Merge pull request #381 from nautobot/fix_secrets

Fix DB and Redis secrets
nautobot · Apr 25, 2024 · 6c735c9 · 6c735c9
2 parents a39e5d8 + cd393e4
commit 6c735c9
Showing 1 changed file with 81 additions and 8 deletions.
diff --git a/charts/nautobot/templates/_helpers.tpl b/charts/nautobot/templates/_helpers.tpl
@@ -186,35 +186,106 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
   {{- end -}}
 {{- end -}}
 
+
+{{/*
+Generate the secret that is used for `NAUTOBOT_DB_PASSWORD` environmental variable
+in nautobot-deployment.yaml.
+
+The following is the logic:
+* If you have an existing K8s Secret containing the password it will take the secret from there.
+  Note: If you deploy PostgreSQL as part of this chart (postgresql.enabled==true) you have to
+        also define `postgresql.auth.existingSecret`
+  Test:
+    nautobot:
+      db:
+        existingSecret: "my-db-secret"
+        existingSecretPasswordKey: "password"
+
+* If the existing secret is not defined and you deploy PostgreSQL as part of this chart
+  it either takes the values from the existing secret defined in the postgresql
+  subchart (if defined) or it takes the secret that is generated by the subchart, which
+  is done automatically when the subchart is enabled. The name of the secret that
+  the subchart generates consists of <release name>-<nameOverride>. If you don't
+  define the postgresql.nameOverride it takes "postgresql".
+
+  Test1:
+    `kubectl create secret generic my-db-secret --from-literal=password=database-password --from-literal=postgresql-password=database-admin-password`
+
+    postgresql:
+      enabled: true
+      auth:
+        existingSecret: "my-db-secret"
+
+  Test2:
+    postgresql:
+      enabled: true
+
+* The same logic is used for PostgreSQL in HA mode.
+
+* If you enable mariadb then you have to disable postgresql. If you define
+  the existing secret, it will use that one. If not, if will create a secret name
+  from '<release name>-' and either 'nameOverride' if defined, or 'mariadb'.
+
+  Test:
+    postgresql:
+      enabled: false
+    mariadb:
+      auth:
+        existingSecret: "my-db-secret"
+
+* If you defined the password in "nautobot.db.password" it will create the
+  K8s Secret. This scenario is used for cases when you are using the external
+  database, so you should also disable postgresql: postgresql.enabled=false.
+
+  Test:
+    nautobot:
+      db:
+        password: "database-password"
+    postgresql:
+      enabled: false
+
+*/}}
 {{- define "nautobot.database.passwordName" -}}
   {{- if .Values.nautobot.db.existingSecret -}}
     {{- .Values.nautobot.db.existingSecret -}}
   {{- else if eq .Values.postgresql.enabled true -}}
-      {{- default (printf "%s-postgresql" (include "common.names.fullname" .)) .Values.postgresql.auth.existingSecret -}}
-  {{- else if eq .Values.postgresqlha.enabled true -}}
     {{- if .Values.postgresql.auth.existingSecret -}}
-      {{- default (printf "%s-postgresql" (include "common.names.fullname" .)) .Values.postgresqlha.auth.existingSecret -}}
+      {{- .Values.postgresql.auth.existingSecret -}}
     {{- else -}}
-      {{- printf "%s-db-password" (include "common.names.fullname" .) -}}
+      {{- printf "%s-%s" .Release.Name (default "postgresql" .Values.postgresql.nameOverride) -}}
+    {{- end -}}
+  {{- else if eq .Values.postgresqlha.enabled true -}}
+    {{- if .Values.postgresqlha.postgresql.existingSecret -}}
+      {{- .Values.postgresqlha.postgresql.existingSecret -}}
+    {{- else -}}
+      {{- printf "%s-%s-postgresql" .Release.Name (default "postgresqlha" .Values.postgresqlha.nameOverride) -}}
     {{- end -}}
   {{- else if eq .Values.mariadb.enabled true -}}
-      {{- default (printf "%s-mariadb" (include "common.names.fullname" .)) .Values.mariadb.auth.existingSecret -}}
+    {{- if .Values.mariadb.auth.existingSecret -}}
+      {{- .Values.mariadb.auth.existingSecret -}}
+    {{- else -}}
+      {{- printf "%s-%s" .Release.Name (default "mariadb" .Values.mariadb.nameOverride) -}}
+    {{- end -}}
   {{- else -}}
     {{- printf "%s-db-password" (include "common.names.fullname" .) -}}
   {{- end -}}
 {{- end -}}
 
+
 {{- define "nautobot.database.passwordKey" -}}
   {{- if .Values.nautobot.db.existingSecret -}}
     {{- .Values.nautobot.db.existingSecretPasswordKey -}}
   {{- else if eq .Values.postgresql.enabled true -}}
-    {{- if .Values.postgresql.auth.existingSecret -}}
+    {{- if and .Values.postgresql.auth.existingSecret .Values.postgresql.auth.secretKeys -}}
       {{- default "password" .Values.postgresql.auth.secretKeys.userPasswordKey -}}
     {{- else -}}
       {{- printf "password" -}}
     {{- end -}}
   {{- else if eq .Values.postgresqlha.enabled true -}}
-      {{- printf "postgresql-password" -}}
+    {{/* PostgresqlHA & MariaDB sub-charts don't specify a Secret Key,
+      you need always to create the secrets with necessary keys like `password` before the helm install.
+    */}}
+    {{- printf "password" -}}
   {{- else if eq .Values.mariadb.enabled true -}}
       {{- printf "mariadb-password" -}}
   {{- else -}}
@@ -269,8 +340,10 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
     {{- .Values.nautobot.redis.existingSecret -}}
   {{- else if .Values.redis.auth.existingSecret -}}
     {{- .Values.redis.auth.existingSecret -}}
+  {{- else if .Values.redis.nameOverride -}}
+    {{- printf "%s-%s" .Release.Name .Values.redis.nameOverride -}}
   {{- else -}}
-    {{- printf "nautobot-redis" -}}
+    {{- printf "%s-redis" .Release.Name -}}
   {{- end -}}
 {{- end -}}