Allow more granular control for secrets (#15)

As it is, it's somewhat annoying to use some secrets and not others since the current mechanism to use external secrets is all-or-nothing with a whole block of env vars.

This allows you to optionally use:

- config.licenseKeySecretName instead of config.licenseKey
- config.jwtSecretSecretName instead of config.jwtSecret
- config.encryptionKeySecretName instead of config.encryptionKey
- config.auth.google.clientSecretSecretName instead of config.auth.google.clientSecret
- config.postgresql.passwordSecretName instead of config.postgresql.password

In all of these instances, the alternative <x>SecretName allows you to specify the name of the k8s secret as an alternative to hardcoding the secrets into values and having the chart put them in secrets.

Author: rhinon

templates/deployment_backend.yaml

@@ -67,18 +67,33 @@ spec:
           - name: LICENSE_KEY
             valueFrom:
               secretKeyRef:
+                {{- if .Values.config.licenseKeySecretName }}
+                name: {{ .Values.config.licenseKeySecretName }}
+                key: {{ .Values.config.licenseKeySecretKey | default "license-key" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: license-key
+                {{- end }}
           - name: JWT_SECRET
             valueFrom:
               secretKeyRef:
+                {{- if .Values.config.jwtSecretName }}
+                name: {{ .Values.config.jwtSecretName }}
+                key: {{ .Values.config.jwtSecretKey | default "jwt-secret" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: jwt-secret
+                {{- end }}
           - name: ENCRYPTION_KEY
             valueFrom:
               secretKeyRef:
+                {{- if .Values.config.encryptionKeySecretName }}
+                name: {{ .Values.config.encryptionKeySecretName }}
+                key: {{ .Values.config.encryptionKeySecretKey | default "encryption-key" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: encryption-key
+                {{- end }}
           - name: POSTGRES_USER
             value: {{ template "retool.postgresql.user" . }}
           - name: POSTGRES_SSL_ENABLED
@@ -88,17 +103,28 @@ spec:
               secretKeyRef:
           {{- if  .Values.postgresql.enabled }}
                 name: {{ template "retool.postgresql.fullname" . }}
-          {{- else  }}
+                key: postgresql-password
+          {{- else }}
+                {{- if .Values.config.postgresql.passwordSecretName }}
+                name: {{ .Values.config.postgresql.passwordSecretName }}
+                key: {{ .Values.config.postgresql.passwordSecretKey | default "postgresql-password" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
-          {{- end }}
                 key: postgresql-password
+                {{- end }}
+          {{- end }}
           - name: CLIENT_ID
             value: {{ default "" .Values.config.auth.google.clientId }}
           - name: CLIENT_SECRET
             valueFrom:
               secretKeyRef:
+                {{- if .Values.config.auth.google.clientSecretSecretName }}
+                name: {{ .Values.config.auth.google.clientSecretSecretName }}
+                key: {{ .Values.config.auth.google.clientSecretSecretKey | default "google-client-secret" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: google-client-secret
+                {{- end }}
           - name: RESTRICTED_DOMAIN
             value: {{ default "" .Values.config.auth.google.domain }}
           {{- end }}

