eikek#2502 Added the option supply existing Kubernetes secrets to loa…

…d secret values.
TheAnachronism · Feb 18, 2024 · 8cf36db · 8cf36db
1 parent 53160d3
commit 8cf36db
Show file tree

Hide file tree

Showing 9 changed files with 220 additions and 34 deletions.
diff --git a/kubernetes/helm/docspell/templates/_configs.tpl b/kubernetes/helm/docspell/templates/_configs.tpl
@@ -15,7 +15,9 @@
 {{- $envPrefix = "DOCSPELL_JOEX_JDBC" -}}
 {{- end }}
 {{ $envPrefix }}_USER: {{ .context.Values.postgresql.global.postgresql.auth.username }}
+{{- if not .context.Values.postgresql.global.postgresql.auth.existingSecret }}
 {{ $envPrefix }}_PASSWORD: {{ .context.Values.postgresql.global.postgresql.auth.password }}
+{{- end }}
 {{ $envPrefix }}_URL: {{ include "postgresql.jdbcUrl" .context }}
 {{- end -}}
 {{- end -}}

diff --git a/kubernetes/helm/docspell/templates/_helpers.tpl b/kubernetes/helm/docspell/templates/_helpers.tpl
@@ -57,4 +57,4 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end -}}
-{{- end -}}
+{{- end -}}
diff --git a/kubernetes/helm/docspell/templates/joex/_existingSecrets.yaml b/kubernetes/helm/docspell/templates/joex/_existingSecrets.yaml
@@ -0,0 +1,10 @@
+{{- define "docspell.joex.secrets.existingSecrets" -}}
+{{/*PostgreSQL Password*/}}
+{{- if .Values.postgresql.global.postgresql.auth.existingSecret -}}
+- name: DOCSPELL_JOEX_JDBC_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.global.postgresql.auth.existingSecret }}
+      key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | default "password" }}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/helm/docspell/templates/joex/deployment.yaml b/kubernetes/helm/docspell/templates/joex/deployment.yaml
@@ -27,6 +27,7 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/joex/config.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/joex/secret.yaml") . | sha256sum }}
         {{- with .Values.joex.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -51,6 +52,8 @@ spec:
           ports:
           - containerPort: {{ .Values.joex.service.port }}
             name: http
+          env:
+          {{- include "docspell.joex.secrets.existingSecrets" . | nindent 10 }}
           envFrom:
           - configMapRef:
               name: {{ include "docspell.fullname" . }}-joex

diff --git a/kubernetes/helm/docspell/templates/restserver/_configs.tpl b/kubernetes/helm/docspell/templates/restserver/_configs.tpl
@@ -32,9 +32,14 @@
 
 {{/*Auth Secrets*/}}
 {{- define "docspell.server.secrets.auth" -}}
-{{- with .Values.docspell.server.auth.serverSecret }}
+{{- if .Values.docspell.server.auth.serverSecret -}}
+{{- if and .Values.docspell.server.auth.serverSecret.value .Values.docspell.server.auth.serverSecret.existingSecret -}}
+{{- fail "Only either a fixed server secret or an existing secret should be specified" -}}
+{{- end -}}
+{{- with .Values.docspell.server.auth.serverSecret.value }}
 DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}
-{{- end }}
+{{- end -}}
+{{- end -}}
 {{- end -}}
 
 {{/*Download Config*/}}
@@ -71,7 +76,7 @@ DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}
 {{- define "docspell.server.secrets.openid" -}}
 {{- $envPrefix := "DOCSPELL_SERVER_OPENID" -}}
 {{- range $index, $entry := .Values.docspell.server.openid -}}
-{{- if $entry.enabled -}}
+{{- if and $entry.enabled (not $entry.provider.existingSecret) -}}
 {{- $envPrefix = printf "%s_%s_PROVIDER" $envPrefix ($index | toString) }}
 {{ $envPrefix }}_CLIENT__ID: {{ $entry.provider.clientId }}
 {{ $envPrefix }}_CLIENT__SECRET: {{ $entry.provider.clientSecret }}
@@ -110,24 +115,40 @@ DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}
 
