Add support for external postgres secrets

CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
 
 ## Added
 - Option to override Relay external host in config from [plejik](https://github.com/plejik)
+- Option to provide existing Kubernetes secret for Database credentials
 
 ### Changed
 - Updated Kubernetes labels from [nlamirault](https://github.com/nlamirault)

charts/ztka/README.md

@@ -114,6 +114,14 @@ helm show values paralus/ztka
 | deploy.postgresql.database | string | `""` | Postgresql database name. Required when `deploy.postgresql.enable` is unset and dsn is not specified. |
 | deploy.postgresql.dsn | string | `""` | Postgresql DSN for example, "postgres://user:password@host:5432/db". Required when `deploy.postgresql.enable` is unset and individual components are not specified. Overrides individual components (address, username, password, database) |
 | deploy.postgresql.enable | bool | `false` | Postgresql db is auto deployed and managed by Helm release when true. (It is recommended to manage your own DB instance separately or use DB services like Amazon RDS in production) |
+| deploy.postgresql.existingSecret | object | `{"keys":{"address":"","database":"","dsn":"","password":"","username":""},"name":""}` | Configuration for using an existing Kubernetes secret for database credentials |
+| deploy.postgresql.existingSecret.keys | object | `{"address":"","database":"","dsn":"","password":"","username":""}` | Mapping of database credential keys in the existing secret |
+| deploy.postgresql.existingSecret.keys.address | string | `""` | Key in the secret containing the database address |
+| deploy.postgresql.existingSecret.keys.database | string | `""` | Key in the secret containing the database name |
+| deploy.postgresql.existingSecret.keys.dsn | string | `""` | Key in the secret containing the database DSN |
+| deploy.postgresql.existingSecret.keys.password | string | `""` | Key in the secret containing the database password |
+| deploy.postgresql.existingSecret.keys.username | string | `""` | Key in the secret containing the database username |
+| deploy.postgresql.existingSecret.name | string | `""` | Name of the existing Kubernetes secret containing database credentials |
 | deploy.postgresql.password | string | `""` | Postgresql password. Required when `deploy.postgresql.enable`   is unset and dsn is not specified. |
 | deploy.postgresql.username | string | `""` | Postgresql username. Required when `deploy.postgresql.enable` is unset and dsn is not specified. |
 | elasticsearch.minimumMasterNodes | int | `1` |  |
@@ -173,3 +181,5 @@ helm show values paralus/ztka
 | services.relay | object | `{"name":"relay","ports":[{"containerPort":443,"name":"https"}],"type":"ClusterIP"}` | relay service config |
 | tolerations | list | `[]` |  |
 
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/ztka/docker-compose.yaml

@@ -0,0 +1,8 @@
+version: '3'
+services:
+  unit-test:
+    image: helmunittest/helm-unittest
+    volumes:
+      - ./:/app
+    working_dir: /app
+    entrypoint: helm unittest . -q -f tests/**/*.yml

charts/ztka/templates/_helpers.tpl

@@ -159,6 +159,38 @@ postgres://{{ $username }}:{{ $password }}@{{ $address }}:5432/{{ $database }}?s
 {{- end }}
 
 
+{{/*
+External Secrets Environment Variables
+*/}}
+{{- define "ztka.externalSecretsEnv" -}}
+- name: DB_ADDR
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.deploy.postgresql.existingSecret.name }}
+      key: {{ .Values.deploy.postgresql.existingSecret.keys.address | default "DB_ADDR" }}
+- name: DB_USER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.deploy.postgresql.existingSecret.name }}
+      key: {{ .Values.deploy.postgresql.existingSecret.keys.username | default "DB_USER" }}
+- name: DB_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.deploy.postgresql.existingSecret.name }}
+      key: {{ .Values.deploy.postgresql.existingSecret.keys.password | default "DB_PASSWORD" }}
+- name: DB_NAME
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.deploy.postgresql.existingSecret.name }}
+      key: {{ .Values.deploy.postgresql.existingSecret.keys.database | default "DB_NAME" }}
+- name: DSN
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.deploy.postgresql.existingSecret.name }}
+      key: {{ .Values.deploy.postgresql.existingSecret.keys.dsn | default "DSN" }}
+{{- end }}
+
+
 {{/*
 Get console full-qualified domain.
 */}}

