From 40890e26baf3662bc18b99c14703c4b1b82f51e4 Mon Sep 17 00:00:00 2001 From: Raz Amir <88726761+ramir-savvy@users.noreply.github.com> Date: Tue, 13 Jun 2023 08:42:22 +0300 Subject: [PATCH] Helm: Allow using existing secrets for redis and mysql (#2156) # What this PR does This PR adds the ability to use an existing secret for external Redis and external MySQL and it follows the same changes that PR #761 did for RabbitMQ (including the fix that was done for it later in #775) ## Checklist - [x] Unit, integration, and e2e (if applicable) tests updated - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not required) --------- Co-authored-by: Ildar Iskhakov --- CHANGELOG.md | 6 ++ helm/oncall/README.md | 5 ++ helm/oncall/templates/_env.tpl | 34 +++++++- helm/oncall/templates/secrets.yaml | 8 +- .../oncall/tests/mysql_password_env_test.yaml | 61 ++++++++++++- .../tests/postgres_password_env_test.yaml | 1 - .../oncall/tests/redis_password_env_test.yaml | 85 +++++++++++++++++++ helm/oncall/values.yaml | 10 +++ 8 files changed, 201 insertions(+), 9 deletions(-) create mode 100644 helm/oncall/tests/redis_password_env_test.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ec0d04ea1..d4a86851a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## Unreleased + +### Added + +- Add helm chart support for redis and mysql existing secrets [#2156](https://github.com/grafana/oncall/pull/2156) + ## v1.2.43 (2023-06-12) ### Changed diff --git a/helm/oncall/README.md b/helm/oncall/README.md index 5e49c906e8..e8d7917f4f 100644 --- a/helm/oncall/README.md +++ b/helm/oncall/README.md 
@@ -182,6 +182,9 @@ externalMysql: db_name: user: password: + existingSecret: "" + usernameKey: username + passwordKey: password ``` ### Connect external PostgreSQL @@ -246,6 +249,8 @@ redis: externalRedis: host: password: + existingSecret: "" + passwordKey: password ``` ## Update diff --git a/helm/oncall/templates/_env.tpl b/helm/oncall/templates/_env.tpl index a028907ab6..895d374a44 100644 --- a/helm/oncall/templates/_env.tpl +++ b/helm/oncall/templates/_env.tpl 
@@ -220,23 +220,41 @@ http://{{ include "oncall.grafana.fullname" . }} value: {{ include "snippet.mysql.port" . }} - name: MYSQL_DB_NAME value: {{ include "snippet.mysql.db" . }} +{{- if and (not .Values.mariadb.enabled) .Values.externalMysql.existingSecret .Values.externalMysql.usernameKey (not .Values.externalMysql.user) }} +- name: MYSQL_USER + valueFrom: + secretKeyRef: + name: {{ include "snippet.mysql.password.secret.name" . }} + key: {{ .Values.externalMysql.usernameKey }} +{{- else }} - name: MYSQL_USER value: {{ include "snippet.mysql.user" . }} +{{- end }} - name: MYSQL_PASSWORD valueFrom: secretKeyRef: name: {{ include "snippet.mysql.password.secret.name" . }} - key: mariadb-root-password + key: {{ include "snippet.mysql.password.secret.key" . }} {{- end }} {{- define "snippet.mysql.password.secret.name" -}} {{- if and (not .Values.mariadb.enabled) .Values.externalMysql.password -}} {{ include "oncall.fullname" . }}-mysql-external +{{- else if and (not .Values.mariadb.enabled) .Values.externalMysql.existingSecret -}} +{{ .Values.externalMysql.existingSecret }} {{- else -}} {{ include "oncall.mariadb.fullname" . }} {{- end -}} {{- end -}} +{{- define "snippet.mysql.password.secret.key" -}} +{{- if and (not .Values.mariadb.enabled) .Values.externalMysql.passwordKey -}} +{{ .Values.externalMysql.passwordKey }} +{{- else -}} +mariadb-root-password +{{- end -}} +{{- end -}} + {{- define "snippet.mysql.host" -}} {{- if and (not .Values.mariadb.enabled) .Values.externalMysql.host -}} {{- required "externalMysql.host is required if not mariadb.enabled" .Values.externalMysql.host | quote }} 
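Review bot: `snippet.mysql.password.secret.name` still prefers the chart-generated `-mysql-external` Secret whenever `externalMysql.password` is set, but the same commit stops rendering that Secret in secrets.yaml whenever `externalMysql.existingSecret` is non-empty, so a values file that sets both produces a `secretKeyRef` to a Secret that does not exist. In the same hunk `snippet.mysql.password.secret.key` returns `externalMysql.passwordKey` even when the generated Secret (whose only key is `mariadb-root-password`) is the one being referenced, so setting `passwordKey` without `existingSecret` also breaks the env reference. Checking `existingSecret` before `password` in the name snippet, and gating `passwordKey` on `existingSecret` in the key snippet, makes the two templates agree; the redis defines added in the next `_env.tpl` hunk (`snippet.redis.password.secret.name` / `.key`) have the same ordering and need the same change.
```yaml
# … unchanged: MYSQL_* env entries …
{{- define "snippet.mysql.password.secret.name" -}}
{{- if and (not .Values.mariadb.enabled) .Values.externalMysql.existingSecret -}}
{{ .Values.externalMysql.existingSecret }}
{{- else if and (not .Values.mariadb.enabled) .Values.externalMysql.password -}}
{{ include "oncall.fullname" . }}-mysql-external
{{- else -}}
{{ include "oncall.mariadb.fullname" . }}
{{- end -}}
{{- end -}}

{{- define "snippet.mysql.password.secret.key" -}}
{{- if and (not .Values.mariadb.enabled) .Values.externalMysql.existingSecret .Values.externalMysql.passwordKey -}}
{{ .Values.externalMysql.passwordKey }}
{{- else -}}
mariadb-root-password
{{- end -}}
{{- end -}}
# … unchanged: snippet.mysql.host …
```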
@@ -436,11 +454,21 @@ rabbitmq-password {{- define "snippet.redis.password.secret.name" -}} {{- if and (not .Values.redis.enabled) .Values.externalRedis.password -}} {{ include "oncall.fullname" . }}-redis-external +{{- else if and (not .Values.redis.enabled) .Values.externalRedis.existingSecret -}} +{{ .Values.externalRedis.existingSecret }} {{- else -}} {{ include "oncall.redis.fullname" . }} {{- end -}} {{- end -}} +{{- define "snippet.redis.password.secret.key" -}} +{{- if and (not .Values.redis.enabled) .Values.externalRedis.passwordKey -}} +{{ .Values.externalRedis.passwordKey }} +{{- else -}} +redis-password +{{- end -}} +{{- end -}} + {{- define "snippet.redis.env" -}} - name: REDIS_HOST value: {{ include "snippet.redis.host" . }} @@ -449,8 +477,8 @@ rabbitmq-password - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: {{ template "snippet.redis.password.secret.name" . }} - key: redis-password + name: {{ include "snippet.redis.password.secret.name" . }} + key: {{ include "snippet.redis.password.secret.key" . }} {{- end }} {{- define "snippet.oncall.smtp.env" -}} diff --git a/helm/oncall/templates/secrets.yaml b/helm/oncall/templates/secrets.yaml index 62a9789622..aa1c86fe73 100644 --- a/helm/oncall/templates/secrets.yaml +++ b/helm/oncall/templates/secrets.yaml 
@@ -11,14 +11,14 @@ data: {{ template "snippet.oncall.secret.mirageSecretKey" . }}: {{ randAlphaNum 40 | b64enc | quote }} {{- end }} --- -{{ if and (not .Values.mariadb.enabled) (eq .Values.database.type "mysql") -}} +{{ if and (not .Values.mariadb.enabled) (eq .Values.database.type "mysql") (not .Values.externalMysql.existingSecret) -}} apiVersion: v1 kind: Secret metadata: name: {{ include "oncall.fullname" . }}-mysql-external type: Opaque data: - mariadb-root-password: {{ required "externalMysql.password is required if not mariadb.enabled" .Values.externalMysql.password | b64enc | quote }} + mariadb-root-password: {{ required "externalMysql.password is required if not mariadb.enabled and not externalMysql.existingSecret" .Values.externalMysql.password | b64enc | quote }} {{- end }} --- {{ if and (eq .Values.broker.type "rabbitmq") (not .Values.rabbitmq.enabled) (not .Values.externalRabbitmq.existingSecret) -}} @@ -31,14 +31,14 @@ data: rabbitmq-password: {{ required "externalRabbitmq.password is required if not rabbitmq.enabled and not externalRabbitmq.existingSecret" .Values.externalRabbitmq.password | b64enc | quote }} {{- end }} --- -{{ if not .Values.redis.enabled -}} +{{ if and (not .Values.redis.enabled) (not .Values.externalRedis.existingSecret) -}} apiVersion: v1 kind: Secret metadata: name: {{ include "oncall.fullname" . }}-redis-external type: Opaque data: - redis-password: {{ required "externalRedis.password is required if not redis.enabled" .Values.externalRedis.password | b64enc | quote }} + redis-password: {{ required "externalRedis.password is required if not redis.enabled and not externalRedis.existingSecret" .Values.externalRedis.password | b64enc | quote }} {{- end }} --- {{ if and .Values.oncall.smtp.enabled .Values.oncall.smtp.password -}} diff --git a/helm/oncall/tests/mysql_password_env_test.yaml b/helm/oncall/tests/mysql_password_env_test.yaml index 96aca613de..b2447817f5 100644 --- a/helm/oncall/tests/mysql_password_env_test.yaml 
+++ b/helm/oncall/tests/mysql_password_env_test.yaml @@ -12,7 +12,7 @@ tests: mariadb.enabled: false asserts: - failedTemplate: - errorMessage: externalMysql.password is required if not mariadb.enabled + errorMessage: externalMysql.password is required if not mariadb.enabled and not externalMysql.existingSecret template: secrets.yaml - it: externalMySQL.password -> should create a Secret -mariadb-external @@ -23,8 +23,14 @@ tests: set: mariadb.enabled: false externalMysql: + user: user123 password: abcd123 asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: MYSQL_USER + value: user123 - contains: path: spec.template.spec.containers[0].env content: 
@@ -44,3 +50,56 @@ tests: decodeBase64: true documentIndex: 1 template: secrets.yaml + + - it: externalMysql.existingSecret -> should use existing secret + templates: + - engine/deployment.yaml + - engine/job-migrate.yaml + - celery/deployment-celery.yaml + set: + mariadb.enabled: false + externalMysql: + existingSecret: some-mysql-secret + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: MYSQL_USER + value: root + - contains: + path: spec.template.spec.containers[0].env + content: + name: MYSQL_PASSWORD + valueFrom: + secretKeyRef: + name: some-mysql-secret + key: mariadb-root-password + + - it: externalMysql.usernameKey and externalMysql.passwordKey -> should be used for existing secret + templates: + - engine/deployment.yaml + - engine/job-migrate.yaml + - celery/deployment-celery.yaml + set: + mariadb.enabled: false + externalMysql: + existingSecret: some-mysql-secret + usernameKey: mysql.user + passwordKey: mysql.key + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: MYSQL_USER + valueFrom: + secretKeyRef: + name: some-mysql-secret + key: mysql.user + - contains: + path: spec.template.spec.containers[0].env + content: + name: MYSQL_PASSWORD + valueFrom: + secretKeyRef: + name: some-mysql-secret + key: mysql.key diff --git a/helm/oncall/tests/postgres_password_env_test.yaml b/helm/oncall/tests/postgres_password_env_test.yaml index 83c2cc0217..997e6984d7 100644 --- a/helm/oncall/tests/postgres_password_env_test.yaml +++ b/helm/oncall/tests/postgres_password_env_test.yaml @@ -109,4 +109,3 @@ tests: secretKeyRef: name: oncall-postgresql key: password - diff --git a/helm/oncall/tests/redis_password_env_test.yaml b/helm/oncall/tests/redis_password_env_test.yaml new file mode 100644 index 0000000000..c5eff6a5d9 --- /dev/null +++ b/helm/oncall/tests/redis_password_env_test.yaml 
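Review bot: The two new cases only exercise `existingSecret` on its own; neither `existingSecret` together with `password`, nor `passwordKey` without `existingSecret`, is covered, and those are exactly the combinations where `_env.tpl` and `secrets.yaml` in this commit disagree about which Secret name and key to use. The `templates:` list of the `existingSecret` case also leaves out `secrets.yaml`, so nothing asserts that the chart-generated `oncall-mysql-external` Secret is suppressed when an existing secret is supplied; adding `secrets.yaml` to the list with a `containsDocument` assertion negated via `not: true` would pin that. The same gap applies to the new `redis_password_env_test.yaml`. The enclosing `tests:` list starts outside the hunk.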
@@ -0,0 +1,85 @@ +suite: test Redis password envs for deployments +release: + name: oncall +templates: + - engine/deployment.yaml + - engine/job-migrate.yaml + - celery/deployment-celery.yaml + - secrets.yaml +tests: + - it: secrets -> should fail if externalRedis.password not set + set: + redis.enabled: false + asserts: + - failedTemplate: + errorMessage: externalRedis.password is required if not redis.enabled and not externalRedis.existingSecret + template: secrets.yaml + + - it: externalRedis.password -> should create a Secret -redis-external + templates: + - engine/deployment.yaml + - engine/job-migrate.yaml + - celery/deployment-celery.yaml + set: + redis.enabled: false + externalRedis: + password: abcd123 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: oncall-redis-external + key: redis-password + - containsDocument: + kind: Secret + apiVersion: v1 + name: oncall-redis-external + template: secrets.yaml + - equal: + path: data.redis-password + value: abcd123 + decodeBase64: true + documentIndex: 1 + template: secrets.yaml + + - it: externalRedis.existingSecret -> should use existing secret + templates: + - engine/deployment.yaml + - engine/job-migrate.yaml + - celery/deployment-celery.yaml + set: + redis.enabled: false + externalRedis: + existingSecret: some-redis-secret + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: some-redis-secret + key: redis-password + + - it: externalRedis.passwordKey -> should be used for existing secret + templates: + - engine/deployment.yaml + - engine/job-migrate.yaml + - celery/deployment-celery.yaml + set: + redis.enabled: false + externalRedis: + existingSecret: some-redis-secret + passwordKey: redis.key + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: 
some-redis-secret + key: redis.key diff --git a/helm/oncall/values.yaml b/helm/oncall/values.yaml index d7333149f8..248108e27d 100644 --- a/helm/oncall/values.yaml +++ b/helm/oncall/values.yaml @@ -273,6 +273,12 @@ externalMysql: db_name: user: password: + # use an existing secret for the mysql password + existingSecret: "" + # the key in the secret containing the mysql username + usernameKey: + # the key in the secret containing the mysql password + passwordKey: # PostgreSQL is included into this release for the convenience. # It is recommended to host it separately from this release @@ -326,6 +332,10 @@ redis: externalRedis: host: password: + # use an existing secret for the redis password + existingSecret: "" + # the key in the secret containing the redis password + passwordKey: # Grafana is included into this release for the convenience. # It is recommended to host it separately from this release
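Review bot: In the `externalMysql` stanza `usernameKey:` and `passwordKey:` are added as bare null values next to `existingSecret: ""`, while the README hunk in this commit documents them as `username` / `password`; the effective behaviour in `_env.tpl` is different again — an empty `passwordKey` falls back to the key `mariadb-root-password`, and an empty `usernameKey` makes `MYSQL_USER` fall back to the plain-value default (`root` in the added test). Using an explicit empty string and stating the fallback in the comment keeps values.yaml, README and template in step, e.g. `# the key in the secret containing the mysql password (falls back to mariadb-root-password when empty)` above `passwordKey: ""`, and likewise `usernameKey: ""`. The `externalRedis` hunk below has the same bare `passwordKey:`, whose fallback is `redis-password`.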