From c97b090e94ea04e77baf32c450fd9ed5083f443d Mon Sep 17 00:00:00 2001 From: danj-replicated Date: Mon, 13 May 2024 13:39:24 +0100 Subject: [PATCH 1/5] Make password secret optional createPasswordSecret defaults to true as to not break current behaviour --- templates/secret-shared-password.yaml | 5 ++++- values.yaml.tmpl | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/templates/secret-shared-password.yaml b/templates/secret-shared-password.yaml index c2edb3a..0643157 100644 --- a/templates/secret-shared-password.yaml +++ b/templates/secret-shared-password.yaml @@ -1,6 +1,8 @@ # Default password is "password". # Password specified in values or on command line overrides password currently in secret. # If no password is specified, password in secret is preserved. +# If createPasswordSecret is `false` this will be skipped entirely (useful for EC) +{{- if .Values.createPasswordSecret }} {{- $passwordBcrypt := "password" | bcrypt | b64enc }} {{- if ne .Values.password "" }} {{- $passwordBcrypt = .Values.password | bcrypt | b64enc }} @@ -17,4 +19,5 @@ metadata: {{- include "admin-console.labels" . | nindent 4 }} name: kotsadm-password data: - passwordBcrypt: {{ $passwordBcrypt }} \ No newline at end of file + passwordBcrypt: {{ $passwordBcrypt }} +{{- end }} diff --git a/values.yaml.tmpl b/values.yaml.tmpl index 24ad14a..1e8b6b1 100644 --- a/values.yaml.tmpl +++ b/values.yaml.tmpl @@ -8,6 +8,7 @@ images: rqlite: ${KOTSADM_REGISTRY}/rqlite:${RQLITE_TAG} kurlProxy: ${KOTSADM_REGISTRY}/kurl-proxy:${KOTS_TAG} password: "" +createPasswordSecret: true minimalRBAC: true isHelmManaged: true embeddedClusterID: "" From d0aa93007b1fbf46c9d074958f83f0cea0af234f Mon Sep 17 00:00:00 2001 
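Review bot: With `createPasswordSecret: false` the StatefulSet in this chart still mounts `secretKeyRef` `name: kotsadm-password` / `key: passwordBcrypt` (visible as context in the next patch of this series), so the kotsadm pod cannot start unless the operator pre-creates a Secret with exactly that name and key, and this commit neither checks for nor documents that contract. The comment added at the top of `secret-shared-password.yaml` should state it, e.g. `# If createPasswordSecret is false nothing is rendered here; a Secret named kotsadm-password with key passwordBcrypt must already exist in the release namespace.` The new key in `values.yaml.tmpl` lands without a comment; `# Set to false to skip creating the kotsadm-password Secret (one must then be supplied externally)` would help. `EC` is an unexplained abbreviation (presumably Embedded Cluster, given the `embeddedCluster*` values nearby); spell it out.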
From: danj-replicated Date: Mon, 13 May 2024 17:22:59 +0100 Subject: [PATCH 2/5] Switch on definition of secretKeyRef instead of bool --- templates/kotsadm-statefulset.yaml | 19 +++++++++++++------ templates/secret-shared-password.yaml | 4 ++-- values.yaml.tmpl | 2 +- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/templates/kotsadm-statefulset.yaml b/templates/kotsadm-statefulset.yaml index 010e039..6c456f9 100644 --- a/templates/kotsadm-statefulset.yaml +++ b/templates/kotsadm-statefulset.yaml @@ -28,8 +28,15 @@ spec: - name: SHARED_PASSWORD_BCRYPT valueFrom: secretKeyRef: +{{- if .Values.passwordSecretRef }} +{{- with .Values.passwordSecretRef }} + key: {{ .key }} + name: {{ .name }} +{{- end }} +{{- else }} key: passwordBcrypt name: kotsadm-password +{{- end }} - name: AUTO_CREATE_CLUSTER_TOKEN valueFrom: secretKeyRef: @@ -40,7 +47,7 @@ spec: secretKeyRef: key: key name: kotsadm-session -{{ if not .Values.isHelmManaged }} +{{- if not .Values.isHelmManaged }} - name: RQLITE_PASSWORD valueFrom: secretKeyRef: @@ -51,7 +58,7 @@ spec: secretKeyRef: key: uri name: kotsadm-rqlite -{{ end }} +{{- end }} - name: POD_NAMESPACE valueFrom: fieldRef: @@ -65,14 +72,14 @@ spec: value: http://kotsadm.{{ .Release.Namespace }}.svc.cluster.local:3000 - name: API_ADVERTISE_ENDPOINT value: http://localhost:8800 -{{ if .Values.embeddedClusterID }} +{{- if .Values.embeddedClusterID }} - name: EMBEDDED_CLUSTER_ID value: {{ .Values.embeddedClusterID | quote }} -{{ end }} -{{ if .Values.embeddedClusterVersion }} +{{- end }} +{{- if .Values.embeddedClusterVersion }} - name: EMBEDDED_CLUSTER_VERSION value: {{ .Values.embeddedClusterVersion | quote }} -{{ end }} +{{- end }} - name: HTTP_PROXY - name: HTTPS_PROXY - name: NO_PROXY diff --git a/templates/secret-shared-password.yaml b/templates/secret-shared-password.yaml index 0643157..88e80e1 100644 --- a/templates/secret-shared-password.yaml +++ b/templates/secret-shared-password.yaml 
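Review bot: The new `passwordSecretRef` branch renders `key: {{ .key }}` and `name: {{ .name }}` without checking that both fields are set, so a partially specified value such as `passwordSecretRef: {name: my-secret}` renders an empty `key:` and the pod only fails at runtime with a confusing error; fail at template time instead with `key: {{ required "passwordSecretRef.key is required" .key | quote }}` and `name: {{ required "passwordSecretRef.name is required" .name | quote }}`. The outer `{{- if .Values.passwordSecretRef }}` is redundant with `{{- with .Values.passwordSecretRef }}`: `with` already skips an empty map and supports an `{{- else }}` branch, so a single `with`/`else`/`end` expresses the same thing with one less nesting level. The enclosing `env:` list starts and ends outside the hunk. The remaining `{{ if` → `{{- if` edits are whitespace cleanup and look fine.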
@@ -1,8 +1,8 @@ # Default password is "password". # Password specified in values or on command line overrides password currently in secret. # If no password is specified, password in secret is preserved. -# If createPasswordSecret is `false` this will be skipped entirely (useful for EC) -{{- if .Values.createPasswordSecret }} +# If passwordSecretRef is defined this will be skipped entirely (useful for EC) +{{- if .Values.passwordSecretRef }} {{- $passwordBcrypt := "password" | bcrypt | b64enc }} {{- if ne .Values.password "" }} {{- $passwordBcrypt = .Values.password | bcrypt | b64enc }} diff --git a/values.yaml.tmpl b/values.yaml.tmpl index 1e8b6b1..7444fa0 100644 --- a/values.yaml.tmpl +++ b/values.yaml.tmpl @@ -8,7 +8,7 @@ images: rqlite: ${KOTSADM_REGISTRY}/rqlite:${RQLITE_TAG} kurlProxy: ${KOTSADM_REGISTRY}/kurl-proxy:${KOTS_TAG} password: "" -createPasswordSecret: true +passwordSecretRef: {} minimalRBAC: true isHelmManaged: true embeddedClusterID: "" From 9fceb94ba4d0556efa9d9dfd0626ebdb6a2f7e59 Mon Sep 17 00:00:00 2001 From: danj-replicated Date: Tue, 14 May 2024 09:09:03 +0100 Subject: [PATCH 3/5] flip check for passwordSecretRef --- templates/secret-shared-password.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/secret-shared-password.yaml b/templates/secret-shared-password.yaml index 88e80e1..1e35152 100644 --- a/templates/secret-shared-password.yaml +++ b/templates/secret-shared-password.yaml @@ -2,7 +2,7 @@ # Password specified in values or on command line overrides password currently in secret. # If no password is specified, password in secret is preserved. # If passwordSecretRef is defined this will be skipped entirely (useful for EC) -{{- if .Values.passwordSecretRef }} +{{- if not .Values.passwordSecretRef }} {{- $passwordBcrypt := "password" | bcrypt | b64enc }} {{- if ne .Values.password "" }} {{- $passwordBcrypt = .Values.password | bcrypt | b64enc }} 
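Review bot: The condition `{{- if .Values.passwordSecretRef }}` is the inverse of what the comment directly above it states: in this commit the chart's own `kotsadm-password` Secret is rendered only when an external reference is given and is dropped in the default case, so Helm would remove the Secret on upgrade for every existing install. It should read `{{- if not .Values.passwordSecretRef }}`; the following patch in this series makes exactly that change, noted here so the intermediate commit is not deployed on its own.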
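Review bot: `passwordSecretRef: {}` is added to `values.yaml.tmpl` without any documentation of its shape or effect, even though setting it changes which Secret the chart manages. A comment above it should give the expected fields and the contract, e.g. `# Reference to a pre-existing Secret holding the bcrypt admin password hash. When set ({name: ..., key: ...}) the chart no longer renders the kotsadm-password Secret and the referenced Secret must exist in the release namespace before install or upgrade.` Using an empty map as the "unset" sentinel is fine since it is falsy in Go templates, but worth stating in that comment.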
From 82ad67255c353eaa2855a7f0f3e864efeef81641 Mon Sep 17 00:00:00 2001 From: danj-replicated Date: Tue, 14 May 2024 09:23:07 +0100 Subject: [PATCH 4/5] Add env vars so kots knows what secret to update --- templates/kotsadm-statefulset.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/templates/kotsadm-statefulset.yaml b/templates/kotsadm-statefulset.yaml index 6c456f9..1aa528d 100644 --- a/templates/kotsadm-statefulset.yaml +++ b/templates/kotsadm-statefulset.yaml @@ -32,6 +32,10 @@ spec: {{- with .Values.passwordSecretRef }} key: {{ .key }} name: {{ .name }} + - name: SHARED_PASSWORD_SECRET_NAME + value: {{ .name }} + - name: SHARED_PASSWORD_SECRET_KEY + value: {{ .key }} {{- end }} {{- else }} key: passwordBcrypt From f59adf8b2eb5e689d2717d1fa6cd978782472ca5 Mon Sep 17 00:00:00 2001 From: danj-replicated Date: Tue, 14 May 2024 10:39:44 +0100 Subject: [PATCH 5/5] Disown kotsadm password --- templates/abandon-resources-hook.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/templates/abandon-resources-hook.yaml b/templates/abandon-resources-hook.yaml index 68fbfe6..dc79feb 100644 --- a/templates/abandon-resources-hook.yaml +++ b/templates/abandon-resources-hook.yaml @@ -25,6 +25,11 @@ spec: if kubectl get configmap kotsadm-application-metadata -n {{ .Release.Namespace }} -o jsonpath='{.metadata.labels.app\.kubernetes\.io/managed-by}' | grep -q "Helm"; then kubectl annotate configmap kotsadm-application-metadata -n {{ .Release.Namespace }} helm.sh/resource-policy=keep fi + {{- if .Values.passwordSecretRef }} + if kubectl get secret kotsadm-password -n {{ .Release.Namespace }} -o jsonpath='{.metadata.labels.app\.kubernetes\.io/managed-by}' | grep -q "Helm"; then + kubectl annotate secret kotsadm-password -n {{ .Release.Namespace }} helm.sh/resource-policy=keep + fi + {{- end }} image: {{ .Values.images.kotsadm }} imagePullPolicy: IfNotPresent name: abandon-resources
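Review bot: `value: {{ .name }}` and `value: {{ .key }}` are rendered unquoted, and a Secret data key may consist only of digits or otherwise look like a number (`[-._a-zA-Z0-9]+` is permitted), in which case YAML types the env `value` as an integer and the API server rejects the StatefulSet; render them as `value: {{ .name | quote }}` and `value: {{ .key | quote }}` (the `key:`/`name:` under `secretKeyRef` in the same `with` block deserve the same treatment). Because the collapsed diff has lost its indentation I cannot confirm that the two new `- name:` items sit at the `env:` list level rather than nested under `secretKeyRef:`; please check the rendered output. The two variables are only set in the external-ref branch, so whatever consumes them presumably falls back to `kotsadm-password`/`passwordBcrypt` when they are absent — a comment on the `{{- else }}` branch saying so would make the contract explicit. The enclosing `env:` list continues outside the hunk.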
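Review bot: The new `kubectl get secret` / `kubectl annotate secret` calls need RBAC the existing hook only required for configmaps; if the hook's ServiceAccount role (outside this diff, possibly governed by `minimalRBAC`) does not grant `get` and `patch` on `secrets`, the annotate step fails and, depending on how the script is invoked, either aborts the hook or silently leaves the Secret unannotated so Helm deletes it on the next upgrade — please confirm the role. Keeping `kotsadm-password` with `helm.sh/resource-policy=keep` means a bcrypt hash of the previous admin password remains in the namespace indefinitely once `passwordSecretRef` is in use; if that is intended, say so above the block, e.g. `# Once passwordSecretRef takes over, stop Helm from deleting the chart-created kotsadm-password Secret; it is intentionally left behind.` If it is not intended, the consumer that sets `passwordSecretRef` should be documented as responsible for removing it after migration. The hook's script body continues outside the hunk.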