feat: Support sourcing database connection details from Kubernetes Secrets

charts/temporal/templates/_admintools-env.yaml

@@ -8,14 +8,43 @@
 {{- $driverConfig = $global.Values.elasticsearch -}}
 {{- end -}}
 {{- if eq $driver "cassandra" -}}
+{{- $eskKeys := $driverConfig.existingSecretKeys | default dict -}}
 - name: CASSANDRA_HOST
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "hosts") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "hosts" }}
+{{- else }}
   value: {{ first (splitList "," (include "temporal.persistence.cassandra.hosts" (list $global $store))) }}
+{{- end }}
 - name: CASSANDRA_PORT
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "port") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "port" }}
+{{- else }}
   value: {{ include "temporal.persistence.cassandra.port" (list $global $store) | quote }}
+{{- end }}
 - name: CASSANDRA_KEYSPACE
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "keyspace") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "keyspace" }}
+{{- else }}
   value: {{ $driverConfig.keyspace }}
+{{- end }}
 - name: CASSANDRA_USER
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "user") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "user" }}
+{{- else }}
   value: {{ $driverConfig.user }}
+{{- end }}
 - name: CASSANDRA_PASSWORD
   valueFrom:
     secretKeyRef:
@@ -34,16 +63,45 @@
     {{- end }}
   {{- end }}
 {{- else if eq $driver "sql" -}}
+{{- $eskKeys := $driverConfig.existingSecretKeys | default dict -}}
 - name: SQL_PLUGIN
   value: {{ include "temporal.persistence.sql.driver" (list $global $store) }}
 - name: SQL_HOST
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "host") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "host" }}
+{{- else }}
   value: {{ include "temporal.persistence.sql.host" (list $global $store) }}
+{{- end }}
 - name: SQL_PORT
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "port") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "port" }}
+{{- else }}
   value: {{ include "temporal.persistence.sql.port" (list $global $store) | quote }}
+{{- end }}
 - name: SQL_DATABASE
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "database") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "database" }}
+{{- else }}
   value: {{ include "temporal.persistence.sql.database" (list $global $store) }}
+{{- end }}
 - name: SQL_USER
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "user") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "user" }}
+{{- else }}
   value: {{ $driverConfig.user }}
+{{- end }}
 - name: SQL_PASSWORD
   valueFrom:
     secretKeyRef:

charts/temporal/templates/_helpers.tpl

@@ -220,8 +220,11 @@ Source: https://stackoverflow.com/a/52024583/3027614
 {{- $store := index . 1 -}}
 {{- $storeConfig := index $global.Values.server.config.persistence $store -}}
 {{- $driverConfig := $storeConfig.cassandra -}}
-{{- with $driverConfig.secretKey -}}
-{{- print . -}}
+{{- $eskKeys := $driverConfig.existingSecretKeys | default dict -}}
+{{- if hasKey $eskKeys "password" -}}
+{{- index $eskKeys "password" -}}
+{{- else if $driverConfig.secretKey -}}
+{{- print $driverConfig.secretKey -}}
 {{- else -}}
 {{/* Cassandra password is optional, but we will create an empty secret for it */}}
 {{- print "password" -}}
@@ -347,7 +350,10 @@ Source: https://stackoverflow.com/a/52024583/3027614
 {{- $store := index . 1 -}}
 {{- $storeConfig := index $global.Values.server.config.persistence $store -}}
 {{- $driverConfig := $storeConfig.sql -}}
-{{- if $driverConfig.secretKey -}}
+{{- $eskKeys := $driverConfig.existingSecretKeys | default dict -}}
+{{- if hasKey $eskKeys "password" -}}
+{{- index $eskKeys "password" -}}
+{{- else if $driverConfig.secretKey -}}
 {{- print $driverConfig.secretKey -}}
 {{- else if or $driverConfig.existingSecret $driverConfig.password -}}
 {{- print "password" -}}
@@ -440,6 +446,101 @@ Usage:
     {{- end }}
 {{- end -}}
 
