nautobot · ubajze · Mar 25, 2024 · Mar 19, 2024 · Mar 19, 2024 · Mar 19, 2024
@@ -50,24 +50,25 @@ https://docs.nautobot.com/projects/helm-charts/en/stable/configuration/reference
  echo "Nautobot URL: http://$NODE_IP:$NODE_PORT/"
 
 {{- end }}
-{{- if .Values.nautobot.superUser.enabled }}
+{{- if and .Values.nautobot.superUser.enabled (not .Values.nautobot.superUser.existingSecret) }}
 
 2. Get your Nautobot login admin credentials by running:
 
  echo Username: {{ .Values.nautobot.superUser.username }}
  echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-env -o jsonpath="{.data.NAUTOBOT_SUPERUSER_PASSWORD}" | base64 --decode)
  echo api-token: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-env -o jsonpath="{.data.NAUTOBOT_SUPERUSER_API_TOKEN}" | base64 --decode)
 {{- end }}
-{{- if not .Values.nautobot.secretKey }}
+{{- if not (or .Values.nautobot.secretKey .Values.nautobot.django.secretKey .Values.nautobot.django.existingSecret) }}
 
 Make sure you take note of your Nautobot `NAUTOBOT_SECRET_KEY` by running:
 
  echo Secret Key: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-env -o jsonpath="{.data.NAUTOBOT_SECRET_KEY}" | base64 --decode)
 {{- end }}
 {{- if .Values.postgresql.enabled }}
+
 To take a backup of the database run:
 
- export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
+ export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-postgresql -o jsonpath="{.data.postgres-password}" | base64 --decode)
  echo $POSTGRES_PASSWORD | kubectl exec -itn {{ .Release.Namespace }} statefulset.apps/{{ include "common.names.fullname" . }}-postgresql -- pg_dump --username {{ .Values.postgresql.auth.username }} --clean --if-exists nautobot > backup.sql
 
 {{- end }}

@@ -57,28 +57,45 @@ Compile all warnings into a single message.
 {{- end -}}
 {{- end -}}
 
-{{- define "nautobot.encryptedSecretKey" -}}
- {{- if not .Values.nautobot.secretKey -}}
- {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-env" (include "nautobot.names.fullname" . )) "key" "NAUTOBOT_SECRET_KEY" "providedValues" (list "nautobot.secretKey") "length" 64 "strong" true "context" $) }}
- {{- else -}}
- {{- .Values.nautobot.secretKey | b64enc | quote -}}
- {{- end -}}
+{{/*
+The secret name where the nautobot secret_key used by django will exist.
+*/}}
+{{- define "nautobot.django.secretName" -}}
+ {{- default (printf "%s-env" (include "common.names.fullname" .)) .Values.nautobot.django.existingSecret -}}
 {{- end -}}
 
-{{- define "nautobot.encryptedSuperUserAPIToken" -}}
- {{- if not .Values.nautobot.superUser.apitoken -}}
- {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-env" (include "nautobot.names.fullname" . )) "key" "NAUTOBOT_SUPERUSER_API_TOKEN" "providedValues" (list "nautobot.superUserAPIToken") "length" 40 "strong" false "context" $) }}
- {{- else -}}
- {{- .Values.nautobot.superUser.apitoken | b64enc | quote -}}
- {{- end -}}
+{{/*
+The secret key where the nautobot secret_key used by django will exist.
+*/}}
+{{- define "nautobot.django.existingSecretSecretKeyKey" -}}
+ {{- default (printf "NAUTOBOT_SECRET_KEY") .Values.nautobot.django.existingSecretSecretKeyKey -}}
 {{- end -}}
 
