From 456d7fc8932c6bb685afad6b5f7a014ff5003d3c Mon Sep 17 00:00:00 2001
From: Philipp Born
Date: Wed, 13 Dec 2023 07:31:07 +0100
Subject: [PATCH] move credentials to Secret

ConfigMaps are not intended to hold confidental data. Storing credentials in Secrets instead brings advantages of Encryption at Rest for Secrets and proper RBAC separation.
---
 charts/traccar/Chart.yaml | 2 +-
 charts/traccar/templates/configmap.yaml | 15 +-------------
 charts/traccar/templates/deployment.yaml | 8 ++++++++
 charts/traccar/templates/secret.yaml | 26 ++++++++++++++++++++++++
 4 files changed, 36 insertions(+), 15 deletions(-)
 create mode 100644 charts/traccar/templates/secret.yaml
diff --git a/charts/traccar/Chart.yaml b/charts/traccar/Chart.yaml
index e20ba6b..b43124d 100644
--- a/charts/traccar/Chart.yaml
+++ b/charts/traccar/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: traccar
 description: A Helm chart for Traccar GPS Server
 type: application
-version: 1.7.1
+version: 1.8.0
 appVersion: "5.10"
 dependencies:
 - name: mysql
diff --git a/charts/traccar/templates/configmap.yaml b/charts/traccar/templates/configmap.yaml
index 021584a..6c1e7e7 100644
--- a/charts/traccar/templates/configmap.yaml
+++ b/charts/traccar/templates/configmap.yaml
@@ -13,6 +13,7 @@ data:
 ./conf/default.xml
+ true
 {{- if .Values.traccar.server }}
 {{- if .Values.traccar.server.statistics }}
@@ -155,8 +156,6 @@ data:
 {{- if .Values.mysql.enabled }}
 com.mysql.cj.jdbc.Driver
 jdbc:mysql://{{ include "traccar.fullname" . }}-mysql:3306/{{ .Values.mysql.auth.database }}?serverTimezone=UTC&useSSL=false&allowMultiQueries=true&autoReconnect=true&useUnicode=yes&characterEncoding=UTF-8&sessionVariables=sql_mode=''
- {{ .Values.mysql.auth.username }}
- {{ .Values.mysql.auth.password }}
 {{- else }}
 {{- if .Values.traccar.database.driverFile }}
 {{ .Values.traccar.database.driverFile }}
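Review bot: The added `+ true` line in the `@@ -13,6 +13,7 @@` hunk has lost its key in this extract; it is presumably the switch that makes Traccar consult environment variables, which is what allows the `@@ -155,8 +156,6 @@` hunk to drop the username and password entries. If so, that switch applies to every config key, not only the credentials, so any environment variable whose name matches an uppercased config key (including entries a user passes through the deployment's `env:`) now overrides the XML value; the commit message and values.yaml should say so, and the line deserves a template comment such as `{{/* env-var lookup enabled so credentials come from the Secret (secret.yaml) rather than this ConfigMap */}}`. Both hunks lie inside the `data:` block scalar, which begins and ends outside them.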
@@ -167,12 +166,6 @@ data:
 {{- if .Values.traccar.database.url }}
 {{ .Values.traccar.database.url }}
 {{- end }}
-{{- if .Values.traccar.database.user }}
- {{ .Values.traccar.database.user }}
-{{- end }}
-{{- if .Values.traccar.database.password }}
- {{ .Values.traccar.database.password }}
-{{- end }}
 {{- end }}
 {{- end }}
 {{- if .Values.traccar.database }}
@@ -311,12 +304,6 @@ data:
 {{- if .Values.traccar.mail.smtp.fromName }}
 {{ .Values.traccar.mail.smtp.fromName }}
 {{- end }}
-{{- if .Values.traccar.mail.smtp.username }}
- {{ .Values.traccar.mail.smtp.username }}
-{{- end }}
-{{- if .Values.traccar.mail.smtp.password }}
- {{ .Values.traccar.mail.smtp.password }}
-{{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/traccar/templates/deployment.yaml b/charts/traccar/templates/deployment.yaml
index 46e8679..5da2bbe 100644
--- a/charts/traccar/templates/deployment.yaml
+++ b/charts/traccar/templates/deployment.yaml
@@ -19,6 +19,9 @@ spec:
 metadata:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- if not .Values.configOverride }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+ {{- end }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -89,6 +92,11 @@ spec:
 env:
 {{- toYaml . | nindent 12 }}
 {{- end }}
+ {{- if not .Values.configOverride }}
+ envFrom:
+ - secretRef:
+ name: {{ include "traccar.fullname" . }}
+ {{- end }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
 - name: http
diff --git a/charts/traccar/templates/secret.yaml b/charts/traccar/templates/secret.yaml
new file mode 100644
index 0000000..cbfe297
--- /dev/null
+++ b/charts/traccar/templates/secret.yaml
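Review bot: `checksum/secret` in the deployment's first hunk is the SHA-256 of the fully rendered Secret, i.e. of a manifest whose only unpredictable content is the credentials themselves, and it is written into pod annotations, which are usually readable by far more principals than the Secret is. A low-entropy password could therefore be guessed offline from the pod object; the pre-existing `checksum/config` line had the same property, so this is not a regression, but it undercuts part of the RBAC separation the commit sets out to achieve. Consider documenting in values.yaml that the chart expects a high-entropy password, or deriving the annotation from inputs that do not embed the secret (hashing only the non-secret part of the template, or leaving rollout-on-rotation to a controller that watches the Secret). The `envFrom` in the second hunk is fine as written; a short comment next to it naming the Traccar config keys these variables stand in for would help the next maintainer. Both hunks sit inside the pod template, which continues outside the hunk.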
@@ -0,0 +1,26 @@
+{{- if not .Values.configOverride }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "traccar.fullname" . }}
+ labels:
+ {{- include "traccar.labels" . | nindent 4 }}
+stringData:
+ {{- if .Values.mysql.enabled }}
+ DATABASE_USER: {{ .Values.mysql.auth.username | quote }}
+ DATABASE_PASSWORD: {{ .Values.mysql.auth.password | quote }}
+ {{- else }}
+ {{- if ((.Values.traccar).database).user }}
+ DATABASE_USER: {{ .Values.traccar.database.user | quote }}
+ {{- end }}
+ {{- if ((.Values.traccar).database).password }}
+ DATABASE_PASSWORD: {{ .Values.traccar.database.password | quote }}
+ {{- end }}
+ {{- end }} {{/* end if mysql.enabled */}}
+ {{- if (((.Values.traccar).mail).smtp).username }}
+ MAIL_SMTP_USERNAME: {{ .Values.traccar.mail.smtp.username | quote }}
+ {{- end }}
+ {{- if (((.Values.traccar).mail).smtp).password }}
+ MAIL_SMTP_PASSWORD: {{ .Values.traccar.mail.smtp.password | quote }}
+ {{- end }}
+{{- end }}
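Review bot: Nothing in the new template explains why the `stringData` keys are spelled `DATABASE_USER`, `MAIL_SMTP_PASSWORD` and so on; those names only work because Traccar derives an environment-variable name from each config key when env-var lookup is enabled, and a maintainer renaming one would break authentication silently. A header comment such as `{{/* Key names follow Traccar's env-var mapping of config keys (database.user -> DATABASE_USER, mail.smtp.password -> MAIL_SMTP_PASSWORD); injected via envFrom in deployment.yaml */}}` would pin that down. Under `.Values.mysql.enabled` both entries are emitted unconditionally, so an unset `mysql.auth.password` renders `DATABASE_PASSWORD: ""`; if the mysql dependency generates its own password in that case (not visible here) the two would silently diverge, so a `required` call or the same nil-safe guard used in the `else` branch would surface that at render time. `type: Opaque` is the default, but stating it explicitly documents intent.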