From 0d77e6839bfc061154561a4153d9d9fae391cf58 Mon Sep 17 00:00:00 2001
From: Doug Goldstein
Date: Sat, 3 Feb 2024 20:39:57 -0600
Subject: [PATCH] allow providing Redis password via secret ref

Utilize the Redis password supplied from the k8s secret reference instead of copying it into a Nautobot specific secret. This fixes issues with "helm template", fixing #355 and allows references, fixing #283.
---
 charts/nautobot/templates/_helpers.tpl | 66 +++++--------------
 charts/nautobot/templates/_secrets.tpl | 1 -
 .../nautobot/templates/celery-deployment.yaml | 5 ++
 charts/nautobot/templates/job.yaml | 5 ++
 .../templates/nautobot-deployment.yaml | 15 +++++
 5 files changed, 41 insertions(+), 51 deletions(-)

diff --git a/charts/nautobot/templates/_helpers.tpl b/charts/nautobot/templates/_helpers.tpl
index 29f1a84e..db46ef66 100644
--- a/charts/nautobot/templates/_helpers.tpl
+++ b/charts/nautobot/templates/_helpers.tpl
@@ -235,62 +235,28 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- end -}}

 {{/*
- Return the decoded redis password. If redis is enabled check the existing secret passed to redis.
- If not check the existing secret passed to Nautobot. The existingSecretPasswordKey key is used to lookup the password
-
- Pseudo Code:
- if nautobot.redis.existingSecret:
- return value from the secret at the key nautobot.redis.existingSecretPasswordKey
- else if redis.enabled:
- if redis.auth.existingSecret:
- return value from the secret at the key redis.auth.existingSecretPasswordKey
- else
- return value from redis.auth.password
- else if nautobot.redis.password:
- return value from nautobot.redis.password
- else
- ERROR
+ Return the secret name where the redis password will exist.
+ Either in the value you've supplied to the Nautobot chart, the Redis chart
+ or if a password is being generated, where it will be generated at.
 */}}
-{{- define "nautobot.redis.rawPassword" -}}
+{{- define "nautobot.redis.secretName" -}}
 {{- if .Values.nautobot.redis.existingSecret -}}
- {{- $password := "" -}}
- {{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.nautobot.redis.existingSecret) -}}
- {{- if $secret -}}
- {{- if index $secret.data .Values.nautobot.redis.existingSecretPasswordKey -}}
- {{- $password = index $secret.data .Values.nautobot.redis.existingSecretPasswordKey -}}
- {{- else -}}
- {{- fail (printf "Key '%s' not found in secret '%s'" .Values.nautobot.redis.existingSecretPasswordKey .Values.nautobot.redis.existingSecret) -}}
- {{- end -}}
- {{- else -}}
- {{- fail (printf "Existing secret '%s' not found!" .Values.nautobot.redis.existingSecret) -}}
- {{- end -}}
- {{- $password | b64dec -}}
- {{- else if eq .Values.redis.enabled true -}}
- {{- if .Values.redis.auth.existingSecret -}}
- {{- $password := "" -}}
- {{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.redis.auth.existingSecret) -}}
- {{- if $secret -}}
- {{- if index $secret.data .Values.redis.auth.existingSecretPasswordKey -}}
- {{- $password = index $secret.data .Values.redis.auth.existingSecretPasswordKey -}}
- {{- else -}}
- {{- fail (printf "Key '%s' not found in secret '%s'" .Values.redis.auth.existingSecretPasswordKey .Values.redis.auth.existingSecret) -}}
- {{- end -}}
- {{- else -}}
- {{- fail (printf "Existing secret '%s' not found!" .Values.redis.auth.existingSecret) -}}
- {{- end -}}
- {{- $password | b64dec -}}
- {{- else -}}
- {{- required "A Redis Password is required. Path: .Values.redis.auth.password" .Values.redis.auth.password -}}
- {{- end -}}
- {{- else if .Values.nautobot.redis.password -}}
- {{- .Values.nautobot.redis.password -}}
+ {{- .Values.nautobot.redis.existingSecret -}}
+ {{- else if .Values.redis.auth.existingSecret -}}
+ {{- .Values.redis.auth.existingSecret -}}
 {{- else -}}
- {{- fail (printf "You have to configure redis credentials.") -}}
+ {{- printf "nautobot-redis" -}}
 {{- end -}}
 {{- end -}}

-{{- define "nautobot.redis.encryptedPassword" -}}
- {{- include "nautobot.redis.rawPassword" . | b64enc | quote -}}
+{{- define "nautobot.redis.secretKey" -}}
+ {{- if .Values.nautobot.redis.existingSecretPassswordKey -}}
+ {{- .Values.nautobot.redis.existingSecretPasswordKey -}}
+ {{- else if .Values.redis.auth.existingSecretPasswordKey -}}
+ {{- .Values.redis.auth.existingSecretPasswordKey -}}
+ {{- else -}}
+ {{- printf "redis-password" -}}
+ {{- end -}}
 {{- end -}}

 {{/*
diff --git a/charts/nautobot/templates/_secrets.tpl b/charts/nautobot/templates/_secrets.tpl
index 25be51df..cbb4458c 100644
--- a/charts/nautobot/templates/_secrets.tpl
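Review bot: The first condition in `nautobot.redis.secretKey` tests `.Values.nautobot.redis.existingSecretPassswordKey` (three s's), while the branch body and the removed code spell it `existingSecretPasswordKey`, so a key configured for Nautobot's own existing secret is never selected. The lookup then falls through to `.Values.redis.auth.existingSecretPasswordKey` or the literal `redis-password`, and the pods get a `secretKeyRef` whose key may not exist in the secret chosen by `nautobot.redis.secretName`. The condition should read `{{- if .Values.nautobot.redis.existingSecretPasswordKey -}}`. Name and key are also resolved independently, so (depending on the chart's defaults, which are not visible here) a name from `nautobot.redis.existingSecret` can be paired with a key from `redis.auth`; gating the key on the same `existingSecret` condition as the name would keep the pair consistent. The fallback name `nautobot-redis` is a fixed string, which presumably matches the Redis subchart's generated secret only when the release is named `nautobot`.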
+++ b/charts/nautobot/templates/_secrets.tpl
@@ -1,5 +1,4 @@
 {{- define "nautobot.secret.env" -}}
-NAUTOBOT_REDIS_PASSWORD: {{ include "nautobot.redis.encryptedPassword" . }}
 NAUTOBOT_SECRET_KEY: {{ include "nautobot.encryptedSecretKey" .}}
 {{- if .Values.nautobot.superUser.enabled }}
 NAUTOBOT_SUPERUSER_API_TOKEN: {{ include "nautobot.encryptedSuperUserAPIToken" .}}
diff --git a/charts/nautobot/templates/celery-deployment.yaml b/charts/nautobot/templates/celery-deployment.yaml
index f0a01997..de8904bf 100644
--- a/charts/nautobot/templates/celery-deployment.yaml
+++ b/charts/nautobot/templates/celery-deployment.yaml
@@ -106,6 +106,11 @@ spec:
 secretKeyRef:
 name: {{ include "nautobot.database.secretName" $ }}
 key: {{ include "nautobot.database.secretKey" $ }}
+ - name: NAUTOBOT_REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.redis.secretName" $ }}
+ key: {{ include "nautobot.redis.secretKey" $ }}
 envFrom:
 - configMapRef:
 name: {{ include "common.names.fullname" $ }}-env
diff --git a/charts/nautobot/templates/job.yaml b/charts/nautobot/templates/job.yaml
index 03d89c93..19604e49 100644
--- a/charts/nautobot/templates/job.yaml
+++ b/charts/nautobot/templates/job.yaml
@@ -76,6 +76,11 @@ spec:
 secretKeyRef:
 name: {{ include "nautobot.database.secretName" $ }}
 key: {{ include "nautobot.database.secretKey" $ }}
+ - name: NAUTOBOT_REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.redis.secretName" $ }}
+ key: {{ include "nautobot.redis.secretKey" $ }}
 envFrom:
 - configMapRef:
 name: {{ include "common.names.fullname" $ }}-env-init
diff --git a/charts/nautobot/templates/nautobot-deployment.yaml b/charts/nautobot/templates/nautobot-deployment.yaml
index 85e9922e..960196a2 100644
--- a/charts/nautobot/templates/nautobot-deployment.yaml
+++ b/charts/nautobot/templates/nautobot-deployment.yaml
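Review bot: The `secretKeyRef` added in the celery-deployment.yaml hunk is not marked optional, so the container cannot start unless the secret and key returned by `nautobot.redis.secretName` and `nautobot.redis.secretKey` exist, and this commit removes both the `.Values.nautobot.redis.password` branch and the `NAUTOBOT_REDIS_PASSWORD` entry in `nautobot.secret.env` that carried an inline password for an external Redis. Unless a template outside this patch creates a `nautobot-redis` secret for that case, such installs would render cleanly and fail only at pod start, whereas the removed `fail`/`required` calls reported missing credentials at render time. Consider keeping a render-time check in the helper, for example `{{- if and (not .Values.redis.enabled) (not .Values.nautobot.redis.existingSecret) -}}{{- fail "nautobot.redis.existingSecret is required when redis.enabled is false" -}}{{- end -}}`. The same env entry is added in the job.yaml hunk and in the three nautobot-deployment.yaml hunks, so the point applies there as well. The enclosing container spec starts and ends outside each hunk.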
@@ -86,6 +86,11 @@ spec:
 secretKeyRef:
 name: {{ include "nautobot.database.secretName" $ }}
 key: {{ include "nautobot.database.secretKey" $ }}
+ - name: NAUTOBOT_REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.redis.secretName" $ }}
+ key: {{ include "nautobot.redis.secretKey" $ }}
 envFrom:
 - configMapRef:
 name: {{ include "common.names.fullname" $ }}-env
@@ -149,6 +154,11 @@ spec:
 secretKeyRef:
 name: {{ include "nautobot.database.secretName" $ }}
 key: {{ include "nautobot.database.secretKey" $ }}
+ - name: NAUTOBOT_REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.redis.secretName" $ }}
+ key: {{ include "nautobot.redis.secretKey" $ }}
 envFrom:
 - configMapRef:
 name: {{ include "common.names.fullname" $ }}-env
@@ -208,6 +218,11 @@ spec:
 secretKeyRef:
 name: {{ include "nautobot.database.secretName" $ }}
 key: {{ include "nautobot.database.secretKey" $ }}
+ - name: NAUTOBOT_REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.redis.secretName" $ }}
+ key: {{ include "nautobot.redis.secretKey" $ }}
 envFrom:
 - configMapRef:
 name: {{ include "common.names.fullname" $ }}-env