templates/web-secrets.yaml

{{- if .Values.web.enabled  }}
{{- if .Values.secrets.create }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "concourse.web.fullname" . }}
  labels:
    app: {{ template "concourse.web.fullname" . }}
    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
  {{- if .Values.secrets.annotations }}
  annotations:
{{ toYaml .Values.secrets.annotations | indent 4 }}
  {{- end }}
type: Opaque
data:
  host-key: {{ .Values.secrets.hostKey | b64enc | quote }}
  session-signing-key: {{ .Values.secrets.sessionSigningKey | b64enc | quote }}
  worker-key-pub: {{ .Values.secrets.workerKeyPub | b64enc | quote }}
  {{- if .Values.concourse.web.clientConfig.enabled }}
  client-id: {{ template "concourse.secret.required" dict "key" "clientId" "is" "concourse.web.clientConfig.enabled" "root" . }}
  client-secret: {{ template "concourse.secret.required" dict "key" "clientSecret" "is" "concourse.web.clientConfig.enabled" "root" . }}
  {{- end }}
  {{- if .Values.concourse.web.tsa.clientConfig.enabled }}
  tsa-client-id: {{ template "concourse.secret.required" dict "key" "tsaClientId" "is" "concourse.web.tsa.clientConfig.enabled" "root" . }}
  tsa-client-secret: {{ template "concourse.secret.required" dict "key" "tsaClientSecret" "is" "concourse.web.tsa.clientConfig.enabled" "root" . }}
  {{- end }}
  {{- if not .Values.postgresql.enabled }}
  postgresql-user: {{ template "concourse.secret.required" dict "key" "postgresUser" "isnt" "postgresql.enabled" "root" . }}
  postgresql-password: {{ template "concourse.secret.required" dict "key" "postgresPassword" "isnt" "postgresql.enabled" "root" . }}
  postgresql-ca-cert: {{ default "" .Values.secrets.postgresCaCert | b64enc | quote }}
  postgresql-client-cert: {{ default "" .Values.secrets.postgresClientCert | b64enc | quote }}
  postgresql-client-key: {{ default "" .Values.secrets.postgresClientKey | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.encryption.enabled }}
  encryption-key: {{ template "concourse.secret.required" dict "key" "encryptionKey" "is" "concourse.encryption.enabled" "root" . }}
  old-encryption-key: {{ default "" .Values.secrets.oldEncryptionKey | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.localAuth.enabled }}
  local-users: {{ .Values.secrets.localUsers | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.auth.cf.enabled }}
  cf-client-id: {{ template "concourse.secret.required" dict "key" "cfClientId" "is" "concourse.web.auth.cf.enabled" "root" . }}
  cf-client-secret: {{ template "concourse.secret.required" dict "key" "cfClientSecret" "is" "concourse.web.auth.cf.enabled" "root" . }}
  cf-ca-cert: {{ default "" .Values.secrets.cfCaCert | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.auth.bitbucketCloud.enabled }}
  bitbucket-cloud-client-id: {{ template "concourse.secret.required" dict "key" "bitbucketCloudClientId" "is" "concourse.web.auth.bitbucketCloud.enabled" "root" . }}
  bitbucket-cloud-client-secret: {{ template "concourse.secret.required" dict "key" "bitbucketCloudClientSecret" "is" "concourse.web.auth.bitbucketCloud.enabled" "root" . }}
  {{- end }}
  {{- if .Values.concourse.web.auth.github.enabled }}
  github-client-id: {{ template "concourse.secret.required" dict "key" "githubClientId" "is" "concourse.web.auth.github.enabled" "root" . }}
  github-client-secret: {{ template "concourse.secret.required" dict "key" "githubClientSecret" "is" "concourse.web.auth.github.enabled" "root" . }}
  github-ca-cert: {{ default "" .Values.secrets.githubCaCert | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.auth.gitlab.enabled }}
  gitlab-client-id: {{ template "concourse.secret.required" dict "key" "gitlabClientId" "is" "concourse.web.auth.gitlab.enabled" "root" . }}
  gitlab-client-secret: {{ template "concourse.secret.required" dict "key" "gitlabClientSecret" "is" "concourse.web.auth.gitlab.enabled" "root" . }}
  {{- end }}
  {{- if .Values.concourse.web.auth.ldap.enabled }}
  ldap-ca-cert: {{ default "" .Values.secrets.ldapCaCert | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.auth.saml.enabled }}
  {{- if not .Values.concourse.web.auth.saml.insecureSkipVerify }}
  saml-ca-cert: {{ default "" .Values.secrets.samlCaCert | b64enc | quote }}
  {{- end }}
  {{- end }}
  {{- if .Values.concourse.web.auth.oauth.enabled }}
  oauth-client-id: {{ template "concourse.secret.required" dict "key" "oauthClientId" "is" "concourse.web.auth.oauth.enabled" "root" . }}
  oauth-client-secret: {{ template "concourse.secret.required" dict "key" "oauthClientSecret" "is" "concourse.web.auth.oauth.enabled" "root" . }}
  oauth-ca-cert: {{ default "" .Values.secrets.oauthCaCert | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.auth.oidc.enabled }}
  oidc-client-id: {{ template "concourse.secret.required" dict "key" "oidcClientId" "is" "concourse.web.auth.oidc.enabled" "root" . }}
