US-559800: Simplify Secrets creation in Pega helm charts (#632)

* US-559800: Simplify Secrets creation in Pega helm charts Co-authored-by: rajuu <[email protected]> Co-authored-by: MadhuriArugula <[email protected]>
pegasystems · Sep 21, 2023 · 97fe723 · 97fe723
1 parent ae608f1
commit 97fe723
Show file tree

Hide file tree

Showing 40 changed files with 953 additions and 770 deletions.
diff --git a/charts/pega/charts/hazelcast/templates/_helpers.tpl b/charts/pega/charts/hazelcast/templates/_helpers.tpl
@@ -36,22 +36,21 @@
   projected:
     defaultMode: 420
     sources:
-    - secret:
-        name: {{ template "pegaCredentialsSecret" $ }}
-  {{ if ((.Values.global.jdbc).external_secret_name) }}
-    - secret:
-        name: {{ .Values.global.jdbc.external_secret_name }}
-  {{- end }}
-  {{ if (.Values.external_secret_name)}}
-    - secret:
-        name: {{ .Values.external_secret_name }}
-  {{- end }}
-  {{ if ((.Values.global.customArtifactory.authentication).external_secret_name) }}
-    - secret:
-        name: {{ .Values.global.customArtifactory.authentication.external_secret_name }}
-  {{- end }}
+    {{- $d := dict "deploySecret" "deployHzServerSecret" "deployNonExtsecret" "deployNonExtHzServerSecret" "extSecretName" .Values.external_secret_name "nonExtSecretName" "pega-hz-secret-name" "context" $ -}}
+    {{ include "secretResolver" $d | indent 4}}
 {{- end}}
 
+{{- define "deployHzServerSecret" -}}
+true
+{{- end }}
+
+{{- define "deployNonExtHzServerSecret" }}
+{{- if and (eq (include "deployHzServerSecret" .) "true") (not (.Values).external_secret_name) -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
 
 # Override this template to generate additional pod annotations that are dynamically composed during helm deployment (do not indent annotations)
 {{- define "generatedHazelcastServicePodAnnotations" }}
@@ -84,4 +83,4 @@
   {{- else -}}
     false
   {{- end -}}
-{{- end }}
+{{- end }}
diff --git a/charts/pega/charts/hazelcast/templates/_supplemental.tpl b/charts/pega/charts/hazelcast/templates/_supplemental.tpl
@@ -1,14 +1,17 @@
 {{- /*
 deploymentName
-pegaCredentialsSecret
 pegaRegistrySecret
 imagePullSecrets
-pegaCredentialVolumeTemplate
 pegaVolumeCredentials
 customArtifactorySSLVerificationEnabled
 performDeployment
 performInstallAndDeployment
-performUpgradeAndDeployment are copied from pega/templates/_helpers.tpl because helm lint requires
+performUpgradeAndDeployment
+pega-db-secret-name
+pega-hz-secret-name
+deployDBSecret
+deployNonExtDBSecret
+secretResolver are copied from pega/templates/_helpers.tpl because helm lint requires
 charts to render standalone. See: https://github.com/helm/helm/issues/11260 for more details.
 */}}
 
@@ -17,11 +20,6 @@ charts to render standalone. See: https://github.com/helm/helm/issues/11260 for
 
 {{- define "pegaVolumeCredentials" }}pega-volume-credentials{{- end }}
 
-{{- define "pegaCredentialsSecret" }}
-{{- $depName := printf "%s" (include "deploymentName" $) -}}
-{{- $depName -}}-credentials-secret
-{{- end }}
-
 {{- define "initContainerResources" }}
   resources:
     # Resources requests/limits for initContainers
@@ -33,35 +31,6 @@ charts to render standalone. See: https://github.com/helm/helm/issues/11260 for
       memory: 64Mi
 {{- end }}
 
