrets rather than ConfigMaps.

Signed-off-by: Dominik Ruf
---
 charts/opensearch-dashboards/CHANGELOG.md | 1 +
 charts/opensearch-dashboards/README.md | 2 +-
 .../templates/configmap.yaml | 16 ----------------
 .../templates/deployment.yaml | 8 ++++----
 .../opensearch-dashboards/templates/secret.yaml | 17 +++++++++++++++++
 5 files changed, 23 insertions(+), 21 deletions(-)
 delete mode 100644 charts/opensearch-dashboards/templates/configmap.yaml
 create mode 100644 charts/opensearch-dashboards/templates/secret.yaml

diff --git a/charts/opensearch-dashboards/CHANGELOG.md b/charts/opensearch-dashboards/CHANGELOG.md
index 5e726ae1..c5f3982d 100644
--- a/charts/opensearch-dashboards/CHANGELOG.md
+++ b/charts/opensearch-dashboards/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - Added support for pod topology spread constraints in Dashboards
+- store opensearch-dashboards configs in Secret (#426)
 ### Changed
 ### Deprecated
 ### Removed
diff --git a/charts/opensearch-dashboards/README.md b/charts/opensearch-dashboards/README.md
index ebd356bd..747f39c3 100644
--- a/charts/opensearch-dashboards/README.md
+++ b/charts/opensearch-dashboards/README.md
@@ -84,7 +84,7 @@
 | `startupProbe` | Configuration fields for the startup [probe][] | see [exampleStartup][] in `values.yaml` |
 | `plugins.enabled` | Allow/disallow to add 3rd Party / Custom plugins not offered in the default OpenSearchDashboards image | false |
 | `plugins.installList` | Array containing the Opensearch Dashboards plugins to be installed in container | [] |
-| `opensearchDashboardsYml.defaultMode` | Allow you to set the defaultMode for the opensearch_dashboards.yml mounted as configMap | |
+| `opensearchDashboardsYml.defaultMode` | Allow you to set the defaultMode for the opensearch_dashboards.yml mounted as Secret | |
 | `dashboardAnnotations` | Allows you to configure custom annotation in the deployement of the OpenSearchDashboards container | {} |
 
 [probe]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
diff --git a/charts/opensearch-dashboards/templates/configmap.yaml b/charts/opensearch-dashboards/templates/configmap.yaml
deleted file mode 100644
index ce335863..00000000
--- a/charts/opensearch-dashboards/templates/configmap.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{- if .Values.config -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "opensearch-dashboards.fullname" . }}-config
- labels: {{ include "opensearch-dashboards.labels" . | nindent 4 }}
-data:
-{{- range $configName, $configYaml := .Values.config }}
- {{ $configName }}: |
- {{- if eq (kindOf $configYaml) "map" }}
- {{- tpl (toYaml $configYaml) $ | nindent 4 }}
- {{- else }}
- {{- tpl $configYaml $ | nindent 4 -}}
- {{- end -}}
-{{- end -}}
-{{- end -}}
diff --git a/charts/opensearch-dashboards/templates/deployment.yaml b/charts/opensearch-dashboards/templates/deployment.yaml
index f1d4916a..c323c258 100644
--- a/charts/opensearch-dashboards/templates/deployment.yaml
+++ b/charts/opensearch-dashboards/templates/deployment.yaml
@@ -27,9 +27,9 @@ spec:
 {{- range $key, $value := .Values.podAnnotations }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
- {{- /* This forces a restart if the configmap has changed */}}
+ {{- /* This forces a restart if the secret has changed */}}
 {{- if .Values.config }}
- configchecksum: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
+ configchecksum: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum | trunc 63 }}
 {{- end }}
 spec:
 {{- if .Values.priorityClassName }}
@@ -49,8 +49,8 @@ spec:
 {{- end }}
 {{- if .Values.config }}
 - name: config
- configMap:
- name: {{ template "opensearch-dashboards.fullname" . }}-config
+ secret:
+ secretName: {{ template "opensearch-dashboards.fullname" . }}-config
 {{- if .Values.opensearchDashboardsYml.defaultMode }}
 defaultMode: {{ .Values.opensearchDashboardsYml.defaultMode }}
 {{- end }}
diff --git a/charts/opensearch-dashboards/templates/secret.yaml b/charts/opensearch-dashboards/templates/secret.yaml
new file mode 100644
index 00000000..d0733895
--- /dev/null
+++ b/charts/opensearch-dashboards/templates/secret.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.config -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "opensearch-dashboards.fullname" . }}-config
+ labels: {{ include "opensearch-dashboards.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+{{- range $secretName, $secretYaml := .Values.config }}
+ {{ $secretName }}: |
+ {{- if eq (kindOf $secretYaml) "map" }}
+ {{- tpl (toYaml $secretYaml) $ | nindent 4 }}
+ {{- else }}
+ {{- tpl $secretYaml $ | nindent 4 -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
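Review bot: The `configchecksum` annotation in the first deployment.yaml hunk (-27,9) now hashes the rendered secret.yaml, so an unsalted SHA-256 digest of the whole config, credentials included, lands in the pod template. Read access to Deployments and Pods is usually granted more widely than read access to Secrets, and a low-entropy `opensearch.password` inside an otherwise predictable config could be checked against that digest. I would state the trade-off next to the annotation, for example `{{- /* Forces a restart when the secret changes. The digest is visible to anyone who can read the Deployment, so use high-entropy credentials in .Values.config */}}`. The pod template continues outside the hunk.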
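Review bot: In the second deployment.yaml hunk (-49,8) the new `secret:` volume only sets `defaultMode` when `opensearchDashboardsYml.defaultMode` is given, so otherwise Kubernetes applies its default of 0644 and the mounted file is readable by every user inside the container. Now that the file is treated as secret material, a mode without world-read access should be recommended or made the default; which value works depends on the container's runAsUser/fsGroup, which are not visible in this hunk. At minimum I would add a comment above the condition, `{{- /* Secret volumes default to mode 0644; set opensearchDashboardsYml.defaultMode to restrict who can read the file inside the container */}}`, and say the same in the README row for that value.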
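Review bot: In the new secret.yaml every entry of `.Values.config` is still passed through `tpl` (`tpl $secretYaml $` and `tpl (toYaml $secretYaml) $`), and the values this commit targets are credentials, which are more likely than ordinary settings to contain template delimiters; such a password or client secret would be altered or make rendering fail. The behaviour is inherited from the deleted configmap.yaml, but it deserves a comment at the top of the new file, for example `{{- /* Values under .Values.config are rendered with tpl; credentials containing template delimiters must be escaped by the chart user */}}`. As a matter of style, the loop variables `$secretName`/`$secretYaml` hold a config file name and its content rather than a secret's name, so `$fileName`/`$fileContent` would read better.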