feat(cerebro): application.conf env vars from secret (#753)

Author: maxime1907

charts/cerebro/Chart.yaml

@@ -1,5 +1,5 @@
 name: cerebro
-version: 2.1.0
+version: 2.2.0
 appVersion: 0.9.4
 apiVersion: v2
 description: A Helm chart for Cerebro - a web admin tool to manage ElasticSearch

charts/cerebro/templates/deployment.yaml

@@ -30,7 +30,7 @@ spec:
         {{- toYaml .Values.deployment.podLabels | nindent 8 }}
         {{- end }}
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        checksum/config: {{ include (print $.Template.BasePath "/secret-app.yaml") . | sha256sum }}
         {{- if .Values.deployment.podAnnotations }}
         {{- toYaml .Values.deployment.podAnnotations | nindent 8 }}
         {{- end }}
@@ -77,11 +77,13 @@ spec:
             value: {{ $element | quote }}
           {{- end }}
           {{- end }}
-          {{- if .Values.envFromSecretRef }}
           envFrom:
+            - secretRef:
+                name: {{ template "cerebro.fullname" . }}-vars
+            {{- if .Values.envFromSecretRef }}
             - secretRef:
                 name: "{{ .Values.envFromSecretRef }}"
-          {{- end }}
+            {{- end }}
           {{- if .Values.deployment.livenessProbe.enabled}}
           livenessProbe:
             httpGet:
@@ -117,7 +119,7 @@ spec:
     {{- else }}
         - name: config
           secret:
-            secretName: {{ template "cerebro.fullname" . }}
+            secretName: {{ template "cerebro.fullname" . }}-app
     {{- end }}
     {{- with .Values.nodeSelector }}
       nodeSelector:

charts/cerebro/templates/secret.yaml renamed to charts/cerebro/templates/secret-app.yaml

@@ -3,19 +3,15 @@ apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
-  name: {{ template "cerebro.fullname" . }}
+  name: {{ template "cerebro.fullname" . }}-app
   labels:
     app: {{ template "cerebro.name" . }}
     chart: {{ template "cerebro.chart" . }}
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 stringData:
   application.conf: |-
-    {{- if .Values.config.secret }}
-    secret = {{ .Values.config.secret | quote }}
-    {{- else }}
-    secret = {{ randAlphaNum 64 | quote }}
-    {{- end }}
+    secret = ${?CEREBRO_COOKIE_SECRET}
 
     {{- if .Values.config.tlsVerify }}
     play.ws.ssl.loose.acceptAnyCertificate = false
@@ -79,8 +75,16 @@ stringData:
         {{- end }}
         {{- if $element.auth }}
         auth = {
+          {{- if hasPrefix "${?" $element.auth.username }}
+          username = {{ $element.auth.username }}
+          {{- else }}
           username = {{ $element.auth.username | quote }}
+          {{- end }}
+          {{- if hasPrefix "${?" $element.auth.password }}
+          password = {{ $element.auth.password }}
+          {{- else }}
           password = {{ $element.auth.password | quote }}
+          {{- end }}
         }
         {{- end }}
       }

charts/cerebro/templates/secret-vars.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ template "cerebro.fullname" . }}-vars
+  labels:
+    app: {{ template "cerebro.name" . }}
+    chart: {{ template "cerebro.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  {{- if .Values.config.secret }}
+  CEREBRO_COOKIE_SECRET: {{ .Values.config.secret | b64enc | quote }}
+  {{- else }}
+  CEREBRO_COOKIE_SECRET: {{ randAlphaNum 64 | b64enc | quote }}
+  {{- end }}
+  {{- range $index, $element := .Values.secretEnv }}
+  {{ $index }}: {{ $element | b64enc | quote }}
+  {{- end }}

charts/cerebro/values.yaml

@@ -67,6 +67,9 @@ env: {}
   # AUTH_TYPE: "basic"
   # BASIC_AUTH_USER: "admin"
 
+secretEnv: {}
+  # BASIC_AUTH_PWD: "secretpass"
+
 # Reference to a Secret object with environment variables
 # envFromSecretRef: 'my-secret-ref'