-{{- define "nautobot.encryptedSuperUserPassword" -}}
- {{- if not .Values.nautobot.superUser.password -}}
- {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-env" (include "nautobot.names.fullname" . )) "key" "NAUTOBOT_SUPERUSER_PASSWORD" "providedValues" (list "nautobot.superUserPassword") "length" 64 "strong" true "context" $) }}
- {{- else -}}
- {{- .Values.nautobot.superUser.password | b64enc | quote -}}
- {{- end -}}
+{{/*
+Retrieve existing django/nautobot secret key, use one provided via values or generate a random one
+*/}}
+{{- define "nautobot.django.secretKey" -}}
+ {{- include "common.secrets.passwords.manage" (dict "secret" (include "nautobot.django.secretName" .) "key" (include "nautobot.django.existingSecretSecretKeyKey" .) "providedValues" (list .Values.nautobot.django.secretKey .Values.nautobot.secretKey) "length" 64 "strong" true "context" $) -}}
+{{- end -}}
+
+{{- define "nautobot.superUser.secretName" -}}
+ {{- default (printf "%s-env" (include "common.names.fullname" .)) .Values.nautobot.superUser.existingSecret -}}
+{{- end -}}
+
+{{- define "nautobot.superUser.existingSecretPasswordKey" -}}
+ {{- default (printf "NAUTOBOT_SUPERUSER_PASSWORD") .Values.nautobot.superUser.existingSecretPasswordKey -}}
+{{- end -}}
+
+{{- define "nautobot.superUser.existingSecretApiTokenKey" -}}
+ {{- default (printf "NAUTOBOT_SUPERUSER_API_TOKEN") .Values.nautobot.superUser.existingSecretApiTokenKey -}}
+{{- end -}}
+
+{{- define "nautobot.superUser.apiToken" -}}
+ {{- include "common.secrets.passwords.manage" (dict "secret" (include "nautobot.superUser.secretName" . ) "key" (include "nautobot.superUser.existingSecretApiTokenKey" .) "providedValues" (list .Values.nautobot.superUser.apitoken) "length" 40 "strong" false "context" $) -}}
+{{- end -}}
+
+{{- define "nautobot.superUser.password" -}}
+ {{- include "common.secrets.passwords.manage" (dict "secret" (include "nautobot.superUser.secretName" . ) "key" (include "nautobot.superUser.existingSecretPasswordKey" .) "providedValues" (list .Values.nautobot.superUser.password) "length" 64 "strong" true "context" $) -}}
 {{- end -}}
 
 {{/*
@@ -173,15 +190,15 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
  {{- if .Values.nautobot.db.existingSecret -}}
  {{- .Values.nautobot.db.existingSecret -}}
  {{- else if eq .Values.postgresql.enabled true -}}
- {{- default (printf "%s-db-password" (include "common.names.fullname" .)) .Values.postgresql.auth.existingSecret -}}
+ {{- default (printf "%s-postgresql" (include "common.names.fullname" .)) .Values.postgresql.auth.existingSecret -}}
  {{- else if eq .Values.postgresqlha.enabled true -}}
  {{- if .Values.postgresql.auth.existingSecret -}}
- {{- default (printf "%s-db-password" (include "common.names.fullname" .)) .Values.postgresqlha.auth.existingSecret -}}
+ {{- default (printf "%s-postgresql" (include "common.names.fullname" .)) .Values.postgresqlha.auth.existingSecret -}}
  {{- else -}}
  {{- printf "%s-db-password" (include "common.names.fullname" .) -}}
  {{- end -}}
  {{- else if eq .Values.mariadb.enabled true -}}
- {{- default (printf "%s-db-password" (include "common.names.fullname" .)) .Values.mariadb.auth.existingSecret -}}
+ {{- default (printf "%s-mariadb" (include "common.names.fullname" .)) .Values.mariadb.auth.existingSecret -}}
  {{- else -}}
  {{- printf "%s-db-password" (include "common.names.fullname" .) -}}
  {{- end -}}

