nats-streaming-rc7: Fix secretStore in ExternalSecret manifest (#104)
* Fix secretStore in ExternalSecret manifest

* Bump RC version to 7
michaelbui99 authored Nov 19, 2024
1 parent 774bfbe commit dac6ada
Showing 15 changed files with 1,188 additions and 0 deletions.
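--- a/charts/nats-streaming/.helmignore
+++ b/charts/nats-streaming/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/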
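--- a/charts/nats-streaming/Chart.yaml
+++ b/charts/nats-streaming/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v2
+name: nats-streaming
+description: Stan helm chart fork that supports configuring auth through secrets. Only used for migration purposes and no maintenance effort planned.
+version: 0.1.0-rc7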
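--- a/charts/nats-streaming/README.md
+++ b/charts/nats-streaming/README.md
@@ -0,0 +1,6 @@
+# NATS-streaming Chart
+
+Fork of https://github.com/nats-io/k8s/blob/main/helm/charts/stan/values.yaml that allows specifying auth credentials through a secret. The auth credentials can also be synced through an ExternalSecret using the `stan.auth.secretRef.externalSecret` options.
+This fork also removes a lot of the original configuration options as well as setting some default values that are specific to the Gen 2 on-prem cluster.
+
+There will be no maintenance efforts for this chart other than fixes to critical bugs and secrutiy issues.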
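--- a/charts/nats-streaming/templates/_helpers.tpl
+++ b/charts/nats-streaming/templates/_helpers.tpl
@@ -0,0 +1,47 @@
+{/*
+Expand the name of the chart.
+*/}}
+{{- define "stan.name" -}}
+{{- default (printf "%s-%s" .Release.Name $.Values.kubernetesNamespace) .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Return the list of peers in a NATS Streaming cluster.
+*/}}
+{{- define "stan.clusterPeers" -}}
+{{- range $i, $e := until (int $.Values.stan.replicas) -}}
+{{- printf "'%s-%d'," (include "stan.name" $) $i -}}
+{{- end -}}
+{{- end }}
+
+{{- define "stan.replicaCount" -}}
+{{- $replicas := (int $.Values.stan.replicas) -}}
+{{- if and $.Values.store.cluster.enabled (lt $replicas 3) -}}
+{{- $replicas = "" -}}
+{{- end -}}
+{{ print $replicas }}
+{{- end -}}
+
+{{/*
+Define the serviceaccountname
+*/}}
+{{- define "stan.serviceAccountName" -}}
+{{- default "nats-streaming" .Values.serviceAccountName | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Return the proper NATS image name
+*/}}
+{{- define "nats.clusterAdvertise" -}}
+{{- printf "$(POD_NAME).%s.$(POD_NAMESPACE).svc" (include "stan.name" . ) }}
+{{- end }}
+
+{{/*
+Return the NATS cluster routes.
+*/}}
+{{- define "nats.clusterRoutes" -}}
+{{- $name := default (printf "%s-%s" .Release.Name $.Values.kubernetesNamespace) .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- range $i, $e := until (.Values.stan.replicas | int) -}}
+{{- printf "nats://%s-%d.%s.%s.svc:6222," $name $i $name $.Values.kubernetesNamespace -}}
+{{- end -}}
+{{- end }}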
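Review bot: The comment block at the top of the file opens with `{/*` instead of `{{/*`, so the delimiters are unbalanced and the line, the description and `*/}}` are treated as literal text rather than a template comment; it is harmless while helper files are not rendered as manifests, but it should be `{{/*`. The comment above `nats.clusterAdvertise` reads "Return the proper NATS image name" although the define builds the `$(POD_NAME).<name>.$(POD_NAMESPACE).svc` advertise address; change it to `Return the cluster advertise address for this pod.`. `stan.replicaCount` silently prints an empty value when `store.cluster.enabled` is set with fewer than 3 replicas, which leaves whatever consumes it with a blank `replicas` rather than a clear error; consider `{{- fail "stan.replicas must be at least 3 when store.cluster.enabled is true" -}}` in that branch so the misconfiguration is caught at template time.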
147 changes: 147 additions & 0 deletions charts/nats-streaming/templates/configmap.yaml
@@ -0,0 +1,147 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "stan.name" . }}-config
labels:
app: {{ template "stan.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
data:
stan.conf: |-
#########################
# NATS Streaming Config #
#########################
streaming {
{{- if .Values.stan.clusterID }}
id: {{ .Values.stan.clusterID }}
{{- else }}
id: {{ template "stan.name" . }}
{{- end }}
{{- if .Values.stan.logging.debug }}
sd: true
{{- end }}
{{- if .Values.stan.logging.trace }}
sv: true
{{- end }}
{{- if .Values.stan.credentials }}
credentials: "/etc/stan-creds/{{ .Values.stan.credentials.secret.key }}"
{{- end }}
{{- if .Values.stan.auth.enabled }}
{{- if (and .Values.stan.auth.username .Values.stan.auth.password) }}
username: $AUTH_USER
password: $AUT_PASSWORD
{{- end }}
{{- if .Values.stan.auth.token }}
token: {{ .Values.stan.auth.token }}
{{- end }}
{{- if .Values.stan.auth.nkeySeedFile }}
nkey_seed_file: "/etc/nkey-seed-file"
{{- end }}
{{- end }}
{{- with .Values.store.ft.group }}
ft_group_name: {{ . }}
{{- end }}
###############################
# Store Config #
###############################
store: "file"
dir: {{ .Values.store.file.path }}
{{- with .Values.store.file.options }}
file_options: {{ toPrettyJson . | indent 6 }}
{{- end }}
{{- if .Values.store.cluster.enabled }}
###############################
# NATS Streaming Clustering #
###############################
cluster {
node_id: $POD_NAME
{{- with .Values.store.cluster.logPath }}
log_path: {{ . }}
{{- end }}
# Explicit names of resulting peers
peers: [
{{ template "stan.clusterPeers" . }}
]
}
{{- end }}
{{- with .Values.store.partitioning }}
partitioning: {{ .enabled }}
{{- end }}
{{- with .Values.store.limits }}
store_limits: {
{{- if kindIs "float64" .max_channels }}
max_channels: {{ .max_channels | int }}
{{- end }}
{{- if kindIs "float64" .max_msgs }}
max_msgs: {{ .max_msgs | int }}
{{- end }}
{{- if .max_bytes }}
max_bytes: {{ .max_bytes }}
{{- end }}
{{- if .max_age }}
max_age: {{ .max_age | quote }}
{{- end }}
{{- if kindIs "float64" .max_subs }}
max_subs: {{ .max_subs | int }}
{{- end }}
{{- if .max_inactivity }}
max_inactivity: {{ .max_inactivity | quote }}
{{- end }}
{{- if .channels }}
channels {
{{- range $channel, $limits := .channels }}
{{ $channel }}: {
{{- if $limits }}
{{- if kindIs "float64" $limits.max_subs }}
max_subs: {{ $limits.max_subs | int }}
{{- end }}
{{- if kindIs "float64" $limits.max_msgs }}
max_msgs: {{ $limits.max_msgs | int }}
{{- end }}
{{- if $limits.max_bytes }}
max_bytes: {{ $limits.max_bytes }}
{{- end }}
{{- if $limits.max_age }}
max_age: {{ $limits.max_age | quote }}
{{- end }}
{{- if $limits.max_inactivity }}
max_inactivity: {{ $limits.max_inactivity | quote }}
{{- end }}
{{- end }}
}
{{- end }}
}
{{- end }}
}
{{- end }}
}
###############################################
# #
# Embedded NATS Config #
# #
###############################################
{{ include "nats-configmap" . | nindent 4 }}
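Review bot: The `password:` line under the username/password branch references `$AUT_PASSWORD` while the line above uses `$AUTH_USER`; unless the StatefulSet (not among the files shown here) really exports a variable named `AUT_PASSWORD`, this is a typo and the server would likely fail to resolve the reference at startup, so it should read `password: $AUTH_PASSWORD`. The `token: {{ .Values.stan.auth.token }}` line writes the auth token in clear text into a ConfigMap, which is readable by anyone with `get configmaps` on the namespace and contradicts the chart's stated goal of taking credentials from Secrets; follow the username/password pattern and reference an environment variable populated from a Secret instead. `store: "file"` is hard-coded, yet the initdb.yaml hunk in this commit creates a Job whenever `.Values.store.type` is `sql`, so setting that value provisions a database schema the server never uses; either render `store: {{ .Values.store.type | quote }}` here or drop the sql branch from the chart.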
23 changes: 23 additions & 0 deletions charts/nats-streaming/templates/externalsecret.yaml
@@ -0,0 +1,23 @@
{{- if and $.Values.stan.auth.enabled $.Values.stan.auth.secretRef.externalSecret.enable }}
---
{{- $secretName := ($.Values.stan.auth.secretRef.secret | default "google-secret-manager") }}
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ $.Values.stan.auth.secretRef.secret }}
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: {{ $.Values.stan.auth.secretRef.externalSecret.secretStore }}
target:
name: {{ $secretName }}
creationPolicy: Owner
data:
- secretKey: {{ $.Values.stan.auth.secretRef.usernameKey }}
remoteRef:
key: {{ $.Values.stan.auth.secretRef.externalSecret.remoteUsernameRef }}
- secretKey: {{ $.Values.stan.auth.secretRef.passwordKey }}
remoteRef:
key: {{ $.Values.stan.auth.secretRef.externalSecret.remotePasswordRef }}
{{- end }}
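Review bot: `metadata.name` uses `$.Values.stan.auth.secretRef.secret` directly while `target.name` uses the defaulted `$secretName`; when `secretRef.secret` is unset the ExternalSecret is rendered with an empty name and rejected by the API server even though the target Secret would have had a name, so the metadata line should be `name: {{ $secretName }}`. All of the rendered values are unquoted, so a secret name or remote key that happens to look like a number or boolean is retyped; `{{ ... | quote }}` on the `name`, `secretKey` and `key` lines avoids that. Since the commit's purpose is fixing the store reference, it is worth confirming that `google-secret-manager` is the intended default for the target Secret's name rather than for `secretStoreRef.name`, and that `kind: SecretStore` being hard-coded (rather than allowing `ClusterSecretStore`) matches the store this chart is meant to use.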
47 changes: 47 additions & 0 deletions charts/nats-streaming/templates/initdb.yaml
@@ -0,0 +1,47 @@
---
{{- if eq .Values.store.type "sql" }}
{{- if .Values.store.sql.initdb.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: '{{ .Release.Name }}-init-db'
annotations:
"helm.sh/hook": "pre-install"
spec:
template:
metadata:
{{- with .Values.store.sql.initdb.annotations }}
annotations:
{{ toYaml . | indent 8 }}
{{- end }}
spec:
terminationGracePeriodSeconds: 0
restartPolicy: Never
{{- if eq .Values.store.sql.driver "postgres" }}
containers:
- name: init-database
image: {{ .Values.store.sql.initdb.image }}
env:
- name: PGPASSWORD
value: {{ .Values.store.sql.dbPassword }}
command: ['psql']
args: [
'--host', '{{ .Values.store.sql.dbHost }}',
'-U', '{{ .Values.store.sql.dbUser }}',
'-d', '{{ .Values.store.sql.dbName }}',
'-p', '{{ .Values.store.sql.dbPort }}',
'-c', 'CREATE TABLE IF NOT EXISTS ServerInfo (uniquerow INTEGER DEFAULT 1, id VARCHAR(1024), proto BYTEA, version INTEGER, PRIMARY KEY (uniquerow));
CREATE TABLE IF NOT EXISTS Clients (id VARCHAR(1024), hbinbox TEXT, PRIMARY KEY (id));
CREATE TABLE IF NOT EXISTS Channels (id INTEGER, name VARCHAR(1024) NOT NULL, maxseq BIGINT DEFAULT 0, maxmsgs INTEGER DEFAULT 0, maxbytes BIGINT DEFAULT 0, maxage BIGINT DEFAULT 0, deleted BOOL DEFAULT FALSE, PRIMARY KEY (id));
CREATE INDEX IF NOT EXISTS Idx_ChannelsName ON Channels (name(256));
CREATE TABLE IF NOT EXISTS Messages (id INTEGER, seq BIGINT, timestamp BIGINT, size INTEGER, data BYTEA, CONSTRAINT PK_MsgKey PRIMARY KEY(id, seq));
CREATE INDEX IF NOT EXISTS Idx_MsgsTimestamp ON Messages (timestamp);
CREATE TABLE IF NOT EXISTS Subscriptions (id INTEGER, subid BIGINT, lastsent BIGINT DEFAULT 0, proto BYTEA, deleted BOOL DEFAULT FALSE, CONSTRAINT PK_SubKey PRIMARY KEY(id, subid));
CREATE TABLE IF NOT EXISTS SubsPending (subid BIGINT, row BIGINT, seq BIGINT DEFAULT 0, lastsent BIGINT DEFAULT 0, pending BYTEA, acks BYTEA, CONSTRAINT PK_MsgPendingKey PRIMARY KEY(subid, row));
CREATE INDEX IF NOT EXISTS Idx_SubsPendingSeq ON SubsPending (seq);
CREATE TABLE IF NOT EXISTS StoreLock (id VARCHAR(30), tick BIGINT DEFAULT 0);
ALTER TABLE Clients ADD IF NOT EXISTS proto BYTEA;'
]
{{- end }}
{{- end }}
{{- end }}
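Review bot: The `PGPASSWORD` env entry takes its value from `.Values.store.sql.dbPassword` as a plain `value:`, so the database password ends up in clear text in the rendered Job manifest, in the Helm release record and in `kubectl get job -o yaml` output for anyone with read access to Jobs; for a chart whose purpose is moving credentials into Secrets, the value should come from a Secret via `valueFrom.secretKeyRef`. The same line is also unquoted, so a password consisting only of digits or matching a YAML boolean is retyped before the container sees it; if a plain value must be kept for now, at least render it as `value: {{ .Values.store.sql.dbPassword | quote }}`. Both sketches below use labelled placeholders because the chart's values for a database Secret name and key are not visible on this page.
```yaml
        - name: PGPASSWORD
          valueFrom:
            secretKeyRef:
              name: {{ .Values.store.sql.dbPasswordSecretName | quote }}  # PLACEHOLDER: values key for the DB Secret name, to be defined in values.yaml
              key: {{ .Values.store.sql.dbPasswordSecretKey | quote }}    # PLACEHOLDER: values key for the password key inside that Secret
        # … unchanged: psql command and args …
```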