charts/ztka/templates/deployment-paralus.yaml

@@ -45,8 +45,13 @@ spec:
             - name: DSN
               valueFrom:
                 secretKeyRef:
+                  {{- if and .Values.deploy.postgresql.existingSecret.name .Values.deploy.postgresql.existingSecret.keys.dsn }}
+                  name: {{ .Values.deploy.postgresql.existingSecret.name }}
+                  key: {{ .Values.deploy.postgresql.existingSecret.keys.dsn }}
+                  {{- else }}
                   name: paralus-db
                   key: DSN
+                  {{- end }}
           imagePullPolicy: {{ .Values.images.pullPolicy }}
         {{- end }}
         {{- if .Values.paralus.automigrate }}
@@ -58,8 +63,13 @@ spec:
             - name: DSN
               valueFrom:
                 secretKeyRef:
+                  {{- if and .Values.deploy.postgresql.existingSecret.name .Values.deploy.postgresql.existingSecret.keys.dsn }}
+                  name: {{ .Values.deploy.postgresql.existingSecret.name }}
+                  key: {{ .Values.deploy.postgresql.existingSecret.keys.dsn }}
+                  {{- else }}
                   name: paralus-db
                   key: DSN
+                  {{- end }}
           imagePullPolicy: {{ .Values.images.pullPolicy }}
         {{- end }}
         - name: initialize
@@ -75,11 +85,17 @@ spec:
             "-admin-first-name", {{.Values.paralus.initialize.adminFirstName|quote}},
             "-admin-last-name", {{.Values.paralus.initialize.adminLastName|quote}},
              ]
+          {{- if and .Values.deploy.postgresql.existingSecret.name .Values.deploy.postgresql.existingSecret.keys }}
+          env:
+            {{- include "ztka.externalSecretsEnv" . | nindent 14 }}
+          {{- end }}
           envFrom:
           - configMapRef:
               name: paralus-config
+          {{- if not .Values.deploy.postgresql.existingSecret.name }}
           - secretRef:
               name: paralus-db
+          {{- end }}
           imagePullPolicy: {{ .Values.images.pullPolicy }}
       containers:
         - name: paralus-tail
@@ -103,8 +119,14 @@ spec:
           envFrom:
           - configMapRef:
               name: paralus-config
+          {{- if not .Values.deploy.postgresql.existingSecret.name }}
           - secretRef:
               name: paralus-db
+          {{- end }}
+          {{- if and .Values.deploy.postgresql.existingSecret.name .Values.deploy.postgresql.existingSecret.keys }}
+          env:
+            {{- include "ztka.externalSecretsEnv" . | nindent 14 }}
+          {{- end }}
           ports:
             {{- range .Values.services.paralus.ports }}
             - name: {{ .name }}

charts/ztka/templates/deployment-prompt.yaml

@@ -61,8 +61,14 @@ spec:
           envFrom:
           - configMapRef:
               name: prompt-config
+          {{- if not .Values.deploy.postgresql.existingSecret.name }}
           - secretRef:
               name: paralus-db
+          {{- end }}
+          {{- if and .Values.deploy.postgresql.existingSecret.name .Values.deploy.postgresql.existingSecret.keys }}
+          env:
+            {{- include "ztka.externalSecretsEnv" . | nindent 14 }}
+          {{- end }}
           ports:
             {{- range .Values.services.prompt.ports }}
             - name: {{ .name }}

charts/ztka/templates/secret-database.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.deploy.postgresql.existingSecret.name }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,3 +13,4 @@ data:
   DB_PASSWORD: {{ include "ztka.dbPassword" . | b64enc | quote }}
   DB_NAME: {{ include "ztka.dbName" . | b64enc | quote }}
   DSN: {{ include "ztka.dsn" . | b64enc | quote }}
+{{ end }}