@@ -1,7 +1,9 @@
-{{- define "nautobot.secret.env" -}}
-NAUTOBOT_SECRET_KEY: {{ include "nautobot.encryptedSecretKey" .}}
-{{- if .Values.nautobot.superUser.enabled }}
-NAUTOBOT_SUPERUSER_API_TOKEN: {{ include "nautobot.encryptedSuperUserAPIToken" .}}
-NAUTOBOT_SUPERUSER_PASSWORD: {{ include "nautobot.encryptedSuperUserPassword" .}}
+{{define "nautobot.secret.env" -}}
+{{- if not .Values.nautobot.django.existingSecret -}}
+NAUTOBOT_SECRET_KEY: {{ include "nautobot.django.secretKey" .}}
+{{ end -}}
+{{- if (and .Values.nautobot.superUser.enabled (not .Values.nautobot.superUser.existingSecret)) -}}
+NAUTOBOT_SUPERUSER_API_TOKEN: {{ include "nautobot.superUser.apiToken" .}}
+NAUTOBOT_SUPERUSER_PASSWORD: {{ include "nautobot.superUser.password" .}}
+{{- end -}}
 {{- end }}
-{{ end }}
@@ -81,6 +81,11 @@ spec:
  secretKeyRef:
  name: {{ include "nautobot.redis.passwordName" $ }}
  key: {{ include "nautobot.redis.passwordKey" $ }}
+ - name: NAUTOBOT_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.django.secretName" $ }}
+ key: {{ include "nautobot.django.existingSecretSecretKeyKey" $ }}
  envFrom:
  - configMapRef:
  name: {{ include "common.names.fullname" $ }}-env-init

@@ -91,6 +91,23 @@ spec:
  secretKeyRef:
  name: {{ include "nautobot.redis.passwordName" $ }}
  key: {{ include "nautobot.redis.passwordKey" $ }}
+ - name: NAUTOBOT_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.django.secretName" $ }}
+ key: {{ include "nautobot.django.existingSecretSecretKeyKey" $ }}
+ {{ if $nautobot.superUser.existingSecret -}}
+ - name: NAUTOBOT_SUPERUSER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.superUser.secretName" $ }}
+ key: {{ include "nautobot.superUser.existingSecretPasswordKey" $ }}
+ - name: NAUTOBOT_SUPERUSER_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.superUser.secretName" $ }}
+ key: {{ include "nautobot.superUser.existingSecretApiTokenKey" $ }}
+ {{- end }}
  envFrom:
  - configMapRef:
  name: {{ include "common.names.fullname" $ }}-env
@@ -223,6 +240,23 @@ spec:
  secretKeyRef:
  name: {{ include "nautobot.redis.passwordName" $ }}
  key: {{ include "nautobot.redis.passwordKey" $ }}
+ - name: NAUTOBOT_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.django.secretName" $ }}
+ key: {{ include "nautobot.django.existingSecretSecretKeyKey" $ }}
+ {{ if $nautobot.superUser.existingSecret -}}
+ - name: NAUTOBOT_SUPERUSER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.superUser.secretName" $ }}
+ key: {{ include "nautobot.superUser.existingSecretPasswordKey" $ }}
+ - name: NAUTOBOT_SUPERUSER_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "nautobot.superUser.secretName" $ }}
+ key: {{ include "nautobot.superUser.existingSecretApiTokenKey" $ }}
+ {{- end }}
  envFrom:
  - configMapRef:
  name: {{ include "common.names.fullname" $ }}-env

@@ -14,9 +14,13 @@ metadata:
  {{- end }}
 type: Opaque
 data:
-{{- include "nautobot.secret.env" . | nindent 2 }}
+{{- if (include "nautobot.secret.env" .) }}
+{{ include "nautobot.secret.env" . | indent 2 }}
+{{- else }}
+{{ "{}" | indent 2 }}
+{{- end }}
 
-{{- if not ( or .Values.nautobot.db.existingSecret .Values.postgresql.auth.existingSecret .Values.mariadb.auth.existingSecret ) }}
+{{- if .Values.nautobot.db.password }}
 ---
 apiVersion: v1
 kind: Secret

