Merge pull request #235 from openziti/env_secrets_block

Add support for injecting secrets as environment variables (ziti-controller chart)
openziti · Jul 23, 2024 · ffb69ea · ffb69ea
2 parents 3fc1f5c + c512080
commit ffb69ea
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 2 deletions.
diff --git a/charts/ziti-controller/Chart.yaml b/charts/ziti-controller/Chart.yaml
@@ -16,4 +16,4 @@ dependencies:
 description: Host an OpenZiti controller in Kubernetes
 name: ziti-controller
 type: application
-version: 1.0.11
+version: 1.0.12
diff --git a/charts/ziti-controller/README.md b/charts/ziti-controller/README.md
@@ -2,7 +2,7 @@
 
 # ziti-controller
 
-![Version: 1.0.11](https://img.shields.io/badge/Version-1.0.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.3](https://img.shields.io/badge/AppVersion-1.1.3-informational?style=flat-square)
+![Version: 1.0.12](https://img.shields.io/badge/Version-1.0.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.3](https://img.shields.io/badge/AppVersion-1.1.3-informational?style=flat-square)
 
 Host an OpenZiti controller in Kubernetes
 
@@ -235,6 +235,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
 | edgeSignerPki.admin_client_cert.renewBefore | string | `"720h"` | renew admin client certificate before expiry as Go time.Duration |
 | edgeSignerPki.enabled | bool | `true` | generate a separate PKI root of trust for the edge signer CA |
 | env | string | `nil` | set name to value in containers' environment |
+| envSecrets | string | `nil` | set secrets as environment variables in the container |
 | fabric.events.enabled | bool | `false` | enable fabric event logger and file handler |
 | fabric.events.fileName | string | `"fabric-events.json"` |  |
 | fabric.events.mountDir | string | `"/var/run/ziti"` |  |

diff --git a/charts/ziti-controller/templates/deployment.yaml b/charts/ziti-controller/templates/deployment.yaml
@@ -132,10 +132,19 @@ spec:
                 secretKeyRef:
                   name:  {{ include "ziti-controller.fullname" . }}-admin-secret
                   key: admin-password
+            # Add additional environment variables
             {{- range $key, $val := .Values.env }}
             - name: {{ $key | quote }}
               value: {{ $val | quote }}
             {{- end }}
+            # Add additional secrets as environment variables
+            {{- range .Values.envSecrets }}
+            - name: {{ .name | quote }}
+              valueFrom:
+               secretKeyRef:
+                 name: {{ .valueFrom.secretKeyRef.name | quote }}
+                 key: {{ .valueFrom.secretKeyRef.key | quote }}
+            {{- end }}
           volumeMounts:
             - mountPath: {{ include "dataMountDir" . }}
               name: data

diff --git a/charts/ziti-controller/values.yaml b/charts/ziti-controller/values.yaml
@@ -74,6 +74,14 @@ managementApi:
 env:
 # SOME_ENV: "true"
 
+# -- set secrets as environment variables in the container
+envSecrets:
+#  - name: SOME_SECRET_ENV
+#    valueFrom:
+#      secretKeyRef:
+#        name: some-secret
+#        key: some_secret_key
+
 prometheus:
   # -- cluster service target port on the container
   containerPort: 9090