allow providing Redis password via secret ref

Utilize the Redis password supplied from the k8s secret reference instead of copying it into a Nautobot specific secret. This fixes issues with "helm template", fixing nautobot#355 and allows references, fixing nautobot#283.
cardoe · Feb 4, 2024 · 0d77e68 · 0d77e68
1 parent fb13d07
commit 0d77e68
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 51 deletions.
diff --git a/charts/nautobot/templates/_helpers.tpl b/charts/nautobot/templates/_helpers.tpl
@@ -235,62 +235,28 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}
 
 {{/*
-  Return the decoded redis password.  If redis is enabled check the existing secret passed to redis.
-  If not check the existing secret passed to Nautobot.  The existingSecretPasswordKey key is used to lookup the password
-
-  Pseudo Code:
-  if nautobot.redis.existingSecret:
-    return value from the secret at the key nautobot.redis.existingSecretPasswordKey
-  else if redis.enabled:
-    if redis.auth.existingSecret:
-      return value from the secret at the key redis.auth.existingSecretPasswordKey
-    else
-      return value from redis.auth.password
-  else if nautobot.redis.password:
-    return value from nautobot.redis.password
-  else
-    ERROR
+  Return the secret name where the redis password will exist.
+  Either in the value you've supplied to the Nautobot chart, the Redis chart
+  or if a password is being generated, where it will be generated at.
 */}}
-{{- define "nautobot.redis.rawPassword" -}}
+{{- define "nautobot.redis.secretName" -}}
   {{- if .Values.nautobot.redis.existingSecret -}}
-      {{- $password := "" -}}
-      {{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.nautobot.redis.existingSecret) -}}
-      {{- if $secret -}}
-        {{- if index $secret.data .Values.nautobot.redis.existingSecretPasswordKey -}}
-          {{- $password = index $secret.data .Values.nautobot.redis.existingSecretPasswordKey -}}
-        {{- else -}}
-          {{- fail (printf "Key '%s' not found in secret '%s'" .Values.nautobot.redis.existingSecretPasswordKey .Values.nautobot.redis.existingSecret) -}}
-        {{- end -}}
-      {{- else -}}
-        {{- fail (printf "Existing secret '%s' not found!" .Values.nautobot.redis.existingSecret) -}}
-      {{- end -}}
-      {{- $password | b64dec -}}
-  {{- else if eq .Values.redis.enabled true -}}
-      {{- if .Values.redis.auth.existingSecret -}}
-        {{- $password := "" -}}
-        {{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.redis.auth.existingSecret) -}}
-        {{- if $secret -}}
-          {{- if index $secret.data .Values.redis.auth.existingSecretPasswordKey -}}
-            {{- $password = index $secret.data .Values.redis.auth.existingSecretPasswordKey -}}
-          {{- else -}}
-            {{- fail (printf "Key '%s' not found in secret '%s'" .Values.redis.auth.existingSecretPasswordKey .Values.redis.auth.existingSecret) -}}
-          {{- end -}}
-        {{- else -}}
-          {{- fail (printf "Existing secret '%s' not found!" .Values.redis.auth.existingSecret) -}}
-        {{- end -}}
-        {{- $password | b64dec -}}
-      {{- else -}}
-        {{- required "A Redis Password is required. Path: .Values.redis.auth.password" .Values.redis.auth.password -}}
-      {{- end -}}
-  {{- else if .Values.nautobot.redis.password -}}
-    {{- .Values.nautobot.redis.password -}}
+    {{- .Values.nautobot.redis.existingSecret -}}
+  {{- else if .Values.redis.auth.existingSecret -}}
+    {{- .Values.redis.auth.existingSecret -}}
   {{- else -}}
-    {{- fail (printf "You have to configure redis credentials.") -}}
+    {{- printf "nautobot-redis" -}}
   {{- end -}}
 {{- end -}}
 
