CLD-740: Registry Secret Removal and Allow User to Provide Own Auth Secret (#115)

pengzhouml · rwinieski · Barkha Choithani · pengzhouml · commit 684c2bea92ce · 2023-04-18T14:50:11.000-07:00
* CLD-740: remove registry secret and use registry secret name instead
Co-authored-by: rwinieski &lt;romain.winieski@marklogic.com&gt;
Co-authored-by: Barkha Choithani &lt;barkha.choithani@marklogic.com&gt;
diff --git a/charts/templates/_helpers.tpl b/charts/templates/_helpers.tpl
@@ -76,6 +76,25 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Get the name for secret that is used for auth and managed by the Chart.
+*/}}
+{{- define "marklogic.authSecretName" -}}
+{{- printf "%s-admin" (include "marklogic.fullname" .) }}
+{{- end }}
+
+{{/*
+Get the secret name to mount to statefulSet.
+Use the auth.secretName value if set, otherwise use the name from marklogic.authSecretName.
+*/}}
+{{- define "marklogic.authSecretNameToMount" -}}
+{{- if .Values.auth.secretName }}
+{{- .Values.auth.secretName }}
+{{- else }}
+{{- include "marklogic.authSecretName" . }}
+{{- end }}
+{{- end }}
+
 {{/*
 Fully qualified domain name
 */}}
diff --git a/charts/templates/secret-registry.yaml b/charts/templates/secret-registry.yaml
diff --git a/charts/templates/secret.yaml b/charts/templates/secret.yaml
@@ -1,19 +1,24 @@
+{{- if not .Values.auth.secretName -}}
+{{- $adminUsername := (default (printf "admin-%s" (randAlphaNum 5)) .Values.auth.adminUsername) | b64enc | quote }}
 {{- $adminPassword := (default (randAlphaNum 10) .Values.auth.adminPassword) | b64enc | quote }}
+{{- $walletPassword := (default (randAlphaNum 10) .Values.auth.adminPassword) | b64enc | quote }}
 {{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-admin" (include "marklogic.fullname" .))) }}
 {{- if $secret }}
+{{- $adminUsername = index $secret.data "username" }}
 {{- $adminPassword = index $secret.data "password" }}
+{{- $walletPassword = index $secret.data "wallet-password" }}
 {{- end }}
 
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "marklogic.fullname" . }}-admin
+  name: {{ include "marklogic.authSecretName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "marklogic.labels" . | nindent 4 }}
 type: Opaque
 data:
     password: {{ $adminPassword }}
-    username: {{ .Values.auth.adminUsername | b64enc | quote }}
-    wallet-password: {{ .Values.auth.walletPassword | b64enc | quote }}
-
+    username: {{ $adminUsername }}
+    wallet-password: {{ $walletPassword }}
+{{- end }}
diff --git a/charts/templates/statefulset.yaml b/charts/templates/statefulset.yaml
@@ -299,17 +299,16 @@ spec:
       {{- with .Values.nodeSelector }}
       nodeSelector: {{- toYaml . | nindent 8}}
       {{- end }}
-      {{- if .Values.imagePullSecret }}
-      imagePullSecrets:
-        - name: {{ include "marklogic.fullname" . }}-registry
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets: {{- toYaml .Values.imagePullSecrets | nindent 8 }}
       {{- end }}
       dnsConfig:
         searches:
           - {{ include "marklogic.headlessURL" . }}
       volumes:
         - name: mladmin-secrets
           secret:
-            secretName: {{ include "marklogic.fullname" . }}-admin
+            secretName: {{ include "marklogic.authSecretNameToMount" . }}
         {{- if .Values.logCollection.enabled }}
         - name: {{ include "marklogic.fullname" . }}-fb-config-map
           configMap:
diff --git a/charts/values.yaml b/charts/values.yaml
@@ -37,12 +37,10 @@ initContainerImage:
   tag: 7.87.0
   pullPolicy: IfNotPresent
 