-{{- define "pegaCredentialVolumeTemplate" }}
-- name: {{ template "pegaVolumeCredentials" }}
-  projected:
-    defaultMode: 420
-    sources:
-    - secret:
-        name: {{ template "pegaCredentialsSecret" $ }}
-  {{ if ((.Values.global.jdbc).external_secret_name) }}
-    - secret:
-        name: {{ .Values.global.jdbc.external_secret_name }}
-  {{- end }}
-  {{ if ((.Values.hazelcast).external_secret_name)}}
-    - secret:
-        name: {{ .Values.hazelcast.external_secret_name }}
-  {{- end }}
-  {{ if ((.Values.global.customArtifactory.authentication).external_secret_name) }}
-    - secret:
-        name: {{ .Values.global.customArtifactory.authentication.external_secret_name }}
-  {{- end }}
-  {{ if ((.Values.dds).external_secret_name)}}
-    - secret:
-        name: {{ .Values.dds.external_secret_name }}
-  {{- end }}
-  {{ if ((.Values.stream).external_secret_name)}}
-    - secret:
-        name: {{ .Values.stream.external_secret_name }}
-  {{- end }}
-{{- end}}
-
 {{- define "customArtifactorySSLVerificationEnabled" }}
 {{- if (.Values.global.customArtifactory) }}
 {{- if (.Values.global.customArtifactory.enableSSLVerification) }}
@@ -113,4 +82,37 @@ false
   {{- else -}}
     false
   {{- end -}}
-{{- end }}
+{{- end }}
+
+{{- define "pega-db-secret-name" }}
+{{- $depName := printf "%s" (include "deploymentName" $) -}}
+{{- $depName -}}-db-secret
+{{- end -}}
+
+{{- define "pega-hz-secret-name" }}
+{{- $depName := printf "%s" (include "deploymentName" $) -}}
+{{- $depName -}}-hz-secret
+{{- end -}}
+
+{{- define "deployDBSecret" -}} 
+true
+{{- end }}
+
+{{- define "deployNonExtDBSecret" }}
+{{- if and (eq (include "deployDBSecret" .) "true") (not (.Values.global.jdbc).external_secret_name) -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+
+{{- define "secretResolver" }}
+{{- if (eq (include .deploySecret .context) "true") }}
+- secret:
+{{- if (eq (include .deployNonExtsecret .context) "true") }}
+    name: {{ include .nonExtSecretName .context}}
+{{- else }}
+    name: {{ .extSecretName }}
+{{- end -}}
+{{- end -}}
+{{- end  -}}
diff --git a/charts/pega/charts/installer/templates/_helpers.tpl b/charts/pega/charts/installer/templates/_helpers.tpl
@@ -249,4 +249,6 @@ currentFunctionPath=SYSIBM,SYSFUN,{{ include "resolvedDataSchema" . | upper }}
   {{- $webTierServiceName = printf "%s-web" $depName }}
 {{- end }}
 {{- $protocol }}://{{- $webTierServiceName -}}:{{- $port -}}/{{- $webAppContextPath -}}/PRRestService
-{{- end }}
+{{- end }}
+
+{{- define "pegaInstallerCredentialsVolume" }}pega-installer-credentials-volume{{- end }}
diff --git a/charts/pega/charts/installer/templates/_pega-installer-job.tpl b/charts/pega/charts/installer/templates/_pega-installer-job.tpl
@@ -50,8 +50,19 @@ spec:
 {{- end }}
 {{- if .root.Values.custom }}{{- if .root.Values.custom.volumes }}
 {{ toYaml .root.Values.custom.volumes | indent 6 }}          
-{{- end }}{{- end }}  
-{{- include "pegaCredentialVolumeTemplate" .root | indent 6 }}
+{{- end }}{{- end }}
+      - name: {{ template "pegaInstallerCredentialsVolume" }}
+        projected:
+          defaultMode: 420
+          sources:
+          {{- $d := dict "deploySecret" "deployDBSecret" "deployNonExtsecret" "deployNonExtDBSecret" "extSecretName" .root.Values.global.jdbc.external_secret_name "nonExtSecretName" "pega-db-secret-name" "context" .root  -}}
+          {{ include "secretResolver" $d | indent 10}}
+
+          # Fix it, Below peace of code always uses secret created from hz username & password. It cannot resolve hz external secret due to helm sub chart limitations. Modify it once hazelcast deployment is isolated.
+          {{- if ( eq .root.Values.upgrade.isHazelcastClientServer "true" ) }}
+          - secret:
+              name: {{ include  "pega-hz-secret-name" .root}}
+          {{- end }}
       - name: {{ template "pegaVolumeInstall" }}
         configMap:
           # This name will be referred in the volume mounts kind.
@@ -99,7 +110,7 @@ spec:
         # The given mountpath is mapped to volume with the specified name.  The config map files are mounted here.
         - name: {{ template "pegaVolumeInstall" }}
           mountPath: "/opt/pega/config"
-        - name: {{ template "pegaVolumeCredentials" }}
+        - name: {{ template "pegaInstallerCredentialsVolume" }}
           mountPath: "/opt/pega/secrets"
 {{- if and .root.Values.distributionKitVolumeClaimName (not .root.Values.distributionKitURL) }}          
         - name: {{ template "pegaDistributionKitVolume" }}

