More options for elasticsearch secret creation

andrii-korotkov-verkada · andrii-korotkov-verkada · commit ba83309730bb · 2024-12-22T05:04:25.000-08:00
Sometimes you don't want to include secret data in Git manifest for security reasons, e.g. when storing manifests in Git and deploying with ArgoCD. However, you may still want to generate a secret itself and then edit it's data section later, e.g. manually with kubectl. Provide more options of generating the secret while keeping backwards compatibility. Helps with: apache#45140 Signed-off-by: Andrii Korotkov <andrii.korotkov@verkada.com>
diff --git a/chart/templates/secrets/elasticsearch-secret.yaml b/chart/templates/secrets/elasticsearch-secret.yaml
@@ -20,11 +20,11 @@
 ################################
 ## Elasticsearch Secret
 #################################
-{{- if (and .Values.elasticsearch.enabled (not .Values.elasticsearch.secretName)) }}
+{{- if (and .Values.elasticsearch.enabled (or (not .Values.elasticsearch.secretName) .Values.elasticsearch.alwaysGenerateSecret)) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "airflow.fullname" . }}-elasticsearch
+  name: {{ template "elasticsearch_secret" . }}
   labels:
     release: {{ .Release.Name }}
     chart: {{ .Chart.Name }}
@@ -33,12 +33,14 @@ metadata:
       {{- toYaml . | nindent 4 }}
     {{- end }}
 type: Opaque
+{{- with .Values.elasticsearch.connection }}
+{{- if . }}
 data:
-  {{- with .Values.elasticsearch.connection }}
-    {{- if and .user .pass }}
-      connection: {{ urlJoin (dict "scheme" (default "http" .scheme) "userinfo" (printf "%s:%s" (.user | urlquery) (.pass | urlquery)) "host" (printf "%s:%s" .host ((default 9200 .port) | toString) ) ) | b64enc | quote }}
-    {{- else }}
-    connection: {{ urlJoin (dict "scheme" (default "http" .scheme) "host" (printf "%s:%s" .host ((default 9200 .port) | toString))) | b64enc | quote }}
-    {{- end }}
+  {{- if and .user .pass }}
+  connection: {{ urlJoin (dict "scheme" (default "http" .scheme) "userinfo" (printf "%s:%s" (.user | urlquery) (.pass | urlquery)) "host" (printf "%s:%s" .host ((default 9200 .port) | toString) ) ) | b64enc | quote }}
+  {{- else }}
+  connection: {{ urlJoin (dict "scheme" (default "http" .scheme) "host" (printf "%s:%s" .host ((default 9200 .port) | toString))) | b64enc | quote }}
   {{- end }}
 {{- end }}
+{{- end }}
+{{- end }}
diff --git a/chart/values.schema.json b/chart/values.schema.json
@@ -8000,6 +8000,11 @@
                     ],
                     "default": null
                 },
+                "alwaysGenerateSecret": {
+                    "description": "Whether to generate a secret even if secretName is specified.",
+                    "type": "boolean",
+                    "default": false
+                },
                 "connection": {
                     "description": "Elasticsearch connection configuration.",
                     "type": "object",
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -2463,6 +2463,8 @@ elasticsearch:
   enabled: false
   # A secret containing the connection
   secretName: ~
+  # Whether to generate a secret even if secretName is specified
+  alwaysGenerateSecret: false
   # Or an object representing the connection
   # Example:
   # connection:
