From b1833029cc61aee24ceec31e881a13b8c0c3089c Mon Sep 17 00:00:00 2001
From: Alexander Olofsson
Date: Thu, 22 Jun 2023 13:35:46 +0200
Subject: [PATCH] lemmy: Handle existing secrets for passwords
---
 charts/lemmy/templates/_helpers.tpl | 54 +++++++++++++++++--
 charts/lemmy/templates/deployment-pictrs.yaml | 5 ++
 .../lemmy/templates/secret-configuration.yaml | 33 +++++-------
 charts/lemmy/values.yaml | 10 ++++
 4 files changed, 79 insertions(+), 23 deletions(-)
diff --git a/charts/lemmy/templates/_helpers.tpl b/charts/lemmy/templates/_helpers.tpl
index c5d8254..8e96513 100644
--- a/charts/lemmy/templates/_helpers.tpl
+++ b/charts/lemmy/templates/_helpers.tpl
@@ -35,6 +35,43 @@ If release name contains chart name it will be used as a full name.
 {{- printf "%s-%s" (include "lemmy.fullname" $) "pictrs" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Retreive secrets for Lemmy configuration
+*/}}
+{{- define "lemmy.adminpassword" -}}
+{{- if .Values.admin.existingSecret -}}
+{{- $existingAdmin := lookup "v1" "Secret" .Release.Namespace .Values.admin.existingSecret -}}
+{{- if not $existingAdmin -}}
+{{- fail "Provided existing admin secret %s does not exist" -}}
+{{- end -}}
+{{- b64dec (get $existingAdmin.data (.Values.admin.existingSecretKey | default "password")) -}}
+{{- else -}}
+{{- $existing := (lookup "v1" "Secret" .Release.Namespace (include "lemmy.fullname" .)) -}}
+{{- if and $existing $existing.data.admin_password -}}
+{{- b64dec $existing.data.admin_password }}
+{{- else -}}
+{{- randAlphaNum 32 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "lemmy.pictrsapikey" -}}
+{{- if .Values.pictrs.existingSecret }}
+{{- $existingPictrs := (lookup "v1" "Secret" .Release.Namespace .Values.pictrs.existingSecret) -}}
+{{- if not $existingPictrs }}
+{{- fail "Provided existing pictrs secret does not exist" }}
+{{- end }}
+{{- b64dec (get $existingPictrs.data (.Values.pictrs.existingSecretKey | default "apikey")) }}
+{{- else -}}
+{{- $existing := (lookup "v1" "Secret" .Release.Namespace (include "lemmy.fullname" .)) -}}
+{{- if and $existing $existing.data.pictrs_apikey -}}
+{{- b64dec $existing.data.pictrs_apikey }}
+{{- else -}}
+{{- randAlphaNum 64 }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
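Review bot: A misnamed key in the referenced Secret silently yields an empty credential: `get $existingAdmin.data (...)` returns "" for a missing key and `b64dec ""` is "", so the admin password (and the pictrs API key in `lemmy.pictrsapikey`, which has the same shape) becomes the empty string instead of the render failing. Pipe the lookup through `required`, e.g. `{{- $adminKey := .Values.admin.existingSecretKey | default "password" -}}` followed by `{{- get $existingAdmin.data $adminKey | required (printf "Secret %s has no key %s" .Values.admin.existingSecret $adminKey) | b64dec -}}`, and mirror it in the pictrs branch. The message in `fail "Provided existing admin secret %s does not exist"` is never formatted, so the literal `%s` is what the user sees; wrap it in `printf` with the secret name. `lookup` returns an empty map without cluster access (`helm template`, `--dry-run`), so both `fail` branches fire in those modes — a short comment on each helper saying the referenced Secret must already exist and cannot be resolved offline would save users that surprise.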
@@ -135,10 +172,19 @@ Set postgresql username
 Set postgresql password
 */}}
 {{- define "lemmy.postgresql.password" -}}
-{{- if .Values.postgresql.enabled -}}
-{{- .Values.postgresql.auth.password | default "" }}
-{{- else -}}
-{{ required "A valid postgresql.auth.password is required" .Values.postgresql.auth.password }}
+{{- if .Values.postgresql.auth.existingSecret -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace .Values.postgresql.auth.existingSecret -}}
+{{- if not $existing -}}
+{{- fail "Can't find provided existing postgresql secret" -}}
+{{- end -}}
+{{- get $existing.data (.Values.postgresql.auth.secretKeys.userPasswordKey | default "password") | b64dec -}}
+{{- else if .Values.postgresql.enabled -}}
+{{- if .Values.postgresql.auth.password -}}
+{{- .Values.postgresql.auth.password -}}
+{{- else -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace (include "lemmy.postgresql.secret" .) -}}
+{{- $existing.data.password | b64dec -}}
+{{- end -}}
 {{- end -}}
 {{- end -}}
 
diff --git a/charts/lemmy/templates/deployment-pictrs.yaml b/charts/lemmy/templates/deployment-pictrs.yaml
index 86a9e71..297ae7b 100644
--- a/charts/lemmy/templates/deployment-pictrs.yaml
+++ b/charts/lemmy/templates/deployment-pictrs.yaml
@@ -44,8 +44,13 @@ spec:
 - name: PICTRS__API_KEY
 valueFrom:
 secretKeyRef:
+ {{- if .Values.pictrs.existingSecret }}
+ name: {{ .Values.pictrs.existingSecret }}
+ key: {{ .Values.pictrs.existingSecretKey | default "apikey" }}
+ {{- else }}
 name: {{ include "lemmy.fullname" . }}
 key: pictrs_apikey
+ {{- end }}
 {{- with .Values.pictrs.env }}
 {{- range $key, $value := . }}
 - name: {{ $key }}
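Review bot: External databases lose their inline password: with `postgresql.enabled: false` and no `auth.existingSecret`, the new `if`/`else if` chain has no branch that returns `.Values.postgresql.auth.password`, so the helper now renders an empty string where the removed `required` line refused to. In the bundled-postgres branch without a password, `$existing.data.password | b64dec` also errors on a nil map (first install, or any `helm template`/`--dry-run` render where `lookup` returns empty) instead of falling back as the old `default ""` did. I would order the branches existingSecret → explicit password → bundled-chart lookup, and guard the lookup before dereferencing it. The helper's doc comment opens before the hunk.
```yaml
{{/* … unchanged: auth.existingSecret branch … */}}
{{- else if .Values.postgresql.auth.password -}}
{{- .Values.postgresql.auth.password -}}
{{- else if .Values.postgresql.enabled -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace (include "lemmy.postgresql.secret" .) -}}
{{- if and $existing $existing.data $existing.data.password -}}
{{- $existing.data.password | b64dec -}}
{{- end -}}
{{- else -}}
{{ required "A valid postgresql.auth.password or postgresql.auth.existingSecret is required" .Values.postgresql.auth.password }}
{{- end -}}
```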
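Review bot: The new secretKeyRef fields are rendered as unquoted templated scalars, `name: {{ .Values.pictrs.existingSecret }}` and `key: {{ .Values.pictrs.existingSecretKey | default "apikey" }}`, so a value YAML retypes (all digits, `on`/`no`, a leading `*` or `[`) or an empty expansion produces an invalid or null field instead of a readable error; `| quote` both, e.g. `name: {{ .Values.pictrs.existingSecret | quote }}`. The `default "apikey"` also duplicates the default that `lemmy.pictrsapikey` applies, so the two can drift — a one-line comment pointing at the helper would keep them in step. The container spec starts before the hunk and the `env` loop continues after it.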
@@ -1,21 +1,5 @@
---
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "lemmy.fullname" . }}
- labels:
- {{- include "lemmy.labels" . | nindent 4 }}
-{{- $adminPassword := randAlphaNum 32 }}
-{{- $pictrsApikey := randAlphaNum 64 }}
-
-{{- $existing := (lookup "v1" "Secret" .Release.Namespace (include "lemmy.fullname" .)) -}}
-{{- if and $existing $existing.data.admin_password }}
- {{- $adminPassword := b64dec $existing.data.admin_password }}
-{{- end }}
-{{- if and $existing $existing.data.pictrs_apikey }}
- {{- $pictrsApikey := b64dec $existing.data.pictrs_apikey }}
-{{- end }}
-
+{{- $adminPassword := include "lemmy.adminpassword" . -}}
+{{- $pictrsApikey := include "lemmy.pictrsapikey" . -}}
 {{- $config := dict
 "database" (dict
@@ -49,8 +33,19 @@ metadata:
 "bind" "0.0.0.0"
 "port" 8536
 "tls_enabled" (.Values.config.tls | default true)
-}}
+-}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "lemmy.fullname" . }}
+ labels:
+ {{- include "lemmy.labels" . | nindent 4 }}
 data:
+{{- if not .Values.admin.existingSecret }}
 admin_password: {{ $adminPassword | b64enc }}
+{{- end }}
+{{- if not .Values.pictrs.existingSecret }}
 pictrs_apikey: {{ $pictrsApikey | b64enc }}
+{{- end }}
 config.hjson: {{ $config | toPrettyJson | b64enc }}
diff --git a/charts/lemmy/values.yaml b/charts/lemmy/values.yaml
index 390cb6a..bd80e95 100644
--- a/charts/lemmy/values.yaml
+++ b/charts/lemmy/values.yaml
@@ -21,6 +21,11 @@ admin:
 # password:
 email: lemmy@example.com
 
+ ## Password can also be provided using an existing secret, note that the value
+ ## is only updated on helm upgrades due to Lemmy's configuration system
+ # existingSecret: ""
+ existingSecretKey: password
+
 config:
 siteName: Lemmy on Kubernetes
 ## Requires valid certificates, but is also required for federation support
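Review bot: `$adminPassword` and `$pictrsApikey` now hold the decoded plaintext of a user-supplied Secret and, per the values.yaml comment in this same patch, are rendered into this chart's own Secret via the `config.hjson` data key at the end of the file, so the externally managed credential is duplicated into `<fullname>` and is readable by anyone with `get` on that Secret regardless of the RBAC on the original. That is inherent in how Lemmy consumes its config, but the template should say so rather than leave it to be discovered: a `{{/* ... */}}` above these two lines noting that both values are copied into config.hjson and refreshed only on `helm upgrade` is what I would add. The `$config` dict literal opened here continues beyond the hunk.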
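Review bot: When `admin.existingSecret` (or `pictrs.existingSecret`) is set, the `admin_password` / `pictrs_apikey` keys are dropped from this Secret entirely; the pictrs Deployment was repointed in this patch, but any other template that still reads `secretKeyRef: key: admin_password` from `lemmy.fullname` would fail at pod start, and that is not visible from here — worth a grep before merging. If nothing else consumes them, a one-line comment above each `{{- if not ... }}` stating that the key is intentionally absent when an external Secret is referenced would save the next reader the search.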
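Review bot: The new `admin.existingSecret` comment explains the upgrade-only refresh but not how the Secret is read: `lemmy.adminpassword` resolves it with `lookup` at render time, so it must exist in the release namespace before `helm install`, and `helm template`, `--dry-run` and most GitOps diff previews cannot resolve it and hit the helper's `fail`. I would extend the comment with `## The secret is read at render time (lookup): it must exist before install and is not available to helm template / --dry-run`. Leaving `existingSecretKey: password` live while `existingSecret` is commented out is fine, since the helper only consults it when a secret name is given.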
@@ -147,6 +152,11 @@ pictrs:
 ## Generated on first install if left empty
 # apiKey:
 
+ ## Can also be provided using an existing secret, note that the value is only
+ ## updated on helm upgrades due to Lemmy's configuration system
+ # existingSecret: ""
+ existingSecretKey: apikey
+
 storage:
 ## Storage method for media, can be filesystem or object_storage
 method: filesystem
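Review bot: Rotation behaves differently for the two consumers of this key and the comment should say so: the pictrs Deployment in this patch reads `existingSecret` directly through a `secretKeyRef`, so a rotated value reaches pictrs on its next pod restart, while Lemmy's copy in config.hjson only changes on `helm upgrade` as the comment notes, leaving the two sides disagreeing until then. I would reword the second line to `## updated on helm upgrades; after rotating the key in the secret run helm upgrade so Lemmy's config.hjson copy matches`. As with the admin secret, the Secret is resolved with `lookup` at render time and so must pre-exist and is unavailable to `helm template`/`--dry-run` — worth one more line here.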