move database credentials to Secret

ConfigMaps are not intended to hold confidental data. Storing credentials in Secrets instead brings advantages of Encryption at Rest for Secrets and proper RBAC separation.
traccar · Dec 13, 2023 · 68a9f00 · 68a9f00
1 parent ae85446
commit 68a9f00
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 15 deletions.
diff --git a/charts/traccar/Chart.yaml b/charts/traccar/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: traccar
 description: A Helm chart for Traccar GPS Server
 type: application
-version: 1.7.1
+version: 1.8.0
 appVersion: "5.10"
 dependencies:
   - name: mysql

diff --git a/charts/traccar/templates/configmap.yaml b/charts/traccar/templates/configmap.yaml
@@ -13,6 +13,7 @@ data:
     <!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
     <properties>
         <entry key='config.default'>./conf/default.xml</entry>
+        <entry key='config.useEnvironmentVariables'>true</entry>
 
 {{- if .Values.traccar.server }}
 {{- if .Values.traccar.server.statistics }}
@@ -155,8 +156,6 @@ data:
 {{- if .Values.mysql.enabled }}
         <entry key='database.driver'>com.mysql.cj.jdbc.Driver</entry>
         <entry key='database.url'>jdbc:mysql://{{ include "traccar.fullname" . }}-mysql:3306/{{ .Values.mysql.auth.database }}?serverTimezone=UTC&amp;useSSL=false&amp;allowMultiQueries=true&amp;autoReconnect=true&amp;useUnicode=yes&amp;characterEncoding=UTF-8&amp;sessionVariables=sql_mode=''</entry>
-        <entry key='database.user'>{{ .Values.mysql.auth.username }}</entry>
-        <entry key='database.password'>{{ .Values.mysql.auth.password }}</entry>
 {{- else }}
 {{- if .Values.traccar.database.driverFile }}
         <entry key='database.driverFile'>{{ .Values.traccar.database.driverFile }}</entry>
@@ -167,12 +166,6 @@ data:
 {{- if .Values.traccar.database.url }}
         <entry key='database.url'>{{ .Values.traccar.database.url }}</entry>
 {{- end }}
-{{- if .Values.traccar.database.user }}
-        <entry key='database.user'>{{ .Values.traccar.database.user }}</entry>
-{{- end }}
-{{- if .Values.traccar.database.password }}
-        <entry key='database.password'>{{ .Values.traccar.database.password }}</entry>
-{{- end }}
 {{- end }}
 {{- end }}
 {{- if .Values.traccar.database }}
@@ -311,12 +304,6 @@ data:
 {{- if .Values.traccar.mail.smtp.fromName }}
         <entry key='mail.smtp.fromName'>{{ .Values.traccar.mail.smtp.fromName }}</entry>
 {{- end }}
-{{- if .Values.traccar.mail.smtp.username }}
-        <entry key='mail.smtp.username'>{{ .Values.traccar.mail.smtp.username }}</entry>
-{{- end }}
-{{- if .Values.traccar.mail.smtp.password }}
-        <entry key='mail.smtp.password'>{{ .Values.traccar.mail.smtp.password }}</entry>
-{{- end }}
 {{- end }}
 {{- end }}
 

diff --git a/charts/traccar/templates/deployment.yaml b/charts/traccar/templates/deployment.yaml
@@ -19,6 +19,9 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- if not .Values.configOverride }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
         {{- with .Values.podAnnotations }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -89,6 +92,11 @@ spec:
           env:
             {{- toYaml . | nindent 12 }}
           {{- end }}
+          {{- if not .Values.configOverride }}
+          envFrom:
+            - secretRef:
+                name: {{ include "traccar.fullname" . }}
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http

diff --git a/charts/traccar/templates/secret.yaml b/charts/traccar/templates/secret.yaml
@@ -0,0 +1,26 @@
+{{- if not .Values.configOverride }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "traccar.fullname" . }}
+  labels:
+    {{- include "traccar.labels" . | nindent 4 }}
+stringData:
+  {{- if .Values.mysql.enabled }}
+  DATABASE_USER: {{ .Values.mysql.auth.username | quote }}
+  DATABASE_PASSWORD: {{ .Values.mysql.auth.password | quote }}
+  {{- else }}
+  {{- if ((.Values.traccar).database).user }}
+  DATABASE_USER: {{ .Values.traccar.database.user | quote }}
+  {{- end }}
+  {{- if ((.Values.traccar).database).password }}
+  DATABASE_PASSWORD: {{ .Values.traccar.database.password | quote }}
+  {{- end }}
+  {{- end }} {{/* end if mysql.enabled */}}
+  {{- if (((.Values.traccar).mail).smtp).username }}
+  MAIL_SMTP_USERNAME: {{ .Values.traccar.mail.smtp.username | quote }}
+  {{- end }}
+  {{- if (((.Values.traccar).mail).smtp).password }}
+  MAIL_SMTP_PASSWORD: {{ .Values.traccar.mail.smtp.password | quote }}
+  {{- end }}
+{{- end }}