Skip to content

Commit

Permalink
allow providing passwords via secret ref (#356)
Browse files Browse the repository at this point in the history 
* allow providing DB password via secret ref

Utilize the DB password supplied from the k8s secret reference instead
of copying it into a Nautobot specific secret. This fixes issues with
"helm template", fixing #355 and allows references, fixing #283.

* allow providing Redis password via secret ref

Utilize the Redis password supplied from the k8s secret reference instead
of copying it into a Nautobot specific secret. This fixes issues with
"helm template", fixing #355 and allows references, fixing #283.
  • Loading branch information
@cardoe
cardoe authored Feb 26, 2024
1 parent fc581e6 commit d18cac3
Show file tree
Hide file tree
Showing 6 changed files with 112 additions and 145 deletions.
185 changes: 42 additions & 143 deletions charts/nautobot/templates/_helpers.tpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -169,107 +169,40 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}
{{- end -}}

{{/*
Return the decoded database password. If postgres is enabled check the existing secret passed to postgres.
If not check the existing secret passed to Nautobot with key "existingSecretPasswordKey".
Pseudo Code:
if nautobot.db.existingSecret:
return value from the secret at the key nautobot.db.existingSecretPasswordKey
else if postgres.enabled:
if postgresql.auth.existingSecret:
return value from the secret at key postgresql.auth.secretKeys.adminPasswordKey
else
return value from postgresql.auth.password
else if postgresqlha.enabled:
if postgresqlha.postgresql.existingSecret
return value from the secret at key "postgresql-password"
else
return value from postgresqlha.postgresql.password
else if mariadb.enabled
if mariadb.auth.existingSecret:
return the value from the secret at key "mariadb-password"
else
return value from mariadb.auth.password
else if nautobot.db.password:
return value from nautobot.db.password
else
ERROR
*/}}
{{- define "nautobot.database.rawPassword" -}}
{{- define "nautobot.database.passwordName" -}}
{{- if .Values.nautobot.db.existingSecret -}}
{{- $password := "" -}}
{{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.nautobot.db.existingSecret) -}}
{{- if $secret -}}
{{- if index $secret.data .Values.nautobot.db.existingSecretPasswordKey -}}
{{- $password = index $secret.data .Values.nautobot.db.existingSecretPasswordKey -}}
{{- else -}}
{{- fail (printf "Key '%s' not found in secret '%s'" .Values.nautobot.db.existingSecretPasswordKey .Values.nautobot.db.existingSecret) -}}
{{- end -}}
{{- else -}}
{{- fail (printf "Existing Nautobot DB secret '%s' not found!" .Values.nautobot.db.existingSecret) -}}
{{- end -}}
{{- $password | b64dec -}}
{{- .Values.nautobot.db.existingSecret -}}
{{- else if eq .Values.postgresql.enabled true -}}
{{- if .Values.postgresql.auth.existingSecret -}}
{{- $password := "" -}}
{{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.postgresql.auth.existingSecret) -}}
{{- if $secret -}}
{{- if index $secret.data .Values.postgresql.auth.secretKeys.adminPasswordKey -}}
{{- $password = index $secret.data .Values.postgresql.auth.secretKeys.adminPasswordKey -}}
{{- else -}}
{{- fail (printf "Key '%s' not found in secret %s" .Values.postgresql.auth.secretKeys.adminPasswordKey .Values.postgresql.auth.existingSecret) -}}
{{- end -}}
{{- else -}}
{{- fail (printf "Existing PostgreSQL secret %s not found in %s namespace!" .Values.postgresql.auth.existingSecret $.Release.Namespace) -}}
{{- end -}}
{{- $password | b64dec -}}
{{- else -}}
{{- required "A Postgres Password is required! Path: .Values.postgresql.auth.password" .Values.postgresql.auth.password -}}
{{- end -}}
{{- default (printf "%s-db-password" (include "common.names.fullname" .)) .Values.postgresql.auth.existingSecret -}}
{{- else if eq .Values.postgresqlha.enabled true -}}
{{- if .Values.postgresqlha.postgresql.existingSecret -}}
{{- $password := "" -}}
{{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.postgresqlha.postgresql.existingSecret) -}}
{{- if $secret -}}
{{- if index $secret.data "postgresql-password" -}}
{{- $password = index $secret.data "postgresql-password" -}}
{{- else -}}
{{- fail (printf "Key 'postgresql-password' not found in secret %s" .Values.postgresqlha.postgresql.existingSecret) -}}
{{- end -}}
{{- else -}}
{{- fail (printf "Existing PostgreSQL-HA secret %s not found!" .Values.postgresqlha.postgresql.existingSecret) -}}
{{- end -}}
{{- $password | b64dec -}}
{{- else -}}
{{- required "A Postgres Password is required! Path: .Values.postgresqlha.postgresql.password" .Values.postgresqlha.postgresql.password -}}
{{- end -}}
{{- if .Values.postgresql.auth.existingSecret -}}
{{- default (printf "%s-db-password" (include "common.names.fullname" .)) .Values.postgresqlha.auth.existingSecret -}}
{{- else -}}
{{- printf "%s-db-password" (include "common.names.fullname" .) -}}
{{- end -}}
{{- else if eq .Values.mariadb.enabled true -}}
{{- if .Values.mariadb.auth.existingSecret -}}
{{- $password := "" -}}
{{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.mariadb.auth.existingSecret) -}}
{{- if $secret -}}
{{- if index $secret.data "mariadb-password" -}}
{{- $password = index $secret.data "mariadb-password" -}}
{{- else -}}
{{- fail (printf "Key 'mariadb-password' not found in secret %s" .Values.mariadb.auth.existingSecret) -}}
{{- end -}}
{{- else -}}
{{- fail (printf "Existing MariaDB secret %s not found!" .Values.mariadb.auth.existingSecret) -}}
{{- end -}}
{{- $password | b64dec -}}
{{- else -}}
{{- required "A MariaDB Password is required!. Path: .Values.mariadb.auth.password" .Values.mariadb.auth.password -}}
{{- end -}}
{{- else if .Values.nautobot.db.password -}}
{{- .Values.nautobot.db.password -}}
{{- default (printf "%s-db-password" (include "common.names.fullname" .)) .Values.mariadb.auth.existingSecret -}}
{{- else -}}
{{- fail (printf "You have to configure database credentials.") -}}
{{- printf "%s-db-password" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}

