From c9dfd01a15bfd76ba7f2676c7fb41b7182bc5865 Mon Sep 17 00:00:00 2001
From: Esteban Mendoza
Date: Thu, 11 Apr 2024 09:25:06 +0200
Subject: [PATCH] fix(opencti): env from secret variable not taking precedence over normal env (#50)
Co-authored-by: Esteban
---
 .../templates/connector/deployment.yaml | 47 ++++++++++---------
 .../opencti/templates/server/deployment.yaml | 28 +++++------
 .../opencti/templates/worker/deployment.yaml | 37 ++++++++++-----
 3 files changed, 63 insertions(+), 49 deletions(-)
diff --git a/charts/opencti/templates/connector/deployment.yaml b/charts/opencti/templates/connector/deployment.yaml
index 7fb956d..8fa65c5 100644
--- a/charts/opencti/templates/connector/deployment.yaml
+++ b/charts/opencti/templates/connector/deployment.yaml
@@ -54,7 +54,27 @@ spec:
 {{- end }}
 imagePullPolicy: {{ .image.pullPolicy | default "IfNotPresent" }}
 env:
- # Variables in plain text
+ # Variables from secrets have precedence
+ {{- $envList := dict -}}
+
+ {{- if .envFromSecrets }}
+ {{- range $key, $value := .envFromSecrets }}
+ - name: {{ $key | upper }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $value.name }}
+ key: {{ $value.key | default $key }}
+ {{- $_ := set $envList $key true }}
+ {{- end }}
+ {{- end }}
+
+ {{- if and (not (hasKey $envList "OPENCTI_TOKEN")) (.env.APP__ADMIN__TOKEN) }}
+ - name: OPENCTI_TOKEN
+ value: "{{ .env.APP__ADMIN__TOKEN }}"
+ {{- end }}
+
+ # Special handling for OPENCTI_URL which is constructed from other values
+ {{- if not (hasKey $.Values.env "OPENCTI_URL") }}
 {{- if eq $.Values.env.APP__BASE_PATH "/" }}
 - name: OPENCTI_URL
 value: "http://{{ include "opencti.fullname" $ }}-server:{{ $.Values.service.port }}"
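Review bot: The OPENCTI_TOKEN fallback in connector/deployment.yaml now reads `.env.APP__ADMIN__TOKEN`, whereas the line it replaces (removed in the next hunk) read `$.Values.env.APP__ADMIN__TOKEN`. Since `.image` and `.envFromSecrets` are connector-scoped here, `.env` is presumably the connector's own map, so the server's admin token would no longer be passed on, and a connector without `env` (the later `{{- if .env }}` suggests that is allowed) may fail to render on the nil lookup. The OPENCTI_URL guard has a similar slip: it tests `$.Values.env` rather than `$envList`, so a connector secret named OPENCTI_URL is still followed by the constructed plain value. Suggested: keep `$.Values.env.APP__ADMIN__TOKEN` in the token condition and value, and use `{{- if not (hasKey $envList "OPENCTI_URL") }}` as the worker template does. The `if` opened for OPENCTI_URL is closed in the next hunk.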
@@ -62,36 +82,19 @@ spec:
 - name: OPENCTI_URL
 value: "http://{{ include "opencti.fullname" $ }}-server:{{ $.Values.service.port }}{{ $.Values.env.APP__BASE_PATH }}"
 {{- end }}
-
- {{- if $.Values.env.APP__ADMIN__TOKEN }}
- - name: OPENCTI_TOKEN
- value: "{{ $.Values.env.APP__ADMIN__TOKEN }}"
- {{- end }}
-
- {{- if $.Values.connectorsGlobalEnv }}
- {{- range $key, $value := $.Values.connectorsGlobalEnv }}
- - name: {{ $key | upper }}
- value: {{ $value | quote }}
- {{- end }}
 {{- end }}
+ # Add Variables in plain text if they were not already added from secrets
 {{- if .env }}
 {{- range $key, $value := .env }}
+ {{- if not (hasKey $envList $key) }}
 - name: {{ $key | upper }}
 value: {{ $value | quote }}
+ {{- $_ := set $envList $key true }}
 {{- end }}
 {{- end }}
-
- # Variables from secrets
- {{- if .envFromSecrets }}
- {{- range $key, $value := .envFromSecrets }}
- - name: {{ $key | upper }}
- valueFrom:
- secretKeyRef:
- name: {{ $value.name }}
- key: {{ $value.key | default $key }}
- {{- end }}
 {{- end }}
+
 resources:
 {{- toYaml .resources | nindent 12 }}
 {{- with .nodeSelector }}
diff --git a/charts/opencti/templates/server/deployment.yaml b/charts/opencti/templates/server/deployment.yaml
index 8869e5f..a173f50 100644
--- a/charts/opencti/templates/server/deployment.yaml
+++ b/charts/opencti/templates/server/deployment.yaml
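Review bot: In connector/deployment.yaml this hunk drops the `$.Values.connectorsGlobalEnv` loop and nothing in the visible hunks replaces it, which the commit subject does not mention; values that set `connectorsGlobalEnv` would silently stop reaching the connectors. If the removal is not intended, re-add the loop after the `.env` loop with the same guard, `{{- if not (hasKey $envList $key) }}` followed by `{{- $_ := set $envList $key true }}`, so that secrets and per-connector values still win over the global plain values. If it is intended, it deserves a line in the commit message and in the chart's values documentation.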
@@ -123,34 +123,32 @@ spec:
 - name: PROVIDERS__LOCAL__STRATEGY
 value: LocalStrategy
- # Variables in plain text
- {{- if .Values.env }}
- {{- range $key, $value := .Values.env }}
- - name: {{ $key | upper }}
- value: {{ $value | quote }}
- {{- end }}
- {{- end }}
-
- # Variables from secrets
+ # Variables from secrets have precedence
+ {{- $envList := dict -}}
 {{- if .Values.envFromSecrets }}
 {{- range $key, $value := .Values.envFromSecrets }}
+ {{- if not (hasKey $envList $key) }}
 - name: {{ $key | upper }}
 valueFrom:
 secretKeyRef:
 name: {{ $value.name }}
 key: {{ $value.key | default $key }}
+ {{- $_ := set $envList $key true }}
+ {{- end }}
 {{- end }}
 {{- end }}
- {{- if .Values.envFromSecrets }}
- {{- range $key, $value := .Values.envFromSecrets }}
+ # Add Variables in plain text if they were not already added from secrets
+ {{- if .Values.env }}
+ {{- range $key, $value := .Values.env }}
+ {{- if not (hasKey $envList $key) }}
 - name: {{ $key | upper }}
- valueFrom:
- secretKeyRef:
- name: {{ $value.name }}
- key: {{ $value.key | default $key }}
+ value: {{ $value | quote }}
+ {{- $_ := set $envList $key true }}
 {{- end }}
 {{- end }}
+ {{- end }}
+
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 {{- with .Values.nodeSelector }}
diff --git a/charts/opencti/templates/worker/deployment.yaml b/charts/opencti/templates/worker/deployment.yaml
index f127526..cc75da1 100644
--- a/charts/opencti/templates/worker/deployment.yaml
+++ b/charts/opencti/templates/worker/deployment.yaml
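Review bot: In server/deployment.yaml the dedupe map is keyed by the raw `$key` while the rendered name is `$key | upper`, so a constructed pair such as `envFromSecrets.foo_token` and `env.FOO_TOKEN` counts as two different keys and both render as `FOO_TOKEN`, the plain value last. Normalising once per iteration, e.g. `{{- $name := $key | upper }}` and then `hasKey $envList $name` / `set $envList $name true`, makes the precedence hold regardless of case; the connector and worker loops follow the same pattern. As written, the `if not (hasKey $envList $key)` inside the secrets loop can never be false (the map is empty when that loop starts and keys are unique within one map); with normalised names it becomes meaningful. The fixed entries above the hunk, such as `PROVIDERS__LOCAL__STRATEGY`, are not registered in `$envList` either; whether that is intended cannot be seen from here.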
@@ -64,7 +64,23 @@ spec:
 protocol: TCP
 {{- end }}
 env:
- # Variables in plain text
+ # Variables from secrets have precedence
+
+ {{- $envList := dict -}}
+
+ {{- if .Values.worker.envFromSecrets }}
+ {{- range $key, $value := .Values.worker.envFromSecrets }}
+ - name: {{ $key | upper }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $value.name }}
+ key: {{ $value.key | default $key }}
+ {{- $_ := set $envList $key true }}
+ {{- end }}
+ {{- end }}
+
+ # Special handling for OPENCTI_URL which is constructed from other values
+ {{- if not (hasKey $envList "OPENCTI_URL") }}
 {{- if eq .Values.env.APP__BASE_PATH "/" }}
 - name: OPENCTI_URL
 value: "http://{{ include "opencti.fullname" . }}-server:{{ .Values.service.port }}"
@@ -72,27 +88,24 @@ spec:
 - name: OPENCTI_URL
 value: "http://{{ include "opencti.fullname" . }}-server:{{ .Values.service.port }}{{ .Values.env.APP__BASE_PATH }}"
 {{- end }}
- {{- if .Values.env.APP__ADMIN__TOKEN }}
+ {{- end }}
+
+ {{- if and (not (hasKey $envList "OPENCTI_TOKEN")) (.Values.env.APP__ADMIN__TOKEN) }}
 - name: OPENCTI_TOKEN
 value: "{{ .Values.env.APP__ADMIN__TOKEN }}"
 {{- end }}
+
+ # Add Variables in plain text from .Values.worker.env if they were not already added from secrets
 {{- if .Values.worker.env }}
 {{- range $key, $value := .Values.worker.env }}
+ {{- if not (hasKey $envList $key) }}
 - name: {{ $key | upper }}
 value: {{ $value | quote }}
+ {{- $_ := set $envList $key true }}
 {{- end }}
 {{- end }}
-
- # Variables from secrets
- {{- if .Values.worker.envFromSecrets }}
- {{- range $key, $value := .Values.worker.envFromSecrets }}
- - name: {{ $key | upper }}
- valueFrom:
- secretKeyRef:
- name: {{ $value.name }}
- key: {{ $value.key | default $key }}
- {{- end }}
 {{- end }}
+
 resources:
 {{- toYaml .Values.worker.resources | nindent 12 }}
 {{- with .Values.worker.nodeSelector }}
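Review bot: In worker/deployment.yaml the constructed `OPENCTI_URL` (first hunk) and the fallback `OPENCTI_TOKEN` (second hunk) are emitted without being recorded in `$envList`, so a `.Values.worker.env` entry with either name is rendered a second time by the plain-text loop. Adding `{{- $_ := set $envList "OPENCTI_URL" true }}` and `{{- $_ := set $envList "OPENCTI_TOKEN" true }}` right after the respective entries keeps each name unique; if `worker.env` is meant to override the constructed values, the two guards should test `worker.env` as well. The fallback still writes the admin token into the Deployment as a literal `value:`, so a short template comment naming `worker.envFromSecrets.OPENCTI_TOKEN` as the preferred route would help operators. The `if` guarding OPENCTI_URL opens in the first hunk and closes in the second.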