Merge pull request #82 from Leukocyte-Lab/feat/db-secret-provision

feat/db secret provision
Leukocyte-Lab · Jan 12, 2023 · f453bf5 · f453bf5
2 parents 2a4b9e1 + 9ff7360
commit f453bf5
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 13 deletions.
diff --git a/charts/agh2/Chart.yaml b/charts/agh2/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.3.1
+version: 1.3.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

diff --git a/charts/agh2/README.md b/charts/agh2/README.md
@@ -68,6 +68,7 @@ Leave as default if using external DB
 | `postgresql.image.tag`                       | Internal database image tag (immutable tags are recommended)  | `v0.1.2-postgres-15.1.0-pgroonga-2.4.2-debian` |
 | `postgresql.image.pullPolicy`                | Internal database image pull policy                           | `IfNotPresent`                                 |
 | `postgresql.image.pullSecrets`               | Specify docker-registry secret names as an array              | `[]`                                           |
+| `postgresql.auth.enabled`                    | Enable postgresql auth secret generate                        | `true`                                         |
 | `postgresql.auth.username`                   | Internal database initial user                                | `argushack`                                    |
 | `postgresql.auth.password`                   | Internal database initial password                            | `""`                                           |
 | `postgresql.auth.postgresPassword`           | Internal database initial postgres admin password             | `""`                                           |
@@ -137,7 +138,7 @@ ref: https://github.com/Leukocyte-Lab/AGH2-ATTACK
 | `attack.secret.enabled`                 | Enable secret generate for ATTACK                              | `true`                                     |
 | `attack.secret.db.enabled`              | Enable secret generate for DB                                  | `true`                                     |
 | `attack.secret.db.name`                 | Database name                                                  | `attack-db`                                |
-| `attack.secret.db.user`                 | Database user                                                  | `""`                                       |
+| `attack.secret.db.user`                 | Database user                                                  | `agh-attack`                               |
 | `attack.secret.db.password`             | Database password                                              | `""`                                       |
 | `attack.service`                        | ATTACK service parameters                                      |                                            |
 | `attack.service.group.enabled`          | Enable ATTACK Group worker                                     | `true`                                     |
@@ -184,7 +185,7 @@ ref: https://github.com/Leukocyte-Lab/AGH2-Captain
 | `captain.secret.enabled`                          | Enable secret generate for Captain                        | `true`                                    |
 | `captain.secret.db.enabled`                       | Enable secret generate for Captain database               | `true`                                    |
 | `captain.secret.db.name`                          | Database name                                             | `captain-db`                              |
-| `captain.secret.db.user`                          | Database user                                             | `""`                                      |
+| `captain.secret.db.user`                          | Database user                                             | `agh-captain`                             |
 | `captain.secret.db.password`                      | Database password                                         | `""`                                      |
 | `captain.secret.minio.enabled`                    | Enable secret generate for Minio                          | `true`                                    |
 | `captain.secret.minio.secretName`                 | Secret name for Minio                                     | `capt-minio-secret`                       |
@@ -223,7 +224,7 @@ ref: https://github.com/Leukocyte-Lab/AGH2-Core
 | `core.secret.enabled`          | Enable secret generate for Core                  | `true`                          |
 | `core.secret.db.enabled`       | Enable secret generate for Core database         | `true`                          |
 | `core.secret.db.name`          | Database name                                    | `core-db`                       |
-| `core.secret.db.user`          | Database user                                    | `""`                            |
+| `core.secret.db.user`          | Database user                                    | `agh-core`                      |
 | `core.secret.db.password`      | Database password                                | `""`                            |
 | `core.secret.minio.enabled`    | Enable secret generate for Minio                 | `true`                          |
 | `core.secret.minio.secretName` | Secret name for Minio                            | `core-minio-secret`             |
@@ -251,7 +252,7 @@ ref: https://github.com/Leukocyte-Lab/AGH2-Exploit-Manager
 | `exploitmgr.secret.enabled`        | Enable secret generate for Exploit-Manager                 | `true`                                |
 | `exploitmgr.secret.db.enabled`     | Enable secret generate for Exploit-Manager database        | `true`                                |
 | `exploitmgr.secret.db.name`        | Database name                                              | `exploitmgr-db`                       |
-| `exploitmgr.secret.db.user`        | Database user                                              | `""`                                  |
+| `exploitmgr.secret.db.user`        | Database user                                              | `agh-exploit`                         |
 | `exploitmgr.secret.db.password`    | Database password                                          | `""`                                  |
 | `exploitmgr.service`               | Exploit-Manager service parameters                         |                                       |
 | `exploitmgr.service.redis.enabled` | Enable redis                                               | `true`                                |
@@ -288,7 +289,7 @@ ref: https://github.com/Leukocyte-Lab/AGH2-Template
 | `template.secret.enabled`          | Enable secret generate for Template                 | `true`                              |
 | `template.secret.db.enabled`       | Enable secret generate for Template database        | `true`                              |
 | `template.secret.db.name`          | Database name                                       | `template-db`                       |
-| `template.secret.db.user`          | Database user                                       | `""`                                |
+| `template.secret.db.user`          | Database user                                       | `agh-template`                      |
 | `template.secret.db.password`      | Database password                                   | `""`                                |
 | `template.secret.minio.enabled`    | Enable secret generate for Minio                    | `true`                              |
 | `template.secret.minio.secretName` | Secret name for Minio                               | `template-minio-secret`             |