{{- define "nautobot.database.encryptedPassword" -}}
{{- include "nautobot.database.rawPassword" . | b64enc | quote -}}
{{- define "nautobot.database.passwordKey" -}}
{{- if .Values.nautobot.db.existingSecret -}}
{{- .Values.nautobot.db.existingSecretPasswordKey -}}
{{- else if eq .Values.postgresql.enabled true -}}
{{- if .Values.postgresql.auth.existingSecret -}}
{{- default "password" .Values.postgresql.auth.secretsKeys.adminPasswordKey -}}
{{- else -}}
{{- printf "password" -}}
{{- end -}}
{{- else if eq .Values.postgresqlha.enabled true -}}
{{- printf "postgresql-password" -}}
{{- else if eq .Values.mariadb.enabled true -}}
{{- printf "mariadb-password" -}}
{{- else -}}
{{- printf "password" -}}
{{- end -}}
{{- end -}}

{{/*
Expand Down Expand Up @@ -310,62 +243,28 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- end -}}

{{/*
Return the decoded redis password. If redis is enabled check the existing secret passed to redis.
If not check the existing secret passed to Nautobot. The existingSecretPasswordKey key is used to lookup the password
Pseudo Code:
if nautobot.redis.existingSecret:
return value from the secret at the key nautobot.redis.existingSecretPasswordKey
else if redis.enabled:
if redis.auth.existingSecret:
return value from the secret at the key redis.auth.existingSecretPasswordKey
else
return value from redis.auth.password
else if nautobot.redis.password:
return value from nautobot.redis.password
else
ERROR
Return the secret name where the redis password will exist.
Either in the value you've supplied to the Nautobot chart, the Redis chart
or if a password is being generated, where it will be generated at.
*/}}
{{- define "nautobot.redis.rawPassword" -}}
{{- define "nautobot.redis.passwordName" -}}
{{- if .Values.nautobot.redis.existingSecret -}}
{{- $password := "" -}}
{{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.nautobot.redis.existingSecret) -}}
{{- if $secret -}}
{{- if index $secret.data .Values.nautobot.redis.existingSecretPasswordKey -}}
{{- $password = index $secret.data .Values.nautobot.redis.existingSecretPasswordKey -}}
{{- else -}}
{{- fail (printf "Key '%s' not found in secret '%s'" .Values.nautobot.redis.existingSecretPasswordKey .Values.nautobot.redis.existingSecret) -}}
{{- end -}}
{{- else -}}
{{- fail (printf "Existing secret '%s' not found!" .Values.nautobot.redis.existingSecret) -}}
{{- end -}}
{{- $password | b64dec -}}
{{- else if eq .Values.redis.enabled true -}}
{{- if .Values.redis.auth.existingSecret -}}
{{- $password := "" -}}
{{- $secret := (lookup "v1" "Secret" $.Release.Namespace .Values.redis.auth.existingSecret) -}}
{{- if $secret -}}
{{- if index $secret.data .Values.redis.auth.existingSecretPasswordKey -}}
{{- $password = index $secret.data .Values.redis.auth.existingSecretPasswordKey -}}
{{- else -}}
{{- fail (printf "Key '%s' not found in secret '%s'" .Values.redis.auth.existingSecretPasswordKey .Values.redis.auth.existingSecret) -}}
{{- end -}}
{{- else -}}
{{- fail (printf "Existing secret '%s' not found!" .Values.redis.auth.existingSecret) -}}
{{- end -}}
{{- $password | b64dec -}}
{{- else -}}
{{- required "A Redis Password is required. Path: .Values.redis.auth.password" .Values.redis.auth.password -}}
{{- end -}}
{{- else if .Values.nautobot.redis.password -}}
{{- .Values.nautobot.redis.password -}}
{{- .Values.nautobot.redis.existingSecret -}}
{{- else if .Values.redis.auth.existingSecret -}}
{{- .Values.redis.auth.existingSecret -}}
{{- else -}}
{{- fail (printf "You have to configure redis credentials.") -}}
{{- printf "nautobot-redis" -}}
{{- end -}}
{{- end -}}
{{- define "nautobot.redis.encryptedPassword" -}}
{{- include "nautobot.redis.rawPassword" . | b64enc | quote -}}
{{- define "nautobot.redis.passwordKey" -}}
{{- if .Values.nautobot.redis.existingSecretPasswordKey -}}
{{- .Values.nautobot.redis.existingSecretPasswordKey -}}
{{- else if .Values.redis.auth.existingSecretPasswordKey -}}
{{- .Values.redis.auth.existingSecretPasswordKey -}}
{{- else -}}
{{- printf "redis-password" -}}
{{- end -}}
{{- end -}}
{{/*
Expand Down
2 changes: 0 additions & 2 deletions charts/nautobot/templates/_secrets.tpl
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,4 @@
{{- define "nautobot.secret.env" -}}
