diff --git a/charts/traction/Chart.yaml b/charts/traction/Chart.yaml
index d95daba9f..53d4e178a 100644
--- a/charts/traction/Chart.yaml
+++ b/charts/traction/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: traction
 description: The Traction service allows organizations to verify, hold, and issue verifiable credentials. The Traction Tenant UI allows tenants to manage their agent.
 type: application
-version: 0.3.4
+version: 0.3.3
 appVersion: 0.5.1
 home: "https://github.com/bcgov/traction"
 sources: ["https://github.com/bcgov/traction"]
diff --git a/charts/traction/README.md b/charts/traction/README.md
index a4bd89807..b4300af2d 100644
--- a/charts/traction/README.md
+++ b/charts/traction/README.md
@@ -1,6 +1,6 @@
 # Traction
-![version: 0.3.4](https://img.shields.io/badge/Version-0.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.1](https://img.shields.io/badge/AppVersion-0.5.1-informational?style=flat-square)
+![version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.1](https://img.shields.io/badge/AppVersion-0.5.1-informational?style=flat-square)
 The Traction service allows organizations to verify, hold, and issue verifiable credentials. 
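Review bot: `version` moves backwards from 0.3.4 to 0.3.3 while the same commit adds a new Secret template, changes the default secret key names and renames the PostgreSQL database; a Helm repository index orders 0.3.3 below the already-published 0.3.4, so `helm upgrade` without an explicit `--version` will not pick this change up, and the downgrade hides what is effectively a breaking change. Bump instead, for example `version: 0.4.0` (a constructed example — choose per the project's release process), and keep the README badge in the next hunk in step with it.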
@@ -52,12 +52,6 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release
 ## Parameters
-| Name | Description | Value |
-| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------ |
-| `nameOverride` | String to override the helm chart name, second part of the prefix | '""' |
-| `fullnameOverride` | String to fully override the helm chart name, full prefix. ***Must be set when using a custom release name that does not include the word traction.*** | '""' |
-| `ingressSuffix` | Domain suffix to be used for default hostpaths in ingress | `-dev.example.com` |
-
 ### Acapy Configuration
 | Name | Description | Value | 
@@ -132,16 +126,14 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release
 ### Wallet Storage Credentials
-| Name | Description | Value |
-| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- |
-| `acapy.walletStorageCredentials.json` | Raw json with database credentials. Overrides all other values including postgres subchart values. e.g.: '{"account":"postgres","password":"mysecretpassword","admin_account":"postgres","admin_password":"mysecretpassword"}' | `""` |
-| `acapy.walletStorageCredentials.account` | Database account name. | `""` |
-| `acapy.walletStorageCredentials.password` | Database password. | `""` |
-| `acapy.walletStorageCredentials.admin_account` | Database account with CREATEDB role used to create additional databases per wallet. | `postgres` |
-| `acapy.walletStorageCredentials.admin_password` | Database password for admin account. | `""` |
-| `acapy.walletStorageCredentials.existingSecret` | Name of an existing secret containing database user, password, and admin password. | `""` |
-| `acapy.walletStorageCredentials.secretKeys.adminPasswordKey` | Key in existing secret containing admin account password. | `postgres-password` |
-| `acapy.walletStorageCredentials.secretKeys.userPasswordKey` | Key in existing secret containing account password. | `password` |
+| Name | Description | Value |
+| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------- |
+| `acapy.walletStorageCredentials.json` | Raw json with database credentials. 
Overrides all other values including postgres subchart values. e.g.: '{"account":"postgres","password":"mysecretpassword","admin_account":"postgres","admin_password":"mysecretpassword"}' | `""` |
+| `acapy.walletStorageCredentials.account` | Database account name. | `""` |
+| `acapy.walletStorageCredentials.password` | Database password. | `""` |
+| `acapy.walletStorageCredentials.admin_account` | Database account with CREATEDB role used to create additional databases per wallet. | `postgres` |
+| `acapy.walletStorageCredentials.admin_password` | Database password for admin account. | `""` |
+| `acapy.walletStorageCredentials.existingSecret` | Name of an existing secret containing 'database-user', 'database-password', 'admin-password' keys.
 ### Multitenancy Configuration
@@ -341,7 +333,7 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release
 | `ui.oidc.extraQueryParams` | OIDC client login additional parameters | `{}` |
 | `ui.smtp.server` | SMTP server | `""` |
 | `ui.smtp.port` | SMTP port | `25` |
-| `ui.smtp.secure` | If true the connection will use TLS when connecting to server. If false (the default) then TLS is used if server supports the STARTTLS extension. In most cases set this value to true if you are connecting to port 465. For port 587 or 25 keep it false | `false` |
+| `ui.smtp.secure` | if true the connection will use TLS when connecting to server. If false (the default) then TLS is used if server supports the STARTTLS extension. In most cases set this value to true if you are connecting to port 465. For port 587 or 25 keep it false | `false` |
 | `ui.smtp.user` | SMTP user (Requires setting `ui.existingSecret` with the name of a secret containing `SERVER_SMTP_PASSWORD`) | `""` |
 | `ui.smtp.senderAddress` | SMTP sender address | `""` |
 | `ui.smtp.innkeeperInbox` | innkeeper notification inbox | `""` | 
@@ -396,25 +388,29 @@ kubectl delete secret,pvc --selector "app.kubernetes.io/instance"=my-release
 ### PostgreSQL parameters
-| Name | Description | Value |
-| ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
-| `postgresql.enabled` | Deploy Bitnami PostgreSQL chart. | `true` |
-| `postgresql.fullnameOverride` | When overriding fullnameOverride, you must override this to match. | `""` |
-| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
-| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user. Not recommended for production deployment. | `true` |
-| `postgresql.auth.database` | Name for a custom database to create | `traction` |
-| `postgresql.auth.username` | Name for a custom user to create | `acapy` |
-| `postgresql.primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` |
-| `postgresql.primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `1Gi` |
-| `postgresql.primary.containerSecurityContext.enabled` | Enable container security context | `false` |
-| `postgresql.primary.podSecurityContext.enabled` | Enable security context | `false` |
-| `postgresql.primary.resources.limits.memory` | The memory limit for the PostgreSQL Primary containers | `2600Mi` |
-| `postgresql.primary.resources.limits.cpu` | The cpu limit for the PostgreSQL Primary containers | `600m` |
-| `postgresql.primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `1300Mi` |
-| `postgresql.primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `300m` |
-| `postgresql.primary.service.ports.postgresql` | PostgreSQL service port | `5432` |
-| 
`postgresql.primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `max_connections = 500` |
-| `postgresql-ha.enabled` | Deploy HA PostgreSQL chart. Not currently supported, provided for future use. | `false` |
+| Name | Description | Value |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- |
+| `postgresql.enabled` | Deploy Bitnami PostgreSQL chart. | `true` |
+| `postgresql.fullnameOverride` | When overriding fullnameOverride, you must override this to match. | `""` |
+| `postgresql.architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
+| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` |
+| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `postgresql.auth.postgresPassword`, `postgresql.auth.password`, and `postgresql.auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `{{ include "global.fullname" . }}` |
+| `postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `admin-password` |
+| `postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. 
Only used when `auth.existingSecret` is set. | `database-password` |
+| `postgresql.auth.database` | Name for a custom database to create | `traction` |
+| `postgresql.auth.username` | Name for a custom user to create | `acapy` |
+| `postgresql.primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` |
+| `postgresql.primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `1Gi` |
+| `postgresql.primary.containerSecurityContext.enabled` | Enable container security context | `false` |
+| `postgresql.primary.podSecurityContext.enabled` | Enable security context | `false` |
+| `postgresql.primary.resources.limits.memory` | The memory limit for the PostgreSQL Primary containers | `2600Mi` |
+| `postgresql.primary.resources.limits.cpu` | The cpu limit for the PostgreSQL Primary containers | `600m` |
+| `postgresql.primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `1300Mi` |
+| `postgresql.primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `300m` |
+| `postgresql.primary.service.ports.postgresql` | PostgreSQL service port | `5432` |
+| `postgresql.primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `max_connections = 500 |
+| ` |
+| `postgresql-ha.enabled` | Deploy HA PostgreSQL chart. Not currently supported, provided for future use. | `false` |
 ## Maintainers
diff --git a/charts/traction/templates/_helpers.tpl b/charts/traction/templates/_helpers.tpl
index ff7c2d639..39c4d617d 100755
--- a/charts/traction/templates/_helpers.tpl
+++ b/charts/traction/templates/_helpers.tpl
@@ -79,6 +79,15 @@ it randomly.
 {{- end -}}
 {{- end }}
+{{/*
+Return true if a database secret should be created
+*/}}
+{{- define "acapy.database.createSecret" -}}
+{{- if not .Values.acapy.walletStorageCredentials.existingSecret -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Return true if a api secret should be created
 */}}
@@ -122,10 +131,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 Get the admin-password key.
 */}}
 {{- define "acapy.database.adminPasswordKey" -}}
-{{- if .Values.acapy.walletStorageCredentials.secretKeys.adminPasswordKey -}}
- {{- printf "%s" (tpl .Values.acapy.walletStorageCredentials.secretKeys.adminPasswordKey $) -}}
-{{- else if .Values.postgresql.auth.secretKeys.adminPasswordKey -}}
- {{- printf "%s" (tpl .Values.postgresql.auth.secretKeys.adminPasswordKey $) -}}
+{{- if .Values.acapy.walletStorageCredentials.existingSecret -}}
+ {{- if .Values.acapy.walletStorageCredentials.secretKeys.adminPasswordKey -}}
+ {{- printf "%s" (tpl .Values.acapy.walletStorageCredentials.secretKeys.adminPasswordKey $) -}}
+ {{- else if .Values.postgresql.auth.secretKeys.adminPasswordKey -}}
+ {{- printf "%s" (tpl .Values.postgresql.auth.secretKeys.adminPasswordKey $) -}}
+ {{- end -}}
+{{- else -}}
+ {{- "admin-password" -}}
 {{- end -}}
 {{- end -}}
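Review bot: In the `acapy.database.adminPasswordKey` hunk, when `existingSecret` is set but both `acapy.walletStorageCredentials.secretKeys.adminPasswordKey` and `postgresql.auth.secretKeys.adminPasswordKey` are empty, the inner `if`/`else if` renders nothing and the helper returns an empty key name, which presumably ends up in a `secretKeyRef` that only fails at pod start; adding `{{- else -}}` / `{{- fail "acapy.walletStorageCredentials.existingSecret is set but no adminPasswordKey is configured" -}}` before the inner `{{- end -}}` surfaces it at template time. The header comment `Get the admin-password key.` no longer describes the two modes; suggest `Get the admin-password key: with existingSecret set it comes from acapy.walletStorageCredentials.secretKeys.adminPasswordKey (falling back to postgresql.auth.secretKeys.adminPasswordKey); otherwise the chart-managed secret always uses the literal "admin-password" and secretKeys is ignored.` The same two points apply to `acapy.database.userPasswordKey` in the next hunk. In the first hunk, the comment on `acapy.database.createSecret` could name the consumer, e.g. `Return true if the chart-managed database secret (templates/acapy/database_secret.yaml) should be created, i.e. no existingSecret was given`.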
@@ -133,12 +146,16 @@ Get the admin-password key.
 Get the user-password key.
 */}}
 {{- define "acapy.database.userPasswordKey" -}}
-{{- if or (empty .Values.acapy.walletStorageCredentials.account) (eq .Values.acapy.walletStorageCredentials.account "postgres") -}}
- {{- printf "%s" (include "acapy.database.adminPasswordKey" .) -}}
-{{- else -}}
- {{- if .Values.acapy.walletStorageCredentials.secretKeys.userPasswordKey -}}
- {{- printf "%s" (tpl .Values.acapy.walletStorageCredentials.secretKeys.userPasswordKey $) -}}
+{{- if .Values.acapy.walletStorageCredentials.existingSecret -}}
+ {{- if or (empty .Values.acapy.walletStorageCredentials.account) (eq .Values.acapy.walletStorageCredentials.account "postgres") -}}
+ {{- printf "%s" (include "acapy.database.adminPasswordKey" .) -}}
+ {{- else -}}
+ {{- if .Values.acapy.walletStorageCredentials.secretKeys.userPasswordKey -}}
+ {{- printf "%s" (tpl .Values.acapy.walletStorageCredentials.secretKeys.userPasswordKey $) -}}
+ {{- end -}}
 {{- end -}}
+{{- else -}}
+ {{- "database-password" -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/traction/templates/acapy/database_secret.yaml b/charts/traction/templates/acapy/database_secret.yaml
new file mode 100644
index 000000000..21f37877e
--- /dev/null
+++ b/charts/traction/templates/acapy/database_secret.yaml
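Review bot: The "empty or `postgres` account uses the admin key" aliasing now only applies inside the `existingSecret` branch; the new `else` branch always returns `database-password`, so a deployment that sets `account: postgres` without an existing secret gets a `database-password` entry generated independently of `admin-password` in `database_secret.yaml` (next hunk) — presumably two different passwords for the same PostgreSQL role, one of which the postgresql subchart never learns about. If that combination is not meant to be supported, reject it explicitly in the `else` branch with `{{- if eq .Values.acapy.walletStorageCredentials.account "postgres" -}}{{- fail "acapy.walletStorageCredentials.account=postgres requires existingSecret" -}}{{- end -}}`; if it is, hoist the `or (empty …) (eq … "postgres")` test above the `existingSecret` check and make `database_secret.yaml` reuse the admin value for `database-password` in that case, since `getOrGeneratePass` (defined outside this diff) looks like it generates per key. Either way, the `Get the user-password key.` comment should state which branch applies when, mirroring the admin-key helper.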
@@ -0,0 +1,16 @@
+{{- if (include "acapy.database.createSecret" .) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ "helm.sh/resource-policy": keep
+ name: {{ template "acapy.database.secret.name" . }}
+ labels:
+ {{- include "common.selectorLabels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ admin-password: {{ include "getOrGeneratePass" (dict "Namespace" .Release.Namespace "Kind" "Secret" "Name" (include "acapy.database.secret.name" .) "Key" (include "acapy.database.adminPasswordKey" .)) }}
+ database-user: {{ .Values.acapy.walletStorageCredentials.account | b64enc }}
+ database-password: {{ include "getOrGeneratePass" (dict "Namespace" .Release.Namespace "Kind" "Secret" "Name" (include "acapy.database.secret.name" .) "Key" (include "acapy.database.userPasswordKey" .)) }}
+{{- end -}}
diff --git a/charts/traction/values.yaml b/charts/traction/values.yaml
index 09829a0de..caaef7314 100644
--- a/charts/traction/values.yaml
+++ b/charts/traction/values.yaml
@@ -1,6 +1,6 @@
-## @param nameOverride String to override the helm chart name, second part of the prefix
+## @param nameOverride
 nameOverride: ""
-## @param fullnameOverride String to fully override the helm chart name, full prefix. *Must be provided if using a custom release name that does not include the word traction.*
+## @param fullnameOverride
 fullnameOverride: ""
 ## @param ingressSuffix Domain suffix to be used for default hostpaths in ingress
 ingressSuffix: -dev.example.com
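Review bot: `database-user` is rendered from `acapy.walletStorageCredentials.account`, whose default is `""` according to the README rows in this commit, so the chart-managed Secret carries an empty user by default while the subchart creates `postgresql.auth.username: acapy`; unless the deployment derives the user elsewhere, `database-user: {{ .Values.acapy.walletStorageCredentials.account | default .Values.postgresql.auth.username | b64enc }}` keeps the Secret self-consistent. The key names `admin-password` and `database-password` are hard-coded here while the `Key` passed to `getOrGeneratePass` comes from the helpers, and the two only agree because the no-`existingSecret` branch of each helper returns that same literal; a comment such as `# key names must match the literals returned by acapy.database.adminPasswordKey / userPasswordKey when no existingSecret is set` makes that coupling visible. `helm.sh/resource-policy: keep` means the generated passwords survive `helm uninstall`, which matches the manual `kubectl delete secret,pvc` cleanup the README already documents, but a one-line comment on the annotation saying so would spare the next reader the hunt.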
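Review bot: The `@param` descriptions for `nameOverride` and `fullnameOverride` are blanked, which drops the documented requirement that `fullnameOverride` be set for release names that do not contain "traction"; since the README Parameters table appears to be generated from these annotations (the rows removed in the README hunk match them word for word), the three override parameters disappear from the README as well. Keep the text, e.g. `## @param fullnameOverride String to fully override the helm chart name, full prefix. *Must be provided if using a custom release name that does not include the word traction.*`, or, if the intent is to hide them from the table, use the generator's `@skip` annotation (assuming readme-generator-for-helm) instead of an empty description.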
@@ -173,8 +173,8 @@ acapy:
 ## @param acapy.walletStorageCredentials.admin_account Database account with CREATEDB role used to create additional databases per wallet.
 ## @param acapy.walletStorageCredentials.admin_password Database password for admin account.
 ## @param acapy.walletStorageCredentials.existingSecret Name of an existing secret containing database user, password, and admin password.
- ## @param acapy.walletStorageCredentials.secretKeys.adminPasswordKey Key in existing secret containing admin account password.
- ## @param acapy.walletStorageCredentials.secretKeys.userPasswordKey Key in existing secret containing account password.
+ ## @param acapy.walletStorageCredentials.secretKeys.adminPasswordKey Key in existing secret containing admin password.
+ ## @param acapy.walletStorageCredentials.secretKeys.userPasswordKey Key in existing secret containing password .
 ##
 walletStorageCredentials:
 json: ''
@@ -182,8 +182,8 @@ acapy:
 admin_account: postgres
 existingSecret: ""
 secretKeys:
- adminPasswordKey: postgres-password
- userPasswordKey: password
+ adminPasswordKey: admin-password
+ userPasswordKey: database-password
 ## @section ACA-Py Multitenancy Configuration
 ## Specifies the multitenancy config.
 ## Possible values: wallet_type, wallet_name, wallet_key, cache_size, 'key_derivation_method.
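Review bot: Changing the `secretKeys` defaults from `postgres-password`/`password` to `admin-password`/`database-password` (second hunk) is a breaking change for installs that point `existingSecret` at a secret laid out with the old Bitnami key names: after upgrade they resolve to keys that do not exist unless both values are now set explicitly. That deserves a README/changelog line and a chart version that signals it, rather than the downgrade to 0.3.3 in Chart.yaml. In the first hunk, `containing password .` has a stray space before the period and has lost its subject; `Key in existing secret containing the account password.` reads correctly. Note also that the README in this commit drops the two `secretKeys` rows from the Wallet Storage Credentials table even though the parameters remain here.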
@@ -871,12 +871,21 @@ postgresql:
 ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run
 ##
 auth:
- ## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user. Not recommended for production deployment.
+ ## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
 ##
 enablePostgresUser: true
+ ## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `postgresql.auth.postgresPassword`, `postgresql.auth.password`, and `postgresql.auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case.
+ ##
+ existingSecret: '{{ include "global.fullname" . }}'
+ ## @param postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+ ## @param postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+ ##
+ secretKeys:
+ adminPasswordKey: admin-password
+ userPasswordKey: database-password
 ## @param postgresql.auth.database Name for a custom database to create
 ##
- database: askar-wallet
+ database: traction
 ## @param postgresql.auth.username Name for a custom user to create
 ##
 username: acapy
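Review bot: `existingSecret: '{{ include "global.fullname" . }}'` is a template string handed to the postgresql subchart; it only resolves if the subchart passes `auth.existingSecret` through `tpl`, and `global.fullname` is then evaluated in the subchart's scope, so verify with `helm template` that the `secretKeyRef` name on the PostgreSQL pods equals the `acapy.database.secret.name` that `database_secret.yaml` renders — if they differ, the subchart will reference a Secret that does not exist. The `enablePostgresUser` description drops "Not recommended for production deployment." while the default stays `true` and `acapy.walletStorageCredentials.admin_account` is still `postgres`; keep the caveat, e.g. `## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user. Not recommended for production deployment.`, since the superuser remains reachable with a password. Renaming `database` from `askar-wallet` to `traction` changes which database the subchart initialises; on an existing persistent volume the first-run scripts presumably do not re-run, so document the upgrade path for existing releases.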