+{{/*
+Generate env vars for a persistence store's connection params.
+For each field, emit secretKeyRef if existingSecretKeys has the key, else plain value.
+Args: list of ($global, $store)
+*/}}
+{{- define "temporal.persistence.storeEnvVars" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driver := include "temporal.persistence.driver" (list $global $store) -}}
+{{- $prefix := "TEMPORAL_STORE" -}}
+{{- if eq $store "visibility" -}}
+{{- $prefix = "TEMPORAL_VISIBILITY_STORE" -}}
+{{- end -}}
+{{- if eq $driver "sql" -}}
+{{- $driverConfig := $storeConfig.sql -}}
+{{- $eskKeys := $driverConfig.existingSecretKeys | default dict -}}
+- name: {{ $prefix }}_HOST
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "host") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "host" }}
+{{- else }}
+  value: {{ include "temporal.persistence.sql.host" (list $global $store) | quote }}
+{{- end }}
+- name: {{ $prefix }}_PORT
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "port") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "port" }}
+{{- else }}
+  value: {{ include "temporal.persistence.sql.port" (list $global $store) | quote }}
+{{- end }}
+- name: {{ $prefix }}_USER
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "user") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "user" }}
+{{- else }}
+  value: {{ include "temporal.persistence.sql.user" (list $global $store) | quote }}
+{{- end }}
+- name: {{ $prefix }}_DATABASE
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "database") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "database" }}
+{{- else }}
+  value: {{ include "temporal.persistence.sql.database" (list $global $store) | quote }}
+{{- end }}
+{{- else if eq $driver "cassandra" -}}
+{{- $driverConfig := $storeConfig.cassandra -}}
+{{- $eskKeys := $driverConfig.existingSecretKeys | default dict -}}
+- name: {{ $prefix }}_HOSTS
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "hosts") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "hosts" }}
+{{- else }}
+  value: {{ include "temporal.persistence.cassandra.hosts" (list $global $store) | quote }}
+{{- end }}
+- name: {{ $prefix }}_PORT
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "port") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "port" }}
+{{- else }}
+  value: {{ include "temporal.persistence.cassandra.port" (list $global $store) | quote }}
+{{- end }}
+- name: {{ $prefix }}_USER
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "user") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "user" }}
+{{- else }}
+  value: {{ $driverConfig.user | quote }}
+{{- end }}
+- name: {{ $prefix }}_KEYSPACE
+{{- if and $driverConfig.existingSecret (hasKey $eskKeys "keyspace") }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $driverConfig.existingSecret }}
+      key: {{ index $eskKeys "keyspace" }}
+{{- else }}
+  value: {{ $driverConfig.keyspace | quote }}
+{{- end }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 To modify camelCase to hyphenated internal-frontend service name
 */}}