diff --git a/charts/pega/charts/installer/templates/_supplemental.tpl b/charts/pega/charts/installer/templates/_supplemental.tpl
@@ -1,14 +1,17 @@
 {{- /*
 deploymentName
-pegaCredentialsSecret
 pegaRegistrySecret
 imagePullSecrets
-pegaCredentialVolumeTemplate
 pegaVolumeCredentials
 customArtifactorySSLVerificationEnabled
 performDeployment
 performInstallAndDeployment
-performUpgradeAndDeployment are copied from pega/templates/_helpers.tpl because helm lint requires
+performUpgradeAndDeployment
+pega-db-secret-name
+pega-hz-secret-name
+deployDBSecret
+deployNonExtDBSecret
+secretResolver are copied from pega/templates/_helpers.tpl because helm lint requires
 charts to render standalone. See: https://github.com/helm/helm/issues/11260 for more details.
 */}}
 
@@ -17,11 +20,6 @@ charts to render standalone. See: https://github.com/helm/helm/issues/11260 for
 
 {{- define "pegaVolumeCredentials" }}pega-volume-credentials{{- end }}
 
-{{- define "pegaCredentialsSecret" }}
-{{- $depName := printf "%s" (include "deploymentName" $) -}}
-{{- $depName -}}-credentials-secret
-{{- end }}
-
 {{- define "initContainerResources" }}
   resources:
     # Resources requests/limits for initContainers
@@ -33,35 +31,6 @@ charts to render standalone. See: https://github.com/helm/helm/issues/11260 for
       memory: 64Mi
 {{- end }}
 
-{{- define "pegaCredentialVolumeTemplate" }}
-- name: {{ template "pegaVolumeCredentials" }}
-  projected:
-    defaultMode: 420
-    sources:
-    - secret:
-        name: {{ template "pegaCredentialsSecret" $ }}
-  {{ if ((.Values.global.jdbc).external_secret_name) }}
-    - secret:
-        name: {{ .Values.global.jdbc.external_secret_name }}
-  {{- end }}
-  {{ if ((.Values.hazelcast).external_secret_name)}}
-    - secret:
-        name: {{ .Values.hazelcast.external_secret_name }}
-  {{- end }}
-  {{ if ((.Values.global.customArtifactory.authentication).external_secret_name) }}
-    - secret:
-        name: {{ .Values.global.customArtifactory.authentication.external_secret_name }}
-  {{- end }}
-  {{ if ((.Values.dds).external_secret_name)}}
-    - secret:
-        name: {{ .Values.dds.external_secret_name }}
-  {{- end }}
-  {{ if ((.Values.stream).external_secret_name)}}
-    - secret:
-        name: {{ .Values.stream.external_secret_name }}
-  {{- end }}
-{{- end}}
-
 {{- define "customArtifactorySSLVerificationEnabled" }}
 {{- if (.Values.global.customArtifactory) }}
 {{- if (.Values.global.customArtifactory.enableSSLVerification) }}
@@ -113,4 +82,37 @@ false
   {{- else -}}
     false
   {{- end -}}
-{{- end }}
+{{- end }}
+
+{{- define "pega-db-secret-name" }}
+{{- $depName := printf "%s" (include "deploymentName" $) -}}
+{{- $depName -}}-db-secret
+{{- end -}}
+
+{{- define "pega-hz-secret-name" }}
+{{- $depName := printf "%s" (include "deploymentName" $) -}}
+{{- $depName -}}-hz-secret
+{{- end -}}
+
+{{- define "deployDBSecret" -}} 
+true
+{{- end }}
+
+{{- define "deployNonExtDBSecret" }}
+{{- if and (eq (include "deployDBSecret" .) "true") (not (.Values.global.jdbc).external_secret_name) -}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end -}}
+
+{{- define "secretResolver" }}
+{{- if (eq (include .deploySecret .context) "true") }}
+- secret:
+{{- if (eq (include .deployNonExtsecret .context) "true") }}
+    name: {{ include .nonExtSecretName .context}}
+{{- else }}
+    name: {{ .extSecretName }}
+{{- end -}}
+{{- end -}}
+{{- end  -}}