Support setting secrets in Helm chart

- allow specifying `conf.access_key` and `conf.secret_key` values - add `nginx.env` value for setting secret Nginx env vars
instrumentisto · Sep 12, 2022 · 5f419aa · 5f419aa
1 parent 4e760f0
commit 5f419aa
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 1 deletion.
diff --git a/helm/baza/CHANGELOG.md b/helm/baza/CHANGELOG.md
@@ -6,6 +6,17 @@ All user visible changes to this project will be documented in this file. This p
 
 
 
+## [0.3.0] · 2022-09-12
+[0.3.0]: https://github.com/instrumentisto/baza/tree/helm%2Fbaza%2F0.3.0/helm/baza
+
+### Added
+
+- Explicit `conf.access_key` and `conf.secret_key` values.
+- `nginx.env` value.
+
+
+
+
 ## [0.2.0] · 2022-08-24
 [0.2.0]: https://github.com/instrumentisto/baza/tree/helm%2Fbaza%2F0.2.0/helm/baza
 

diff --git a/helm/baza/Chart.yaml b/helm/baza/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: baza
 description: Simply scalable files storage without much fuss.
-version: 0.2.0
+version: 0.3.0
 appVersion: "0.2"
 type: application
 sources:

diff --git a/helm/baza/templates/secret.env.yaml b/helm/baza/templates/secret.env.yaml
@@ -0,0 +1,22 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ printf "%s.env" (include "baza.fullname" .) | quote }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    helm.sh/chart: {{ include "baza.chart" . | quote }}
+    app.kubernetes.io/name: {{ include "baza.name" . | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+  {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  BAZA_ACCESS_KEY: {{ .Values.conf.access_key | b64enc | quote }}
+  BAZA_SECRET_KEY: {{ .Values.conf.secret_key | b64enc | quote }}
+{{- if and .Values.nginx.enabled .Values.nginx.env }}
+{{- range $name, $val := .Values.nginx.env }}
+  {{ $name | quote }}: {{ $val | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/helm/baza/templates/statefulset.yaml b/helm/baza/templates/statefulset.yaml
@@ -29,6 +29,7 @@ spec:
       {{- end }}
       annotations:
         kubectl.kubernetes.io/default-container: baza
+        checksum/env: {{ pick (include (print $.Template.BasePath "/secret.env.yaml") . | fromYaml) "data" | toYaml | sha256sum | quote }}
       {{- if .Values.nginx.enabled }}
         checksum/nginx.conf: {{ pick (include (print $.Template.BasePath "/configmap.nginx.yaml") . | fromYaml) "data" | toYaml | sha256sum | quote }}
       {{- end }}
@@ -95,6 +96,9 @@ spec:
             "-l", {{ .Values.conf.log.level | quote }},
             "-p", {{ .Values.conf.port | int | quote }},
           ]
+          envFrom:
+            - secretRef:
+                name: {{ printf "%s.env" (include "baza.fullname" .) | quote }}
           ports:
             - name: s3
               containerPort: {{ .Values.conf.port | int }}
@@ -109,6 +113,9 @@ spec:
         - name: nginx
           image: {{ printf "%s:%s" .Values.nginx.image.repository .Values.nginx.image.tag | quote }}
           imagePullPolicy: {{ .Values.nginx.image.pullPolicy | quote }}
+          envFrom:
+            - secretRef:
+                name: {{ printf "%s.env" (include "baza.fullname" .) | quote }}
           ports:
             - name: http
               containerPort: {{ .Values.nginx.port | int }}

diff --git a/helm/baza/values.yaml b/helm/baza/values.yaml
@@ -16,6 +16,8 @@ conf:
   port: 9294
   log:
     level: info
+  access_key: changeme
+  secret_key: changeme
 
 statefulset:
   replicas: 1
@@ -130,6 +132,9 @@ nginx:
 
   port: 8080
 
+  env: {}
+    #JWT_SECRET: changeme
+
   # Overwrites `/etc/nginx/nginx.conf`, if specified.
   conf: ""
   # Overwrites `/etc/nginx/conf.d/<file>`, if specified.