
feat(helm): postgres credentials moved to secret (#563)
* Postgres credentials moved to secret

* Update charts/kubeclarity/templates/deployment.yaml

Co-authored-by: Sam Betts <[email protected]>

* Variable assignment simplified

* trailing spaces removed

* defaults removed from the DB envs

Defaults are already defined in values.yaml and are not optional.

* defaults removed from the DB envs

---------

Co-authored-by: Fabian Hirscher <[email protected]>
Co-authored-by: Sam Betts <[email protected]>
Co-authored-by: Fabian Hirscher <[email protected]>
4 people authored Dec 26, 2023
1 parent 6ef30a4 commit d485744
Showing 3 changed files with 82 additions and 20 deletions.
65 changes: 48 additions & 17 deletions charts/kubeclarity/templates/deployment.yaml
Expand Up @@ -4,19 +4,14 @@
{{- end }}
{{- end }}
{{- $secretKey := index .Values "kubeclarity-postgresql-secret" "secretKey" -}}
{{- $usernameKey := index .Values "kubeclarity-postgresql-secret" "usernameKey" -}}
{{- $hostKey := index .Values "kubeclarity-postgresql-secret" "hostKey" -}}
{{- $portKey := index .Values "kubeclarity-postgresql-secret" "portKey" -}}
{{- $databaseKey := index .Values "kubeclarity-postgresql-secret" "databaseKey" -}}
{{- $sslmodeKey := index .Values "kubeclarity-postgresql-secret" "sslmodeKey" -}}
{{- $secretName := index .Values "kubeclarity-postgresql" "auth" "existingSecret" -}}
{{- $dbHost := print (include "kubeclarity.name" .) "-postgresql" -}}
{{- $dbPort := index .Values "kubeclarity-postgresql" "service" "ports" "postgresql" -}}
{{- $dbUser := index .Values "kubeclarity-postgresql" "auth" "username" -}}
{{- $dbName := index .Values "kubeclarity-postgresql" "auth" "database" -}}
{{- $dbSSLMode := index .Values "kubeclarity-postgresql" "auth" "sslMode" -}}
{{ if index .Values "kubeclarity-postgresql-external" "enabled" }}
{{- $secretName = index .Values "kubeclarity-postgresql-external" "auth" "existingSecret" -}}
{{- $dbHost = index .Values "kubeclarity-postgresql-external" "auth" "host" -}}
{{- $dbPort = index .Values "kubeclarity-postgresql-external" "auth" "port" -}}
{{- $dbUser = index .Values "kubeclarity-postgresql-external" "auth" "username" -}}
{{- $dbName = index .Values "kubeclarity-postgresql-external" "auth" "database" -}}
{{- $dbSSLMode = index .Values "kubeclarity-postgresql-external" "auth" "sslMode" -}}
{{ end }}
{{- $affinity := (coalesce .Values.kubeclarity.affinity .Values.global.affinity) -}}
{{- $nodeSelector := (coalesce .Values.kubeclarity.nodeSelector .Values.global.nodeSelector) -}}
Expand Down Expand Up @@ -50,8 +45,29 @@ spec:
initContainers:
- name: '{{ include "kubeclarity.name" . }}-wait-for-pg-db'
image: {{ index .Values "kubeclarity-postgresql" "image" "registry" }}/{{ index .Values "kubeclarity-postgresql" "image" "repository" }}:{{ index .Values "kubeclarity-postgresql" "image" "tag" }}
command: ['sh', '-c', 'until pg_isready -h {{ $dbHost }} -p {{ $dbPort }} -U {{ $dbUser | quote }} -d "dbname={{ $dbName }}";
command: ['sh', '-c', 'until pg_isready -h "$DB_HOST" -p "$DB_PORT_NUMBER" -U "$DB_USER" -d "dbname=$DB_NAME";
do echo waiting for database; sleep 2; done;']
env:
- name: DB_NAME
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $databaseKey }}
- name: DB_HOST
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $hostKey }}
- name: DB_PORT_NUMBER
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $portKey }}
- name: DB_USER
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $usernameKey }}
securityContext:
capabilities:
drop:
Expand Down Expand Up @@ -138,20 +154,35 @@ spec:
value: "{{ .Values.kubeclarity.dbViewRefreshInterval }}"
{{- end }}
- name: DB_NAME
value: {{ $dbName }}
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $databaseKey }}
- name: DB_HOST
value: {{ $dbHost | quote }}
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $hostKey }}
- name: DB_PORT_NUMBER
value: {{ $dbPort | quote }}
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $portKey }}
- name: DB_USER
value: {{ $dbUser | quote }}
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $usernameKey }}
- name: DB_SSL_MODE
value: {{ $dbSSLMode | quote }}
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $sslmodeKey }}
- name: DB_PASS
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $secretKey | default "postgres-password" }}
key: {{ $secretKey }}
# runtime-scan envs
- name: SCANNER_JOB_RESULT_LISTEN_PORT
value: "{{ index .Values "kubeclarity-runtime-scan" "resultServicePort" }}"
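Review bot: Every new `secretKeyRef` (init container and main container, `DB_NAME` through `DB_SSL_MODE`) is mandatory — there is no `optional: true` — so a Secret that lacks any of the five new keys, which is exactly what an `existingSecret` created for an earlier chart version with only the password key looks like, makes the pod fail at container creation with `CreateContainerConfigError` instead of at render time. That fail-closed behaviour is the right default for credentials, but it should be stated where the keys are resolved, e.g. above the `$secretName` assignment: `# every *Key below must exist in $secretName; a missing key is not defaulted and fails pod creation (CreateContainerConfigError)`. The key names are also rendered unquoted (`key: {{ $databaseKey }}`); rendering them as `key: {{ $databaseKey | quote }}` keeps a value such as an all-digit key from being retyped by YAML before the API server validates it.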
23 changes: 22 additions & 1 deletion charts/kubeclarity/templates/secret.yaml
@@ -1,9 +1,25 @@
{{- $secretName := index .Values "kubeclarity-postgresql" "auth" "existingSecret" -}}
{{- $postgresPassword := .Values.global.databasePassword | b64enc -}}
{{- $dbHost := print (include "kubeclarity.name" .) "-postgresql" | b64enc -}}
{{- $dbPort := index .Values "kubeclarity-postgresql" "service" "ports" "postgresql" | toString | b64enc -}}
{{- $dbUser := index .Values "kubeclarity-postgresql" "auth" "username" | b64enc -}}
{{- $dbName := index .Values "kubeclarity-postgresql" "auth" "database" | b64enc -}}
{{- $dbSSLMode := index .Values "kubeclarity-postgresql" "auth" "sslMode" | b64enc -}}
{{- if index .Values "kubeclarity-postgresql-external" "enabled" }}
{{- $secretName = index .Values "kubeclarity-postgresql-external" "auth" "existingSecret" -}}
{{- $dbHost = index .Values "kubeclarity-postgresql-external" "auth" "host" | b64enc -}}
{{- $dbPort = index .Values "kubeclarity-postgresql-external" "auth" "port" | toString | b64enc -}}
{{- $dbUser = index .Values "kubeclarity-postgresql-external" "auth" "username" | b64enc -}}
{{- $dbName = index .Values "kubeclarity-postgresql-external" "auth" "database" | b64enc -}}
{{- $dbSSLMode = index .Values "kubeclarity-postgresql-external" "auth" "sslMode" | b64enc -}}
{{- end }}
{{- $secretKey := index .Values "kubeclarity-postgresql-secret" "secretKey" -}}
{{- $postgresPassword := .Values.global.databasePassword | b64enc -}}
{{- $usernameKey := index .Values "kubeclarity-postgresql-secret" "usernameKey" -}}
{{- $hostKey := index .Values "kubeclarity-postgresql-secret" "hostKey" -}}
{{- $portKey := index .Values "kubeclarity-postgresql-secret" "portKey" -}}
{{- $databaseKey := index .Values "kubeclarity-postgresql-secret" "databaseKey" -}}
{{- $sslmodeKey := index .Values "kubeclarity-postgresql-secret" "sslmodeKey" -}}

{{- if (index .Values "kubeclarity-postgresql-secret" "create") }}
apiVersion: v1
kind: Secret
Expand All @@ -14,4 +30,9 @@ metadata:
{{- include "kubeclarity.labels" . | nindent 4 }}
data:
{{ $secretKey }}: {{ $postgresPassword }}
{{ $usernameKey }}: {{ $dbUser }}
{{ $hostKey }}: {{ $dbHost }}
{{ $portKey }}: {{ $dbPort }}
{{ $databaseKey }}: {{ $dbName }}
{{ $sslmodeKey }}: {{ $dbSSLMode }}
{{- end }}
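Review bot: In the external branch, `host`, `username`, `database` and `sslMode` are piped straight through `b64enc` with no presence check, so a value the operator forgot to set is either encoded as an empty string — yielding a Secret with blank entries and a pod that only fails later at connect time — or, if the value resolves to nil rather than "", presumably a template error from `b64enc` (worth confirming). Failing at render time with a clear message is preferable for connection material: `{{- $dbHost = index .Values "kubeclarity-postgresql-external" "auth" "host" | required "kubeclarity-postgresql-external.auth.host is required" | b64enc -}}`, and likewise for `username` and `database`. The same applies to the relocated `$postgresPassword` line: `{{- $postgresPassword := .Values.global.databasePassword | required "global.databasePassword is required when kubeclarity-postgresql-secret.create is true" | b64enc -}}` prevents the chart from silently creating a Secret with an empty password.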
14 changes: 12 additions & 2 deletions charts/kubeclarity/values.yaml
Expand Up @@ -455,7 +455,17 @@ kubeclarity-postgresql-external:
kubeclarity-postgresql-secret:
# Set create to true if you want this helm chart to create a secret holding pgsql password
# based on global.databasePassword value
# If create is set to false, a secret should already exist which has PostgreSQL
# password under secretKey key
# If create is set to false, a secret should already exist which contains the following keys:
# PostgreSQL password under secretKey
# PostgreSQL username under usernameKey
# PostgreSQL host under hostKey
# PostgreSQL port under portKey
# PostgreSQL database name under databaseKey
# SSL mode under sslmodeKey (disable/enable)
create: true
secretKey: "postgres-password"
usernameKey: "postgres-username"
hostKey: "postgres-host"
portKey: "postgres-port"
databaseKey: "postgres-database"
sslmodeKey: "postgres-sslmode"
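Review bot: The comment `SSL mode under sslmodeKey (disable/enable)` documents values that do not match libpq's `sslmode` vocabulary (`disable`, `allow`, `prefer`, `require`, `verify-ca`, `verify-full`); unless KubeClarity translates `enable` itself (not visible here), a user following this comment will get a rejected connection string. I would change it to `# PostgreSQL sslmode under sslmodeKey (libpq values: disable, allow, prefer, require, verify-ca, verify-full); use require or stronger for an external database, disable sends credentials in cleartext`. The block should also tell `create: false` users that this is a breaking change for secrets made for earlier chart versions: `# Upgrading with create: false — the existing secret must be extended with the five new keys below, otherwise the pod fails to start`.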