charts/ztka/tests/__snapshot__/deployment-paralus.yml.snap

@@ -0,0 +1,209 @@
+should include external secrets env when configured:
+  1: |
+    apiVersion: v1
+    data:
+      AUDIT_LOG_FILE: /audit-logs/audit.log
+      AUDIT_LOG_STORAGE: database
+      CORE_RELAY_CONNECTOR_HOST: '*.core-connector.paralus.local:443'
+      CORE_RELAY_USER_HOST: '*.user.paralus.local:443'
+      DEV: "false"
+      ES_END_POINT: ""
+      ES_INDEX_PREFIX: ralog-system
+      KRATOS_ADDR: http://RELEASE-NAME-kratos-admin
+      KRATOS_PUB_ADDR: http://RELEASE-NAME-kratos-public
+      RELAY_AUDITS_ES_INDEX_PREFIX: ralog-relay
+      RELAY_COMMANDS_ES_INDEX_PREFIX: ralog-prompt
+      RELAY_IMAGE: paralusio/relay:v0.1.8
+      SCHEDULER_NAMESPACE: NAMESPACE
+      SENTRY_BOOTSTRAP_ADDR: console.paralus.local:80
+      SENTRY_PEERING_HOST: paralus:10001
+    kind: ConfigMap
+    metadata:
+      labels:
+        app.kubernetes.io/component: configuration
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: paralus
+        app.kubernetes.io/part-of: paralus
+        app.kubernetes.io/version: v0.2.8
+        helm.sh/chart: ztka-0.2.9
+      name: paralus-config
+  2: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      labels:
+        app.kubernetes.io/component: workload
+        app.kubernetes.io/instance: RELEASE-NAME
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: paralus
+        app.kubernetes.io/part-of: paralus
+        app.kubernetes.io/version: v0.2.8
+        helm.sh/chart: ztka-0.2.9
+      name: paralus
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app.kubernetes.io/instance: RELEASE-NAME
+          app.kubernetes.io/name: paralus
+      template:
+        metadata:
+          annotations:
+            checksum/config: 4297441245c73841ed2a81d95ec8cb57e9f7b769758fb20300507243724937b7
+          labels:
+            app.kubernetes.io/component: workload
+            app.kubernetes.io/instance: RELEASE-NAME
+            app.kubernetes.io/managed-by: Helm
+            app.kubernetes.io/name: paralus
+            app.kubernetes.io/part-of: paralus
+            app.kubernetes.io/version: v0.2.8
+            helm.sh/chart: ztka-0.2.9
+        spec:
+          containers:
+            - command:
+                - sh
+                - -c
+                - tail -F /audit-logs/audit.log 2>/tmp/tail-err
+              image: busybox:latest
+              imagePullPolicy: IfNotPresent
+              name: paralus-tail
+              securityContext: {}
+              volumeMounts:
+                - mountPath: /audit-logs
+                  name: audit-logs
+            - command:
+                - ./paralus
+              env:
+                - name: DB_ADDR
+                  valueFrom:
+                    secretKeyRef:
+                      key: address-key
+                      name: my-external-secret
+                - name: DB_USER
+                  valueFrom:
+                    secretKeyRef:
+                      key: username-key
+                      name: my-external-secret
+                - name: DB_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password-key
+                      name: my-external-secret
+                - name: DB_NAME
+                  valueFrom:
+                    secretKeyRef:
+                      key: database-key
+                      name: my-external-secret
+                - name: DSN
+                  valueFrom:
+                    secretKeyRef:
+                      key: dsn-key
+                      name: my-external-secret
+              envFrom:
+                - configMapRef:
+                    name: paralus-config
+              image: paralusio/paralus:v0.2.8
+              imagePullPolicy: IfNotPresent
+              name: paralus
+              ports:
+                - containerPort: 11000
+                  name: http
+                - containerPort: 10000
+                  name: rpc
+                - containerPort: 10001
+                  name: relay-peering
+              resources: {}
+              securityContext: {}
+              volumeMounts:
+                - mountPath: /audit-logs
+                  name: audit-logs
+          initContainers:
+            - args:
+                - migrate
+                - sql
+                - -e
+                - --yes
+              command:
+                - kratos
+              env:
+                - name: DSN
+                  valueFrom:
+                    secretKeyRef:
+                      key: dsn-key
+                      name: my-external-secret
+              image: paralusio/paralus-init:v0.2.8
+              imagePullPolicy: IfNotPresent
+              name: kratos-automigrate
+            - args:
+                - -path=/data/migrations/admindb
+                - -database
+                - $(DSN)
+                - up
+              command:
+                - migrate
+              env:
+                - name: DSN
+                  valueFrom:
+                    secretKeyRef:
+                      key: dsn-key
+                      name: my-external-secret
+              image: paralusio/paralus-init:v0.2.8
+              imagePullPolicy: IfNotPresent
+              name: migrate-admindb
+            - args:
+                - -partner
+                - Paralus
+                - -partner-desc
+                - Default Partner
+                - -partner-host
+                - paralus.local
+                - -org
+                - ParalusOrg
+                - -org-desc
+                - Default Organization
+                - -admin-email
+                - [email protected]
+                - -admin-first-name
+                - Admin
+                - -admin-last-name
+                - User
+              command:
+                - paralus-init
+              env:
+                - name: DB_ADDR
+                  valueFrom:
+                    secretKeyRef:
+                      key: address-key
+                      name: my-external-secret
+                - name: DB_USER
+                  valueFrom:
+                    secretKeyRef:
+                      key: username-key
+                      name: my-external-secret
+                - name: DB_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: password-key
+                      name: my-external-secret
+                - name: DB_NAME
+                  valueFrom:
+                    secretKeyRef:
+                      key: database-key
+                      name: my-external-secret
+                - name: DSN
+                  valueFrom:
+                    secretKeyRef:
+                      key: dsn-key
+                      name: my-external-secret
+              envFrom:
+                - configMapRef:
+                    name: paralus-config
+              image: paralusio/paralus-init:v0.2.8
+              imagePullPolicy: IfNotPresent
+              name: initialize
+          securityContext: {}
+          serviceAccountName: RELEASE-NAME-ztka
+          volumes:
+            - emptyDir: {}
+              name: audit-logs