 {{/*Integration Endpoint Secrets*/}}
 {{- define "docspell.server.secrets.integrationEndpoint" -}}
-{{- if .Values.docspell.server.integrationEndpoint.httpBasic.enabled | quote -}}
-{{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__BASIC" -}}
+{{- if .Values.docspell.server.integrationEndpoint.httpBasic.enabled -}}
+{{- if and .Values.docspell.server.integrationEndpoint.httpBasic.credentials .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret -}}
+{{- fail "Only either the fixed credentials or an existing secret for the httpBasic integration endpoint should be set" -}}
+{{- end -}}
+{{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC" -}}
 {{ $envPrefix}}_REALM: {{ .Values.docspell.server.integrationEndpoint.httpBasic.realm }}
-{{ $envPrefix}}_USER: {{ .Values.docspell.server.integrationEndpoint.httpBasic.user }}
-{{ $envPrefix}}_PASSWORD: {{ .Values.docspell.server.integrationEndpoint.httpBasic.password }}
+{{- with .Values.docspell.server.integrationEndpoint.httpBasic.credentials }}
+{{ $envPrefix}}_USER: {{ .username }}
+{{ $envPrefix}}_PASSWORD: {{ .password }}
+{{- end -}}
 {{- end }}
-{{- if .Values.docspell.server.integrationEndpoint.httpHeader.enabled | quote -}}
-{{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__HEADER" }}
+{{- if .Values.docspell.server.integrationEndpoint.httpHeader.enabled -}}
+{{- if and .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret -}}
+{{- fail "Only either the fixed header value or an existing secret for the http header ingration endpoint should be set" -}}
+{{- end -}}
+{{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER" }}
 {{ $envPrefix }}_HEADER__NAME: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerName }}
-{{ $envPrefix }}_HEADER__VALUE: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue }}
+{{- with .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value -}}
+{{ $envPrefix }}_HEADER__VALUE: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value }}
+{{- end -}}
 {{- end }}
 {{- end -}}
 
 {{/*Admin Endpoint Secrets*/}}
 {{- define "docspell.server.secrets.adminEndpoint" -}}
-{{- with .Values.docspell.server.adminEndpoint.secret }}
-DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }}
-{{- end }}
+{{- if .Values.docspell.server.adminEndpoint.enabled -}}
+{{- $context := . -}}
+{{- with .Values.docspell.server.adminEndpoint.secret -}}
+{{- if $context.Values.docspell.server.adminEndpoint.existingSecret }}
+{{- fail "Only either the fixed value or an existing secret for the admin endpoint should be set" -}}
+{{- end -}}
+DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ .value }}
+{{- end -}}
+{{- end -}}
 {{- end -}}
 
