
Commit f1f2f96

Release 3.9.0: Add support for existing Kubernetes secret resources (#164)
1 parent 4deab96 commit f1f2f96


7 files changed

+517
-289
lines changed


.github/workflows/build-test.yml

Lines changed: 469 additions & 284 deletions
Large diffs are not rendered by default.

pubsubplus/Chart.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
apiVersion: v2
22
description: Deploy Solace Event Broker Singleton or HA redundancy group onto a Kubernetes Cluster
33
name: pubsubplus
4-
version: 3.8.0
4+
version: 3.9.0
55
icon: https://solaceproducts.github.io/pubsubplus-kubernetes-helm-quickstart/images/solace.png
66
kubeVersion: '>= 1.10.0-0'
77
maintainers:

pubsubplus/README.md

Lines changed: 17 additions & 3 deletions
@@ -72,6 +72,19 @@ solace:
7272
# Now use the file:
7373
helm install my-release -f my-values.yaml solacecharts/pubsubplus
7474
```
75+
76+
For production environments, we recommend using an existing Kubernetes secret for the admin password instead of specifying it in plain text:
77+
78+
```bash
79+
# Create a Kubernetes secret with the admin password
80+
# IMPORTANT: The key in the secret MUST be 'username_admin_password'
81+
kubectl create secret generic my-admin-secret --from-literal=username_admin_password=secretpassword
82+
83+
# Install the chart using the existing secret
84+
helm install my-release \
85+
--set solace.redundancy=true,solace.usernameAdminPasswordSecretName=my-admin-secret \
86+
solacecharts/pubsubplus
87+
```
7588
> Note: as an alternative to creating a new file you can [download](https://raw.githubusercontent.com/SolaceProducts/pubsubplus-kubernetes-helm-quickstart/master/pubsubplus/values.yaml) the `values.yaml` file with default values and edit that for overrides.
7689
7790
For more ways to override default chart values, refer to [Customizing the Helm Chart Before Installing](//helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
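Review bot: the `kubectl create secret generic ... --from-literal=username_admin_password=secretpassword` example puts the admin password on the command line, where it lands in shell history and is visible to other local users via process listings; since this section recommends the approach for production, suggest showing `--from-file=username_admin_password=./admin-password.txt` (or `--from-file=username_admin_password=/dev/stdin`) instead. The install example also sets `solace.redundancy=true` without explanation; either drop it or say it is only there to show how flags combine.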
@@ -85,9 +98,10 @@ For more ways to override default chart values, refer to [Customizing the Helm C
8598
| `solace.size` | Event broker simple vertical scaling by number of client connections. **Ignored** if `solace.systemScaling` is set. Options: `dev` (requires minimum resources but no guaranteed performance), `prod1k`, `prod10k`, `prod100k` | `prod1k` |
8699
| `solace.systemScaling.*` | Event broker fine-grained vertical scaling definition. If defined, all sub-settings must be provided and these settings will **override** `solace.size`. For scaling documentation, look for "system scaling" at [docs.solace.com](https://docs.solace.com/Search.htm?q=system%20scaling). Use the [online calculator](https://docs.solace.com/Assistance-Tools/Resource-Calculator/pubsubplus-resource-calculator.html) to determine CPU, Memory and Storage requirements for "Container (messaging)" type. </br> `maxConnections`: max supported number of client connections </br> `maxQueueMessages`: max number of queue messages, in millions of messages </br> `maxSpoolUsage`: max Spool Usage, in MB. Also ensure adequate storage.size parameter, use the calculator </br> `cpu`: CPUs in cores </br> `memory`: host Virtual Memory, in MiB | Undefined |
87100
| `solace.podModifierEnabled` | Enables modifying (reducing) CPU and memory resources for Monitoring nodes in an HA deployment. Also requires the ["solace-pod-modifier" Kubernetes admission plugin](https://github.com/SolaceProducts/pubsubplus-kubernetes-helm-quickstart/blob/master/solace-pod-modifier-admission-plugin/README.md#how-to-use) deployed to work. | Undefined, meaning not enabled. |
88-
| `solace.usernameAdminPassword` | The password for the "admin" management user. Will autogenerate it if not provided. **Important:** refer to the the information from `helm status` how to retrieve it and use it for `helm upgrade`. | Undefined, meaning autogenerate |
89-
| `solace.timezone` | Timezone setting for the Solace container. Valid values are tz database time zone names. | Undefined, default is UTC |
90-
| `solace.extraEnvVars` | List of extra environment variables to be added to the Solace Event Broker container. A primary use case is to specify [configuration keys](https://docs.solace.com/Software-Broker/Configuration-Keys-Reference.htm). Important: env variables defined here will not override the ones defined in solaceConfigMap. | Undefined |
101+
| `solace.usernameAdminPassword` | The password for the "admin" management user. The password will autogenerate it if not provided. Important: see `helm status` for information on how to retrieve the password and use it for `helm upgrade`. Note: This method passes the password as plain text in the values.yaml file, which is not recommended for production. | Undefined, meaning autogenerate |
102+
| `solace.usernameAdminPasswordSecretName` | The name of an existing Kubernetes secret containing the admin password. This is the recommended approach for production environments to avoid storing passwords in plain text. If specified, this takes precedence over usernameAdminPassword. | Undefined |
103+
| `solace.timezone` | The timezone setting for the Solace container. The valid values are tz database time zone names. | Undefined, default is UTC |
104+
| `solace.extraEnvVars` | The list of extra environment variables to be added to the Solace Event Broker container. A primary use case is to specify [configuration keys](https://docs.solace.com/Software-Broker/Configuration-Keys-Reference.htm). Important: env variables defined here will not override the ones defined in solaceConfigMap. | Undefined |
91105
| `solace.extraEnvVarsCM` | The name of an existing ConfigMap containing extra environment variables | Undefined |
92106
| `solace.extraEnvVarsSecret` | The name of an existing Secret containing extra environment variables (in case of sensitive data) | Undefined |
93107
| `image.repository` | The image repo name and path to the Solace Event Broker container image | `solace/solace-pubsub-standard` |
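Review bot: the reworded `solace.usernameAdminPassword` row now reads "The password will autogenerate it if not provided", which is ungrammatical; "Autogenerated if not provided" keeps the original meaning. The new `solace.usernameAdminPasswordSecretName` row should also state the required key name `username_admin_password`, which `templates/secret.yaml` enforces in this same commit but which the table does not mention.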

pubsubplus/templates/secret.yaml

Lines changed: 11 additions & 0 deletions
@@ -1,3 +1,12 @@
1+
{{- if .Values.solace.usernameAdminPasswordSecretName }}
2+
{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace .Values.solace.usernameAdminPasswordSecretName) }}
3+
{{- if not $existingSecret }}
4+
{{- fail (printf "Error: Secret '%s' not found in namespace '%s'. Please create the secret before deploying." .Values.solace.usernameAdminPasswordSecretName .Release.Namespace) }}
5+
{{- end }}
6+
{{- if not (index $existingSecret.data "username_admin_password") }}
7+
{{- fail (printf "Error: Secret '%s' does not contain the required key 'username_admin_password'. Please ensure the secret has the required key." .Values.solace.usernameAdminPasswordSecretName) }}
8+
{{- end }}
9+
{{- else }}
110
{{- $secretBase := include "solace.fullname" . }}
211
{{- $secretName := printf "%s-%s" $secretBase "secrets" }}
312
{{- $adminPasswordValue := (randAlpha 10) | b64enc | quote }}
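Review bot: `lookup` returns an empty map whenever the template is rendered without cluster access (`helm template`, `helm install --dry-run`, and GitOps tools such as Argo CD or Flux that render charts client-side), so the unconditional `fail` here aborts rendering in exactly those workflows even when the secret exists. Suggest running the two checks only when `$existingSecret` is non-empty, or gating them behind a value such as a hypothetical `solace.validateExistingSecret`, and documenting in values.yaml that the precondition is not verified under `helm template`.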
@@ -21,3 +30,5 @@ data:
2130
{{ else }}
2231
username_admin_password: {{ $adminPasswordValue}}
2332
{{ end }}
33+
{{- end }}
34+
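Review bot: the hunk adds a trailing blank line after the closing `{{- end }}` (the `34+` line); drop it so the file ends with a single newline. More importantly, wrapping the whole template in the `if/else` means the chart no longer creates the `<fullname>-secrets` Secret at all when an existing secret is referenced, so any NOTES or `helm status` guidance that tells users to read the generated password from that Secret needs the matching condition.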

pubsubplus/templates/solaceStatefulSet.yaml

Lines changed: 8 additions & 1 deletion
@@ -133,6 +133,13 @@ spec:
133133
value: {{ printf "%s/%s" ":/usr/share/zoneinfo" (default "UTC" .Values.solace.timezone) }}
134134
- name: UMASK
135135
value: "0022"
136+
{{- if .Values.solace.usernameAdminPasswordSecretName }}
137+
- name: EXTERNAL_USER_ADMIN_PASSWORD
138+
valueFrom:
139+
secretKeyRef:
140+
name: {{ .Values.solace.usernameAdminPasswordSecretName }}
141+
key: username_admin_password
142+
{{- end }}
136143
{{- if .Values.solace.systemScaling }}
137144
{{- if hasKey .Values.solace.systemScaling "maxKafkaBridgeCount" }}
138145
- name: SYSTEM_SCALING_MAXKAFKABRIDGECOUNT
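Review bot: the new `EXTERNAL_USER_ADMIN_PASSWORD` env var exposes the admin password through the container environment (inherited by every child process and visible with `kubectl exec ... env` or in crash reports), whereas the existing path delivers it only as a file from the `admin-secrets` volume, which this same commit also repoints at the user's secret. If the broker image reads the password from the mounted file, the env var is redundant and should be dropped; if the image needs the env var, a comment saying why would help reviewers. Note also that the env var exists only in the existing-secret branch, so the two modes configure the container differently.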
@@ -302,7 +309,7 @@ spec:
302309
defaultMode: 0755
303310
- name: admin-secrets
304311
secret:
305-
secretName: {{ template "solace.fullname" . }}-secrets
312+
secretName: {{ if .Values.solace.usernameAdminPasswordSecretName }}{{ .Values.solace.usernameAdminPasswordSecretName }}{{ else }}{{ template "solace.fullname" . }}-secrets{{ end }}
306313
defaultMode: 0400
307314
{{- if .Values.insights.enabled }}
308315
- name: insights-secrets
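Review bot: the inline `{{ if ... }}{{ ... }}{{ else }}{{ template ... }}{{ end }}` on the `secretName:` line is hard to read and duplicates the selection already made in `templates/secret.yaml`; suggest a named template such as a hypothetical `solace.adminSecretName` that both files call. Also, if the chart-generated secret carries any keys besides `username_admin_password`, those files will be missing from the mount when a user-supplied secret is substituted, since the check in `secret.yaml` only requires that one key.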

pubsubplus/values.schema.json

Lines changed: 4 additions & 0 deletions
@@ -157,6 +157,10 @@
157157
"usernameAdminPassword": {
158158
"type": ["string", "null"]
159159
},
160+
"usernameAdminPasswordSecretName": {
161+
"type": ["string", "null"],
162+
"description": "The name of an existing Kubernetes secret containing the admin password."
163+
},
160164
"affinity": {
161165
"$ref": "#/definitions/io.k8s.api.core.v1.Affinity",
162166
"description": "If specified, the PubSubPlus+ STS scheduling constraints"
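Review bot: the new `usernameAdminPasswordSecretName` property accepts any string; adding a `pattern` for a DNS-1123 subdomain (lower-case alphanumerics, `-` and `.`, at most 253 characters) would reject invalid Secret names at `helm lint`/install time rather than at the `lookup`. The description could also name the required key `username_admin_password`, mirroring the values.yaml comment.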

pubsubplus/values.yaml

Lines changed: 7 additions & 0 deletions
@@ -60,8 +60,15 @@ solace:
6060
# obtain the generated password and provide it for each upgrade.
6161
# Obtain the generated password from the deployment using
6262
# kubectl get secret <release-name>-solace-secrets -o jsonpath="{.data.username_admin_password}" | base64 --decode
63+
# Note: This method passes the password as plain text in values.yaml, which is not recommended for production.
6364
usernameAdminPassword:
6465

66+
# solace.usernameAdminPasswordSecretName specifies the name of an existing Kubernetes secret containing the admin password.
67+
# This is the recommended approach for production environments to avoid storing passwords in plain text.
68+
# If specified, this takes precedence over usernameAdminPassword.
69+
# The secret must contain a key named 'username_admin_password' with the admin password.
70+
# usernameAdminPasswordSecretName:
71+
6572
# solace.timezone setting for the Solace Event Broker container, if undefined default is UTC. Valid values are tz database time zone names.
6673
# timezone: UTC
6774
