lemmy: Handle existing secrets for passwords

charts/lemmy/templates/_helpers.tpl

@@ -35,6 +35,43 @@ If release name contains chart name it will be used as a full name.
 {{- printf "%s-%s" (include "lemmy.fullname" $) "pictrs" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/*
+Retreive secrets for Lemmy configuration
+*/}}
+{{- define "lemmy.adminpassword" -}}
+{{- if .Values.admin.existingSecret -}}
+{{-   $existingAdmin := lookup "v1" "Secret" .Release.Namespace .Values.admin.existingSecret -}}
+{{-   if not $existingAdmin -}}
+{{-     fail "Provided existing admin secret %s does not exist" -}}
+{{-   end -}}
+{{-   b64dec (get $existingAdmin.data (.Values.admin.existingSecretKey | default "password")) -}}
+{{- else -}}
+{{-   $existing := (lookup "v1" "Secret" .Release.Namespace (include "lemmy.fullname" .)) -}}
+{{-   if and $existing $existing.data.admin_password -}}
+{{-     b64dec $existing.data.admin_password }}
+{{-   else -}}
+{{-     randAlphaNum 32 }}
+{{-   end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "lemmy.pictrsapikey" -}}
+{{- if .Values.pictrs.existingSecret }}
+{{-   $existingPictrs := (lookup "v1" "Secret" .Release.Namespace .Values.pictrs.existingSecret) -}}
+{{-   if not $existingPictrs }}
+{{-     fail "Provided existing pictrs secret does not exist" }}
+{{-   end }}
+{{-   b64dec (get $existingPictrs.data (.Values.pictrs.existingSecretKey | default "apikey")) }}
+{{- else -}}
+{{-   $existing := (lookup "v1" "Secret" .Release.Namespace (include "lemmy.fullname" .)) -}}
+{{-   if and $existing $existing.data.pictrs_apikey -}}
+{{-     b64dec $existing.data.pictrs_apikey }}
+{{-   else -}}
+{{-     randAlphaNum 64 }}
+{{-   end -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
@@ -135,10 +172,19 @@ Set postgresql username
 Set postgresql password
 */}}
 {{- define "lemmy.postgresql.password" -}}
-{{- if .Values.postgresql.enabled -}}
+{{- if .Values.postgresql.auth.existingSecret -}}
-{{- .Values.postgresql.auth.password | default "" }}
+{{-   $existing := lookup "v1" "Secret" .Release.Namespace .Values.postgresql.auth.existingSecret -}}
+{{-   if not $existing -}}
+{{-     fail "Can't find provided existing postgresql secret" -}}
+{{-   end -}}
+{{-   get $existing.data (.Values.postgresql.auth.secretKeys.userPasswordKey | default "password") | b64dec -}}
+{{- else if .Values.postgresql.enabled -}}
+{{-   if .Values.postgresql.auth.password -}}
+{{-     .Values.postgresql.auth.password -}}
 {{-   else -}}
-{{ required "A valid postgresql.auth.password is required" .Values.postgresql.auth.password }}
+{{-     $existing := lookup "v1" "Secret" .Release.Namespace (include "lemmy.postgresql.secret" .) -}}
+{{-     $existing.data.password | b64dec -}}
+{{-   end -}}
 {{- end -}}
 {{- end -}}
 

charts/lemmy/templates/deployment-pictrs.yaml

@@ -44,8 +44,13 @@ spec:
             - name: PICTRS__API_KEY
               valueFrom:
                 secretKeyRef:
+                {{- if .Values.pictrs.existingSecret }}
+                  name: {{ .Values.pictrs.existingSecret }}
+                  key: {{ .Values.pictrs.existingSecretKey | default "apikey" }}
+                {{- else }}
                   name: {{ include "lemmy.fullname" . }}
                   key: pictrs_apikey
+                {{- end }}
           {{- with .Values.pictrs.env }}
             {{- range $key, $value := . }}
             - name: {{ $key }}

charts/lemmy/templates/secret-configuration.yaml

@@ -1,21 +1,5 @@
----
+{{- $adminPassword := include "lemmy.adminpassword" . -}}
-apiVersion: v1
+{{- $pictrsApikey := include "lemmy.pictrsapikey" . -}}
-kind: Secret
-metadata:
-  name: {{ include "lemmy.fullname" . }}
-  labels:
-    {{- include "lemmy.labels" . | nindent 4 }}
-{{- $adminPassword := randAlphaNum 32 }}
-{{- $pictrsApikey := randAlphaNum 64 }}
-
-{{- $existing := (lookup "v1" "Secret" .Release.Namespace (include "lemmy.fullname" .)) -}}
-{{- if and $existing $existing.data.admin_password }}
-  {{- $adminPassword := b64dec $existing.data.admin_password }}
-{{- end }}
-{{- if and $existing $existing.data.pictrs_apikey }}
-  {{- $pictrsApikey := b64dec $existing.data.pictrs_apikey }}
-{{- end }}
-
 {{- $config := dict
   "database"
     (dict
@@ -49,8 +33,19 @@ metadata:
   "bind" "0.0.0.0"
   "port" 8536
   "tls_enabled" (.Values.config.tls | default true)
-}}
+-}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "lemmy.fullname" . }}
+  labels:
+    {{- include "lemmy.labels" . | nindent 4 }}
 data:
+{{- if not .Values.admin.existingSecret }}
   admin_password: {{ $adminPassword | b64enc }}
+{{- end }}
+{{- if not .Values.pictrs.existingSecret }}
   pictrs_apikey: {{ $pictrsApikey | b64enc }}
+{{- end }}
   config.hjson: {{ $config | toPrettyJson | b64enc }}

charts/lemmy/values.yaml

@@ -21,6 +21,11 @@ admin:
   # password:
   email: lemmy@example.com
 
+  ## Password can also be provided using an existing secret, note that the value
+  ## is only updated on helm upgrades due to Lemmy's configuration system
+  # existingSecret: ""
+  existingSecretKey: password
+
 config:
   siteName: Lemmy on Kubernetes
   ## Requires valid certificates, but is also required for federation support
@@ -147,6 +152,11 @@ pictrs:
   ## Generated on first install if left empty
   # apiKey:
 
+  ## Can also be provided using an existing secret, note that the value is only
+  ## updated on helm upgrades due to Lemmy's configuration system
+  # existingSecret: ""
+  existingSecretKey: apikey
+
   storage:
     ## Storage method for media, can be filesystem or object_storage
     method: filesystem