-{{- define "nautobot.redis.encryptedPassword" -}}
-  {{- include "nautobot.redis.rawPassword" . | b64enc | quote -}}
+{{- define "nautobot.redis.secretKey" -}}
+  {{- if .Values.nautobot.redis.existingSecretPassswordKey -}}
+    {{- .Values.nautobot.redis.existingSecretPasswordKey -}}
+  {{- else if .Values.redis.auth.existingSecretPasswordKey -}}
+    {{- .Values.redis.auth.existingSecretPasswordKey -}}
+  {{- else -}}
+    {{- printf "redis-password" -}}
+  {{- end -}}
 {{- end -}}
 
 {{/*

diff --git a/charts/nautobot/templates/_secrets.tpl b/charts/nautobot/templates/_secrets.tpl
@@ -1,5 +1,4 @@
 {{- define "nautobot.secret.env" -}}
-NAUTOBOT_REDIS_PASSWORD: {{ include "nautobot.redis.encryptedPassword" . }}
 NAUTOBOT_SECRET_KEY: {{ include "nautobot.encryptedSecretKey" .}}
 {{- if .Values.nautobot.superUser.enabled }}
 NAUTOBOT_SUPERUSER_API_TOKEN: {{ include "nautobot.encryptedSuperUserAPIToken" .}}

diff --git a/charts/nautobot/templates/celery-deployment.yaml b/charts/nautobot/templates/celery-deployment.yaml
@@ -106,6 +106,11 @@ spec:
                 secretKeyRef:
                   name: {{ include "nautobot.database.secretName" $ }}
                   key: {{ include "nautobot.database.secretKey" $ }}
+            - name: NAUTOBOT_REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "nautobot.redis.secretName" $ }}
+                  key: {{ include "nautobot.redis.secretKey" $ }}
           envFrom:
             - configMapRef:
                 name: {{ include "common.names.fullname" $ }}-env

diff --git a/charts/nautobot/templates/job.yaml b/charts/nautobot/templates/job.yaml
@@ -76,6 +76,11 @@ spec:
                 secretKeyRef:
                   name: {{ include "nautobot.database.secretName" $ }}
                   key: {{ include "nautobot.database.secretKey" $ }}
+            - name: NAUTOBOT_REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "nautobot.redis.secretName" $ }}
+                  key: {{ include "nautobot.redis.secretKey" $ }}
           envFrom:
             - configMapRef:
                 name: {{ include "common.names.fullname" $ }}-env-init

diff --git a/charts/nautobot/templates/nautobot-deployment.yaml b/charts/nautobot/templates/nautobot-deployment.yaml
@@ -86,6 +86,11 @@ spec:
                 secretKeyRef:
                   name: {{ include "nautobot.database.secretName" $ }}
                   key: {{ include "nautobot.database.secretKey" $ }}
+            - name: NAUTOBOT_REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "nautobot.redis.secretName" $ }}
+                  key: {{ include "nautobot.redis.secretKey" $ }}
           envFrom:
             - configMapRef:
                 name: {{ include "common.names.fullname" $ }}-env
@@ -149,6 +154,11 @@ spec:
                 secretKeyRef:
                   name: {{ include "nautobot.database.secretName" $ }}
                   key: {{ include "nautobot.database.secretKey" $ }}
+            - name: NAUTOBOT_REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "nautobot.redis.secretName" $ }}
+                  key: {{ include "nautobot.redis.secretKey" $ }}
           envFrom:
             - configMapRef:
                 name: {{ include "common.names.fullname" $ }}-env
@@ -208,6 +218,11 @@ spec:
                 secretKeyRef:
                   name: {{ include "nautobot.database.secretName" $ }}
                   key: {{ include "nautobot.database.secretKey" $ }}
+            - name: NAUTOBOT_REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "nautobot.redis.secretName" $ }}
+                  key: {{ include "nautobot.redis.secretKey" $ }}
           envFrom:
             - configMapRef:
                 name: {{ include "common.names.fullname" $ }}-env