lemmy: Handle existing secrets for passwords

2023-06-22 13:35:46 +02:00 · 2023-06-22 13:35:46 +02:00 · b1833029cc
commit b1833029cc
parent 652a28c4b2
4 changed files with 79 additions and 23 deletions
--- a/charts/lemmy/templates/_helpers.tpl
+++ b/charts/lemmy/templates/_helpers.tpl
@ -35,6 +35,43 @@ If release name contains chart name it will be used as a full name.
 {{- printf "%s-%s" (include "lemmy.fullname" $) "pictrs" | trunc 63 | trimSuffix "-" }}
 {{- end }}

+{{/*
+Retreive secrets for Lemmy configuration
+*/}}
+{{- define "lemmy.adminpassword" -}}
+{{- if .Values.admin.existingSecret -}}
+{{-   $existingAdmin := lookup "v1" "Secret" .Release.Namespace .Values.admin.existingSecret -}}
+{{-   if not $existingAdmin -}}
+{{-     fail "Provided existing admin secret %s does not exist" -}}
+{{-   end -}}
+{{-   b64dec (get $existingAdmin.data (.Values.admin.existingSecretKey | default "password")) -}}
+{{- else -}}
+{{-   $existing := (lookup "v1" "Secret" .Release.Namespace (include "lemmy.fullname" .)) -}}
+{{-   if and $existing $existing.data.admin_password -}}
+{{-     b64dec $existing.data.admin_password }}
+{{-   else -}}
+{{-     randAlphaNum 32 }}
+{{-   end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "lemmy.pictrsapikey" -}}
+{{- if .Values.pictrs.existingSecret }}
+{{-   $existingPictrs := (lookup "v1" "Secret" .Release.Namespace .Values.pictrs.existingSecret) -}}
+{{-   if not $existingPictrs }}
+{{-     fail "Provided existing pictrs secret does not exist" }}
+{{-   end }}
+{{-   b64dec (get $existingPictrs.data (.Values.pictrs.existingSecretKey | default "apikey")) }}
+{{- else -}}
+{{-   $existing := (lookup "v1" "Secret" .Release.Namespace (include "lemmy.fullname" .)) -}}
+{{-   if and $existing $existing.data.pictrs_apikey -}}
+{{-     b64dec $existing.data.pictrs_apikey }}
+{{-   else -}}
+{{-     randAlphaNum 64 }}
+{{-   end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@ -135,10 +172,19 @@ Set postgresql username
 Set postgresql password
 */}}
 {{- define "lemmy.postgresql.password" -}}
-{{- if .Values.postgresql.enabled -}}
-{{- .Values.postgresql.auth.password | default "" }}
-{{- else -}}
-{{ required "A valid postgresql.auth.password is required" .Values.postgresql.auth.password }}
+{{- if .Values.postgresql.auth.existingSecret -}}
+{{-   $existing := lookup "v1" "Secret" .Release.Namespace .Values.postgresql.auth.existingSecret -}}
+{{-   if not $existing -}}
+{{-     fail "Can't find provided existing postgresql secret" -}}
+{{-   end -}}
+{{-   get $existing.data (.Values.postgresql.auth.secretKeys.userPasswordKey | default "password") | b64dec -}}
+{{- else if .Values.postgresql.enabled -}}
+{{-   if .Values.postgresql.auth.password -}}
+{{-     .Values.postgresql.auth.password -}}
+{{-   else -}}
+{{-     $existing := lookup "v1" "Secret" .Release.Namespace (include "lemmy.postgresql.secret" .) -}}
+{{-     $existing.data.password | b64dec -}}
+{{-   end -}}
 {{- end -}}
 {{- end -}}

--- a/charts/lemmy/templates/deployment-pictrs.yaml
+++ b/charts/lemmy/templates/deployment-pictrs.yaml
@ -44,8 +44,13 @@ spec:
            - name: PICTRS__API_KEY
              valueFrom:
                secretKeyRef:
+                {{- if .Values.pictrs.existingSecret }}
+                  name: {{ .Values.pictrs.existingSecret }}
+                  key: {{ .Values.pictrs.existingSecretKey | default "apikey" }}
+                {{- else }}
                  name: {{ include "lemmy.fullname" . }}
                  key: pictrs_apikey
+                {{- end }}
          {{- with .Values.pictrs.env }}
            {{- range $key, $value := . }}
            - name: {{ $key }}
--- a/charts/lemmy/templates/secret-configuration.yaml
+++ b/charts/lemmy/templates/secret-configuration.yaml
@ -1,21 +1,5 @@
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "lemmy.fullname" . }}
-  labels:
-    {{- include "lemmy.labels" . | nindent 4 }}
-{{- $adminPassword := randAlphaNum 32 }}
-{{- $pictrsApikey := randAlphaNum 64 }}
-
-{{- $existing := (lookup "v1" "Secret" .Release.Namespace (include "lemmy.fullname" .)) -}}
-{{- if and $existing $existing.data.admin_password }}
-  {{- $adminPassword := b64dec $existing.data.admin_password }}
-{{- end }}
-{{- if and $existing $existing.data.pictrs_apikey }}
-  {{- $pictrsApikey := b64dec $existing.data.pictrs_apikey }}
-{{- end }}
-
+{{- $adminPassword := include "lemmy.adminpassword" . -}}
+{{- $pictrsApikey := include "lemmy.pictrsapikey" . -}}
 {{- $config := dict
  "database"
    (dict
@ -49,8 +33,19 @@ metadata:
  "bind" "0.0.0.0"
  "port" 8536
  "tls_enabled" (.Values.config.tls | default true)
-}}
+-}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "lemmy.fullname" . }}
+  labels:
+    {{- include "lemmy.labels" . | nindent 4 }}
 data:
+{{- if not .Values.admin.existingSecret }}
  admin_password: {{ $adminPassword | b64enc }}
+{{- end }}
+{{- if not .Values.pictrs.existingSecret }}
  pictrs_apikey: {{ $pictrsApikey | b64enc }}
+{{- end }}
  config.hjson: {{ $config | toPrettyJson | b64enc }}
--- a/charts/lemmy/values.yaml
+++ b/charts/lemmy/values.yaml
@ -21,6 +21,11 @@ admin:
  # password:
  email: lemmy@example.com

+  ## Password can also be provided using an existing secret, note that the value
+  ## is only updated on helm upgrades due to Lemmy's configuration system
+  # existingSecret: ""
+  existingSecretKey: password
+
 config:
  siteName: Lemmy on Kubernetes
  ## Requires valid certificates, but is also required for federation support
@ -147,6 +152,11 @@ pictrs:
  ## Generated on first install if left empty
  # apiKey:

+  ## Can also be provided using an existing secret, note that the value is only
+  ## updated on helm upgrades due to Lemmy's configuration system
+  # existingSecret: ""
+  existingSecretKey: apikey
+
  storage:
    ## Storage method for media, can be filesystem or object_storage
    method: filesystem