diff --git a/charts/geonode/README.md b/charts/geonode/README.md index 9edca1b..5309d32 100644 --- a/charts/geonode/README.md +++ b/charts/geonode/README.md @@ -60,9 +60,6 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.general.publishing.admin_moderate_uploads | bool | `false` | ADMIN_MODERATE_UPLOADS When this variable is set to True, every uploaded resource must be approved before becoming visible to the public users. Until a resource is in PENDING APPROVAL state, only the superusers, owner and group members can access it, unless specific edit permissions have been set for other users or groups. A Group Manager can approve the resource, but he cannot publish it whenever the setting RESOURCE_PUBLISHING is set to True. Otherwise, if RESOURCE_PUBLISHING (helm: resource_publishing_by_staff) is set to False, the resource becomes accessible as soon as it is approved. | | geonode.general.publishing.resource_publishing_by_staff | bool | `false` | RESOURCE_PUBLISHING By default, the GeoNode application allows GeoNode staff members to publish/unpublish resources. By default, resources are published when created. When this setting is set to True the staff members will be able to unpublish a resource (and eventually publish it back). | | geonode.general.settings_module | string | `"geonode.settings"` | the settings module to load | -| geonode.general.superUser.email | string | `"support@example.com"` | admin user password | -| geonode.general.superUser.password | string | `"geonode"` | admin panel password | -| geonode.general.superUser.username | string | `"admin"` | admin username | | geonode.haystack.enabled | bool | `false` | enable hystack | | geonode.haystack.engine_index_name | string | `"haystack"` | hystack index name | | geonode.haystack.engine_url | string | `"http://elasticsearch:9200/"` | hystack url | 
@@ -78,7 +75,6 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.ldap.attr_map_first_name | string | `"givenName"` | given name attribute used from ldap | | geonode.ldap.attr_map_last_name | string | `"sn"` | last name attribute used from ldap | | geonode.ldap.bind_dn | string | `"CN=Users,DC=ad,DC=example,DC=com"` | ldap user bind dn | -| geonode.ldap.bind_password | string | `"password"` | ldap password | | geonode.ldap.enabled | bool | `false` | enable ldap AUTHENTICATION_BACKENDS in DJANGO Geonode | | geonode.ldap.group_search_dn | string | `"OU=Groups,DC=ad,DC=example,DC=com"` | ldap group search dn | | geonode.ldap.group_search_filterstr | string | `"(objectClass=group)"` | ldap group filterstr | 
@@ -88,13 +84,10 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.ldap.user_search_filterstr | string | `"(sAMAccountName=%(user)s)"` | ldap user filterstr | | geonode.mail.backend | string | `"django.core.mail.backends.smtp.EmailBackend"` | set mail backend in geonode settings | | geonode.mail.enabled | bool | `false` | enables mail configuration for geonode | -| geonode.mail.from | string | `"changeme@web.de"` | define from mail-addr | | geonode.mail.host | string | `"smtp.gmail.com"` | set mail host for genode mail | -| geonode.mail.password | string | `"changeme"` | set password for mailuser in geonode | | geonode.mail.port | string | `"587"` | mail port fo geonode mail | | geonode.mail.tls | bool | `true` | activate tls for geonode mail (only tls or ssl can be true not both) | | geonode.mail.use_ssl | bool | `false` | enable ssl for geonode mail (only tls or ssl can be true not both) | -| geonode.mail.user | string | `"changeme"` | define mail user to send mails from | | geonode.memcached.enabled | bool | `true` | enable memcache, this will spawn one or more seperate memcache container(s) and configure django geonode repsectivly. Dynamic caching (see https://docs.djangoproject.com/en/4.0/topics/cache/) | | geonode.memcached.lock_expire | string | `"3600"` | memcached lock expire time | | geonode.memcached.lock_timeout | string | `"10"` | memcached lock timeout | 
@@ -105,9 +98,9 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.monitoring.user_analytics_gzip | bool | `true` | | | geonode.persistant.storageSize | string | `"10Gi"` | size of persistant geonode storage | | geonode.pod_name | string | `"geonode"` | pod name | -| geonode.register | object | `{"approval_required":false,"authentication_method":"user_email","auto_assign_registered_members_to_registered":true,"confirm_email_on_get":true,"conformation_required":true,"email_required":true,"email_verification":"mandatory","open_signup":true,"registered_members_group_name":null,"show_profile_email":true}` | Find docs for register values under: - https://docs.geonode.org/en/3.3.x/basic/settings/index.html - https://github.com/pinax/django-user-accounts/blob/master/docs/settings.rst - https://django-allauth.readthedocs.io/en/latest/configuration.html | +| geonode.register | object | `{"approval_required":false,"authentication_method":"username_email","auto_assign_registered_members_to_registered":true,"confirm_email_on_get":true,"conformation_required":true,"email_required":true,"email_verification":"mandatory","open_signup":true,"registered_members_group_name":null,"show_profile_email":true}` | Find docs for register values under: - https://docs.geonode.org/en/3.3.x/basic/settings/index.html - https://github.com/pinax/django-user-accounts/blob/master/docs/settings.rst - https://django-allauth.readthedocs.io/en/latest/configuration.html | | geonode.register.approval_required | bool | `false` | approve given email with registration | -| geonode.register.authentication_method | string | `"user_email"` | Specifies the login method to use – whether the user logs in by entering their username, e-mail address, or either one of both. 
Setting this to “email” requires email_required=True | +| geonode.register.authentication_method | string | `"username_email"` | Specifies the login method to use – whether the user logs in by entering their username, e-mail address, or either one of both. Setting this to “email” requires email_required=True | | geonode.register.auto_assign_registered_members_to_registered | bool | `true` | if set to True new registered user will be add to defined group in registered_members_group_name | | geonode.register.confirm_email_on_get | bool | `true` | send confirm email on get | | geonode.register.conformation_required | bool | `true` | If True, new user accounts will be created as inactive. The user must use the activation link to activate his account. | 
@@ -121,6 +114,14 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.resources.limits.memory | string | `"2Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | geonode.resources.requests.cpu | int | `1` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | geonode.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| geonode.secret.existingSecretName | string | `""` | name of an existing Secret to use. Set, if you want to separately maintain the Secret. | +| geonode.secret.ldap.bind_password | string | `"password"` | ldap password | +| geonode.secret.mail.from | string | `"changeme@web.de"` | define from mail-addr | +| geonode.secret.mail.password | string | `"changeme"` | set password for mailuser in geonode | +| geonode.secret.mail.user | string | `"changeme"` | define mail user to send mails from | +| geonode.secret.superUser.email | string | `"support@example.com"` | admin user password | +| geonode.secret.superUser.password | string | `"geonode"` | admin panel password | +| geonode.secret.superUser.username | string | `"admin"` | admin username | | geonode.sentry.build_number | int | `0` | sentry build number | | geonode.sentry.dsn | string | `""` | sentry dsn url | | geonode.sentry.enabled | bool | `false` | enable sentry integration for geonode | 
@@ -145,9 +146,7 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.uwsgi.reload_on_rss | int | `2048` | Restart workers after this much resident memory | | geonode.uwsgi.worker_reload_mercy | int | `60` | How long to wait before forcefully killing workers | | geonodeFixtures | map of fixture files | `{"somefixture.json":"[\n {\n \"pk\": 0,\n \"model\": \"myapp.sample\"\n \"description\": \"nice little content\"\n }\n]\n"}` | Fixture files which shall be made available under /usr/src/geonode/geonode/fixtures (refer to https://docs.djangoproject.com/en/4.2/howto/initial-data/) | -| geoserver | object | `{"admin_password":"geoserver","admin_username":"admin","container_name":"geoserver","image":{"name":"geonode/geoserver","tag":"2.23.0"},"pod_name":"geoserver","port":8080,"resources":{"limits":{"cpu":2,"memory":"4Gi"},"requests":{"cpu":1,"memory":"1Gi"}}}` | CONFIGURATION FOR GEOSERVER DEPLOYMENT | -| geoserver.admin_password | string | `"geoserver"` | geoserver admin password | -| geoserver.admin_username | string | `"admin"` | geoserver admin username | +| geoserver | object | `{"container_name":"geoserver","image":{"name":"geonode/geoserver","tag":"2.23.0"},"pod_name":"geoserver","port":8080,"resources":{"limits":{"cpu":2,"memory":"4Gi"},"requests":{"cpu":1,"memory":"1Gi"}},"secret":{"admin_password":"geoserver","admin_username":"admin","existingSecretName":""}}` | CONFIGURATION FOR GEOSERVER DEPLOYMENT | | geoserver.container_name | string | `"geoserver"` | geoserver container name | | geoserver.image.name | string | `"geonode/geoserver"` | geoserver image docker image (default in zalf namespace because geonode one was not up to date) | | geoserver.image.tag | string | `"2.23.0"` | geoserver docker image tag | 
@@ -158,6 +157,9 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geoserver.resources.limits.memory | string | `"4Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | geoserver.resources.requests.cpu | int | `1` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | geoserver.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| geoserver.secret.admin_password | string | `"geoserver"` | geoserver admin password | +| geoserver.secret.admin_username | string | `"admin"` | geoserver admin username | +| geoserver.secret.existingSecretName | string | `""` | name of an existing Secret to use. Set, if you want to separately maintain the Secret. | | global.accessMode | string | `"ReadWriteMany"` | storage access mode used by helm dependency pvc | | global.storageClass | string | `nil` | storageClass used by helm dependencies pvc | | memcached.architecture | string | `"high-availability"` | memcached replica. Loadbalanaced via kubernetes. (only one entry in django settings.py) im memcached is activated under geonode.memcached.enabled this takes place | 
@@ -179,11 +181,12 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | postgres-operator.podServiceAccount | object | `{"name":""}` | not setting the podServiceAccount name will leed to generation of this name. This allows to run multiple postgres-operators in a single kubernetes cluster. just seperating them by namespace. | | postgres-operator.storageClass | string | `nil` | postgress pv storageclass | | postgres.external_postgres.enabled | bool | `false` | | -| postgres.external_postgres.geodata_password | string | `"geogeonode"` | | -| postgres.external_postgres.geonode_password | string | `"geonode"` | | | postgres.external_postgres.hostname | string | `"my-external-postgres.com"` | | | postgres.external_postgres.port | int | `5432` | | -| postgres.external_postgres.postgres_password | string | `"postgres"` | | +| postgres.external_postgres.secret.existingSecretName | string | `""` | name of an existing Secret to use. Set, if you want to separately maintain the Secret. | +| postgres.external_postgres.secret.geodata_password | string | `"geogeonode"` | | +| postgres.external_postgres.secret.geonode_password | string | `"geonode"` | | +| postgres.external_postgres.secret.postgres_password | string | `"postgres"` | | | postgres.geodata_databasename_and_username | string | `"geodata"` | geoserver database name and username | | postgres.geonode_databasename_and_username | string | `"geonode"` | geonode database name and username | | postgres.operator_manifest | object | `{"numberOfInstances":1,"pod_name":"postgresql","postgres_version":15,"storageSize":"3Gi"}` | configuration for postgres operator database manifest | 
@@ -193,9 +196,24 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | postgres.operator_manifest.storageSize | string | `"3Gi"` | Database storage size | | postgres.schema | string | `"public"` | database schema | | postgres.username | string | `"postgres"` | postgres username | -| rabbitmq | object | `{"auth":{"erlangCookie":"jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu","password":"rabbitpassword","username":"rabbituser"},"enabled":true,"limits":{"cpu":"750m","memory":"1Gi"},"persistence":{"enabled":false},"replicaCount":1,"requests":{"cpu":"500m","memory":"1Gi"}}` | VALUES DEFINITION https://github.com/bitnami/charts/blob/master/bitnami/rabbitmq/values.yaml | +| pycsw.config | string | [server] ... | pycsw config file parameters, see docs: https://docs.pycsw.org/_/downloads/en/latest/pdf/ | +| pycsw.container_name | string | `"pycsw"` | pycsw container name | +| pycsw.enabled | bool | `true` | enable single pycsw pod | +| pycsw.endpoint | string | `"/catalogue/csw"` | pycsw url below geonode.ingress.externalDomain | +| pycsw.image.name | string | `"geopython/pycsw"` | pycsw docker image | +| pycsw.image.tag | string | `"2.6.1"` | pycsw docker image tag | +| pycsw.mappings | string | MD_CORE_MODEL = { ... 
} | pycsw local mappings, copied from 4.1.x: https://github.com/GeoNode/geonode/blob/master/geonode/catalogue/backends/pycsw_local_mappings.py | +| pycsw.pod_name | string | `"pysw"` | pycsw pod name | +| pycsw.port | int | `8000` | pycsw endpoint port | +| pycsw.replicaCount | int | `1` | pycsw container replicas | +| pycsw.resources.limits.cpu | string | `"500m"` | limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| pycsw.resources.limits.memory | string | `"1Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| pycsw.resources.requests.cpu | string | `"500m"` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| pycsw.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| rabbitmq | object | `{"auth":{"erlangCookie":"jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu","existingErlangSecret":"","existingPasswordSecret":"","password":"rabbitpassword","username":"rabbituser"},"enabled":true,"limits":{"cpu":"750m","memory":"1Gi"},"persistence":{"enabled":false},"replicaCount":1,"requests":{"cpu":"500m","memory":"1Gi"}}` | VALUES DEFINITION https://github.com/bitnami/charts/blob/master/bitnami/rabbitmq/values.yaml | | rabbitmq.limits.cpu | string | `"750m"` | limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | rabbitmq.limits.memory | string | `"1Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| rabbitmq.replicaCount | int | `1` | rabbitmq raplica count | | rabbitmq.requests.cpu | string | `"500m"` | requested cpu as in resource.requests.cpu 
(https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | rabbitmq.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | diff --git a/charts/geonode/templates/_helpers.tpl b/charts/geonode/templates/_helpers.tpl index e2c9e3d..540dbc1 100644 --- a/charts/geonode/templates/_helpers.tpl +++ b/charts/geonode/templates/_helpers.tpl @@ -42,7 +42,7 @@ {{- end -}} {{- end -}} -# secret key reference for the password of user: .Values.postgres.geonodedatabase_and_username +# secret key reference for the password of user: .Values.postgres.geonode_databasename_and_username {{- define "database_geonode_password_secret_key_ref" -}} {{- if (index .Values "postgres-operator" "enabled") -}} "{{ .Values.postgres.geonode_databasename_and_username }}.{{ include "postgres_pod_name" . }}.credentials.postgresql.acid.zalan.do" @@ -51,7 +51,7 @@ {{- end -}} {{- end -}} -# secret key reference for the password of user: .Values.postgres.geodatabasename_and_username +# secret key reference for the password of user: .Values.postgres.geonode_databasename_and_username {{- define "database_geodata_password_secret_key_ref" -}} {{- if (index .Values "postgres-operator" "enabled") -}} "{{ .Values.postgres.geodata_databasename_and_username }}.{{ include "postgres_pod_name" . }}.credentials.postgresql.acid.zalan.do" diff --git a/charts/geonode/templates/geonode/geonode-deploy.yaml b/charts/geonode/templates/geonode/geonode-deploy.yaml index 13c48b6..06a15b7 100644 --- a/charts/geonode/templates/geonode/geonode-deploy.yaml +++ b/charts/geonode/templates/geonode/geonode-deploy.yaml 
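Review bot: The corrected comment above `database_geodata_password_secret_key_ref` still names the wrong value: it now reads `.Values.postgres.geonode_databasename_and_username`, while the define directly below it reads `.Values.postgres.geodata_databasename_and_username`, so the commit swaps one stale reference for another. Change it to `# secret key reference for the password of user: .Values.postgres.geodata_databasename_and_username`. The define's else branch (the external-postgres case) continues outside the hunk.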
@@ -87,13 +87,17 @@ spec: - containerPort: 8001 envFrom: - - configMapRef: - name: {{ include "geonode_pod_name" . }}-env + - configMapRef: + name: {{ include "geonode_pod_name" . }}-env + - secretRef: + name: {{ default "geonode-secret" .Values.geonode.secret.existingSecretName | quote }} + - secretRef: + name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }} env: - name: GEONODE_DATABASE_PASSWORD valueFrom: - secretKeyRef: + secretKeyRef: name: {{ include "database_geonode_password_secret_key_ref" . }} key: password - name: GEONODE_GEODATABASE_PASSWORD @@ -158,7 +162,6 @@ spec: # Celery is the task worker - name: {{ .Values.geonode.celery.container_name }} image: "{{ .Values.geonode.image.name }}:{{ .Values.geonode.image.tag }}" - command: - bash - -c @@ -176,6 +179,7 @@ spec: cd /usr/src/geonode-contribs/ldap; pip install --upgrade -e . cd /usr/src/geonode/ {{ end }} + {{ if .Values.geonode.sentry.enabled }} pip install sentry-sdk {{ end }} @@ -188,13 +192,17 @@ spec: dockerize -stdout /var/log/celery.log /usr/src/geonode/entrypoint.sh celery-cmd envFrom: - - configMapRef: - name: {{ include "geonode_pod_name" . }}-env + - configMapRef: + name: {{ include "geonode_pod_name" . }}-env + - secretRef: + name: {{ default "geonode-secret" .Values.geonode.secret.existingSecretName | quote }} + - secretRef: + name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }} env: - name: GEONODE_DATABASE_PASSWORD valueFrom: - secretKeyRef: + secretKeyRef: name: {{ include "database_geonode_password_secret_key_ref" . }} key: password - name: GEONODE_GEODATABASE_PASSWORD diff --git a/charts/geonode/templates/geonode/geonode-env.yaml b/charts/geonode/templates/geonode/geonode-env.yaml index e736c99..b539cf3 100644 --- a/charts/geonode/templates/geonode/geonode-env.yaml +++ b/charts/geonode/templates/geonode/geonode-env.yaml 
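Review bot: The fallback names `geonode-secret` and `geoserver-secret` in the new `secretRef` entries are fixed strings rather than release-scoped, so two releases in one namespace would render Secrets with identical names and each Deployment would read whichever one the last upgrade wrote. A release-prefixed default such as `name: {{ default (printf "%s-geonode-secret" .Release.Name) .Values.geonode.secret.existingSecretName | quote }}`, mirrored in the Secret templates (ideally through a shared helper in `_helpers.tpl`), keeps them apart the way the postgres Secrets already are (`{{ .Release.Name }}-geonode-external-secrets`). Note also that the entire geoserver Secret is injected into the django and celery containers, so an externally maintained `geoserver.secret.existingSecretName` must carry `GEOSERVER_ADMIN_USER` and `GEOSERVER_ADMIN_PASSWORD` under exactly those keys or GeoNode starts without GeoServer credentials; a comment next to the `secretRef` saying so would save an operator a silent misconfiguration. The container specs continue outside the hunk.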
@@ -47,11 +47,6 @@ data: ALLOWED_HOSTS: "['django', '*', '{{ .Values.geonode.general.externalDomain }}']" PROXY_ALLOWED_HOSTS: 'localhost,django,geonode,geoserver,spatialreference.org,nominatim.openstreetmap.org,dev.openlayers.org' - # Admin Settings - ADMIN_USERNAME: {{ .Values.geonode.general.superUser.username | quote }} - ADMIN_EMAIL: {{ .Values.geonode.general.superUser.email | quote }} - ADMIN_PASSWORD: {{ .Values.geonode.general.superUser.password | quote }} - # General settings FREETEXT_KEYWORDS_READONLY: {{ include "boolean2str" .Values.geonode.general.freetext_keywords_readonly | quote }} FIXTURE_DIRS: "[ '/usr/src/geonode/geonode/fixtures' ]" @@ -71,11 +66,8 @@ data: DJANGO_EMAIL_BACKEND: {{ .Values.geonode.mail.backend | quote }} DJANGO_EMAIL_HOST: {{ .Values.geonode.mail.host | quote }} DJANGO_EMAIL_PORT: {{ .Values.geonode.mail.port | quote }} - DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.mail.user | quote }} - DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.mail.password | quote }} DJANGO_EMAIL_USE_TLS: {{ include "boolean2str" .Values.geonode.mail.tls | quote }} DJANGO_EMAIL_USE_SSL: {{ include "boolean2str" .Values.geonode.mail.use_ssl | quote }} - DEFAULT_FROM_EMAIL: {{ .Values.geonode.mail.from | quote }} # PATH # TODO (mwall) allign with volumeMount locations @@ -115,7 +107,6 @@ data: LDAP_ENABLED: {{ include "boolean2str" .Values.geonode.ldap.enabled | quote }} LDAP_SERVER_URL: {{ .Values.geonode.ldap.uri | quote }} LDAP_BIND_DN: {{ .Values.geonode.ldap.bind_dn | quote }} - LDAP_BIND_PASSWORD: {{ .Values.geonode.ldap.bind_password | quote }} LDAP_USER_SEARCH_DN: {{ .Values.geonode.ldap.user_search_dn | quote }} LDAP_USER_SEARCH_FILTERSTR: {{ .Values.geonode.ldap.user_search_filterstr | quote }} LDAP_ALWAYS_UPDATE_USER: {{ .Values.geonode.ldap.always_update_user | quote }} 
@@ -180,8 +171,6 @@ data: GEOSERVER_PUBLIC_LOCATION: "{{ include "public_url" . }}/geoserver/" GEOSERVER_PUBLIC_SCHEMA: {{ .Values.geonode.general.externalScheme | quote }} GEOSERVER_LOCATION: "http://{{ include "geoserver_pod_name" . }}:{{ .Values.geoserver.port }}/geoserver/" - GEOSERVER_ADMIN_USER: {{ .Values.geoserver.admin_username | quote }} - GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.admin_password | quote }} OGC_REQUEST_TIMEOUT: {{ .Values.geonode.general.ogc_request_timeout | quote }} OGC_REQUEST_MAX_RETRIES: '1' diff --git a/charts/geonode/templates/geonode/geonode-secret.yaml b/charts/geonode/templates/geonode/geonode-secret.yaml new file mode 100644 index 0000000..556517f --- /dev/null +++ b/charts/geonode/templates/geonode/geonode-secret.yaml @@ -0,0 +1,21 @@ +{{- if empty .Values.geonode.secret.existingSecretName }} +apiVersion: v1 +kind: Secret +metadata: + name: geonode-secret + namespace: {{ .Release.Namespace }} +type: Opaque +data: + # superuser credentials + ADMIN_USERNAME: {{ .Values.geonode.secret.superUser.username | b64enc }} + ADMIN_PASSWORD: {{ .Values.geonode.secret.superUser.password | b64enc }} + ADMIN_EMAIL: {{ .Values.geonode.secret.superUser.email | b64enc }} + + # mail secrets + DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.secret.mail.user | b64enc }} + DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.secret.mail.password | b64enc }} + DEFAULT_FROM_EMAIL: {{ .Values.geonode.secret.mail.from | b64enc }} + + # ldap secrets + LDAP_BIND_PASSWORD: {{ .Values.geonode.secret.ldap.bind_password | b64enc }} +{{ end }} \ No newline at end of file diff --git a/charts/geonode/templates/geoserver/geoserver-deploy.yaml b/charts/geonode/templates/geoserver/geoserver-deploy.yaml index 29be5b0..52371df 100644 --- a/charts/geonode/templates/geoserver/geoserver-deploy.yaml +++ b/charts/geonode/templates/geoserver/geoserver-deploy.yaml 
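Review bot: The rendered Secret in `geonode-secret.yaml` carries the chart's default credentials verbatim — `admin`/`geonode` for the superuser, `changeme` for the mail account and `password` for the LDAP bind — so a release that does not override them ships a superuser whose password is published in this repository, and nothing in the template fails or warns. At least the superuser password should be gated, e.g. `ADMIN_PASSWORD: {{ required "set geonode.secret.superUser.password or geonode.secret.existingSecretName" .Values.geonode.secret.superUser.password | b64enc }}`, with an empty default in values.yaml; the mail and LDAP passwords are only needed when `geonode.mail.enabled`/`geonode.ldap.enabled` is true, so a check there would have to be conditional. The Secret is also named `geonode-secret` with no release prefix, so two releases in one namespace overwrite each other's credentials. A header comment listing the keys an externally supplied Secret must provide (`ADMIN_USERNAME`, `ADMIN_PASSWORD`, `ADMIN_EMAIL`, `DJANGO_EMAIL_HOST_USER`, `DJANGO_EMAIL_HOST_PASSWORD`, `DEFAULT_FROM_EMAIL`, `LDAP_BIND_PASSWORD`) would make `existingSecretName` usable without reading the template.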
@@ -63,8 +63,10 @@ spec: - containerPort: {{ .Values.geoserver.port }} envFrom: - - configMapRef: - name: {{ include "geoserver_pod_name" . }}-env + - configMapRef: + name: {{ include "geoserver_pod_name" . }}-env + - secretRef: + name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }} env: # read auto generated password from secret diff --git a/charts/geonode/templates/geoserver/geoserver-env.yaml b/charts/geonode/templates/geoserver/geoserver-env.yaml index fd2ffc1..810893b 100644 --- a/charts/geonode/templates/geoserver/geoserver-env.yaml +++ b/charts/geonode/templates/geoserver/geoserver-env.yaml @@ -17,6 +17,3 @@ data: DATABASE_PORT: "{{ include "database_port" . }}" GEONODE_GEODATABASE: {{ .Values.postgres.geonode_databasename_and_username | quote }} GEONODE_GEODATABASE_SCHEMA: {{ .Values.postgres.schema | quote }} - - GEOSERVER_ADMIN_USER: {{ .Values.geoserver.admin_username | quote }} - GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.admin_password | quote }} \ No newline at end of file diff --git a/charts/geonode/templates/geoserver/geoserver-secret.yaml b/charts/geonode/templates/geoserver/geoserver-secret.yaml new file mode 100644 index 0000000..ce861c9 --- /dev/null +++ b/charts/geonode/templates/geoserver/geoserver-secret.yaml @@ -0,0 +1,12 @@ +{{- if empty .Values.geoserver.secret.existingSecretName }} +apiVersion: v1 +kind: Secret +metadata: + name: geoserver-secret + namespace: {{ .Release.Namespace }} +type: Opaque +data: + # geoserver admin credentials + GEOSERVER_ADMIN_USER: {{ .Values.geoserver.secret.admin_username | b64enc }} + GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.secret.admin_password | b64enc }} +{{ end }} \ No newline at end of file diff --git a/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml index c1fbcd5..cdd0a09 100644 --- a/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml 
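Review bot: The geoserver Secret defaults to `admin`/`geoserver`, which is GeoServer's factory login and the first pair any scanner tries, and `geoserver-secret.yaml` renders it silently whenever `geoserver.secret.existingSecretName` is empty. `GEOSERVER_ADMIN_PASSWORD: {{ required "set geoserver.secret.admin_password or geoserver.secret.existingSecretName" .Values.geoserver.secret.admin_password | b64enc }}` together with an empty default in values.yaml turns the omission into a render error instead of an exposed admin account. The external-Secret path is undocumented in the template; add a header comment such as `# A Secret referenced by geoserver.secret.existingSecretName must provide the keys GEOSERVER_ADMIN_USER and GEOSERVER_ADMIN_PASSWORD; it is injected via envFrom into the geoserver, geonode and celery containers.` The fixed name `geoserver-secret` also collides across releases in the same namespace, as the README's own postgres secrets avoid by prefixing `{{ .Release.Name }}`.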
+++ b/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml @@ -1,10 +1,11 @@ -{{ if .Values.postgres.external_postgres.enabled }} +{{ if and .Values.postgres.external_postgres.enabled (not .Values.postgres.external_postgres.secret.existingSecretName )}} apiVersion: v1 kind: Secret metadata: name: {{ .Release.Name }}-geodata-external-secrets + namespace: {{ .Release.Namespace }} type: Opaque data: - username: {{ .Values.postgres.geodatabasename_and_username | quote }} - password: {{ .Values.postgres.external_postgres.geodata_password | b64enc }} + username: {{ .Values.postgres.geodata_databasename_and_username | b64enc }} + password: {{ .Values.postgres.external_postgres.secret.geodata_password | b64enc }} {{ end }} diff --git a/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml index a51593a..7e1ef1b 100644 --- a/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml +++ b/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml @@ -1,10 +1,11 @@ -{{ if .Values.postgres.external_postgres.enabled }} +{{ if and .Values.postgres.external_postgres.enabled (not .Values.postgres.external_postgres.secret.existingSecretName )}} apiVersion: v1 kind: Secret metadata: name: {{ .Release.Name }}-geonode-external-secrets + namespace: {{ .Release.Namespace }} type: Opaque data: - username: {{ .Values.postgres.username | quote }} - password: {{ .Values.postgres.external_postgres.geonode_password | b64enc }} + username: {{ .Values.postgres.username | b64enc }} + password: {{ .Values.postgres.external_postgres.secret.geonode_password | b64enc }} {{ end }} diff --git a/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml index a601325..e1262e9 100644 --- a/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml 
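Review bot: A single `postgres.external_postgres.secret.existingSecretName` switches off all three generated Secrets (`-geodata-external-secrets`, `-geonode-external-secrets`, `-postgres-external-secrets`), yet each stores its own value under the same `username`/`password` keys, so one external Secret cannot supply three distinct passwords. Either give each Secret its own `existingSecretName` or document that the operator must create three Secrets named exactly `<release>-geodata-external-secrets`, `<release>-geonode-external-secrets` and `<release>-postgres-external-secrets`, each with `username` and `password` keys. As far as this diff shows, the `secretKeyRef` names the Deployments use come from the `database_*_password_secret_key_ref` helpers, whose external branch is not touched here; if those still emit the `{{ .Release.Name }}-...-external-secrets` names, setting `existingSecretName` merely stops rendering the Secrets and the pods fail to start — worth a `helm template` run with the value set.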
+++ b/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml @@ -1,10 +1,11 @@ -{{ if .Values.postgres.external_postgres.enabled }} +{{ if and .Values.postgres.external_postgres.enabled (not .Values.postgres.external_postgres.secret.existingSecretName )}} apiVersion: v1 kind: Secret metadata: name: {{ .Release.Name }}-postgres-external-secrets + namespace: {{ .Release.Namespace }} type: Opaque data: - username: {{ .Values.postgres.username | quote }} - password: {{ .Values.postgres.external_postgres.postgres_password | b64enc }} + username: {{ .Values.postgres.username | b64enc }} + password: {{ .Values.postgres.external_postgres.secret.postgres_password | b64enc }} {{ end }} diff --git a/charts/geonode/templates/postgres/geonode-manifest.yaml b/charts/geonode/templates/postgres/postgresql-operator.yaml similarity index 100% rename from charts/geonode/templates/postgres/geonode-manifest.yaml rename to charts/geonode/templates/postgres/postgresql-operator.yaml diff --git a/charts/geonode/values.yaml b/charts/geonode/values.yaml index c14699f..182fca0 100644 --- a/charts/geonode/values.yaml +++ b/charts/geonode/values.yaml @@ -1,10 +1,10 @@ - global: # -- storageClass used by helm dependencies pvc storageClass: # -- storage access mode used by helm dependency pvc accessMode: ReadWriteMany + # geonode configuration geonode: # -- pod name 
@@ -31,6 +31,28 @@ geonode: tasks_post_script: | print("tasks_post_script not defined ...") + secret: + # -- name of an existing Secret to use. Set, if you want to separately maintain the Secret. + existingSecretName: "" + superUser: + # -- admin username + username: admin + # -- admin panel password + password: geonode + # -- admin user password + email: support@example.com + mail: + # -- define mail user to send mails from + user: "changeme" + # -- set password for mailuser in geonode + password: "changeme" + # -- define from mail-addr + from: "changeme@web.de" + ldap: + # -- ldap password + bind_password: password + + resources: requests: # -- requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) @@ -109,6 +131,7 @@ geonode: cheaper_busyness_backlog_step: 2 general: + # -- external ingress schema. If set to 'https', make sure to configure TLS either by # configuring tls certificate or using cert-manager. Available options: (http|https) externalScheme: http @@ -139,14 +162,6 @@ geonode: # -- OGC_REQUEST_POOL_CONNECTIONS ogc_request_pool_connections: 10 - superUser: - # -- admin username - username: admin - # -- admin panel password - password: geonode - # -- admin user password - email: support@example.com - publishing: # -- RESOURCE_PUBLISHING By default, the GeoNode application allows GeoNode staff members to publish/unpublish resources. # By default, resources are published when created. When this setting is set to True the staff members will be able to unpublish @@ -183,12 +198,6 @@ geonode: tls: true # -- enable ssl for geonode mail (only tls or ssl can be true not both) use_ssl: False - # -- define mail user to send mails from - user: "changeme" - # -- set password for mailuser in geonode - password: "changeme" - # -- define from mail-addr - from: "changeme@web.de" ldap: # -- enable ldap AUTHENTICATION_BACKENDS in DJANGO Geonode 
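Review bot: The comment re-added above `email:` in the new `secret.superUser` block reads `# -- admin user password`, which is wrong and is copied into the README as the description of `geonode.secret.superUser.email`; it should be `# -- admin user email`. The block also ships live default credentials (`password: geonode`, `password: "changeme"`, `bind_password: password`) that an operator must remember to override; empty strings here, paired with a `required` check in the Secret template, would make the obligation explicit. `existingSecretName` does not say which keys the external Secret must contain — a pointer such as `# -- name of an existing Secret to use instead of the generated one (keys: ADMIN_USERNAME, ADMIN_PASSWORD, ADMIN_EMAIL, DJANGO_EMAIL_HOST_USER, DJANGO_EMAIL_HOST_PASSWORD, DEFAULT_FROM_EMAIL, LDAP_BIND_PASSWORD)` would let someone maintain it without reading the template.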
@@ -197,8 +206,6 @@ geonode: uri: ldap://example.com # -- ldap user bind dn bind_dn: "CN=Users,DC=ad,DC=example,DC=com" - # -- ldap password - bind_password: password # -- ldap user search dn user_search_dn: "OU=User,DC=ad,DC=example,DC=com" # -- ldap user filterstr @@ -244,7 +251,7 @@ geonode: # -- If True, new user accounts will be created as inactive. The user must use the activation link to activate his account. conformation_required: True # -- Specifies the login method to use – whether the user logs in by entering their username, e-mail address, or either one of both. Setting this to “email” requires email_required=True - authentication_method: "user_email" + authentication_method: "username_email" # -- group name to add new registered users to, requires auto_assign_registered_members_to_registered: True. registered_members_group_name: # -- if set to True new registered user will be add to defined group in registered_members_group_name @@ -309,10 +316,14 @@ geoserver: tag: '2.23.0' # -- geoserver port port: 8080 - # -- geoserver admin username - admin_username: admin - # -- geoserver admin password - admin_password: "geoserver" + + secret: + # -- name of an existing Secret to use. Set, if you want to separately maintain the Secret. + existingSecretName: "" + # -- geoserver admin username + admin_username: admin + # -- geoserver admin password + admin_password: "geoserver" # -- geoserver kube resources resources: @@ -356,7 +367,7 @@ nginx: # -- limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) cpu: "800m" -# -- pycsw integration is based on https://github.com/geopython/pycsw/blob/master/docker/kubernetes +# pycsw integration is based on https://github.com/geopython/pycsw/blob/master/docker/kubernetes pycsw: # -- enable single pycsw pod enabled: True 
@@ -386,8 +397,8 @@ pycsw: memory: "1Gi" # -- limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) cpu: "500m" - # copied from 4.1.x: https://github.com/GeoNode/geonode/blob/master/geonode/catalogue/backends/pycsw_local_mappings.py - # -- pycsw config file parameters, see docs: https://docs.pycsw.org/_/downloads/en/latest/pdf/ + # -- pycsw local mappings, copied from 4.1.x: https://github.com/GeoNode/geonode/blob/master/geonode/catalogue/backends/pycsw_local_mappings.py + # @default -- MD_CORE_MODEL = { ... } mappings: |- MD_CORE_MODEL = { "typename": "pycsw:CoreMetadata", @@ -452,7 +463,9 @@ pycsw: "pycsw:Links": "download_links", }, } - config: |- + # -- pycsw config file parameters, see docs: https://docs.pycsw.org/_/downloads/en/latest/pdf/ + # @default -- [server] ... + config: | [server] home=/home/pycsw url=$(PYCSW_SERVER_URL) @@ -532,6 +545,8 @@ rabbitmq: username: rabbituser password: rabbitpassword erlangCookie: jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu + existingPasswordSecret: "" + existingErlangSecret: "" persistence: enabled: False @@ -574,9 +589,12 @@ postgres: enabled: False hostname: my-external-postgres.com port: 5432 - postgres_password: postgres - geonode_password: geonode - geodata_password: geogeonode + secret: + # -- name of an existing Secret to use. Set, if you want to separately maintain the Secret. + existingSecretName: "" + postgres_password: postgres + geonode_password: geonode + geodata_password: geogeonode # VALUES DEFINITION: https://github.com/zalando/postgres-operator/blob/master/charts/postgres-operator/values.yaml postgres-operator: diff --git a/docs/provide-custom-secret.md b/docs/provide-custom-secret.md new file mode 100644 index 0000000..7129a40 --- /dev/null +++ b/docs/provide-custom-secret.md 
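Review bot: The two new `existingPasswordSecret`/`existingErlangSecret` keys default to `""`, which leaves the context lines above — `password: rabbitpassword` and the literal `erlangCookie: jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu` — as the effective defaults for every install that does not override them. The Erlang cookie is the shared secret that authenticates nodes joining the cluster, so a cookie checked into the chart is worse than a weak password; I would drop the literal value so the dependency chart generates one (I believe the Bitnami chart does this when the value is empty — verify), or at least add `# -- override this or set existingErlangSecret; never deploy the shipped value` next to it. The new docs file in this change already shows the `existing*Secret` form, so pointing to it from these two keys would close the loop.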
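Review bot: The external-database `secret` block defaults `postgres_password`, `geonode_password` and `geodata_password` to `postgres`, `geonode` and `geogeonode`; for a database the chart does not provision these cannot be right, and after this rename a values file that still sets the old top-level `postgres.postgres_password` silently falls back to them instead of failing. I would default all three to empty and have the template `required` them when `existingSecretName` is empty, so a misconfigured release fails at `helm install` rather than at connect time with a guessable password; the template is outside this hunk, so confirm how it treats empty values. `minikube-values-external-db.yaml` in this same change already leaves the three keys empty, which suggests empty is the intended shape and the defaults here are leftovers.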
@@ -0,0 +1,59 @@ +# Maintain Secrets + +Ensure to put confidential settings in a Kubernetes Secret. +By default, each service provides a secret template which is filled by the values within the `secret` section given in the `values.yaml` for each component. + +In your `values.yaml` you have two options: + +1. Set the secret values directly within the `secret` section +1. Override the `secret.existingSecretName` to reference a secret which you maintain separately + + +> :bulb: **Note:** +> +> Make sure to not expose your secrets, e.g. via Git! +> Consider to pass secrets from a CD pipeline via masked environment settings. + +Consult the documentation of Chart dependencies how this is done there (most of them handle it similarly). +For example, you can configure externally managed Secrets [in the `auth` section of the rabbitmq config](https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml#L130): + +```yaml +rabbitmq: + auth: + username: rabbituser + existingPasswordSecret: "rabbitmq-password-secret" + existingErlangSecret: "rabbitmq-erlang-secret" + +``` + + +## Tooling + + +### Kustomize + +Kubernetes Secrets contain base64 encoded strings which makes it cumbersome to maintain. +Consider to use `kustomize` to generate and apply a Secret from a given file. +In all cases, remember to exclude files from version control which contain sensitive data. + +```yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +secretGenerator: +- name: geonode-secret # the secret's name + env: geonode-secret.properties +``` + +To exclude `geonode-secret.properties` from version control, just add it to `.gitignore`: + +```sh +echo geonode-secret.properties >> .gitignore +``` + +### Helm Plugins + +There are Helm plugins which helps you maintaining secrets within your deploy chain. + +* https://medium.com/@Devopscontinens/encrypting-helm-secrets-7f37a0ccabeb +* https://github.com/getsops/sops 
diff --git a/minikube-values-external-db.yaml b/minikube-values-external-db.yaml index 66f2e68..173cb75 100644 --- a/minikube-values-external-db.yaml +++ b/minikube-values-external-db.yaml @@ -16,8 +16,9 @@ geonode: ingress: enabled: False - superUser: - password: geonode + secret: + superUser: + password: geonode mail: enabled: False @@ -45,9 +46,10 @@ postgres: enabled: True hostname: "external-postgres.com" port: 5432 - postgres_password: - geonode_password: - geodata_password: + secret: + postgres_password: + geonode_password: + geodata_password: postgres-operator: enabled: False diff --git a/minikube-values.yaml b/minikube-values.yaml index 8ded9c1..66a6aae 100644 --- a/minikube-values.yaml +++ b/minikube-values.yaml @@ -16,8 +16,9 @@ geonode: ingress: enabled: False - superUser: - password: geonode + secret: + superUser: + password: geonode mail: enabled: False