 {{/*Signup Settings*/}}
@@ -142,6 +163,12 @@ DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }}
 {{/*Signup Secrets*/}}
 {{- define "docspell.server.secrets.signup" -}}
 {{- if eq .Values.docspell.server.backend.signup.mode "invite" }}
-DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ .Values.docspell.server.backend.signup.newInvitePassword }}
+{{- $context := . -}}
+{{- with .Values.docspell.server.backend.signup.newInvitePassword.value -}}
+{{- if $context.Values.docspell.server.backend.signup.newInvitePassword.existingSecret -}}
+{{- fail "Only either the fixed value or an existing secret for the new invite password should be set" -}}
+{{- end -}}
+DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ . }}
+{{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl b/kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl
@@ -0,0 +1,86 @@
+{{- define "docspell.server.secrets.existingSecrets" -}}
+{{/*Server Secret*/}}
+{{- if .Values.docspell.server.auth.serverSecret -}}
+{{- if and .Values.docspell.server.auth.serverSecret.existingSecret (not .Values.docspell.server.auth.serverSecret.value) -}}
+- name: DOCSPELL_SERVER_AUTH_SERVER__SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.docspell.server.auth.serverSecret.existingSecret.name }}
+      key: {{ .Values.docspell.server.auth.serverSecret.existingSecret.key }}
+{{- end -}}
+{{- end }}
+{{/*OIDC Secrets*/}}
+{{- range $index, $entry := .Values.docspell.server.openid -}}
+{{- if and $entry.enabled $entry.provider.existingSecret -}}
+{{- $envPrefix := printf "%s_%s_PROVIDER" "DOCSPELL_SERVER_OPENID" ($index | toString) -}}
+- name: {{ $envPrefix }}_CLIENT__ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ $entry.provider.existingSecret.name }}
+      key: {{ $entry.provider.existingSecret.clientIdKey }}
+- name: {{ $envPrefix }}_CLIENT__SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ $entry.provider.existingSecret.name }}
+      key: {{ $entry.provider.existingSecret.clientSecretKey }}
+- name: {{ $envPrefix }}_SIGN__KEY
+{{- if $entry.provider.existingSecret.signKeyKey -}}
+  valueFrom:
+    secretKeyRef:
+      name: {{ $entry.provider.existingSecret.name }}
+      key: {{ $entry.provider.existingSecret.signKeyKey }}
+{{- else }}
+  value: ""
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{/*Integration Endpoint Http Basic Auth*/}}
+{{- if .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret }}
+- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_USER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }}
+      key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.usernameKey }}
+- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }}
+      key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.passwordKey }}
+{{- end }}
+{{/*Integration Endpoint Http Header Auth*/}}
+{{- if and .Values.docspell.server.integrationEndpoint.enabled .Values.docspell.server.integrationEndpoint.httpHeader.enabled -}}
+{{- if .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret }}
+- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER_HEADER__VALUE
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.name }}
+      key: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.key }}
+{{- end -}}
+{{- end }}
+{{/*Admin Endpoint Secret*/}}
+{{- with .Values.docspell.server.adminEndpoint.existingSecret }}
+- name: DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .name }}
+      key: {{ .key }}
+{{- end }}
+{{/*Sign Up Invitation Generation Password*/}}
+{{- if eq .Values.docspell.server.backend.signup.mode "invite" -}}
+{{- with .Values.docspell.server.backend.signup.newInvitePassword.existingSecret }}
+- name: DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .name }}
+      key: {{ .key }}
+{{- end -}}
+{{- end }}
+{{/*PostgreSQL Password*/}}
+{{- if .Values.postgresql.global.postgresql.auth.existingSecret -}}
+- name: DOCSPELL_SERVER_BACKEND_JDBC_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.postgresql.global.postgresql.auth.existingSecret }}
+      key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | default "password" }}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/helm/docspell/templates/restserver/deployment.yaml b/kubernetes/helm/docspell/templates/restserver/deployment.yaml
@@ -27,6 +27,7 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/restserver/config.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/restserver/secret.yaml") . | sha256sum }}
         {{- with .Values.restserver.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -47,6 +48,8 @@ spec:
           ports:
           - containerPort: {{ .Values.restserver.service.port }}
             name: http
+          env:
+          {{- include "docspell.server.secrets.existingSecrets" . | nindent 10 }}
           envFrom:
           - configMapRef:
               name: {{ include "docspell.fullname" . }}-restserver

diff --git a/kubernetes/helm/docspell/templates/restserver/secret.yaml b/kubernetes/helm/docspell/templates/restserver/secret.yaml
@@ -7,11 +7,19 @@ metadata:
 type: Opaque
 stringData:
     assertions:
-      {{- if and (gt .Values.restserver.replicaCount 1.0) (not .Values.docspell.server.auth.serverSecret) -}}
+      {{- if gt .Values.restserver.replicaCount 1.0 }}
+      {{- if not .Values.docspell.server.auth.serverSecret -}}
       {{- fail "If multiple replicas are running of the rest server, the server secret has to be fixed." -}}
+      {{- else if not (or  .Values.docspell.server.auth.serverSecret.existingSecret .Values.docspell.server.auth.serverSecret.value) }}
+      {{- end -}}
+      {{- if and .Values.docspell.server.adminEndpoint.enabled (and (not .Values.docspell.server.adminEndpoint.existingSecret) (not .Values.docspell.server.adminEndpoint.secret)) -}}
+      {{- fail "When enabling the administration endpoint, a value for authentication has the supplied." -}}
+      {{- end -}}
+      {{- end -}}
+      {{- if eq .Values.docspell.server.backend.signup.mode "invite" -}}
+      {{- if not .Values.docspell.server.backend.signup.newInvitePassword -}}
+      {{- fail "Invite password has to be set, when using signup mode 'invite'." -}}
       {{- end -}}
-      {{- if and (eq .Values.docspell.server.backend.signup.mode "invite") (not .Values.docspell.server.backend.signup.newInvitePassword) -}}
-      {{- fail "Invite password has to be set, when using signup mode 'invite'" -}}
       {{- end -}}
     {{- include "docspell.server.secrets.auth" . | nindent 4 }}
     {{- include "docspell.server.secrets.openid" . | nindent 4 }}