From 2f7cd7929af27ad5f88fe0234f0424e1f7c50356 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Mon, 5 Feb 2024 19:38:41 +0100
Subject: [PATCH 1/8] Add chart's helper templates
---
 helm/flowforge/templates/_helpers.tpl | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 helm/flowforge/templates/_helpers.tpl
diff --git a/helm/flowforge/templates/_helpers.tpl b/helm/flowforge/templates/_helpers.tpl
new file mode 100644
index 00000000..e7d5747e
--- /dev/null
+++ b/helm/flowforge/templates/_helpers.tpl
@@ -0,0 +1,21 @@
+{{/*
+Get the postgresql secret object name.
+*/}}
+{{- define "forge.secretName" -}}
+{{- if .Values.postgresql.auth.existingSecret -}}
+ {{- tpl .Values.postgresql.auth.existingSecret $ -}}
+{{- else -}}
+ {{- printf "%s-%s" (tpl .Release.Name .) "postgresql" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get the flowfuse secret object name.
+*/}}
+{{- define "forge.applicationSecretName" -}}
+{{- if .Values.postgresql.auth.existingSecret -}}
+ {{- tpl .Values.postgresql.auth.existingSecret $ -}}
+{{- else -}}
+ {{- printf "flowfuse-secrets" -}}
+{{- end -}}
+{{- end -}}
From c619499f78866de8bf8618f1ce985b8b65bd480c Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Mon, 5 Feb 2024 19:40:10 +0100
Subject: [PATCH 2/8] Update references to the secret name; small fix in db host templating in file-storage configmap
---
 helm/flowforge/templates/deployment.yaml | 2 +-
 helm/flowforge/templates/file-storage.yml | 6 +++---
 helm/flowforge/templates/job-upgrade-db.yaml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/helm/flowforge/templates/deployment.yaml b/helm/flowforge/templates/deployment.yaml
index f940ec84..c37a3083 100644
--- a/helm/flowforge/templates/deployment.yaml
+++ b/helm/flowforge/templates/deployment.yaml
@@ -36,7 +36,7 @@ spec:
 - name: PGPASSWORD
 valueFrom:
 secretKeyRef:
- name: flowfuse-secrets
+ name: {{ include "forge.applicationSecretName" . }}
 key: password
 containers:
 - name: forge
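Review bot: Both helpers resolve to the same user-supplied secret when `postgresql.auth.existingSecret` is set, yet `forge.secretName` is read with `key: postgres-password` (job-upgrade-db.yaml) and `forge.applicationSecretName` with `key: password` (deployment.yaml, file-storage.yml), so that one secret must carry both keys and neither header comment says so. I would extend the two comments, e.g. `Get the postgresql secret object name (must hold the "postgres-password" key; falls back to the subchart secret <release>-postgresql).` and `Get the flowfuse secret object name (must hold the "password" key; falls back to the chart-managed "flowfuse-secrets").` Separately, `tpl .Release.Name .` has nothing to expand, so `printf "%s-postgresql" .Release.Name` is enough, and `printf "flowfuse-secrets"` with no arguments can be the bare literal. Because `tpl` evaluates the existingSecret value as a template, the helper treats that value as trusted chart input; a short note in the comment would keep a later change from feeding it from anywhere else.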
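Review bot: The rendered `name:` on the added line is unquoted, so a user-supplied `existingSecret` such as an all-digit name (valid under DNS-1123) would render as a YAML integer and be rejected by the API server. Pipe the helper output through `quote`: `name: {{ include "forge.applicationSecretName" . | quote }}`. The same applies to the secretKeyRef lines added in file-storage.yml (second hunk) and in job-upgrade-db.yaml. The enclosing container env list starts and ends outside the hunk.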
diff --git a/helm/flowforge/templates/file-storage.yml b/helm/flowforge/templates/file-storage.yml
index 58735591..762817f8 100644
--- a/helm/flowforge/templates/file-storage.yml
+++ b/helm/flowforge/templates/file-storage.yml
@@ -23,11 +23,11 @@ data:
 {{- if .Values.forge.fileStore.context.quota }}
 quota: {{ .Values.forge.fileStore.context.quota }}
 {{- end }}
- {{- if .Values.forge.fileStore.context.options }}}
+ {{- if .Values.forge.fileStore.context.options }}
 options:
 type: {{ .Values.forge.fileStore.context.options.type }}
 {{- if eq .Values.forge.fileStore.context.options.type "postgres" }}
- host: {{ .Values.postgresql.host | default "{{ .Release.Name }}-postgresql" }}
+ host: {{ .Values.postgresql.host | default (print .Release.Name "-postgresql") }}
 port: {{ .Values.postgresql.port | default 5432 }}
 username: {{ .Values.postgresql.auth.username }}
 database: ff-context
@@ -87,7 +87,7 @@ spec:
 - name: PGPASSWORD
 valueFrom:
 secretKeyRef:
- name: flowfuse-secrets
+ name: {{ include "forge.applicationSecretName" . }}
 key: password
 containers:
 - name: file-storage
diff --git a/helm/flowforge/templates/job-upgrade-db.yaml b/helm/flowforge/templates/job-upgrade-db.yaml
index 2b133055..bf278d9c 100644
--- a/helm/flowforge/templates/job-upgrade-db.yaml
+++ b/helm/flowforge/templates/job-upgrade-db.yaml
@@ -37,7 +37,7 @@ spec:
 - name: PGPASSWORD
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-postgresql
+ name: {{ include "forge.secretName" . }}
 key: postgres-password
 volumeMounts:
 - name: upgrade-script
From b526a4d22272f1ac0fe9efef24579f33d327ea60 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Mon, 5 Feb 2024 19:40:47 +0100
Subject: [PATCH 3/8] Conditional creation of secret object
---
 helm/flowforge/templates/secrets.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/helm/flowforge/templates/secrets.yaml b/helm/flowforge/templates/secrets.yaml
index e7289c92..ecaefd5c 100644
--- a/helm/flowforge/templates/secrets.yaml
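Review bot: The new `host:` default rebuilds the subchart hostname inline with `print .Release.Name "-postgresql"`, while `forge.secretName` in _helpers.tpl builds the same `<release>-postgresql` string with `printf`; if the subchart naming ever changes, one of the two sites will drift. A small helper, e.g. `forge.postgresqlHost` returning `.Values.postgresql.host | default (printf "%s-postgresql" .Release.Name)`, would give the configmap and the helper a single source of truth. The rendered `host:` is also unquoted; `| quote` on the new line guards against a value YAML would retype. The `options` block this line belongs to starts and ends outside the hunk.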
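Review bot: With `forge.secretName` now resolving to the user's `existingSecret`, this job reads `key: postgres-password` from that secret, but the README added later in this series (patches 4/8 and 5/8, including the `kubectl create secret` example) documents the key as `postgress-password`, so a secret created as documented leaves the upgrade job failing on a missing key. Correct the README to `postgres-password`, the name used here and written by secrets.yaml, rather than renaming the key. If `postgresql.auth.existingSecret` is also consumed by the PostgreSQL subchart, its expected key names should be confirmed against the subchart's defaults so one secret can serve both consumers. A comment on the added line, `# must exist in the external secret when postgresql.auth.existingSecret is set`, would make the contract visible where it is relied on.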
+++ b/helm/flowforge/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.postgresql.auth.existingSecret -}}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,3 +8,4 @@ type: Opaque
 data:
 password: {{ .Values.postgresql.auth.password | b64enc | quote }}
 postgres-password: {{ .Values.postgresql.auth.postgresPassword | b64enc | quote }}
+{{- end -}}
From a72b2d9062950cfae3fabc74cfdcf4e33d14de61 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Mon, 5 Feb 2024 19:41:30 +0100
Subject: [PATCH 4/8] Document support for external secret configuration
---
 helm/flowforge/README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md
index 339d1e2e..0a5cfb94 100644
--- a/helm/flowforge/README.md
+++ b/helm/flowforge/README.md
@@ -195,6 +195,16 @@ editors:
 - `postgresql.auth.password` - the password to use to connect to the database (default `Zai1Wied`)
 - `postgresql.auth.database` - the database to use (default `flowforge`)
 - `postgresql.auth.postgresPassword` - the password to use for the postgres user (default `Moomiet0`)
+ - `postgresql.auth.existingSecret` - the name of an Kubernetes secret object, within same namespace, with database credentials (default not set)
+
+ Note: External secret must contain the following keys:
+ - `password` - the password to use to connect to the database (equivalent to `postgresql.auth.password` key)
+ - `postgress-password` - the password to use for the postgres user (equivalent to `postgresql.auth.postgresPassword` key)
+
+ Example for creating a external secret via `kubectl`:
+ ```bash
+ kubectl create secret generic database-credentials --from-literal=postgress-password=rootPassword --from-literal=password=applicationPassword
+ ```
 ### Liveness, readiness and startup probes
From eae694d4cb94dea271a7820f8dc08685a7a8af9f Mon Sep 17 00:00:00 2001
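Review bot: The guard added in the first hunk makes the chart-managed secret optional, but nothing in the template says what an external replacement must contain; the keys read elsewhere (`password` by the deployment and file-storage pods, `postgres-password` by the upgrade job) are only discoverable by grepping the other templates. A template comment above the new `if`, such as `{{/* Skipped when postgresql.auth.existingSecret is set; that secret must then provide the "password" and "postgres-password" keys read by the other templates. */}}`, would put the contract next to the keys it replaces. Note also that the `{{- end -}}` in the second hunk trims the final newline, which is harmless while this file renders a single resource.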
From: ppawlowski
Date: Mon, 5 Feb 2024 19:48:20 +0100
Subject: [PATCH 5/8] Update PostgreSQL configuration in README.md
---
 helm/flowforge/README.md | 33 +++++++++++++++------------------
 1 file changed, 15 insertions(+), 18 deletions(-)
diff --git a/helm/flowforge/README.md b/helm/flowforge/README.md
index 0a5cfb94..dd4e7b37 100644
--- a/helm/flowforge/README.md
+++ b/helm/flowforge/README.md
@@ -187,24 +187,21 @@ editors:
 name: editors
 ```
- ### Postgresql
- - `postgresql.host` - the hostname of an external PostgreSQL database (default not set)
- - `postgresql.port` - the port of an external PostgreSQL database (default `5432`)
- - `postgresql.ssl` - sets the connection to the database to use SSL/TLS (default `false`)
- - `postgresql.auth.username` - the username to use to connect to the database (default `forge`)
- - `postgresql.auth.password` - the password to use to connect to the database (default `Zai1Wied`)
- - `postgresql.auth.database` - the database to use (default `flowforge`)
- - `postgresql.auth.postgresPassword` - the password to use for the postgres user (default `Moomiet0`)
- - `postgresql.auth.existingSecret` - the name of an Kubernetes secret object, within same namespace, with database credentials (default not set)
-
- Note: External secret must contain the following keys:
- - `password` - the password to use to connect to the database (equivalent to `postgresql.auth.password` key)
- - `postgress-password` - the password to use for the postgres user (equivalent to `postgresql.auth.postgresPassword` key)
-
- Example for creating a external secret via `kubectl`:
- ```bash
- kubectl create secret generic database-credentials --from-literal=postgress-password=rootPassword --from-literal=password=applicationPassword
- ```
+### Postgresql
+- `postgresql.host` - the hostname of an external PostgreSQL database (default not set)
+- `postgresql.port` - the port of an external PostgreSQL database (default `5432`)
+- `postgresql.ssl` - sets the connection to the database to use SSL/TLS (default `false`)
+- `postgresql.auth.username` - the username to use to connect to the database (default `forge`)
+- `postgresql.auth.password` - the password to use to connect to the database (default `Zai1Wied`)
+- `postgresql.auth.database` - the database to use (default `flowforge`)
+- `postgresql.auth.postgresPassword` - the password to use for the postgres 
user (default `Moomiet0`)
+- `postgresql.auth.existingSecret` - the name of an Kubernetes secret object with database credentials (If `postgresql.auth.existingSecret` is set, `postgresql.auth.password` and `postgresql.auth.postgresPassword` values are ignored; default not set)
+
+
+Note: External secret must contain following keys:
+- `password` - the password to use to connect to the database (equivalent to `postgresql.auth.password` key)
+- `postgress-password` - the password to use for the postgres user (equivalent to `postgresql.auth.postgresPassword` key)
+
 ### Liveness, readiness and startup probes
From 548a2fed321f05e1a78832a81c85afafd382b395 Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Mon, 5 Feb 2024 20:43:49 +0100
Subject: [PATCH 6/8] Do not run checkov against subcharts
---
 .github/workflows/helm-chart.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
index 351e2410..f5c617b0 100644
--- a/.github/workflows/helm-chart.yml
+++ b/.github/workflows/helm-chart.yml
@@ -108,6 +108,7 @@ jobs:
 with:
 directory: ${{ github.workspace }}/helm
 var_file: ${{ github.workspace }}/helm/flowforge/ci/default-values.yaml
+ skip_path: "*/charts/*"
 framework: helm
 output_format: cli,sarif
 output_file_path: console,results.sarif
From 75a8514aed93d5a0974b7465d75a88372f5baf7f Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Mon, 5 Feb 2024 20:48:05 +0100
Subject: [PATCH 7/8] Update skip_path in helm-chart.yml
---
 .github/workflows/helm-chart.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
index f5c617b0..f3055b0e 100644
--- a/.github/workflows/helm-chart.yml
+++ b/.github/workflows/helm-chart.yml
@@ -108,7 +108,7 @@ jobs:
 with:
 directory: ${{ github.workspace }}/helm
 var_file: ${{ github.workspace }}/helm/flowforge/ci/default-values.yaml
- skip_path: "*/charts/*"
+ skip_path: "**/charts/**"
 framework: helm
 output_format: cli,sarif
 output_file_path: console,results.sarif
From 62182923fd44e2c25990efb1f251f42225c7497a Mon Sep 17 00:00:00 2001
From: ppawlowski
Date: Mon, 5 Feb 2024 20:50:05 +0100
Subject: [PATCH 8/8] Update skip_path in helm-chart.yml
---
 .github/workflows/helm-chart.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
index f3055b0e..25e1db52 100644
--- a/.github/workflows/helm-chart.yml
+++ b/.github/workflows/helm-chart.yml
@@ -108,7 +108,7 @@ jobs:
 with:
 directory: ${{ github.workspace }}/helm
 var_file: ${{ github.workspace }}/helm/flowforge/ci/default-values.yaml
- skip_path: "**/charts/**"
+ skip_path: /flowforge/charts/
 framework: helm
 output_format: cli,sarif
 output_file_path: console,results.sarif
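Review bot: The final `skip_path: /flowforge/charts/` in patch 8/8 removes the vendored subcharts from the checkov scan entirely, so misconfigurations in the pulled-in PostgreSQL chart will no longer be reported by this workflow; that is a defensible trade-off, but the workflow should record it, e.g. `# vendored subcharts are third-party; scan only this chart's own templates` above the line. Checkov matches `--skip-path` as a regular expression against the path relative to the working directory rather than as a glob, which is presumably why the glob forms from patches 6/8 and 7/8 were dropped; a second comment such as `# regex, not a glob: matches any path containing /flowforge/charts/` would keep the next editor from reintroducing a glob. The `with:` block and the step it belongs to start outside the hunk.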