From 861818fddaeec85580df52a04e7602761de63787 Mon Sep 17 00:00:00 2001
From: Ciaran Liedeman
Date: Sun, 25 Nov 2018 14:05:19 +0200
Subject: [PATCH] Adding existing secret

Signed-off-by: cliedeman
---
 stable/postgresql/Chart.yaml | 2 +-
 stable/postgresql/README.md | 5 +++++
 stable/postgresql/templates/NOTES.txt | 21 ++++++++++++++++++---
 stable/postgresql/templates/secrets.yaml | 2 ++
 stable/postgresql/values.yaml | 4 ++++
 5 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/stable/postgresql/Chart.yaml b/stable/postgresql/Chart.yaml
index c3c3ad678837..8eb5cfc1f3be 100644
--- a/stable/postgresql/Chart.yaml
+++ b/stable/postgresql/Chart.yaml
@@ -1,5 +1,5 @@
 name: postgresql
-version: 2.6.4
+version: 2.6.5
 appVersion: 10.6.0
 description: Chart for PostgreSQL, an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance.
 keywords:
diff --git a/stable/postgresql/README.md b/stable/postgresql/README.md
index be84efb2c605..3a664336456f 100644
--- a/stable/postgresql/README.md
+++ b/stable/postgresql/README.md
@@ -65,6 +65,7 @@ The following tables lists the configurable parameters of the PostgreSQL chart a
 | `replication.slaveReplicas` | Number of slaves replicas | `1` |
 | `postgresqlUsername` | PostgreSQL admin user | `postgres` |
 | `postgresqlPassword` | PostgreSQL admin password | _random 10 character alphanumeric string_ |
+| `existingSecret` | Use Existing secret for postgresl passwords | `nil` |
 | `postgresqlDatabase` | PostgreSQL database | `nil` |
 | `postgresqlConfiguration` | Runtime Config Parameters | `nil` |
 | `pgHbaConfiguration` | Content of pg\_hba.conf | `nil (do not create pg_hba.conf)` |
@@ -170,6 +171,10 @@ The chart optionally can start a metrics exporter for [prometheus](https://prome The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. +## Passwords + +If you do not want to provide the postgresqlPassword variable you can use the existingSecret option to use a secret not managed by helm + ## NetworkPolicy To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. diff --git a/stable/postgresql/templates/NOTES.txt b/stable/postgresql/templates/NOTES.txt index 8b30cfbecc98..3e3f7ee9b48c 100644 --- a/stable/postgresql/templates/NOTES.txt +++ b/stable/postgresql/templates/NOTES.txt 
@@ -34,13 +34,28 @@ To connect to your database run the following command: Note: Since NetworkPolicy is enabled, only pods with label {{ template "postgresql.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster. {{- end }} +{{- if .Values.existingSecret }} +If you have not already created the postgres admin secret: + By specifying "serviceType=LoadBalancer" and not specifying "postgresqlPassword" + you have most likely exposed the PostgreSQL service externally without any + authentication mechanism. + kubectl create secret generic {{ .Values.existingSecret }} --namespace {{ .Release.Namespace }} --from-file=./postgresql-password {{ if .Values.replication.enabled }}--from-file=./postgresql-replication-password{{- end }} +{{- end }} + To connect to your database from outside the cluster execute the following commands: +{{ if .Values.postgresqlPassword }} + export PGPASSWORD={{ .Values.postgresqlPassword}} +{{- end }} +{{ if .Values.existingSecret }} + export PGPASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "postgresql.fullname" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode; echo) +{{- end }} + {{- if contains "NodePort" .Values.service.type }} export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "postgresql.fullname" . }}) - {{ if .Values.postgresqlPassword }}PGPASSWORD={{ .Values.postgresqlPassword}} "{{- end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} + psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} {{- else if contains "LoadBalancer" .Values.service.type }} 
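Review bot: The `existingSecret` branch of the new PGPASSWORD block reads the password from the secret named `{{ template "postgresql.fullname" . }}`, while the `kubectl create secret` line above it names the secret `{{ .Values.existingSecret }}` and secrets.yaml is no longer rendered in that case, so the printed command will likely fail unless the two names happen to coincide. The other branch renders `export PGPASSWORD={{ .Values.postgresqlPassword}}` unquoted, which puts the cleartext password into the release notes (and wherever `helm status` output is logged) and breaks on shell metacharacters; with neither value set, no export is printed at all and the psql lines in the next NOTES.txt hunk give no hint where the generated password lives. A single export that always reads from the cluster would cover all three cases: `export PGPASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ default (include "postgresql.fullname" .) .Values.existingSecret }} -o jsonpath="{.data.postgresql-password}" | base64 --decode)`. The "By specifying serviceType=LoadBalancer ..." sentences inside the `existingSecret` block look pasted from another notes file and do not describe this case, so they should be dropped.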
@@ -48,11 +63,11 @@ To connect to your database from outside the cluster execute the following comma Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "postgresql.fullname" . }}' export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - {{ if .Values.postgresqlPassword }}PGPASSWORD={{ .Values.postgresqlPassword}} "{{- end }}psql --host $SERVICE_IP --port {{ .Values.service.port }} -U {{ .Values.postgresqlUsername }} + psql --host $SERVICE_IP --port {{ .Values.service.port }} -U {{ .Values.postgresqlUsername }} {{- else if contains "ClusterIP" .Values.service.type }} kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "postgresql.fullname" . }} 5432:5432 & - {{ if .Values.postgresqlPassword }}PGPASSWORD={{ .Values.postgresqlPassword}} "{{- end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} + psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} {{- end }} diff --git a/stable/postgresql/templates/secrets.yaml b/stable/postgresql/templates/secrets.yaml index 3ba26396f5da..d607995fee94 100644 --- a/stable/postgresql/templates/secrets.yaml +++ b/stable/postgresql/templates/secrets.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.existingSecret }} apiVersion: v1 kind: Secret metadata: @@ -21,3 +22,4 @@ data: postgresql-replication-password: {{ randAlphaNum 10 | b64enc | quote }} {{ end }} {{ end }} +{{- end }} \ No newline at end of file diff --git a/stable/postgresql/values.yaml b/stable/postgresql/values.yaml index ad5c0e3b8147..0b256f3fc671 100644 --- a/stable/postgresql/values.yaml +++ b/stable/postgresql/values.yaml 
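Review bot: The `{{- if not .Values.existingSecret }}` guard at the top of secrets.yaml stops the chart from creating its Secret, but the diffstat lists no workload template among the five changed files, so nothing visible in this patch points the pods at `.Values.existingSecret`. If the statefulset templates still reference the secret by `postgresql.fullname` (they are not shown here), an install with `existingSecret` set to any other name would leave the containers without credentials and unable to start. The secret name used by those templates should resolve through the same expression, e.g. `{{ default (include "postgresql.fullname" .) .Values.existingSecret }}`, ideally defined once as a named helper. The closing `{{- end }}` in the second secrets.yaml hunk also leaves the file without a trailing newline.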
@@ -60,6 +60,10 @@ replication: ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run postgresqlUsername: postgres +## Use Existing secret instead of creating one +## It must have a postgresql-password key containing the desired password and postgresql-replication-password if replication is enabled +# existingSecret: 'secret' + ## PostgreSQL password ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run ##
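Review bot: The new comment above `# existingSecret: 'secret'` lists the required keys but not the precedence or location of the secret. Per the guard added in secrets.yaml, setting `existingSecret` skips the chart-managed Secret, so a `postgresqlPassword` supplied alongside it is never written to a Secret, and the NOTES.txt command creates the secret in the release namespace. Suggest adding `## When set, the chart creates no Secret of its own and postgresqlPassword is not stored; the secret must live in the release namespace`.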