NAUTOBOT_DB_PASSWORD: {{ include "nautobot.database.encryptedPassword" . }}
NAUTOBOT_REDIS_PASSWORD: {{ include "nautobot.redis.encryptedPassword" . }}
NAUTOBOT_SECRET_KEY: {{ include "nautobot.encryptedSecretKey" .}}
{{- if .Values.nautobot.superUser.enabled }}
NAUTOBOT_SUPERUSER_API_TOKEN: {{ include "nautobot.encryptedSuperUserAPIToken" .}}
Expand Down
10 changes: 10 additions & 0 deletions charts/nautobot/templates/celery-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,16 @@ spec:
{{- if $celery.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" $celery.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
- name: NAUTOBOT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.database.passwordName" $ }}
key: {{ include "nautobot.database.passwordKey" $ }}
- name: NAUTOBOT_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.redis.passwordName" $ }}
key: {{ include "nautobot.redis.passwordKey" $ }}
envFrom:
- configMapRef:
name: {{ include "common.names.fullname" $ }}-env
Expand Down
10 changes: 10 additions & 0 deletions charts/nautobot/templates/job.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,16 @@ spec:
{{- if $initJob.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" $initJob.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
- name: NAUTOBOT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.database.passwordName" $ }}
key: {{ include "nautobot.database.passwordKey" $ }}
- name: NAUTOBOT_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.redis.passwordName" $ }}
key: {{ include "nautobot.redis.passwordKey" $ }}
envFrom:
- configMapRef:
name: {{ include "common.names.fullname" $ }}-env-init
Expand Down
30 changes: 30 additions & 0 deletions charts/nautobot/templates/nautobot-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,16 @@ spec:
{{- if $nautobot.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" $nautobot.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
- name: NAUTOBOT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.database.passwordName" $ }}
key: {{ include "nautobot.database.passwordKey" $ }}
- name: NAUTOBOT_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.redis.passwordName" $ }}
key: {{ include "nautobot.redis.passwordKey" $ }}
envFrom:
- configMapRef:
name: {{ include "common.names.fullname" $ }}-env
Expand Down Expand Up @@ -139,6 +149,16 @@ spec:
{{- if $nautobot.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" $nautobot.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
- name: NAUTOBOT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.database.passwordName" $ }}
key: {{ include "nautobot.database.passwordKey" $ }}
- name: NAUTOBOT_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.redis.passwordName" $ }}
key: {{ include "nautobot.redis.passwordKey" $ }}
envFrom:
- configMapRef:
name: {{ include "common.names.fullname" $ }}-env
Expand Down Expand Up @@ -193,6 +213,16 @@ spec:
{{- if $nautobot.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" $nautobot.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
- name: NAUTOBOT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.database.passwordName" $ }}
key: {{ include "nautobot.database.passwordKey" $ }}
- name: NAUTOBOT_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.redis.passwordName" $ }}
key: {{ include "nautobot.redis.passwordKey" $ }}
envFrom:
- configMapRef:
name: {{ include "common.names.fullname" $ }}-env
Expand Down
20 changes: 20 additions & 0 deletions charts/nautobot/templates/secret.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,26 @@ type: Opaque
data:
{{- include "nautobot.secret.env" . | nindent 2 }}

{{- if not .Values.nautobot.db.existingSecret }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "nautobot.database.passwordName" . }}
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: nautobot
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{ include "nautobot.database.passwordKey" . }}: {{ .Values.nautobot.db.password | b64enc | quote }}
{{- end }}

{{- if $.Values.nautobot.singleInit -}}
{{- $initJob := (include "nautobot.initJob" .) | mustFromJson -}}
# Duplicate the configmaps for the init job only, they will be deleted by helm after the job succeeds.
Expand Down

0 comments on commit d18cac3

Please sign in to comment.