  oidc-client-secret: {{ template "concourse.secret.required" dict "key" "oidcClientSecret" "is" "concourse.web.auth.oidc.enabled" "root" . }}
  oidc-ca-cert: {{ default "" .Values.secrets.oidcCaCert | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.auth.microsoft.enabled }}
  microsoft-client-id: {{ template "concourse.secret.required" dict "key" "microsoftClientId" "is" "concourse.web.auth.microsoft.enabled" "root" . }}
  microsoft-client-secret: {{ template "concourse.secret.required" dict "key" "microsoftClientSecret" "is" "concourse.web.auth.microsoft.enabled" "root" . }}
  {{- end }}
  {{- if .Values.concourse.web.tls.enabled }}
  {{- if not .Values.concourse.web.letsEncrypt.enabled }}
  web-tls-cert: {{ template "concourse.secret.required" dict "key" "webTlsCert" "is" "concourse.web.tls.enabled" "root" . }}
  web-tls-key: {{ template "concourse.secret.required" dict "key" "webTlsKey" "is" "concourse.web.tls.enabled" "root" . }}
  {{- if .Values.secrets.webTlsCaCert }}
  web-tls-ca-cert: {{ template "concourse.secret.required" dict "key" "webTlsCaCert" "is" "concourse.web.tls.enabled" "root" . }}
  {{- end }}
  {{- end }}
  {{- end }}
  {{- if .Values.concourse.web.vault.enabled }}
  vault-ca-cert: {{ default "" .Values.secrets.vaultCaCert | b64enc | quote }}
  vault-client-token: {{ default "" .Values.secrets.vaultClientToken | b64enc | quote }}
  vault-client-cert: {{ default "" .Values.secrets.vaultClientCert | b64enc | quote }}
  vault-client-key: {{ default "" .Values.secrets.vaultClientKey | b64enc | quote }}
  vault-client-auth-param: {{ default "" .Values.secrets.vaultAuthParam | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.credhub.enabled }}
  credhub-ca-cert: {{ default "" .Values.secrets.credhubCaCert | b64enc | quote }}
  {{- if eq .Values.concourse.web.credhub.authenticationMode "secrets" }}
  credhub-client-id: {{ template "concourse.secret.required" dict "key" "credhubClientId" "is" "authenticationMode set to 'secrets' with concourse.web.credhub.enabled" "root" . }}
  credhub-client-secret: {{ template "concourse.secret.required" dict "key" "credhubClientSecret" "is" "authenticationMode set to 'secrets' with concourse.web.credhub.enabled" "root" . }}
  {{- else if eq .Values.concourse.web.credhub.authenticationMode "mtls" }}
  credhub-client-cert: {{ template "concourse.secret.required" dict "key" "credhubClientCert" "is" "authenticationMode set to 'mtls' with concourse.web.credhub.enabled" "root" . }}
  credhub-client-key: {{ template "concourse.secret.required" dict "key" "credhubClientKey" "is" "authenticationMode set to 'mtls' with concourse.web.credhub.enabled" "root" . }}
  {{- else }}
  {{- required (printf "value %s is not recognized as an option for concourse.web.credhub.authenticationMode" .Values.concourse.web.credhub.authenticationMode) "" }}
  {{- end }}
  {{- end }}
  {{- if .Values.concourse.web.conjur.enabled }}
  conjur-account: {{ template "concourse.secret.required" dict "key" "conjurAccount" "is" "concourse.web.auth.conjur.enabled" "root" . }}
  conjur-authn-login: {{ template "concourse.secret.required" dict "key" "conjurAuthnLogin" "is" "concourse.web.auth.conjur.enabled" "root" . }}
  conjur-authn-api-key: {{ default "" .Values.secrets.conjurAuthnApiKey | b64enc | quote }}
  conjur-authn-token-file: {{ default "" .Values.secrets.conjurAuthnTokenFile | b64enc | quote }}
  conjur-ca-cert: {{ default "" .Values.secrets.conjurCACert | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.awsSsm.enabled }}
  aws-ssm-access-key: {{ default "" .Values.secrets.awsSsmAccessKey | b64enc | quote }}
  aws-ssm-secret-key: {{ default "" .Values.secrets.awsSsmSecretKey | b64enc | quote }}
  {{- if .Values.secrets.awsSsmSessionToken }}
  aws-ssm-session-token: {{ .Values.secrets.awsSsmSessionToken | b64enc | quote }}
  {{- end }}
  {{- end }}
  {{- if .Values.concourse.web.awsSecretsManager.enabled }}
  aws-secretsmanager-access-key: {{ default "" .Values.secrets.awsSecretsmanagerAccessKey | b64enc | quote }}
  aws-secretsmanager-secret-key: {{ default "" .Values.secrets.awsSecretsmanagerSecretKey | b64enc | quote }}
  {{- if .Values.secrets.awsSecretsmanagerSessionToken }}
  aws-secretsmanager-session-token: {{ .Values.secrets.awsSecretsmanagerSessionToken | b64enc | quote }}
  {{- end }}
  {{- end }}
  {{- if .Values.concourse.web.influxdb.enabled }}
  influxdb-password: {{ default "" .Values.secrets.influxdbPassword | b64enc | quote }}
  {{- end }}
  {{- if .Values.concourse.web.syslog.enabled }}
  syslog-ca-cert: {{ default "" .Values.secrets.syslogCaCert | b64enc | quote }}
  {{- end }}
  {{- range .Values.secrets.teamAuthorizedKeys}}
  {{ .team }}-team-authorized-key: {{ .key | b64enc | quote }}
  {{- end}}
{{- end }}
{{- end }}