chore: add secret template for the chart

Refs: CPLP-3362
eclipse-tractusx · Nov 29, 2023 · 4a726d3 · 4a726d3
1 parent 8f1d958
commit 4a726d3
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/charts/policy-hub/templates/configmap-backend-postgres-init.yaml b/charts/policy-hub/templates/configmap-backend-postgres-init.yaml
@@ -26,7 +26,7 @@ metadata:
 data:
   01-init-db-user.sh: |
     postgresql_create_hub_user() {
-      local -r escaped_password="${POLICYHUB_PASSWORD//\'/\'\'}"
+      local -r escaped_password="${POLICY_HUB_PASSWORD//\'/\'\'}"
       info "Creating user hub"
       export PGPASSWORD="$POSTGRES_PASSWORD"
       echo "CREATE USER hub WITH PASSWORD '${escaped_password}';" | psql -U postgres

diff --git a/charts/policy-hub/templates/secret-backend-postgres-init.yaml b/charts/policy-hub/templates/secret-backend-postgres-init.yaml
@@ -0,0 +1,44 @@
+{{- /*
+* Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
+*
+* See the NOTICE file(s) distributed with this work for additional
+* information regarding copyright ownership.
+*
+* This program and the accompanying materials are made available under the
+* terms of the Apache License, Version 2.0 which is available at
+* https://www.apache.org/licenses/LICENSE-2.0.
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+* License for the specific language governing permissions and limitations
+* under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/}}
+
+{{- if .Values.postgresql.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.postgresql.auth.existingSecret }}
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+# use lookup function to check if secret exists
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.postgresql.auth.existingSecret) }}
+{{ if $secret -}}
+data:
+  # if secret exists, use value provided from values file (to cover update scenario) or existing value from secret
+  # use data map instead of stringData to prevent base64 encoding of already base64-encoded existing value from secret
+  # use index function for secret keys with hyphen otherwise '$secret.data.secretKey' works too
+  postgres-password: {{ ( .Values.postgresql.auth.password | b64enc )  | default ( index $secret.data "postgres-password" ) | quote }}
+  replication-password: {{ ( .Values.postgresql.auth.replicationPassword | b64enc )  | default ( index $secret.data "replication-password" ) | quote }}
+  policy-hub-password: {{ ( .Values.postgresql.auth.policyHubPassword | b64enc ) | default ( index $secret.data "policy-hub-password" ) | quote }}
+{{ else -}}
+stringData:
+  # if secret doesn't exist, use provided value from values file or generate a random one
+  postgres-password: {{ .Values.postgresql.auth.password | default ( randAlphaNum 32 ) | quote }}
+  replication-password: {{ .Values.postgresql.auth.replicationPassword | default ( randAlphaNum 32 ) | quote }}
+  policy-hub-password: {{ .Values.postgresql.auth.policyHubPassword | default ( randAlphaNum 32 ) | quote }}
+{{ end }}
+{{- end -}}