diff --git a/charts/agh2/templates/base/postgres-secret.yaml b/charts/agh2/templates/base/postgres-secret.yaml
@@ -0,0 +1,38 @@
+{{- if and .Values.postgresql.enabled .Values.postgresql.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.postgresql.auth.existingSecret }}
+  labels:
+    {{- include "AGH2.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  password: {{
+    default
+      .Values.postgresql.auth.password
+      (
+        include "specify-password"
+          (
+            dict
+              "domain" (default .Values.ingress.host "app.argushack.com")
+              "token" .Values.captain.secret.keygen.apiToken
+              "prefix" (printf "%s--%s" .Values.postgresql.auth.existingSecret "password")
+          )
+      )
+    | quote
+  }}
+  postgres-password: {{
+    default
+      .Values.postgresql.auth.postgresPassword
+      (
+        include "specify-password"
+          (
+            dict
+              "domain" (default .Values.ingress.host "app.argushack.com")
+              "token" .Values.captain.secret.keygen.apiToken
+              "prefix" (printf "%s--%s" .Values.postgresql.auth.existingSecret "postgresql-password")
+          )
+      )
+    | quote
+  }}
+{{- end }}
diff --git a/charts/agh2/templates/db/postgres-init-configmap.yml b/charts/agh2/templates/db/postgres-init-configmap.yml
@@ -31,8 +31,20 @@ data:
       {{- if and $module.enabled (hasKey $module "secret") (hasKey $module.secret "db") }}
         {{- if and (hasKey $module.secret.db "user") (hasKey $module.secret.db "password") }}
           {{- $user := coalesce $module.secret.db.user $global.db.connection.user }}
-          {{- $password := coalesce $module.secret.db.password $global.db.connection.password }}
-          {{- if and (ne $user $global.db.connection.user) (ne $password $global.db.connection.password ) }}
+          {{- $password := coalesce
+            $module.secret.db.password
+            $global.db.connection.password
+            (
+              include "specify-password"
+                (
+                  dict
+                    "domain" (default $global.ingress.host "app.argushack.com")
+                    "token" $global.captain.secret.keygen.apiToken
+                    "prefix" $module.secret.db.secretName
+                )
+            )
+          }}
+          {{- if ne $user $global.db.connection.user }}
     CREATE ROLE "{{ $user }}" WITH
       LOGIN
       NOSUPERUSER

diff --git a/charts/agh2/values.yaml b/charts/agh2/values.yaml
@@ -118,11 +118,18 @@ postgresql:
     tag: v0.1.2-postgres-15.1.0-pgroonga-2.4.2-debian
     pullPolicy: IfNotPresent
     pullSecrets: []
+  ## @param postgresql.auth.enabled Enable postgresql auth secret generate
   ## @param postgresql.auth.username Internal database initial user
   ## @param postgresql.auth.password Internal database initial password
   ## @param postgresql.auth.postgresPassword Internal database initial postgres admin password
   ##
   auth:
+    ## @skip postgresql.auth.existingSecret
+    ## Name of the generated/existed db secret
+    ## !!! DO NOT CHANGE IF YOU DON'T KNOW WHAT YOU ARE DOING !!!
+    ##
+    existingSecret: "agh-db-secret"
+    enabled: true
     username: argushack
     password: ""
     postgresPassword: ""
@@ -288,7 +295,7 @@ attack:
       secretName: attack-db-secret
       enabled: true
       name: attack-db
-      user: ""
+      user: "agh-attack"
       password: ""
   ## @extra attack.service ATTACK service parameters
   ##
@@ -397,7 +404,7 @@ captain:
       secretName: capt-db-secret
       enabled: true
       name: captain-db
-      user: ""
+      user: "agh-captain"
       password: ""
     ## @param captain.secret.minio.enabled Enable secret generate for Minio
     ## @param captain.secret.minio.secretName Secret name for Minio
@@ -492,7 +499,7 @@ core:
       secretName: core-db-secret
       enabled: true
       name: core-db
-      user: ""
+      user: "agh-core"
       password: ""
     ## @param core.secret.minio.enabled Enable secret generate for Minio
     ## @param core.secret.minio.secretName Secret name for Minio
@@ -557,7 +564,7 @@ exploitmgr:
       secretName: expmgr-db-secret
       enabled: true
       name: exploitmgr-db
-      user: ""
+      user: "agh-exploit"
       password: ""
   ## @extra exploitmgr.service Exploit-Manager service parameters
   ##
@@ -631,7 +638,7 @@ template:
       secretName: template-db-secret
       enabled: true
       name: template-db
-      user: ""
+      user: "agh-template"
       password: ""
     ## @param template.secret.minio.enabled Enable secret generate for Minio
     ## @param template.secret.minio.secretName Secret name for Minio