Make password secret optional #45

Merged
merged 5 commits into from
May 14, 2024
Changes from 2 commits
19 changes: 13 additions & 6 deletions templates/kotsadm-statefulset.yaml
Expand Up @@ -28,8 +28,15 @@ spec:
- name: SHARED_PASSWORD_BCRYPT
valueFrom:
secretKeyRef:
{{- if .Values.passwordSecretRef }}
{{- with .Values.passwordSecretRef }}
key: {{ .key }}
name: {{ .name }}
{{- end }}
{{- else }}
Contributor

I believe we will also need to somehow tell KOTS what this new secret name is as it updates it at runtime when the password is changed. The kotsadm-password name is currently hard-coded in a few places.

One example where it updates the secret: https://github.com/replicatedhq/kots/blob/v1.109.0/pkg/password/password.go#L80

key: passwordBcrypt
name: kotsadm-password
{{- end }}
- name: AUTO_CREATE_CLUSTER_TOKEN
valueFrom:
secretKeyRef:
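Review bot: In the new `passwordSecretRef` branch, `key: {{ .key }}` and `name: {{ .name }}` render without a value when `passwordSecretRef` is set but one of the two fields is missing, so the result is an invalid `secretKeyRef` that only fails when the manifest is applied. Wrapping each field in Helm's `required` function (for example `{{ required "passwordSecretRef.key is required" .key }}`) would fail at render time with a clear message instead. The outer `if` is also redundant: `{{- with .Values.passwordSecretRef }} ... {{- else }} ... {{- end }}` covers both cases in one block.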
Expand All @@ -40,7 +47,7 @@ spec:
secretKeyRef:
key: key
name: kotsadm-session
{{ if not .Values.isHelmManaged }}
{{- if not .Values.isHelmManaged }}
- name: RQLITE_PASSWORD
valueFrom:
secretKeyRef:
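Review bot: The trim-marker change on `{{- if not .Values.isHelmManaged }}` (and on the matching `end` and the `embeddedClusterID` / `embeddedClusterVersion` guards further down) is unrelated to making the password secret optional, and would be easier to audit as its own commit. It should only remove blank lines from the rendered env list; comparing `helm template` output before and after would confirm that no entry changes.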
Expand All @@ -51,7 +58,7 @@ spec:
secretKeyRef:
key: uri
name: kotsadm-rqlite
{{ end }}
{{- end }}
- name: POD_NAMESPACE
valueFrom:
fieldRef:
Expand All @@ -65,14 +72,14 @@ spec:
value: http://kotsadm.{{ .Release.Namespace }}.svc.cluster.local:3000
- name: API_ADVERTISE_ENDPOINT
value: http://localhost:8800
{{ if .Values.embeddedClusterID }}
{{- if .Values.embeddedClusterID }}
- name: EMBEDDED_CLUSTER_ID
value: {{ .Values.embeddedClusterID | quote }}
{{ end }}
{{ if .Values.embeddedClusterVersion }}
{{- end }}
{{- if .Values.embeddedClusterVersion }}
- name: EMBEDDED_CLUSTER_VERSION
value: {{ .Values.embeddedClusterVersion | quote }}
{{ end }}
{{- end }}
- name: HTTP_PROXY
- name: HTTPS_PROXY
- name: NO_PROXY
5 changes: 4 additions & 1 deletion templates/secret-shared-password.yaml
@@ -1,6 +1,8 @@
# Default password is "password".
# Password specified in values or on command line overrides password currently in secret.
# If no password is specified, password in secret is preserved.
# If passwordSecretRef is defined this will be skipped entirely (useful for EC)
{{- if .Values.passwordSecretRef }}
danj-replicated marked this conversation as resolved.
{{- $passwordBcrypt := "password" | bcrypt | b64enc }}
{{- if ne .Values.password "" }}
{{- $passwordBcrypt = .Values.password | bcrypt | b64enc }}
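Review bot: The guard `{{- if .Values.passwordSecretRef }}` contradicts the comment added directly above it. As written, the `kotsadm-password` Secret is rendered only when `passwordSecretRef` is set, and is omitted in the default case (`passwordSecretRef: {}`), which is exactly when the StatefulSet falls back to `name: kotsadm-password`. The condition should be `{{- if not .Values.passwordSecretRef }}`.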
Expand All @@ -17,4 +19,5 @@ metadata:
{{- include "admin-console.labels" . | nindent 4 }}
name: kotsadm-password
data:
passwordBcrypt: {{ $passwordBcrypt }}
passwordBcrypt: {{ $passwordBcrypt }}
{{- end }}
1 change: 1 addition & 0 deletions values.yaml.tmpl
Expand Up @@ -8,6 +8,7 @@ images:
rqlite: ${KOTSADM_REGISTRY}/rqlite:${RQLITE_TAG}
kurlProxy: ${KOTSADM_REGISTRY}/kurl-proxy:${KOTS_TAG}
password: ""
passwordSecretRef: {}
minimalRBAC: true
isHelmManaged: true
embeddedClusterID: ""
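Review bot: `passwordSecretRef: {}` is added without any comment describing its shape. The StatefulSet template reads `.name` and `.key` from it, so a short comment here stating that both fields are expected, and that the referenced Secret must hold a bcrypt hash (it feeds `SHARED_PASSWORD_BCRYPT`), would prevent misconfiguration such as pointing it at a Secret that contains a plaintext password.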