router - allow enrollment jwt from secret (#291)
* allow setting the enrollmentJwt from a secret

* helm-docs: automated action

* fix spelling mistake in description of enrollmentJwtFromSecret property

* helm-docs: automated action

* codespell

* bump router chart version

---------

Co-authored-by: Jan <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
3 people authored Jan 23, 2025
1 parent baa03d9 commit aa90dcc
Showing 5 changed files with 25 additions and 3 deletions.
Expand Up @@ -2,7 +2,7 @@
# CA to issue the controller's router control plane identity. This CA issues the
# server certificate that is presented by the controller to routers when they
# connect to the controller's "ctrl" endpoint, i.e. the router control plane. The
# same server certificate is re-used as a default identity if an alternative
# same server certificate is reused as a default identity if an alternative
# identity is not configured for a particular server TLS binding, e.g., web
# binding for the client API.
######
2 changes: 1 addition & 1 deletion charts/ziti-router/Chart.yaml
Expand Up @@ -3,4 +3,4 @@ appVersion: 1.1.16
description: Host an OpenZiti router in Kubernetes
name: ziti-router
type: application
version: 1.1.4
version: 1.1.5
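Review bot: the bump from `version: 1.1.4` to `version: 1.1.5` is a patch increment, but this commit adds two new values keys (`enrollmentJwtFromSecret`, `enrollmentJwtSecretName`) and a new code path in deployment.yaml, which under semver is a minor change; consider `1.2.0` so consumers pinning `~1.1.x` do not silently pick up the new behaviour.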
4 changes: 3 additions & 1 deletion charts/ziti-router/README.md
@@ -1,7 +1,7 @@
<!-- README.md generated by helm-docs from README.md.gotmpl -->
# ziti-router

![Version: 1.1.4](https://img.shields.io/badge/Version-1.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.16](https://img.shields.io/badge/AppVersion-1.1.16-informational?style=flat-square)
![Version: 1.1.5](https://img.shields.io/badge/Version-1.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.16](https://img.shields.io/badge/AppVersion-1.1.16-informational?style=flat-square)

Host an OpenZiti router in Kubernetes

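Review bot: the badge line is regenerated by helm-docs from Chart.yaml, so the `1.1.4` to `1.1.5` change here must track whatever version is finally chosen in Chart.yaml; if the Chart.yaml bump is revised, rerun helm-docs rather than editing this file by hand (the `<!-- README.md generated by helm-docs -->` header is the reminder).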
Expand Down Expand Up @@ -267,6 +267,8 @@ identity:
| edge.service.labels | object | `{}` | service labels |
| edge.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer; default is ClusterIP, but you could use NodePort or LoadBalancer instead of an ingress controller |
| enrollmentJwt | string | `nil` | enrollment one time token from the controller's management API |
| enrollmentJwtFromSecret | bool | `false` | allow for using a secret to specify the enrollment token instead of using the enrollmentJwt field if enabled, setting the enrollment token on the enrollmentJwt field has no effect |
| enrollmentJwtSecretName | string | `""` | set the enrollment jwt from a secret The enrollment token secret must be of the following format: apiVersion: v1 kind: Secret metadata: name: myEnrollmentJwtSecret type: Opaque data: enrollmentJwt: |
| env | object | `{}` | assign key=value in pod environment |
| execMountDir | string | `"/usr/local/bin"` | read-only mountpoint for executables (must be in image's executable search PATH) |
| fabric.metrics.enabled | bool | `false` | configure fabric metrics in the router config |
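Review bot: the new `enrollmentJwtSecretName` row is unreadable because helm-docs folds the multi-line Secret example from values.yaml into one table cell, leaving `apiVersion: v1 kind: Secret metadata: name: myEnrollmentJwtSecret type: Opaque data: enrollmentJwt:` run together and ending in a dangling `enrollmentJwt:` with no value. Since this file is generated, fix the source: keep the `# --` description in values.yaml to one sentence (e.g. "name of an existing Secret whose `enrollmentJwt` key holds the enrollment token") and move the manifest example into README.md.gotmpl where it can be fenced. The `enrollmentJwtFromSecret` row also runs two sentences together ("...instead of using the enrollmentJwt field if enabled, setting..."); a period before "if enabled" makes the meaning clear.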
7 changes: 7 additions & 0 deletions charts/ziti-router/templates/deployment.yaml
Expand Up @@ -59,7 +59,14 @@ spec:
{{- end }}
env:
- name: ZITI_ENROLL_TOKEN
{{- if .Values.enrollmentJwtFromSecret }}
valueFrom:
secretKeyRef:
name: {{ required (printf "You must set an enrollmentJwtSecretName, when using enrollmentJwtFromSecret. Try setting --set enrollmentJwtSecretName=myEnrollmentJwtSecret") .Values.enrollmentJwtSecretName }}
key: enrollmentJwt
{{- else }}
value: {{ .Values.enrollmentJwt | quote }}
{{- end }}
# must be true or enroll() will not be called
- name: ZITI_BOOTSTRAP
value: "true"
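Review bot: the `required` call wraps its message in `printf` with no format verbs, so the `printf` is a no-op; `required "You must set an enrollmentJwtSecretName when using enrollmentJwtFromSecret..." .Values.enrollmentJwtSecretName` reads cleaner. More importantly, the `secretKeyRef` key is hard-coded to `enrollmentJwt`, so a Secret created with any other key name (or via `kubectl create secret generic --from-file=...`, which uses the file name as the key) only fails at pod start with CreateContainerConfigError, not at template time; consider an `enrollmentJwtSecretKey` value defaulting to `enrollmentJwt` and a NOTES.txt hint. The `{{- if .Values.enrollmentJwtFromSecret }}` / `{{- else }}` gating is otherwise correct, and the secret path does what the commit intends: the one-time token no longer lands in the rendered release manifest or in `helm get values`. The else branch still renders `value: ""` when `enrollmentJwt` is nil, as before this change.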
13 changes: 13 additions & 0 deletions charts/ziti-router/values.yaml
Expand Up @@ -249,6 +249,19 @@ csr:
execMountDir: /usr/local/bin
# -- enrollment one time token from the controller's management API
enrollmentJwt:
# -- allow for using a secret to specify the enrollment token instead of using the enrollmentJwt field
# if enabled, setting the enrollment token on the enrollmentJwt field has no effect
enrollmentJwtFromSecret: false
# -- set the enrollment jwt from a secret
# The enrollment token secret must be of the following format:
# apiVersion: v1
# kind: Secret
# metadata:
# name: myEnrollmentJwtSecret
# type: Opaque
# data:
# enrollmentJwt:
enrollmentJwtSecretName: ""
# -- read-only mountpoint for router identity secret specified in deployment for use by router run container
identityMountDir: /etc/ziti/identity
# -- writeable mountpoint where read-only config file is projected to allow router
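Review bot: the `# --` comment above `enrollmentJwtSecretName: ""` continues across the whole manifest example, so helm-docs emits all of it as one README table cell; shorten the description to a single sentence and put the example in README.md.gotmpl. The example itself shows `data:` with `enrollmentJwt:` empty and does not say that `data` values must be base64-encoded; either show `stringData:` with the raw JWT or state the encoding, otherwise users will paste the token verbatim and the router will receive an invalid enrollment token. Having both `enrollmentJwtFromSecret: false` and `enrollmentJwtSecretName: ""` is redundant: the template could key on `enrollmentJwtSecretName` being non-empty, which removes the failure mode the `required` message in deployment.yaml exists to catch (bool set, name missing) and keeps the values surface smaller. Also add the missing period in "instead of using the enrollmentJwt field" before "if enabled".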