Make password secret optional #45

Merged
merged 5 commits into from
May 14, 2024
5 changes: 5 additions & 0 deletions templates/abandon-resources-hook.yaml
Expand Up @@ -25,6 +25,11 @@ spec:
if kubectl get configmap kotsadm-application-metadata -n {{ .Release.Namespace }} -o jsonpath='{.metadata.labels.app\.kubernetes\.io/managed-by}' | grep -q "Helm"; then
kubectl annotate configmap kotsadm-application-metadata -n {{ .Release.Namespace }} helm.sh/resource-policy=keep
fi
{{- if .Values.passwordSecretRef }}
if kubectl get secret kotsadm-password -n {{ .Release.Namespace }} -o jsonpath='{.metadata.labels.app\.kubernetes\.io/managed-by}' | grep -q "Helm"; then
kubectl annotate secret kotsadm-password -n {{ .Release.Namespace }} helm.sh/resource-policy=keep
fi
{{- end }}
Comment on lines +28 to +32
Contributor

Would this effectively keep the secret around, but it would no longer be used by KOTS? Is there a reason why we want to keep it around? Kinda thinking out loud here...

Contributor Author

I didn't think we're deprecating the secret entirely? Just pre-generating the secret if needed from EC.

image: {{ .Values.images.kotsadm }}
imagePullPolicy: IfNotPresent
name: abandon-resources
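
Review bot: The new `passwordSecretRef` block annotates `kotsadm-password` with `helm.sh/resource-policy=keep`, but nothing in the template says why the secret should outlive the release once the chart stops rendering it. Because templates/secret-shared-password.yaml in this same change skips the secret whenever `passwordSecretRef` is set, the kept object becomes an unmanaged bcrypt hash in the namespace, and per that template's header comment it may be the hash of the default password. Suggest a short comment here stating the intent (for example, that the referenced secret may be `kotsadm-password` itself), or limiting the keep to the case where `passwordSecretRef.name` is `kotsadm-password`.
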
23 changes: 17 additions & 6 deletions templates/kotsadm-statefulset.yaml
Expand Up @@ -28,8 +28,19 @@ spec:
- name: SHARED_PASSWORD_BCRYPT
valueFrom:
secretKeyRef:
{{- if .Values.passwordSecretRef }}
{{- with .Values.passwordSecretRef }}
key: {{ .key }}
name: {{ .name }}
- name: SHARED_PASSWORD_SECRET_NAME
value: {{ .name }}
- name: SHARED_PASSWORD_SECRET_KEY
value: {{ .key }}
{{- end }}
{{- else }}
key: passwordBcrypt
name: kotsadm-password
{{- end }}
- name: AUTO_CREATE_CLUSTER_TOKEN
valueFrom:
secretKeyRef:
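
Review bot: `key: {{ .key }}` and `name: {{ .name }}` render unquoted and unchecked, so a `passwordSecretRef` that sets only one of the two still passes the `if` and yields a `secretKeyRef` with an empty field. Suggest wrapping both in Helm's `required` and piping through `quote`, as the `embeddedClusterID` value further down already does, for example `name: {{ required "passwordSecretRef.name is required" .name | quote }}`. The outer `if` also duplicates what `with` plus `else` already expresses, so the two could collapse into a single `with`/`else` block.
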
Expand All @@ -40,7 +51,7 @@ spec:
secretKeyRef:
key: key
name: kotsadm-session
{{ if not .Values.isHelmManaged }}
{{- if not .Values.isHelmManaged }}
- name: RQLITE_PASSWORD
valueFrom:
secretKeyRef:
Expand All @@ -51,7 +62,7 @@ spec:
secretKeyRef:
key: uri
name: kotsadm-rqlite
{{ end }}
{{- end }}
- name: POD_NAMESPACE
valueFrom:
fieldRef:
Expand All @@ -65,14 +76,14 @@ spec:
value: http://kotsadm.{{ .Release.Namespace }}.svc.cluster.local:3000
- name: API_ADVERTISE_ENDPOINT
value: http://localhost:8800
{{ if .Values.embeddedClusterID }}
{{- if .Values.embeddedClusterID }}
- name: EMBEDDED_CLUSTER_ID
value: {{ .Values.embeddedClusterID | quote }}
{{ end }}
{{ if .Values.embeddedClusterVersion }}
{{- end }}
{{- if .Values.embeddedClusterVersion }}
- name: EMBEDDED_CLUSTER_VERSION
value: {{ .Values.embeddedClusterVersion | quote }}
{{ end }}
{{- end }}
- name: HTTP_PROXY
- name: HTTPS_PROXY
- name: NO_PROXY
5 changes: 4 additions & 1 deletion templates/secret-shared-password.yaml
@@ -1,6 +1,8 @@
# Default password is "password".
# Password specified in values or on command line overrides password currently in secret.
# If no password is specified, password in secret is preserved.
# If passwordSecretRef is defined this will be skipped entirely (useful for EC)
{{- if not .Values.passwordSecretRef }}
{{- $passwordBcrypt := "password" | bcrypt | b64enc }}
{{- if ne .Values.password "" }}
{{- $passwordBcrypt = .Values.password | bcrypt | b64enc }}
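
Review bot: With the `if not .Values.passwordSecretRef` guard, a non-empty `password` value is silently ignored when both values are set, which contradicts the header comment that a password given in values overrides the one in the secret. Suggest either failing the render when both are provided or extending the new comment line to state that `passwordSecretRef` takes precedence over `password`. The phrase "useful for EC" could also spell out what EC refers to for readers of the chart.
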
Expand All @@ -17,4 +19,5 @@ metadata:
{{- include "admin-console.labels" . | nindent 4 }}
name: kotsadm-password
data:
passwordBcrypt: {{ $passwordBcrypt }}
passwordBcrypt: {{ $passwordBcrypt }}
{{- end }}
1 change: 1 addition & 0 deletions values.yaml.tmpl
Expand Up @@ -8,6 +8,7 @@ images:
rqlite: ${KOTSADM_REGISTRY}/rqlite:${RQLITE_TAG}
kurlProxy: ${KOTSADM_REGISTRY}/kurl-proxy:${KOTS_TAG}
password: ""
passwordSecretRef: {}
minimalRBAC: true
isHelmManaged: true
embeddedClusterID: ""
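
Review bot: `passwordSecretRef: {}` is added without a comment describing its shape, while templates/kotsadm-statefulset.yaml reads `.name` and `.key` from it. Suggest documenting both keys next to the default, and noting that setting it stops the chart from creating `kotsadm-password`.
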