-# Configure the imagePullSecret to pull the image from private repository that requires credential
-imagePullSecret: {}
-## docker hub registry: https://index.docker.io/v1/
-# registry: "https://index.docker.io/v1/"
-# username: "your username"
-# password: "your password"
+# Configure the imagePullSecrets to pull the image from private repository that requires credential
+imagePullSecrets: []
+# - name: "your-secret-name-1"
+# - name: "your-secret-name-2"
 
 # Marklogic pods' resource requests and limits
 # ref: https://kubernetes.io/docs/user-guide/compute-resources/
@@ -57,11 +55,19 @@ resources: {}
 nameOverride: ""
 fullnameOverride: ""
 
-# Configure Marklogic Admin Username and Password
+# Configure Marklogic Admin Username and Password. Create a secret and specify the name via "secretName"
+# with the following keys:
+#   * username
+#   * password
+#   * wallet-password
+# 
+# If no secret is specified and the admin credentials are not provided, a secret will be automatically
+# generated with random admin and wallet passwords.
 auth:
-  adminUsername: "admin"
-  adminPassword: ""
-  walletPassword: ""
+  secretName: ""
+#  adminUsername: "admin"
+#  adminPassword: ""
+#  walletPassword: ""
 
 # Optionally install converters package on MarkLogic
 enableConverters: false
diff --git a/test/e2e/install_test.go b/test/e2e/install_test.go
@@ -95,9 +95,8 @@ func TestHelmInstall(t *testing.T) {
 	assert.Equal(t, 10, len(password))
 	usernameArr := secret.Data["username"]
 	username := string(usernameArr[:])
-	expectedUsername := "admin"
-	// the username from secret expected to be "admin"
-	assert.Equal(t, expectedUsername, username)
+	// the random generated username should have length of 11"
+	assert.Equal(t, 11, len(username))
 
 	tunnel8002 := k8s.NewTunnel(kubectlOptions, k8s.ResourceTypePod, podName, 8002, 8002)
 	defer tunnel8002.Close()
diff --git a/test/template/admin_sec_templ_test.go b/test/template/admin_sec_templ_test.go
@@ -0,0 +1,53 @@
+package template_test
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	appsv1 "k8s.io/api/apps/v1"
+
+	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/gruntwork-io/terratest/modules/k8s"
+	"github.com/gruntwork-io/terratest/modules/random"
+)
+
+func TestChartTemplateAdminSecret(t *testing.T) {
+
+	// Path to the helm chart we will test
+	helmChartPath, err := filepath.Abs("../../charts")
+	releaseName := "marklogic-admin-sec-test"
+	t.Log(helmChartPath, releaseName)
+	require.NoError(t, err)
+
+	// Set up the namespace; confirm that the template renders the expected value for the namespace.
+	namespaceName := "marklogic-" + strings.ToLower(random.UniqueId())
+	t.Logf("Namespace: %s\n", namespaceName)
+
+	// Setup the args for helm install
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"image.repository":                 "marklogicdb/marklogic-db",
+			"image.tag":                        "latest",
+			"persistence.enabled":              "false",
+			"containerSecurityContext.enabled": "true",
+			"secretName":                       "marklogic-admin-sec-test-admin",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", namespaceName),
+	}
+
+	// render the tempate
+	output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"templates/statefulset.yaml"})
+
+	var statefulset appsv1.StatefulSet
+	helm.UnmarshalK8SYaml(t, output, &statefulset)
+
+	// Verify the name and namespace matches
+	require.Equal(t, namespaceName, statefulset.Namespace)
+
+	// Verify the secret name is passed for MarkLogic admin credentials
+	expectedAdminSecName := "marklogic-admin-sec-test-admin"
+	actualAdminSecName := statefulset.Spec.Template.Spec.Volumes[0].Secret.SecretName
+	require.Equal(t, actualAdminSecName, expectedAdminSecName)
+}
