
Commit

Feat: Additional existing secrets (#369)
m4rg4sh authored Mar 25, 2024
1 parent be87f99 commit af603ff
Showing 10 changed files with 433 additions and 314 deletions.
284 changes: 145 additions & 139 deletions charts/nautobot/README.md


7 changes: 4 additions & 3 deletions charts/nautobot/templates/NOTES.txt
Expand Up @@ -50,24 +50,25 @@ https://docs.nautobot.com/projects/helm-charts/en/stable/configuration/reference
echo "Nautobot URL: http://$NODE_IP:$NODE_PORT/"

{{- end }}
{{- if .Values.nautobot.superUser.enabled }}
{{- if and .Values.nautobot.superUser.enabled (not .Values.nautobot.superUser.existingSecret) }}

2. Get your Nautobot login admin credentials by running:

echo Username: {{ .Values.nautobot.superUser.username }}
echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-env -o jsonpath="{.data.NAUTOBOT_SUPERUSER_PASSWORD}" | base64 --decode)
echo api-token: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-env -o jsonpath="{.data.NAUTOBOT_SUPERUSER_API_TOKEN}" | base64 --decode)
{{- end }}
{{- if not .Values.nautobot.secretKey }}
{{- if not (or .Values.nautobot.secretKey .Values.nautobot.django.secretKey .Values.nautobot.django.existingSecret) }}

Make sure you take note of your Nautobot `NAUTOBOT_SECRET_KEY` by running:

echo Secret Key: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-env -o jsonpath="{.data.NAUTOBOT_SECRET_KEY}" | base64 --decode)
{{- end }}
{{- if .Values.postgresql.enabled }}

To take a backup of the database run:

export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode)
export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-postgresql -o jsonpath="{.data.postgres-password}" | base64 --decode)
echo $POSTGRES_PASSWORD | kubectl exec -itn {{ .Release.Namespace }} statefulset.apps/{{ include "common.names.fullname" . }}-postgresql -- pg_dump --username {{ .Values.postgresql.auth.username }} --clean --if-exists nautobot > backup.sql

{{- end }}
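Review bot: the password read at `{.data.postgres-password}` in the backup command does not match the user it is then used for. In the Bitnami PostgreSQL Secret, `postgres-password` holds the `postgres` superuser password, while the password of a custom `auth.username` is stored under the `password` key; the next line runs `pg_dump --username {{ .Values.postgresql.auth.username }}`, so the two only agree when `auth.username` is `postgres`. Either pick the key from the configured username or state that assumption in the note. The new guards on `superUser.existingSecret` and `django.existingSecret` look right: the `-env` Secret is only consulted when the chart itself generated the values.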
59 changes: 38 additions & 21 deletions charts/nautobot/templates/_helpers.tpl
Expand Up @@ -57,28 +57,45 @@ Compile all warnings into a single message.
{{- end -}}
{{- end -}}

{{- define "nautobot.encryptedSecretKey" -}}
{{- if not .Values.nautobot.secretKey -}}
{{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-env" (include "nautobot.names.fullname" . )) "key" "NAUTOBOT_SECRET_KEY" "providedValues" (list "nautobot.secretKey") "length" 64 "strong" true "context" $) }}
{{- else -}}
{{- .Values.nautobot.secretKey | b64enc | quote -}}
{{- end -}}
{{/*
The secret name where the nautobot secret_key used by django will exist.
*/}}
{{- define "nautobot.django.secretName" -}}
{{- default (printf "%s-env" (include "common.names.fullname" .)) .Values.nautobot.django.existingSecret -}}
{{- end -}}

{{- define "nautobot.encryptedSuperUserAPIToken" -}}
{{- if not .Values.nautobot.superUser.apitoken -}}
{{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-env" (include "nautobot.names.fullname" . )) "key" "NAUTOBOT_SUPERUSER_API_TOKEN" "providedValues" (list "nautobot.superUserAPIToken") "length" 40 "strong" false "context" $) }}
{{- else -}}
{{- .Values.nautobot.superUser.apitoken | b64enc | quote -}}
{{- end -}}
{{/*
The secret key where the nautobot secret_key used by django will exist.
*/}}
{{- define "nautobot.django.existingSecretSecretKeyKey" -}}
{{- default (printf "NAUTOBOT_SECRET_KEY") .Values.nautobot.django.existingSecretSecretKeyKey -}}
{{- end -}}

{{- define "nautobot.encryptedSuperUserPassword" -}}
{{- if not .Values.nautobot.superUser.password -}}
{{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-env" (include "nautobot.names.fullname" . )) "key" "NAUTOBOT_SUPERUSER_PASSWORD" "providedValues" (list "nautobot.superUserPassword") "length" 64 "strong" true "context" $) }}
{{- else -}}
{{- .Values.nautobot.superUser.password | b64enc | quote -}}
{{- end -}}
{{/*
Retrieve existing django/nautobot secret key, use one provided via values or generate a random one
*/}}
{{- define "nautobot.django.secretKey" -}}
{{- include "common.secrets.passwords.manage" (dict "secret" (include "nautobot.django.secretName" .) "key" (include "nautobot.django.existingSecretSecretKeyKey" .) "providedValues" (list .Values.nautobot.django.secretKey .Values.nautobot.secretKey) "length" 64 "strong" true "context" $) -}}
{{- end -}}

{{- define "nautobot.superUser.secretName" -}}
{{- default (printf "%s-env" (include "common.names.fullname" .)) .Values.nautobot.superUser.existingSecret -}}
{{- end -}}

{{- define "nautobot.superUser.existingSecretPasswordKey" -}}
{{- default (printf "NAUTOBOT_SUPERUSER_PASSWORD") .Values.nautobot.superUser.existingSecretPasswordKey -}}
{{- end -}}

{{- define "nautobot.superUser.existingSecretApiTokenKey" -}}
{{- default (printf "NAUTOBOT_SUPERUSER_API_TOKEN") .Values.nautobot.superUser.existingSecretApiTokenKey -}}
{{- end -}}

{{- define "nautobot.superUser.apiToken" -}}
{{- include "common.secrets.passwords.manage" (dict "secret" (include "nautobot.superUser.secretName" . ) "key" (include "nautobot.superUser.existingSecretApiTokenKey" .) "providedValues" (list .Values.nautobot.superUser.apitoken) "length" 40 "strong" false "context" $) -}}
{{- end -}}

{{- define "nautobot.superUser.password" -}}
{{- include "common.secrets.passwords.manage" (dict "secret" (include "nautobot.superUser.secretName" . ) "key" (include "nautobot.superUser.existingSecretPasswordKey" .) "providedValues" (list .Values.nautobot.superUser.password) "length" 64 "strong" true "context" $) -}}
{{- end -}}

{{/*
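Review bot: `providedValues` in the new `nautobot.django.secretKey`, `nautobot.superUser.apiToken` and `nautobot.superUser.password` helpers receives the resolved values (`.Values.nautobot.django.secretKey .Values.nautobot.secretKey`, `.Values.nautobot.superUser.apitoken`, `.Values.nautobot.superUser.password`), whereas the Bitnami `common.secrets.passwords.manage` helper treats each `providedValues` entry as a dotted `.Values` path and resolves it itself via `common.utils.getValueFromKey`; the removed code passed paths, `(list "nautobot.secretKey")`. With the values passed directly, a user-supplied key or password is looked up as if it were a path, comes back empty, and a random value is generated in its place, so `django.secretKey`, `superUser.password` and `superUser.apitoken` would be silently ignored on a fresh install (and a value containing a dot would fail the render). Suggested: `"providedValues" (list "nautobot.django.secretKey" "nautobot.secretKey")`, and likewise `(list "nautobot.superUser.password")` and `(list "nautobot.superUser.apitoken")`. Minor: `(printf "NAUTOBOT_SECRET_KEY")` and the two sibling `printf` calls take no format arguments and can be plain string literals.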
Expand Down Expand Up @@ -173,15 +190,15 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
{{- if .Values.nautobot.db.existingSecret -}}
{{- .Values.nautobot.db.existingSecret -}}
{{- else if eq .Values.postgresql.enabled true -}}
{{- default (printf "%s-db-password" (include "common.names.fullname" .)) .Values.postgresql.auth.existingSecret -}}
{{- default (printf "%s-postgresql" (include "common.names.fullname" .)) .Values.postgresql.auth.existingSecret -}}
{{- else if eq .Values.postgresqlha.enabled true -}}
{{- if .Values.postgresql.auth.existingSecret -}}
{{- default (printf "%s-db-password" (include "common.names.fullname" .)) .Values.postgresqlha.auth.existingSecret -}}
{{- default (printf "%s-postgresql" (include "common.names.fullname" .)) .Values.postgresqlha.auth.existingSecret -}}
{{- else -}}
{{- printf "%s-db-password" (include "common.names.fullname" .) -}}
{{- end -}}
{{- else if eq .Values.mariadb.enabled true -}}
{{- default (printf "%s-db-password" (include "common.names.fullname" .)) .Values.mariadb.auth.existingSecret -}}
{{- default (printf "%s-mariadb" (include "common.names.fullname" .)) .Values.mariadb.auth.existingSecret -}}
{{- else -}}
{{- printf "%s-db-password" (include "common.names.fullname" .) -}}
{{- end -}}
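Review bot: the guard on the `postgresqlha` branch tests `.Values.postgresql.auth.existingSecret`, while the changed line directly below it falls back to `.Values.postgresqlha.auth.existingSecret`; since that default is being touched anyway, the condition should test the same `postgresqlha` value, otherwise a user who sets only `postgresqlha.auth.existingSecret` drops into the `else` and gets the `-db-password` name. Separately, moving the default from `%s-db-password` to `%s-postgresql` / `%s-mariadb` means the pods now read the subchart's own Secret, whose key layout is dictated by the Bitnami charts; the matching key default is not part of this hunk, so please confirm the key helper falls back to the Bitnami key name when `existingSecretPasswordKey` is left empty.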
14 changes: 8 additions & 6 deletions charts/nautobot/templates/_secrets.tpl
@@ -1,7 +1,9 @@
{{- define "nautobot.secret.env" -}}
NAUTOBOT_SECRET_KEY: {{ include "nautobot.encryptedSecretKey" .}}
{{- if .Values.nautobot.superUser.enabled }}
NAUTOBOT_SUPERUSER_API_TOKEN: {{ include "nautobot.encryptedSuperUserAPIToken" .}}
NAUTOBOT_SUPERUSER_PASSWORD: {{ include "nautobot.encryptedSuperUserPassword" .}}
{{define "nautobot.secret.env" -}}
{{- if not .Values.nautobot.django.existingSecret -}}
NAUTOBOT_SECRET_KEY: {{ include "nautobot.django.secretKey" .}}
{{ end -}}
{{- if (and .Values.nautobot.superUser.enabled (not .Values.nautobot.superUser.existingSecret)) -}}
NAUTOBOT_SUPERUSER_API_TOKEN: {{ include "nautobot.superUser.apiToken" .}}
NAUTOBOT_SUPERUSER_PASSWORD: {{ include "nautobot.superUser.password" .}}
{{- end -}}
{{- end }}
{{ end }}
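Review bot: the trim markers in this template are deliberately asymmetric and that deserves a comment. The untrimmed newline before `{{ end -}}` after the `NAUTOBOT_SECRET_KEY:` line is the only separator between that key and the `NAUTOBOT_SUPERUSER_*` keys that follow, while every other action trims both sides so the template renders as an empty string when both `django.existingSecret` and `superUser.existingSecret` are set (which is what the new `secret.yaml` condition relies on). Someone later normalizing it to `{{- end -}}` would join the two keys on one line, so a short `{{/* ... */}}` note above the define would help. Also, when `django.existingSecret` is set, a `django.secretKey` or `nautobot.secretKey` supplied at the same time is silently ignored; a `fail` when both are provided would surface the misconfiguration.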
5 changes: 5 additions & 0 deletions charts/nautobot/templates/job.yaml
Expand Up @@ -81,6 +81,11 @@ spec:
secretKeyRef:
name: {{ include "nautobot.redis.passwordName" $ }}
key: {{ include "nautobot.redis.passwordKey" $ }}
- name: NAUTOBOT_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ include "nautobot.django.secretName" $ }}
key: {{ include "nautobot.django.existingSecretSecretKeyKey" $ }}
envFrom:
- configMapRef:
name: {{ include "common.names.fullname" $ }}-env-init
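Review bot: the superuser credentials are missing from this container's environment when `superUser.existingSecret` is set. The hunk adds only `NAUTOBOT_SECRET_KEY`, whereas the deployment hunks in this commit also inject `NAUTOBOT_SUPERUSER_PASSWORD` and `NAUTOBOT_SUPERUSER_API_TOKEN` from `superUser.existingSecret`, and `_secrets.tpl` no longer writes those keys into the `-env` Secret in that case. If this job's container is the one that honours `NAUTOBOT_CREATE_SUPERUSER` (see the `superUser.enabled` comment in `values.yaml`), it will never see the password or token; please confirm where the superuser is created and mirror the conditional block here if it is this job.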
34 changes: 34 additions & 0 deletions charts/nautobot/templates/nautobot-deployment.yaml
Expand Up @@ -91,6 +91,23 @@ spec:
secretKeyRef:
name: {{ include "nautobot.redis.passwordName" $ }}
key: {{ include "nautobot.redis.passwordKey" $ }}
- name: NAUTOBOT_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ include "nautobot.django.secretName" $ }}
key: {{ include "nautobot.django.existingSecretSecretKeyKey" $ }}
{{ if $nautobot.superUser.existingSecret -}}
- name: NAUTOBOT_SUPERUSER_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.superUser.secretName" $ }}
key: {{ include "nautobot.superUser.existingSecretPasswordKey" $ }}
- name: NAUTOBOT_SUPERUSER_API_TOKEN
valueFrom:
secretKeyRef:
name: {{ include "nautobot.superUser.secretName" $ }}
key: {{ include "nautobot.superUser.existingSecretApiTokenKey" $ }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "common.names.fullname" $ }}-env
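Review bot: the `{{ if $nautobot.superUser.existingSecret -}}` guard does not consider `superUser.enabled`, so the password and API token are mounted into the container even when superuser creation is disabled; `_secrets.tpl` in this commit uses `and .Values.nautobot.superUser.enabled (not ...existingSecret)`, and the same `and` belongs here for consistency. Also, `{{ if` without a left trim leaves an indented whitespace-only line in the rendered manifest; `{{- if` matches the `{{- end }}` that closes it.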
Expand Down Expand Up @@ -223,6 +240,23 @@ spec:
secretKeyRef:
name: {{ include "nautobot.redis.passwordName" $ }}
key: {{ include "nautobot.redis.passwordKey" $ }}
- name: NAUTOBOT_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ include "nautobot.django.secretName" $ }}
key: {{ include "nautobot.django.existingSecretSecretKeyKey" $ }}
{{ if $nautobot.superUser.existingSecret -}}
- name: NAUTOBOT_SUPERUSER_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "nautobot.superUser.secretName" $ }}
key: {{ include "nautobot.superUser.existingSecretPasswordKey" $ }}
- name: NAUTOBOT_SUPERUSER_API_TOKEN
valueFrom:
secretKeyRef:
name: {{ include "nautobot.superUser.secretName" $ }}
key: {{ include "nautobot.superUser.existingSecretApiTokenKey" $ }}
{{- end }}
envFrom:
- configMapRef:
name: {{ include "common.names.fullname" $ }}-env
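Review bot: this block is a line-for-line copy of the one added to the first container earlier in this file, including the unconditional `NAUTOBOT_SECRET_KEY` entry and the `existingSecret` guard with the same missing `superUser.enabled` check. Pulling these `env` entries into a named template (a `define` in `_helpers.tpl` taking the context, included with `nindent`) would keep the two containers from drifting, and the guard would then need fixing in one place only.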
8 changes: 6 additions & 2 deletions charts/nautobot/templates/secret.yaml
Expand Up @@ -14,9 +14,13 @@ metadata:
{{- end }}
type: Opaque
data:
{{- include "nautobot.secret.env" . | nindent 2 }}
{{- if (include "nautobot.secret.env" .) }}
{{ include "nautobot.secret.env" . | indent 2 }}
{{- else }}
{{ "{}" | indent 2 }}
{{- end }}

{{- if not ( or .Values.nautobot.db.existingSecret .Values.postgresql.auth.existingSecret .Values.mariadb.auth.existingSecret ) }}
{{- if .Values.nautobot.db.password }}
---
apiVersion: v1
kind: Secret
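Review bot: the condition for rendering the database Secret changed from `not (or ...existingSecret)` to `if .Values.nautobot.db.password`, so an external database configured without `db.password` and without any `existingSecret` now renders no Secret at all, while the `nautobot.db.secretName` helper's `else` branch still points the pods at `-db-password`; the mistake then surfaces as a missing-Secret error at pod start rather than at `helm template`. A `required` with a message along the lines of "set nautobot.db.password or an existingSecret" in that branch would fail early and clearly. The `{}` fallback for the `-env` Secret is sound (`data: {}` is valid YAML), though the whole Secret could simply be skipped when the include is empty.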
19 changes: 17 additions & 2 deletions charts/nautobot/values.yaml
Expand Up @@ -354,7 +354,7 @@ nautobot:
# -- Name of existing secret to use for Database passwords<sup>[1](#notes)</sup>
existingSecret: ""
# -- Password key to be retrieved from existing secret<sup>[1](#notes)</sup>
existingSecretPasswordKey: "NAUTOBOT_DB_PASSWORD"
existingSecretPasswordKey: ""
# -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#databases)] Nautobot external database hostname, ignored if `postgresql.enabled` is `true` (NAUTOBOT_DB_HOST)<sup>[1](#notes)</sup>
host: "postgres"
# -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#databases)] Nautobot external database name, ignored if `postgresql.enabled` is `true` (NAUTOBOT_DB_NAME)<sup>[1](#notes)</sup>
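Review bot: changing the `existingSecretPasswordKey` default from `"NAUTOBOT_DB_PASSWORD"` to `""` is a behaviour change for anyone who created their own `existingSecret` with that key name and relied on the default. The comment should say what an empty value resolves to (presumably the bundled chart's own key name), and the old default belongs in the upgrade notes.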
Expand All @@ -378,7 +378,7 @@ nautobot:
# -- Name of existing secret to use for Redis passwords<sup>[1](#notes)</sup>
existingSecret: ""
# -- Password key to be retrieved from existing secret<sup>[1](#notes)</sup>
existingSecretPasswordKey: "NAUTOBOT_REDIS_PASSWORD"
existingSecretPasswordKey: ""
# -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#rq_queues)] Nautobot external Redis hostname, ignored if `redis.enabled` is `true` (NAUTOBOT_REDIS_HOST)<sup>[1](#notes)</sup>
host: ""
# -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#rq_queues)] Nautobot external Redis password, ignored if `redis.enabled` is `true` (NAUTOBOT_REDIS_PASSWORD)<sup>[1](#notes)</sup>
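Review bot: same concern as for the database key above: `""` replaces `"NAUTOBOT_REDIS_PASSWORD"` as the default without the comment saying what the empty value falls back to. Document the fallback and the upgrade impact for users whose own Secret used the old default key.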
Expand All @@ -392,7 +392,22 @@ nautobot:

# -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#secret_key)] Nautobot Secret Key (NAUTOBOT_SECRET_KEY)<sup>[1](#notes)</sup>
secretKey: ""

django:
# -- Name of existing secret to use for NAUTOBOT_SECRET_KEY<sup>[1](#notes)</sup>
existingSecret: ""
# -- SecretKey key to be retrieved from existing secret<sup>[1](#notes)</sup>
existingSecretSecretKeyKey: ""
# -- [[ref](https://docs.nautobot.com/projects/core/en/stable/configuration/required-settings/#secret_key)] Nautobot Secret Key (NAUTOBOT_SECRET_KEY), takes priority over nautobot.secretKey<sup>[1](#notes)</sup>
secretKey: ""

superUser:
# -- Name of existing secret to use for superuser password and API token<sup>[1](#notes)</sup>
existingSecret: ""
# -- Password key to be retrieved from existing secret<sup>[1](#notes)</sup>
existingSecretPasswordKey: ""
# -- API Token key to be retrieved from existing secret<sup>[1](#notes)</sup>
existingSecretApiTokenKey: ""
# -- [[ref](https://nautobot.readthedocs.io/en/stable/docker/#nautobot_create_superuser)] Create a new super user account in Nautobot once deployed (NAUTOBOT_CREATE_SUPERUSER)<sup>[1](#notes)</sup>
enabled: true
# -- [[ref](https://nautobot.readthedocs.io/en/stable/docker/#nautobot_superuser_api_token)] Configure an API key for the super user if `nautobot.superUser.enabled` is `true` (NAUTOBOT_SUPERUSER_API_TOKEN)<sup>[1](#notes)</sup>
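Review bot: the precedence between the ways of supplying the Django key is only half documented. `django.secretKey` says it takes priority over `nautobot.secretKey`, but nothing says that `django.existingSecret` overrides both (as the templates do) or whether `nautobot.secretKey` is now deprecated; the same applies to `superUser.existingSecret` versus `superUser.password` and `superUser.apitoken`. One sentence per key on what wins would save users debugging a Secret that never picks up their value. The `existingSecretSecretKeyKey`, `existingSecretPasswordKey` and `existingSecretApiTokenKey` comments should also state the key names used when they are left empty (`NAUTOBOT_SECRET_KEY`, `NAUTOBOT_SUPERUSER_PASSWORD`, `NAUTOBOT_SUPERUSER_API_TOKEN`), as the helpers in this commit do.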
33 changes: 31 additions & 2 deletions docs/advanced-features/existing-secrets.md
@@ -1,6 +1,16 @@
# Existing Secrets

If you don't want to pass values through helm for either Redis or PostgreSQL there are a few options. If you want to deploy PostgreSQL and Redis with this chart:
If you don't want to pass values through helm for...

- Redis
- PostgreSQL
- MariaDB
- Nautobot Secret Key
- Superuser password and API token

...there's the option of creating these secrets manually and referencing them in the configuration.

For example, if you want to deploy PostgreSQL and Redis with this chart:

1. Create a secret with both PostgreSQL and Redis passwords:

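Review bot: the sentence split around the bullet list ("If you don't want to pass values through helm for... / ...there's the option") reads awkwardly once rendered; a complete sentence before the list, such as "The following secrets can be created manually and referenced in the configuration instead of being passed through Helm:", avoids the dangling ellipses.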
Expand Down Expand Up @@ -39,4 +49,23 @@ redis:
enabled: false
```

You can use various combinations of `existingSecret` and `existingSecretPasswordKey` options depending on the existing secrets you have deployed. (NOTE: The Bitnami PostgreSQL chart does require the key name to be "postgresql-password")
To reference an existing NAUTOBOT_SECRET_KEY you can use the following values:

```yaml
nautobot:
django:
existingSecret: "my-secret"
existingSecretSecretKeyKey: "NAUTOBOT_SECRET_KEY"
```
And/or for the superuser credentials you can use this configuration:
```yaml
nautobot:
superUser:
existingSecret: "my-secret"
existingSecretPasswordKey: "NAUTOBOT_SUPERUSER_PASSWORD"
existingSecretApiTokenKey: "NAUTOBOT_SUPERUSER_API_TOKEN"
```
You can use various combinations of `existingSecret` and `*Key` options depending on the existing secrets you have deployed.
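Review bot: the removed note about the Bitnami PostgreSQL chart requiring a specific key name is not replaced, yet the bundled Bitnami charts still dictate the key layout (this commit's `NOTES.txt` reads `postgres-password` from the `-postgresql` Secret), so the page should state which key names apply when `postgresql.enabled`, `postgresqlha.enabled` or `mariadb.enabled` is true and what the empty `*Key` defaults fall back to. Formatting: the fenced blocks after "And/or for the superuser credentials" and before "You can use various combinations" need a blank line on each side to render reliably, and `NAUTOBOT_SECRET_KEY` should be in backticks.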

0 comments on commit af603ff