charts/temporal/templates/server-configmap.yaml

@@ -22,22 +22,24 @@ data:
         default:
           {{- if eq (include "temporal.persistence.driver" (list $ "default")) "cassandra" }}
           cassandra:
-            hosts: "{{ include "temporal.persistence.cassandra.hosts" (list $ "default") }}"
-            port: {{ include "temporal.persistence.cassandra.port" (list $ "default") }}
+            hosts: "{{ `{{ .Env.TEMPORAL_STORE_HOSTS }}` }}"
+            port: {{ `{{ .Env.TEMPORAL_STORE_PORT }}` }}
+            user: {{ `{{ .Env.TEMPORAL_STORE_USER }}` }}
+            keyspace: {{ `{{ .Env.TEMPORAL_STORE_KEYSPACE }}` }}
             password: {{ `{{ .Env.TEMPORAL_STORE_PASSWORD | quote }}` }}
-            {{- with (omit $server.config.persistence.default.cassandra "hosts" "port" "password" "existingSecret") }}
+            {{- with (omit $server.config.persistence.default.cassandra "hosts" "port" "user" "keyspace" "password" "existingSecret" "existingSecretKeys") }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- else if eq (include "temporal.persistence.driver" (list $ "default")) "sql" }}
           sql:
             pluginName: "{{ include "temporal.persistence.sql.driver" (list $ "default") }}"
             driverName: "{{ include "temporal.persistence.sql.driver" (list $ "default") }}"
-            databaseName: "{{ $server.config.persistence.default.sql.database }}"
-            connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "default") }}:{{ include "temporal.persistence.sql.port" (list $ "default") }}"
+            databaseName: {{ `{{ .Env.TEMPORAL_STORE_DATABASE | quote }}` }}
+            connectAddr: "{{ `{{ .Env.TEMPORAL_STORE_HOST }}` }}:{{ `{{ .Env.TEMPORAL_STORE_PORT }}` }}"
             connectProtocol: "tcp"
-            user: {{ include "temporal.persistence.sql.user" (list $ "default") }}
+            user: {{ `{{ .Env.TEMPORAL_STORE_USER }}` }}
             password: {{ `{{ .Env.TEMPORAL_STORE_PASSWORD | quote }}` }}
-            {{- with (omit $server.config.persistence.default.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret") }}
+            {{- with (omit $server.config.persistence.default.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret" "existingSecretKeys") }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- end }}
@@ -69,12 +71,12 @@ data:
           sql:
             pluginName: "{{ include "temporal.persistence.sql.driver" (list $ "visibility") }}"
             driverName: "{{ include "temporal.persistence.sql.driver" (list $ "visibility") }}"
-            databaseName: "{{ $server.config.persistence.visibility.sql.database }}"
-            connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "visibility") }}:{{ include "temporal.persistence.sql.port" (list $ "visibility") }}"
+            databaseName: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_DATABASE | quote }}` }}
+            connectAddr: "{{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_HOST }}` }}:{{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PORT }}` }}"
             connectProtocol: "tcp"
-            user: "{{ include "temporal.persistence.sql.user" (list $ "visibility") }}"
+            user: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_USER }}` }}
             password: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PASSWORD  | quote }}` }}
-            {{- with (omit $server.config.persistence.visibility.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret") }}
+            {{- with (omit $server.config.persistence.visibility.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret" "existingSecretKeys") }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
         {{- end }}

charts/temporal/templates/server-deployment.yaml

@@ -91,13 +91,15 @@ spec:
                 secretKeyRef:
                   name: {{ include "temporal.persistence.secretName" (list $ "default") }}
                   key: {{ include "temporal.persistence.secretKey" (list $ "default") }}
+            {{- include "temporal.persistence.storeEnvVars" (list $ "default") | nindent 12 }}
             {{- end }}
             {{- if ne (include "temporal.persistence.driver" (list $ "visibility")) "custom" }}
             - name: TEMPORAL_VISIBILITY_STORE_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ include "temporal.persistence.secretName" (list $ "visibility") }}
                   key: {{ include "temporal.persistence.secretKey" (list $ "visibility") }}
+            {{- include "temporal.persistence.storeEnvVars" (list $ "visibility") | nindent 12 }}
             {{- end }}
           {{- if and (hasKey $.Values.server "internalFrontend") $.Values.server.internalFrontend.enabled }}
             - name: USE_INTERNAL_FRONTEND

charts/temporal/templates/server-job.yaml

@@ -58,7 +58,7 @@ spec:
           image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}"
           imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }}
               {{- if eq $driver "cassandra" }}
-          command: ['temporal-cassandra-tool', 'create', '-k', '{{ $storeConfig.cassandra.keyspace }}', '--replication-factor', '{{ $storeConfig.cassandra.replicationFactor }}'{{- if $storeConfig.cassandra.datacenter }}, '--datacenter', '{{ $storeConfig.cassandra.datacenter }}'{{- end }}]
+          command: ['temporal-cassandra-tool', 'create', '-k', '$(CASSANDRA_KEYSPACE)', '--replication-factor', '{{ $storeConfig.cassandra.replicationFactor }}'{{- if $storeConfig.cassandra.datacenter }}, '--datacenter', '{{ $storeConfig.cassandra.datacenter }}'{{- end }}]
               {{- else if eq $driver "sql" }}
           command: ['temporal-sql-tool', 'create-database']
               {{- end }}