templates/deployment_jobs.yaml

@@ -68,36 +68,62 @@ spec:
           - name: LICENSE_KEY
             valueFrom:
               secretKeyRef:
+                {{- if .Values.config.licenseKeySecretName }}
+                name: {{ .Values.config.licenseKeySecretName }}
+                key: {{ .Values.config.licenseKeySecretKey | default "license-key" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: license-key
+                {{- end }}
           - name: JWT_SECRET
             valueFrom:
               secretKeyRef:
+                {{- if .Values.config.jwtSecretName }}
+                name: {{ .Values.config.jwtSecretName }}
+                key: {{ .Values.config.jwtSecretKey | default "jwt-secret" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: jwt-secret
+                {{- end }}
           - name: ENCRYPTION_KEY
             valueFrom:
               secretKeyRef:
+                {{- if .Values.config.encryptionKeySecretName }}
+                name: {{ .Values.config.encryptionKeySecretName }}
+                key: {{ .Values.config.encryptionKeySecretKey | default "encryption-key" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: encryption-key
+                {{- end }}
           - name: POSTGRES_USER
             value: {{ template "retool.postgresql.user" . }}
           - name: POSTGRES_PASSWORD
             valueFrom:
               secretKeyRef:
           {{- if  .Values.postgresql.enabled }}
                 name: {{ template "retool.postgresql.fullname" . }}
-          {{- else  }}
+                key: postgresql-password
+          {{- else }}
+                {{- if .Values.config.postgresql.passwordSecretName }}
+                name: {{ .Values.config.postgresql.passwordSecretName }}
+                key: {{ .Values.config.postgresql.passwordSecretKey | default "postgresql-password" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
-          {{- end }}
                 key: postgresql-password
+                {{- end }}
+          {{- end }}
           - name: CLIENT_ID
             value: {{ default "" .Values.config.auth.google.clientId }}
           - name: CLIENT_SECRET
             valueFrom:
               secretKeyRef:
+                {{- if .Values.config.auth.google.clientSecretSecretName }}
+                name: {{ .Values.config.auth.google.clientSecretSecretName }}
+                key: {{ .Values.config.auth.google.clientSecretSecretKey | default "google-client-secret" }}
+                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: google-client-secret
+                {{- end }}
           - name: RESTRICTED_DOMAIN
             value: {{ default "" .Values.config.auth.google.domain }}
           {{- end }}

templates/secret.yaml

@@ -11,7 +11,7 @@ metadata:
 {{- end }}
 type: Opaque
 data:
-  license-key: {{ .Values.config.licenseKey | b64enc | quote }}
+  license-key: {{ .Values.config.licenseKey | default "" | b64enc | quote }}
 
   {{ if .Values.config.jwtSecret }}
   jwt-secret: {{ .Values.config.jwtSecret | b64enc | quote }}
@@ -26,9 +26,9 @@ data:
   {{ end }}
 
   {{ if .Values.config.auth.google.clientSecret }}
-  google-client-secret: {{ .Values.config.auth.google.clientSecret | b64enc |quote }}
+  google-client-secret: {{ .Values.config.auth.google.clientSecret | b64enc | quote }}
   {{ else  }}
-  google-client-secret: "" 
+  google-client-secret: ""
   {{ end }}
 
   {{ if not .Values.postgresql.enabled }}

values.yaml

@@ -3,14 +3,30 @@
 
 config:
   licenseKey: "EXPIRED-LICENSE-KEY-TRIAL"
+  # licenseKeySecretName is the name of the secret where the Retool license key is stored (can be used instead of licenseKey)
+  # licenseKeySecretName:
+  # licenseKeySecretKey is the key in the k8s secret, default: license-key
+  # licenseKeySecretKey:
   useInsecureCookies: true
   auth:
     google:
       clientId:
       clientSecret:
+      # clientSecretSecretName is the name of the secret where the google client secret is stored (can be used instead of clientSecret)
+      # clientSecretSecretName:
+      # clientSecretSecretKey is the key in the k8s secret, default: google-client-secret
+      # clientSecretSecretKey:
       domain:
   encryptionKey:
+  # encryptionKeySecretName is the name of the secret where the encryption key is stored (can be used instead of encryptionKey)
+  # encryptionKeySecretName:
+  # encryptionKeySecretKey is the key in the k8s secret, default: encryption-key
+  # encryptionKeySecretKey:
   jwtSecret:
+  # jwtSecretSecretName is the name of the secret where the jwt secret is stored (can be used instead of jwtSecret)
+  # jwtSecretSecretName:
+  # jwtSecretSecretKey is the key in the k8s secret, default: jwt-secret
+  # jwtSecretSecretKey:
 
   postgresql: {}
     # Specify if postgresql subchart is disabled
@@ -19,6 +35,10 @@ config:
     # db:
     # user:
     # password:
+    # passwordSecretName is the name of the secret where the pg password is stored (can be used instead of password)
+    # passwordSecretName:
+    # passwordSecretKey is the key in the k8s secret, default: postgresql-password
+    # passwordSecretKey:
 
 image:
   repository: "tryretool/backend"