allow secrets and variables to use valueFrom#111

Merged
kosyfrances merged 3 commits into hashicorp:main from USA-RedDragon:valueFrom-variables on Mar 17, 2025

@USA-RedDragon USA-RedDragon commented Jan 2, 2025

Relates to: https://github.com/hashicorp/terraform-enterprise-helm/issues/54
Also noticed as part of a support ticket.

This patch allows environment variables in external Secrets/ConfigMaps to be referenced under $.Values.env.secretKeyRefs and $.Values.env.configMapKeyRefs. This was implemented by adding a new helper to consume these values and template out env entries for the Deployment. This patch does not include any breaking changes, only new functionality.

Syntax in values.yaml:

```yaml
env:
  secretKeyRefs: # or configMapKeyRefs
    - name: ENV_NAME_HERE
      key: SECRET_KEY
      secretName: SECRET_NAME # or configMapName
```

Use case: I have an operator that creates PostgreSQL databases (i.e. CrunchyData PGO, CNPG, etc.) and creates a secret with the authentication info. I would like to reference this secret in `TFE_DATABASE_PASSWORD` and `TFE_DATABASE_USER`, but prior to this patch, cannot.

Tests:

  • `helm template --namespace tfe tfe .` - verify deployment doesn't have an env key by default and is unchanged from the previous release after this patch
  • `helm template tfe . --set 'env.secretKeyRefs[0].name=TFE_REDIS_PASSWORD' --set 'env.secretKeyRefs[0].secretName=tfe-external' --set 'env.secretKeyRefs[0].key=TFE_REDIS_PASSWORD'` - verify TFE deployment contains a reference to TFE_REDIS_PASSWORD in secret tfe-external
  • `helm template tfe . --set 'env.configMapKeyRefs[0].name=TFE_DATABASE_USER' --set 'env.configMapKeyRefs[0].configMapName=tfe-external' --set 'env.configMapKeyRefs[0].key=TFE_DATABASE_USER'` - verify TFE deployment contains a reference to TFE_DATABASE_USER in configmap tfe-external
  • `helm template tfe . --set 'env.configMapKeyRefs[0].name=TFE_DATABASE_USER' --set 'env.configMapKeyRefs[0].configMapName=tfe-external' --set 'env.configMapKeyRefs[0].key=TFE_DATABASE_USER' --set 'env.secretKeyRefs[0].name=TFE_REDIS_PASSWORD' --set 'env.secretKeyRefs[0].secretName=tfe-external' --set 'env.secretKeyRefs[0].key=TFE_REDIS_PASSWORD'` - verify TFE deployment contains references to TFE_DATABASE_USER and TFE_REDIS_PASSWORD in secret and configmap tfe-external

@USA-RedDragon USA-RedDragon requested a review from a team as a code owner January 2, 2025 21:06
@USA-RedDragon

@nikolasrieble any chance to get a review on this one?


@kosyfrances kosyfrances left a comment

@USA-RedDragon thank you for the contribution.
This approach requires users to define the entire valueFrom structure for each secretKeyRef or configMapKeyRef they want to use. While this approach works, it places a burden on the user to provide the full structure every time they need to define an environment variable sourced from a secret or config map.

I suggest we define the environment variables in the values.yaml file with simplified keys and then iterate over these values in the deployment.yaml template. This way, users only need to provide the essential details (name, secretName/configMapName, and key) without worrying about the full valueFrom structure.

```yaml
# deployment.yaml
env:
          {{- range .Values.env.secretKeyRefs }}
          - name: {{ .name }}
            valueFrom:
              secretKeyRef:
                name: {{ .secretName }}
                key: {{ .key }}
          {{- end }}
          {{- range .Values.env.configMapKeyRefs }}
          - name: {{ .name }}
            valueFrom:
              configMapKeyRef:
                name: {{ .configMapName }}
                key: {{ .key }}
          {{- end }}
```

```yaml
# values.yaml
env:
  # configFilePath: env-config.yaml
  # secretsFilePath: # env-secrets.yaml
  # configMapRefs:
  #   - name:
  # secretRefs:
  #    - name:
  secrets: {}
    # TFE_ENCRYPTION_PASSWORD: "SECRET"
    ...
  variables: {}
    # TFE_HOSTNAME: ""
    ...
  secretKeyRefs:
    # - name: SECRET_ENV_VAR
    #   secretName: my-secret
    #   key: secret-key
  configMapKeyRefs:
    # - name: CONFIG_ENV_VAR
    #   configMapName: my-configmap
    #   key: config-key
```
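
A pre-flight check for the `env.secretKeyRefs` / `env.configMapKeyRefs` lists discussed in this thread, as an added example that is not part of the PR or the chart: it builds the `valueFrom` entries the suggested template would emit and rejects entries that a plain `range` loop would render without complaint. The function name `build_env`, the validation rules chosen, and the sample Secret/ConfigMap names are assumptions made for illustration.

```python
import re

# Conservative checks: env names as C identifiers, Secret/ConfigMap names as
# DNS-1123 subdomains, data keys limited to alphanumerics, '-', '_' and '.'.
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
LABEL = r"[a-z0-9]([-a-z0-9]*[a-z0-9])?"
OBJECT_NAME = re.compile(rf"{LABEL}(\.{LABEL})*")
DATA_KEY = re.compile(r"[-._A-Za-z0-9]+")

# (values list, field naming the object, Kubernetes valueFrom kind)
SOURCES = (("secretKeyRefs", "secretName", "secretKeyRef"),
           ("configMapKeyRefs", "configMapName", "configMapKeyRef"))


def build_env(env_values):
    """Return (entries, errors) for the env: block of a values file (hypothetical helper)."""
    entries, errors, seen = [], [], set()
    for list_key, name_field, ref_kind in SOURCES:
        # A key left empty in values.yaml parses as None, so treat it as [].
        for i, item in enumerate(env_values.get(list_key) or []):
            where = f"env.{list_key}[{i}]"
            checks = (("name", ENV_NAME), (name_field, OBJECT_NAME), ("key", DATA_KEY))
            bad = [f for f, rx in checks if not rx.fullmatch(str(item.get(f) or ""))]
            if bad:
                errors.append(f"{where}: missing or invalid {', '.join(bad)}")
            elif item["name"] in seen:
                # Two sources for one variable: which one wins is easy to misread.
                errors.append(f"{where}: duplicate env name {item['name']}")
            else:
                seen.add(item["name"])
                entries.append({"name": item["name"], "valueFrom": {
                    ref_kind: {"name": item[name_field], "key": item["key"]}}})
    return entries, errors


# Constructed sample values; the Secret and ConfigMap names are hypothetical.
SAMPLE = {
    "secretKeyRefs": [
        {"name": "TFE_DATABASE_PASSWORD", "secretName": "tfe-pg-app", "key": "password"},
        {"name": "TFE_REDIS_PASSWORD", "secretName": "Tfe_External", "key": "TFE_REDIS_PASSWORD"},
        {"name": "TFE_DATABASE_USER", "secretName": "tfe-pg-app"},
    ],
    "configMapKeyRefs": [
        {"name": "TFE_DATABASE_PASSWORD", "configMapName": "tfe-external", "key": "pw"},
    ],
}

if __name__ == "__main__":
    env, problems = build_env(SAMPLE)
    print(env)
    print("\n".join(problems))
```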

@USA-RedDragon

Ready for re-review


@kosyfrances kosyfrances left a comment

Looks good to me. I validated that everything worked fine on a TFE installation. Just added small comments and after that I'll approve.

@kosyfrances kosyfrances merged commit 2477b5d into hashicorp:main Mar 17, 2025
1 check passed
@USA-RedDragon USA-RedDragon deleted the valueFrom-variables branch March 17, 2025 15:48