@@ -354,7 +354,7 @@ nautobot:
  # -- Name of existing secret to use for Database passwords<sup>[1](#notes)</sup>
  existingSecret: ""
  # -- Password key to be retrieved from existing secret<sup>[1](#notes)</sup>
- existingSecretPasswordKey: "NAUTOBOT_DB_PASSWORD"
+ existingSecretPasswordKey: ""
  # -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#databases)] Nautobot external database hostname, ignored if `postgresql.enabled` is `true` (NAUTOBOT_DB_HOST)<sup>[1](#notes)</sup>
  host: "postgres"
  # -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#databases)] Nautobot external database name, ignored if `postgresql.enabled` is `true` (NAUTOBOT_DB_NAME)<sup>[1](#notes)</sup>
@@ -378,7 +378,7 @@ nautobot:
  # -- Name of existing secret to use for Redis passwords<sup>[1](#notes)</sup>
  existingSecret: ""
  # -- Password key to be retrieved from existing secret<sup>[1](#notes)</sup>
- existingSecretPasswordKey: "NAUTOBOT_REDIS_PASSWORD"
+ existingSecretPasswordKey: ""
  # -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#rq_queues)] Nautobot external Redis hostname, ignored if `redis.enabled` is `true` (NAUTOBOT_REDIS_HOST)<sup>[1](#notes)</sup>
  host: ""
  # -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#rq_queues)] Nautobot external Redis password, ignored if `redis.enabled` is `true` (NAUTOBOT_REDIS_PASSWORD)<sup>[1](#notes)</sup>
@@ -392,7 +392,22 @@ nautobot:
 
  # -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#secret_key)] Nautobot Secret Key (NAUTOBOT_SECRET_KEY)<sup>[1](#notes)</sup>
  secretKey: ""
+
+ django:
+ # -- Name of existing secret to use for NAUTOBOT_SECRET_KEY<sup>[1](#notes)</sup>
+ existingSecret: ""
+ # -- SecretKey key to be retrieved from existing secret<sup>[1](#notes)</sup>
+ existingSecretSecretKeyKey: ""
+ # -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#secret_key)] Nautobot Secret Key (NAUTOBOT_SECRET_KEY), takes priority over nautobot.secretKey<sup>[1](#notes)</sup>
+ secretKey: ""
+
  superUser:
+ # -- Name of existing secret to use for superuser password and API token<sup>[1](#notes)</sup>
+ existingSecret: ""
+ # -- Password key to be retrieved from existing secret<sup>[1](#notes)</sup>
+ existingSecretPasswordKey: ""
+ # -- API Token key to be retrieved from existing secret<sup>[1](#notes)</sup>
+ existingSecretApiTokenKey: ""
  # -- [[ref](https://nautobot.readthedocs.io/en/stable/docker/#nautobot_create_superuser)] Create a new super user account in Nautobot once deployed (NAUTOBOT_CREATE_SUPERUSER)<sup>[1](#notes)</sup>
  enabled: true
  # -- [[ref](https://nautobot.readthedocs.io/en/stable/docker/#nautobot_superuser_api_token)] Configure an API key for the super user if `nautobot.superUser.enabled` is `true` (NAUTOBOT_SUPERUSER_API_TOKEN)<sup>[1](#notes)</sup>

@@ -1,6 +1,16 @@
 # Existing Secrets
 
-If you don't want to pass values through helm for either Redis or PostgreSQL there are a few options. If you want to deploy PostgreSQL and Redis with this chart:
+If you don't want to pass values through helm for...
+
+- Redis
+- PostgreSQL
+- MariaDB
+- Nautobot Secret Key
+- Superuser password and API token
+
+...there's the option of creating these secrets manually and referencing them in the configuration.
+
+For example, if you want to deploy PostgreSQL and Redis with this chart:
 
 1. Create a secret with both PostgreSQL and Redis passwords:
 
@@ -39,4 +49,23 @@ redis:
  enabled: false
 ```
 
-You can use various combinations of `existingSecret` and `existingSecretPasswordKey` options depending on the existing secrets you have deployed. (NOTE: The Bitnami PostgreSQL chart does require the key name to be "postgresql-password")
+To reference an existing NAUTOBOT_SECRET_KEY you can use the following values:
+
+```yaml
+nautobot:
+ django:
+ existingSecret: "my-secret"
+ existingSecretSecretKeyKey: "NAUTOBOT_SECRET_KEY"
+```
+
+And/or for the superuser credentials you can use this configuration:
+
+```yaml
+nautobot:
+ superUser:
+ existingSecret: "my-secret"
+ existingSecretPasswordKey: "NAUTOBOT_SUPERUSER_PASSWORD"
+ existingSecretApiTokenKey: "NAUTOBOT_SUPERUSER_API_TOKEN"
+```
+
+You can use various combinations of `existingSecret` and `*Key` options depending on the existing secrets you have deployed.