From bc2b2179a72d80eee397003632943e470a2b7809 Mon Sep 17 00:00:00 2001
From: Henning Bredel
Date: Wed, 6 Sep 2023 15:32:52 +0200
Subject: [PATCH 01/14] WIP: Provide confidential values as secret

---
 charts/geonode/README.md | 16 +++++++++
 .../templates/geonode/geonode-deploy.yaml | 34 +++++++++++++++++++
 .../templates/geonode/geonode-env.yaml | 5 ---
 .../templates/geonode/geonode-secret.yaml | 9 +++++
 charts/geonode/values.yaml | 13 ++++---
 docs/provide-custom-secret.md | 28 +++++++++++++++
 6 files changed, 96 insertions(+), 9 deletions(-)
 create mode 100644 charts/geonode/templates/geonode/geonode-secret.yaml
 create mode 100644 docs/provide-custom-secret.md

diff --git a/charts/geonode/README.md b/charts/geonode/README.md
index 9edca1b..3b06115 100644
--- a/charts/geonode/README.md
+++ b/charts/geonode/README.md
@@ -59,6 +59,7 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
 | geonode.general.ogc_request_timeout | int | `600` | OGC_REQUEST_TIMEOUT |
 | geonode.general.publishing.admin_moderate_uploads | bool | `false` | ADMIN_MODERATE_UPLOADS When this variable is set to True, every uploaded resource must be approved before becoming visible to the public users. Until a resource is in PENDING APPROVAL state, only the superusers, owner and group members can access it, unless specific edit permissions have been set for other users or groups. A Group Manager can approve the resource, but he cannot publish it whenever the setting RESOURCE_PUBLISHING is set to True. Otherwise, if RESOURCE_PUBLISHING (helm: resource_publishing_by_staff) is set to False, the resource becomes accessible as soon as it is approved. |
 | geonode.general.publishing.resource_publishing_by_staff | bool | `false` | RESOURCE_PUBLISHING By default, the GeoNode application allows GeoNode staff members to publish/unpublish resources. By default, resources are published when created. When this setting is set to True the staff members will be able to unpublish a resource (and eventually publish it back). |
+| geonode.general.secretName | string | `"demo-secret"` | the secret name containing confidential values |
 | geonode.general.settings_module | string | `"geonode.settings"` | the settings module to load |
 | geonode.general.superUser.email | string | `"support@example.com"` | admin user password |
 | geonode.general.superUser.password | string | `"geonode"` | admin panel password |
@@ -193,9 +194,24 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
 | postgres.operator_manifest.storageSize | string | `"3Gi"` | Database storage size |
 | postgres.schema | string | `"public"` | database schema |
 | postgres.username | string | `"postgres"` | postgres username |
+| pycsw.config | string | [server] ... | pycsw config file parameters, see docs: https://docs.pycsw.org/_/downloads/en/latest/pdf/ |
+| pycsw.container_name | string | `"pycsw"` | pycsw container name |
+| pycsw.enabled | bool | `true` | enable single pycsw pod |
+| pycsw.endpoint | string | `"/catalogue/csw"` | pycsw url below geonode.ingress.externalDomain |
+| pycsw.image.name | string | `"geopython/pycsw"` | pycsw docker image |
+| pycsw.image.tag | string | `"2.6.1"` | pycsw docker image tag |
+| pycsw.mappings | string | MD_CORE_MODEL = { ... } | pycsw local mappings, copied from 4.1.x: https://github.com/GeoNode/geonode/blob/master/geonode/catalogue/backends/pycsw_local_mappings.py |
+| pycsw.pod_name | string | `"pysw"` | pycsw pod name |
+| pycsw.port | int | `8000` | pycsw endpoint port |
+| pycsw.replicaCount | int | `1` | pycsw container replicas |
+| pycsw.resources.limits.cpu | string | `"500m"` | limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| pycsw.resources.limits.memory | string | `"1Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| pycsw.resources.requests.cpu | string | `"500m"` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| pycsw.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | rabbitmq | object | `{"auth":{"erlangCookie":"jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu","password":"rabbitpassword","username":"rabbituser"},"enabled":true,"limits":{"cpu":"750m","memory":"1Gi"},"persistence":{"enabled":false},"replicaCount":1,"requests":{"cpu":"500m","memory":"1Gi"}}` | VALUES DEFINITION https://github.com/bitnami/charts/blob/master/bitnami/rabbitmq/values.yaml |
 | rabbitmq.limits.cpu | string | `"750m"` | limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | rabbitmq.limits.memory | string | `"1Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| rabbitmq.replicaCount | int | `1` | rabbitmq raplica count |
 | rabbitmq.requests.cpu | string | `"500m"` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | rabbitmq.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
diff --git a/charts/geonode/templates/geonode/geonode-deploy.yaml b/charts/geonode/templates/geonode/geonode-deploy.yaml
index 13c48b6..c438a60 100644
--- a/charts/geonode/templates/geonode/geonode-deploy.yaml
+++ b/charts/geonode/templates/geonode/geonode-deploy.yaml
@@ -91,6 +91,23 @@ spec:
             name: {{ include "geonode_pod_name" . }}-env
         env:
+        {{- if .Values.geonode.general.secretName }}
+        - name: ADMIN_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.geonode.general.secretName }}
+              key: ADMIN_USERNAME
+        - name: ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.geonode.general.secretName }}
+              key: ADMIN_PASSWORD
+        - name: ADMIN_EMAIL
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.geonode.general.secretName }}
+              key: ADMIN_EMAIL
+        {{ end }}
         - name: GEONODE_DATABASE_PASSWORD
           valueFrom:
             secretKeyRef:
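Review bot: The 17-line env block added in the @@ -91 hunk is repeated verbatim in the @@ -192 hunk that follows, and both close with `{{ end }}` rather than `{{- end }}`, which leaves a whitespace-only line in the rendered manifest after the last `secretKeyRef`. Moving the three `secretKeyRef` entries into a named template in `_helpers.tpl` and including it from both containers would keep the two copies from drifting. The gate `{{- if .Values.geonode.general.secretName }}` is satisfied by the chart's own default `demo-secret`, so the admin credentials are always wired in unless the operator overrides the name; a comment stating that, e.g. `# admin credentials come from the Secret named in geonode.general.secretName (defaults to the chart's demo Secret)`, would help. The container spec enclosing this block starts and ends outside the hunk.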
@@ -192,6 +209,23 @@ spec:
             name: {{ include "geonode_pod_name" . }}-env
         env:
+        {{- if .Values.geonode.general.secretName }}
+        - name: ADMIN_USERNAME
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.geonode.general.secretName }}
+              key: ADMIN_USERNAME
+        - name: ADMIN_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.geonode.general.secretName }}
+              key: ADMIN_PASSWORD
+        - name: ADMIN_EMAIL
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.geonode.general.secretName }}
+              key: ADMIN_EMAIL
+        {{ end }}
         - name: GEONODE_DATABASE_PASSWORD
           valueFrom:
             secretKeyRef:
diff --git a/charts/geonode/templates/geonode/geonode-env.yaml b/charts/geonode/templates/geonode/geonode-env.yaml
index e736c99..c4b1b1c 100644
--- a/charts/geonode/templates/geonode/geonode-env.yaml
+++ b/charts/geonode/templates/geonode/geonode-env.yaml
@@ -47,11 +47,6 @@ data:
   ALLOWED_HOSTS: "['django', '*', '{{ .Values.geonode.general.externalDomain }}']"
   PROXY_ALLOWED_HOSTS: 'localhost,django,geonode,geoserver,spatialreference.org,nominatim.openstreetmap.org,dev.openlayers.org'
-  # Admin Settings
-  ADMIN_USERNAME: {{ .Values.geonode.general.superUser.username | quote }}
-  ADMIN_EMAIL: {{ .Values.geonode.general.superUser.email | quote }}
-  ADMIN_PASSWORD: {{ .Values.geonode.general.superUser.password | quote }}
-
   # General settings
   FREETEXT_KEYWORDS_READONLY: {{ include "boolean2str" .Values.geonode.general.freetext_keywords_readonly | quote }}
   FIXTURE_DIRS: "[ '/usr/src/geonode/geonode/fixtures' ]"
diff --git a/charts/geonode/templates/geonode/geonode-secret.yaml b/charts/geonode/templates/geonode/geonode-secret.yaml
new file mode 100644
index 0000000..507bff3
--- /dev/null
+++ b/charts/geonode/templates/geonode/geonode-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: demo-secret
+type: Opaque
+data:
+  ADMIN_USERNAME: admin
+  ADMIN_PASSWORD: geonode
+  ADMIN_EMAIL: support@example.com
\ No newline at end of file
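Review bot: The new geonode-secret.yaml puts plain-text values under `data:`, but the API server requires base64 there, so applying the rendered chart rejects this object; putting the three entries under `stringData:` keeps them readable without hand-encoding (patch 03 below switches to base64 literals instead). The manifest is also rendered unconditionally with the well-known defaults `admin`/`geonode` and the fixed name `demo-secret`, so a user who points `geonode.general.secretName` at their own Secret still gets the demo one created in the namespace. Gating the template on a dedicated flag, or on `secretName` matching `demo-secret`, and sourcing the values from `geonode.general.superUser` would close that gap. The file also lacks a trailing newline.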
diff --git a/charts/geonode/values.yaml b/charts/geonode/values.yaml
index c14699f..53543c3 100644
--- a/charts/geonode/values.yaml
+++ b/charts/geonode/values.yaml
@@ -109,6 +109,9 @@ geonode:
     cheaper_busyness_backlog_step: 2
   general:
+    # -- the secret name containing confidential values
+    secretName: demo-secret
+
     # -- external ingress schema. If set to 'https', make sure to configure TLS either by
     # configuring tls certificate or using cert-manager. Available options: (http|https)
     externalScheme: http
@@ -356,7 +359,7 @@ nginx:
     # -- limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
     cpu: "800m"
-# -- pycsw integration is based on https://github.com/geopython/pycsw/blob/master/docker/kubernetes
+# pycsw integration is based on https://github.com/geopython/pycsw/blob/master/docker/kubernetes
 pycsw:
   # -- enable single pycsw pod
   enabled: True
@@ -386,8 +389,8 @@ pycsw:
       memory: "1Gi"
       # -- limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
       cpu: "500m"
-  # copied from 4.1.x: https://github.com/GeoNode/geonode/blob/master/geonode/catalogue/backends/pycsw_local_mappings.py
-  # -- pycsw config file parameters, see docs: https://docs.pycsw.org/_/downloads/en/latest/pdf/
+  # -- pycsw local mappings, copied from 4.1.x: https://github.com/GeoNode/geonode/blob/master/geonode/catalogue/backends/pycsw_local_mappings.py
+  # @default -- MD_CORE_MODEL = { ... }
   mappings: |-
     MD_CORE_MODEL = {
       "typename": "pycsw:CoreMetadata",
@@ -452,7 +455,9 @@ pycsw:
         "pycsw:Links": "download_links",
       },
     }
-  config: |-
+  # -- pycsw config file parameters, see docs: https://docs.pycsw.org/_/downloads/en/latest/pdf/
+  # @default -- [server] ...
+  config: |
     [server]
     home=/home/pycsw
     url=$(PYCSW_SERVER_URL)
diff --git a/docs/provide-custom-secret.md b/docs/provide-custom-secret.md
new file mode 100644
index 0000000..21bfb8d
--- /dev/null
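Review bot: After the @@ -109 hunk, `geonode.general.superUser.username/password/email` are no longer read anywhere in this commit: the ConfigMap entries were dropped from geonode-env.yaml and the new demo Secret hard-codes its own values, yet the keys stay in values.yaml and the README still lists them as the admin credentials. Either render the demo Secret from those values or remove them in the same commit, so an operator does not set a password that is silently ignored. The comment on `secretName` should also state the contract, e.g. `# -- name of the Secret providing ADMIN_USERNAME, ADMIN_PASSWORD and ADMIN_EMAIL; the chart ships demo-secret with demo credentials, override it for any non-demo deployment`. The `enabled: True` context line in the pycsw section is the YAML 1.1 spelling; `true` is the portable form.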
+++ b/docs/provide-custom-secret.md
@@ -0,0 +1,28 @@
+# Provide Custom Secret
+
+Ensure to put confidential settings in a Kubernetes Secret.
+By default, the `./charts/geonode/templates/geonode/demo-secret.yaml` is applied along the installation.
+
+Get the default secrets via `helm template -s templates/geonode/geonode-secret.yaml charts/geonode > custom-secret.yaml`.
+Make your changes and apply the Secret using `kubectl apply -f .yml` in the namespace you want to install `geonode-k8s` into.
+
+> :bulb: **Note:**
+>
+> Once you configured the secret change the name.
+> This name has to be set as `geonode.general.secretName` in the `values.yaml`.
+
+Alternatively, you may consider using `kustomization` which generates a secret from a given file (which you could exclude from version control as well) like so:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# Generates a Kubernetes secret containing sensible configuration
+# by reading a .env file you would have to create
+# Make sure to apply this secret in that namespace Helm installs
+# the geonode release into
+
+secretGenerator:
+- name: my-custom-secret # the secret's name
+  env: .env
+```
From 87e2b3b38ee27b85df9666216155be6cfa7fb2fb Mon Sep 17 00:00:00 2001
From: Henning Bredel
Date: Wed, 6 Sep 2023 17:44:18 +0200
Subject: [PATCH 02/14] Fix parameter names in comment

---
 charts/geonode/templates/_helpers.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/geonode/templates/_helpers.tpl b/charts/geonode/templates/_helpers.tpl
index e2c9e3d..540dbc1 100644
--- a/charts/geonode/templates/_helpers.tpl
+++ b/charts/geonode/templates/_helpers.tpl
@@ -42,7 +42,7 @@
 {{- end -}}
 {{- end -}}
-# secret key reference for the password of user: .Values.postgres.geonodedatabase_and_username
+# secret key reference for the password of user: .Values.postgres.geonode_databasename_and_username
 {{- define "database_geonode_password_secret_key_ref" -}}
 {{- if (index .Values "postgres-operator" "enabled") -}}
 "{{ .Values.postgres.geonode_databasename_and_username }}.{{ include "postgres_pod_name" . }}.credentials.postgresql.acid.zalan.do"
@@ -51,7 +51,7 @@
 {{- end -}}
 {{- end -}}
-# secret key reference for the password of user: .Values.postgres.geodatabasename_and_username
+# secret key reference for the password of user: .Values.postgres.geonode_databasename_and_username
 {{- define "database_geodata_password_secret_key_ref" -}}
 {{- if (index .Values "postgres-operator" "enabled") -}}
 "{{ .Values.postgres.geodata_databasename_and_username }}.{{ include "postgres_pod_name" . }}.credentials.postgresql.acid.zalan.do"
From e6bea3d16f3091c93e915a62ae99bf94029ef552 Mon Sep 17 00:00:00 2001
From: Henning Bredel
Date: Wed, 6 Sep 2023 18:00:11 +0200
Subject: [PATCH 03/14] Provide demo credentials as base64

---
 charts/geonode/templates/geonode/geonode-secret.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/charts/geonode/templates/geonode/geonode-secret.yaml b/charts/geonode/templates/geonode/geonode-secret.yaml
index 507bff3..a20605c 100644
--- a/charts/geonode/templates/geonode/geonode-secret.yaml
+++ b/charts/geonode/templates/geonode/geonode-secret.yaml
@@ -4,6 +4,6 @@ metadata:
   name: demo-secret
 type: Opaque
 data:
-  ADMIN_USERNAME: admin
-  ADMIN_PASSWORD: geonode
-  ADMIN_EMAIL: support@example.com
\ No newline at end of file
+  ADMIN_USERNAME: YWRtaW4=
+  ADMIN_PASSWORD: Z2Vvbm9kZQ==
+  ADMIN_EMAIL: c3VwcG9ydEBleGFtcGxlLmNvbQ==
\ No newline at end of file
From ee9aa346f03a730431e74ad0dbc34a1ea05c44d6 Mon Sep 17 00:00:00 2001
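Review bot: The second hunk (@@ -51) now says the reference is for `.Values.postgres.geonode_databasename_and_username`, but the `database_geodata_password_secret_key_ref` template it documents reads `.Values.postgres.geodata_databasename_and_username` on the line right below, so the corrected comment is wrong for this helper; it should read `# secret key reference for the password of user: .Values.postgres.geodata_databasename_and_username`. The first hunk (@@ -42) matches its define and is fine. Both defines continue past the hunks' last lines.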
From: Henning Bredel
Date: Thu, 7 Sep 2023 10:44:27 +0200
Subject: [PATCH 04/14] Add named secret in values.yaml with default content

---
 charts/geonode/README.md | 2 +
 .../templates/geonode/geonode-deploy.yaml | 22 ++-------
 .../templates/geonode/geonode-secret.yaml | 12 ++---
 charts/geonode/values.yaml | 18 +++++++-
 docs/provide-custom-secret.md | 46 +++++++++++++------
 5 files changed, 58 insertions(+), 42 deletions(-)

diff --git a/charts/geonode/README.md b/charts/geonode/README.md
index 3b06115..6a894f2 100644
--- a/charts/geonode/README.md
+++ b/charts/geonode/README.md
@@ -122,6 +122,8 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
 | geonode.resources.limits.memory | string | `"2Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | geonode.resources.requests.cpu | int | `1` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | geonode.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
+| geonode.secret.content | string | `"apiVersion: v1\nkind: Secret\nmetadata:\n name: geonode-secret\ntype: Opaque\ndata:\n # superuser\n ADMIN_USERNAME: {{ admin | base64 }}\n ADMIN_PASSWORD: {{ geonode | base64 }}\n ADMIN_EMAIL: {{ support@example.com | base64 }}\n"` | Default contents of the secret |
+| geonode.secret.name | string | `"geonode-secret"` | the name of the secret to use |
 | geonode.sentry.build_number | int | `0` | sentry build number |
 | geonode.sentry.dsn | string | `""` | sentry dsn url |
 | geonode.sentry.enabled | bool | `false` | enable sentry integration for geonode |
diff --git a/charts/geonode/templates/geonode/geonode-deploy.yaml b/charts/geonode/templates/geonode/geonode-deploy.yaml
index c438a60..dc2e5c5 100644
--- a/charts/geonode/templates/geonode/geonode-deploy.yaml
+++ b/charts/geonode/templates/geonode/geonode-deploy.yaml
@@ -206,26 +206,12 @@ spec:
         envFrom:
         - configMapRef:
-            name: {{ include "geonode_pod_name" . }}-env
+            name: {{ include "geonode_pod_name" . }}-env
+        {{- if .Values.geonode.general.secretName }}
+        - secretRef:
+            name: {{ .Values.geonode.general.secretName }}
         env:
-        {{- if .Values.geonode.general.secretName }}
-        - name: ADMIN_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.geonode.general.secretName }}
-              key: ADMIN_USERNAME
-        - name: ADMIN_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.geonode.general.secretName }}
-              key: ADMIN_PASSWORD
-        - name: ADMIN_EMAIL
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.geonode.general.secretName }}
-              key: ADMIN_EMAIL
-        {{ end }}
         - name: GEONODE_DATABASE_PASSWORD
           valueFrom:
             secretKeyRef:
diff --git a/charts/geonode/templates/geonode/geonode-secret.yaml b/charts/geonode/templates/geonode/geonode-secret.yaml
index a20605c..f86cbb4 100644
--- a/charts/geonode/templates/geonode/geonode-secret.yaml
+++ b/charts/geonode/templates/geonode/geonode-secret.yaml
@@ -1,9 +1,3 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: demo-secret
-type: Opaque
-data:
-  ADMIN_USERNAME: YWRtaW4=
-  ADMIN_PASSWORD: Z2Vvbm9kZQ==
-  ADMIN_EMAIL: c3VwcG9ydEBleGFtcGxlLmNvbQ==
\ No newline at end of file
+{{- if .Values.geonode.secret.content }}
+{{ .Values.geonode.secret.content | toYaml }}
+{{ end }}
\ No newline at end of file
diff --git a/charts/geonode/values.yaml b/charts/geonode/values.yaml
index 53543c3..21e0c6e 100644
--- a/charts/geonode/values.yaml
+++ b/charts/geonode/values.yaml
@@ -1,10 +1,10 @@
-
 global:
   # -- storageClass used by helm dependencies pvc
   storageClass:
   # -- storage access mode used by helm dependency pvc
   accessMode: ReadWriteMany
+
 # geonode configuration
 geonode:
   # -- pod name
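Review bot: The `{{- if .Values.geonode.general.secretName }}` opened around the new `secretRef` entry in the @@ -206 hunk has no closing action on the new side — the old `{{ end }}` is removed together with the per-key block — so unless an end exists further down outside the hunk, `helm template` fails to parse the file; the close belongs directly after the `name:` line: `        {{- end }}`. Only this container is switched to `envFrom`; the first container's per-key block from the @@ -91 hunk of patch 01 is not touched by this commit, so the two containers appear to load the credentials differently (that region is outside the hunk, so this is inferred). `envFrom` also exposes every key of the Secret as an environment variable rather than the three named keys before, which is worth a line in the chart docs.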
@@ -31,6 +31,22 @@ geonode:
   tasks_post_script: |
     print("tasks_post_script not defined ...")
+  secret:
+    # -- the name of the secret to use
+    name: geonode-secret
+    # -- Default contents of the secret
+    content: |
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: geonode-secret
+      type: Opaque
+      data:
+        # superuser
+        ADMIN_USERNAME: {{ admin | base64 }}
+        ADMIN_PASSWORD: {{ geonode | base64 }}
+        ADMIN_EMAIL: {{ support@example.com | base64 }}
+
   resources:
     requests:
       # -- requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
diff --git a/docs/provide-custom-secret.md b/docs/provide-custom-secret.md
index 21bfb8d..a282ba6 100644
--- a/docs/provide-custom-secret.md
+++ b/docs/provide-custom-secret.md
@@ -1,28 +1,46 @@
-# Provide Custom Secret
+# Maintain Secrets
 
 Ensure to put confidential settings in a Kubernetes Secret.
-By default, the `./charts/geonode/templates/geonode/demo-secret.yaml` is applied along the installation.
+By default, each service provides a secret template which is filled by the `secret.content` value given in the `values.yaml` for each component.
 
-Get the default secrets via `helm template -s templates/geonode/geonode-secret.yaml charts/geonode > custom-secret.yaml`.
-Make your changes and apply the Secret using `kubectl apply -f .yml` in the namespace you want to install `geonode-k8s` into.
+In your `values.yaml` you have two options:
+
+1. Override the `secret.content` to set project specific secrets
+1. Create custom Kubernetes Secrets and configure `secret.name` accordingly
 
 > :bulb: **Note:**
 >
-> Once you configured the secret change the name.
-> This name has to be set as `geonode.general.secretName` in the `values.yaml`.
+> Make sure to not expose your secrets, e.g. via Git!
+> Consider to pass secrets from a CD pipeline via masked environment settings.
+> By referencing a custom Secret (leaving `secret.content` empty), you would have to create and maintain a Secret by yourself.
 
+
+## Tooling
+
-Alternatively, you may consider using `kustomization` which generates a secret from a given file (which you could exclude from version control as well) like so:
+### Kustomize
+
+Kubernetes Secrets contain base64 encoded strings which makes it cumbersome to maintain.
+Consider to use `kustomize` to generate and apply a Secret from a given file.
+In all cases, remember to exclude files from version control which contain sensitive data.
 
 ```yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-# Generates a Kubernetes secret containing sensible configuration
-# by reading a .env file you would have to create
-# Make sure to apply this secret in that namespace Helm installs
-# the geonode release into
-
 secretGenerator:
-- name: my-custom-secret # the secret's name
-  env: .env
+- name: geonode-secret # the secret's name
+  env: geonode-secret.properties
 ```
+
+To exclude `geonode-secret.properties` from version control, just add it to `.gitignore`:
+
+```sh
+echo geonode-secret.properties >> .gitignore
+```
+
+### Helm Plugins
+
+There are Helm plugins which helps you maintaining secrets within your deploy chain.
+
+* https://medium.com/@Devopscontinens/encrypting-helm-secrets-7f37a0ccabeb
+* https://github.com/getsops/sops
From 9bfb9721192f25777b80111c5f530d9ac21597ae Mon Sep 17 00:00:00 2001
From: Henning Bredel
Date: Thu, 7 Sep 2023 12:11:18 +0200
Subject: [PATCH 05/14] Remove secret boilerplate in values.yaml

---
 charts/geonode/README.md | 4 ++--
 .../templates/geonode/geonode-secret.yaml | 10 +++++++++-
 charts/geonode/values.yaml | 19 ++++++------------
 3 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/charts/geonode/README.md b/charts/geonode/README.md
index 6a894f2..cc107ea 100644
--- a/charts/geonode/README.md
+++ b/charts/geonode/README.md
@@ -122,8 +122,8 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
 | geonode.resources.limits.memory | string | `"2Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | geonode.resources.requests.cpu | int | `1` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | geonode.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
-| geonode.secret.content | string | `"apiVersion: v1\nkind: Secret\nmetadata:\n name: geonode-secret\ntype: Opaque\ndata:\n # superuser\n ADMIN_USERNAME: {{ admin | base64 }}\n ADMIN_PASSWORD: {{ geonode | base64 }}\n ADMIN_EMAIL: {{ support@example.com | base64 }}\n"` | Default contents of the secret |
-| geonode.secret.name | string | `"geonode-secret"` | the name of the secret to use |
+| geonode.secret.content | object | `{"email":"support@example.com","password":"geonode","username":"admin"}` | Values of the Secret. If empty, the Secret will not be created from template. In this case, you have to either create the Secret on your own (you may choose a different name). |
+| geonode.secret.name | string | `"geonode-secret"` | name of the secret to use. Change, if you want to maintain them separately. |
 | geonode.sentry.build_number | int | `0` | sentry build number |
 | geonode.sentry.dsn | string | `""` | sentry dsn url |
 | geonode.sentry.enabled | bool | `false` | enable sentry integration for geonode |
diff --git a/charts/geonode/templates/geonode/geonode-secret.yaml b/charts/geonode/templates/geonode/geonode-secret.yaml
index ebe930a..513f59d 100644
--- a/charts/geonode/templates/geonode/geonode-secret.yaml
+++ b/charts/geonode/templates/geonode/geonode-secret.yaml
@@ -1,3 +1,11 @@
 {{- if .Values.geonode.secret.content }}
-{{ .Values.geonode.secret.content | toYaml }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: geonode-secret
+type: Opaque
+data:
+  ADMIN_USERNAME: {{ .Values.geonode.secret.content.superuser.username | base64 }}
+  ADMIN_PASSWORD: {{ .Values.geonode.secret.content.superuser.password | base64 }}
+  ADMIN_EMAIL: {{ .Values.geonode.secret.content.superuser.email | base64 }}
 {{ end }}
\ No newline at end of file
diff --git a/charts/geonode/values.yaml b/charts/geonode/values.yaml
index 21e0c6e..537dd0b 100644
--- a/charts/geonode/values.yaml
+++ b/charts/geonode/values.yaml
@@ -32,20 +32,13 @@ geonode:
     print("tasks_post_script not defined ...")
 
   secret:
-    # -- the name of the secret to use
+    # -- name of the secret to use. Change, if you want to maintain them separately.
     name: geonode-secret
-    # -- Default contents of the secret
-    content: |
-      apiVersion: v1
-      kind: Secret
-      metadata:
-        name: geonode-secret
-      type: Opaque
-      data:
-        # superuser
-        ADMIN_USERNAME: {{ admin | base64 }}
-        ADMIN_PASSWORD: {{ geonode | base64 }}
-        ADMIN_EMAIL: {{ support@example.com | base64 }}
+    # -- Values of the Secret. If empty, the Secret will not be created from template. In this case, you have to either create the Secret on your own (you may choose a different name).
+    content:
+      username: admin
+      password: geonode
+      email: support@example.com
 
   resources:
     requests:
From a7fa6f7317179b041a875ae73da0078a61d6532e Mon Sep 17 00:00:00 2001
From: Henning Bredel
Date: Thu, 7 Sep 2023 12:41:34 +0200
Subject: [PATCH 06/14] Configure secret creation via flag

---
 charts/geonode/README.md | 3 ++-
 charts/geonode/templates/geonode/geonode-secret.yaml | 2 +-
 charts/geonode/values.yaml | 9 ++++++---
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/charts/geonode/README.md b/charts/geonode/README.md
index cc107ea..433c53c 100644
--- a/charts/geonode/README.md
+++ b/charts/geonode/README.md
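Review bot: `base64` is not a function in Helm's template engine (the Sprig helper is `b64enc`), so the three `data:` lines in the @@ -1 hunk of geonode-secret.yaml fail to render; each should read like `ADMIN_USERNAME: {{ .Values.geonode.secret.content.superuser.username | b64enc }}`. The template also reads `content.superuser.*` while the values.yaml hunk in the same commit defines `content.username`, `content.password` and `content.email` directly, which is a nil-pointer error at render time (patch 06 nests them under `superuser`). `metadata.name` is hard-coded to `geonode-secret` although the README row says `geonode.secret.name` is the key to change; `name: {{ .Values.geonode.secret.name }}` keeps the created Secret in step with that setting. The closing `{{ end }}` leaves a trailing whitespace line and the file has no final newline; `{{- end }}` avoids both.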
@@ -122,7 +122,8 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
 | geonode.resources.limits.memory | string | `"2Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | geonode.resources.requests.cpu | int | `1` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | geonode.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
-| geonode.secret.content | object | `{"email":"support@example.com","password":"geonode","username":"admin"}` | Values of the Secret. If empty, the Secret will not be created from template. In this case, you have to either create the Secret on your own (you may choose a different name). |
+| geonode.secret.content | object | `{"superuser":{"email":"support@example.com","password":"geonode","username":"admin"}}` | Values of the Secret. If empty, the Secret will not be created from template. In this case, you have to either create the Secret on your own (you may choose a different name). |
+| geonode.secret.createFromContent | bool | `true` | if Secret shall be created based on the values of `secret.content`. |
 | geonode.secret.name | string | `"geonode-secret"` | name of the secret to use. Change, if you want to maintain them separately. |
 | geonode.sentry.build_number | int | `0` | sentry build number |
 | geonode.sentry.dsn | string | `""` | sentry dsn url |
diff --git a/charts/geonode/templates/geonode/geonode-secret.yaml b/charts/geonode/templates/geonode/geonode-secret.yaml
index ebe930a..513f59d 100644
--- a/charts/geonode/templates/geonode/geonode-secret.yaml
+++ b/charts/geonode/templates/geonode/geonode-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.geonode.secret.content }}
+{{- if .Values.geonode.secret.createFromContent }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/geonode/values.yaml b/charts/geonode/values.yaml
index 537dd0b..9a198a4 100644
--- a/charts/geonode/values.yaml
+++ b/charts/geonode/values.yaml
@@ -34,11 +34,14 @@ geonode:
   secret:
     # -- name of the secret to use. Change, if you want to maintain them separately.
     name: geonode-secret
+    # -- if Secret shall be created based on the values of `secret.content`.
+    createFromContent: True
     # -- Values of the Secret. If empty, the Secret will not be created from template. In this case, you have to either create the Secret on your own (you may choose a different name).
     content:
-      username: admin
-      password: geonode
-      email: support@example.com
+      superuser:
+        username: admin
+        password: geonode
+        email: support@example.com
 
   resources:
     requests:
From eb3152b31cb03d3c10eda5095ced0eda0449c946 Mon Sep 17 00:00:00 2001
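Review bot: `createFromContent: True` in the values.yaml hunk uses the YAML 1.1 spelling; the README row generated from it already shows `true`, and `true`/`false` is the form every parser agrees on. The comment on `content` still says "If empty, the Secret will not be created from template", which is no longer the gate now that `createFromContent` decides in geonode-secret.yaml; `# -- values rendered into the Secret when createFromContent is true` would state the current contract. A short comment that `createFromContent: false` means the operator must supply a Secret with the ADMIN_USERNAME, ADMIN_PASSWORD and ADMIN_EMAIL keys themselves would also help, since nothing in the chart verifies the keys exist.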
From: Henning Bredel
Date: Thu, 7 Sep 2023 17:24:44 +0200
Subject: [PATCH 07/14] Enhance secret configuration

- Use existingSecretName to configure secret via external secret
- rabbitmq uses its own naming syntax. We show them for convenience
- fixing external database property

Postgres secrets for external databases has to be added still
---
 charts/geonode/README.md | 28 ++++-----
 .../templates/geonode/geonode-deploy.yaml | 24 ++-----
 .../templates/geonode/geonode-env.yaml | 6 --
 .../templates/geonode/geonode-secret.yaml | 18 ++++--
 .../templates/geoserver/geoserver-deploy.yaml | 2 +
 .../templates/geoserver/geoserver-env.yaml | 3 -
 .../templates/geoserver/geoserver-secret.yaml | 12 ++++
 .../postgres-external-geodata-secrets.yaml | 3 +-
 .../postgres-external-geonode-secrets.yaml | 3 +-
 .../postgres-external-postgres-secrets.yaml | 3 +-
 charts/geonode/values.yaml | 62 +++++++++----------
 11 files changed, 82 insertions(+), 82 deletions(-)
 create mode 100644 charts/geonode/templates/geoserver/geoserver-secret.yaml

diff --git a/charts/geonode/README.md b/charts/geonode/README.md
index 433c53c..00de7bd 100644
--- a/charts/geonode/README.md
+++ b/charts/geonode/README.md
@@ -59,11 +59,7 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
 | geonode.general.ogc_request_timeout | int | `600` | OGC_REQUEST_TIMEOUT |
 | geonode.general.publishing.admin_moderate_uploads | bool | `false` | ADMIN_MODERATE_UPLOADS When this variable is set to True, every uploaded resource must be approved before becoming visible to the public users. Until a resource is in PENDING APPROVAL state, only the superusers, owner and group members can access it, unless specific edit permissions have been set for other users or groups. A Group Manager can approve the resource, but he cannot publish it whenever the setting RESOURCE_PUBLISHING is set to True. Otherwise, if RESOURCE_PUBLISHING (helm: resource_publishing_by_staff) is set to False, the resource becomes accessible as soon as it is approved. |
 | geonode.general.publishing.resource_publishing_by_staff | bool | `false` | RESOURCE_PUBLISHING By default, the GeoNode application allows GeoNode staff members to publish/unpublish resources. By default, resources are published when created. When this setting is set to True the staff members will be able to unpublish a resource (and eventually publish it back). |
-| geonode.general.secretName | string | `"demo-secret"` | the secret name containing confidential values |
 | geonode.general.settings_module | string | `"geonode.settings"` | the settings module to load |
-| geonode.general.superUser.email | string | `"support@example.com"` | admin user password |
-| geonode.general.superUser.password | string | `"geonode"` | admin panel password |
-| geonode.general.superUser.username | string | `"admin"` | admin username |
 | geonode.haystack.enabled | bool | `false` | enable hystack |
 | geonode.haystack.engine_index_name | string | `"haystack"` | hystack index name |
 | geonode.haystack.engine_url | string | `"http://elasticsearch:9200/"` | hystack url |
@@ -79,7 +75,6 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
 | geonode.ldap.attr_map_first_name | string | `"givenName"` | given name attribute used from ldap |
 | geonode.ldap.attr_map_last_name | string | `"sn"` | last name attribute used from ldap |
 | geonode.ldap.bind_dn | string | `"CN=Users,DC=ad,DC=example,DC=com"` | ldap user bind dn |
-| geonode.ldap.bind_password | string | `"password"` | ldap password |
 | geonode.ldap.enabled | bool | `false` | enable ldap AUTHENTICATION_BACKENDS in DJANGO Geonode |
 | geonode.ldap.group_search_dn | string | `"OU=Groups,DC=ad,DC=example,DC=com"` | ldap group search dn |
 | geonode.ldap.group_search_filterstr | string | `"(objectClass=group)"` | ldap group filterstr |
@@ -89,13 +84,10 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.ldap.user_search_filterstr | string | `"(sAMAccountName=%(user)s)"` | ldap user filterstr | | geonode.mail.backend | string | `"django.core.mail.backends.smtp.EmailBackend"` | set mail backend in geonode settings | | geonode.mail.enabled | bool | `false` | enables mail configuration for geonode | -| geonode.mail.from | string | `"changeme@web.de"` | define from mail-addr | | geonode.mail.host | string | `"smtp.gmail.com"` | set mail host for genode mail | -| geonode.mail.password | string | `"changeme"` | set password for mailuser in geonode | | geonode.mail.port | string | `"587"` | mail port fo geonode mail | | geonode.mail.tls | bool | `true` | activate tls for geonode mail (only tls or ssl can be true not both) | | geonode.mail.use_ssl | bool | `false` | enable ssl for geonode mail (only tls or ssl can be true not both) | -| geonode.mail.user | string | `"changeme"` | define mail user to send mails from | | geonode.memcached.enabled | bool | `true` | enable memcache, this will spawn one or more seperate memcache container(s) and configure django geonode repsectivly. Dynamic caching (see https://docs.djangoproject.com/en/4.0/topics/cache/) | | geonode.memcached.lock_expire | string | `"3600"` | memcached lock expire time | | geonode.memcached.lock_timeout | string | `"10"` | memcached lock timeout | 
@@ -122,9 +114,14 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.resources.limits.memory | string | `"2Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | geonode.resources.requests.cpu | int | `1` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | geonode.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | -| geonode.secret.content | object | `{"superuser":{"email":"support@example.com","password":"geonode","username":"admin"}}` | Values of the Secret. If empty, the Secret will not be created from template. In this case, you have to either create the Secret on your own (you may choose a different name). | -| geonode.secret.createFromContent | bool | `true` | if Secret shall be created based on the values of `secret.content`. | -| geonode.secret.name | string | `"geonode-secret"` | name of the secret to use. Change, if you want to maintain them separately. | +| geonode.secret.existingSecretName | string | `""` | name of an existing Secret to use. Set, if you want to separately maintain the Secret. 
| +| geonode.secret.ldap.bind_password | string | `"password"` | ldap password | +| geonode.secret.mail.from | string | `"changeme@web.de"` | define from mail-addr | +| geonode.secret.mail.password | string | `"changeme"` | set password for mailuser in geonode | +| geonode.secret.mail.user | string | `"changeme"` | define mail user to send mails from | +| geonode.secret.superUser.email | string | `"support@example.com"` | admin user password | +| geonode.secret.superUser.password | string | `"geonode"` | admin panel password | +| geonode.secret.superUser.username | string | `"admin"` | admin username | | geonode.sentry.build_number | int | `0` | sentry build number | | geonode.sentry.dsn | string | `""` | sentry dsn url | | geonode.sentry.enabled | bool | `false` | enable sentry integration for geonode | 
@@ -149,9 +146,7 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.uwsgi.reload_on_rss | int | `2048` | Restart workers after this much resident memory | | geonode.uwsgi.worker_reload_mercy | int | `60` | How long to wait before forcefully killing workers | | geonodeFixtures | map of fixture files | `{"somefixture.json":"[\n {\n \"pk\": 0,\n \"model\": \"myapp.sample\"\n \"description\": \"nice little content\"\n }\n]\n"}` | Fixture files which shall be made available under /usr/src/geonode/geonode/fixtures (refer to https://docs.djangoproject.com/en/4.2/howto/initial-data/) | -| geoserver | object | `{"admin_password":"geoserver","admin_username":"admin","container_name":"geoserver","image":{"name":"geonode/geoserver","tag":"2.23.0"},"pod_name":"geoserver","port":8080,"resources":{"limits":{"cpu":2,"memory":"4Gi"},"requests":{"cpu":1,"memory":"1Gi"}}}` | CONFIGURATION FOR GEOSERVER DEPLOYMENT | -| geoserver.admin_password | string | `"geoserver"` | geoserver admin password | -| geoserver.admin_username | string | `"admin"` | geoserver admin username | +| geoserver | object | `{"container_name":"geoserver","image":{"name":"geonode/geoserver","tag":"2.23.0"},"pod_name":"geoserver","port":8080,"resources":{"limits":{"cpu":2,"memory":"4Gi"},"requests":{"cpu":1,"memory":"1Gi"}},"secret":{"admin_password":"geoserver","admin_username":"admin","existingSecretName":""}}` | CONFIGURATION FOR GEOSERVER DEPLOYMENT | | geoserver.container_name | string | `"geoserver"` | geoserver container name | | geoserver.image.name | string | `"geonode/geoserver"` | geoserver image docker image (default in zalf namespace because geonode one was not up to date) | | geoserver.image.tag | string | `"2.23.0"` | geoserver docker image tag | 
@@ -162,6 +157,9 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geoserver.resources.limits.memory | string | `"4Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | geoserver.resources.requests.cpu | int | `1` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | geoserver.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | +| geoserver.secret.admin_password | string | `"geoserver"` | geoserver admin password | +| geoserver.secret.admin_username | string | `"admin"` | geoserver admin username | +| geoserver.secret.existingSecretName | string | `""` | name of an existing Secret to use. Set, if you want to separately maintain the Secret. | | global.accessMode | string | `"ReadWriteMany"` | storage access mode used by helm dependency pvc | | global.storageClass | string | `nil` | storageClass used by helm dependencies pvc | | memcached.architecture | string | `"high-availability"` | memcached replica. Loadbalanaced via kubernetes. (only one entry in django settings.py) im memcached is activated under geonode.memcached.enabled this takes place | 
@@ -211,7 +209,7 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | pycsw.resources.limits.memory | string | `"1Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | pycsw.resources.requests.cpu | string | `"500m"` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | pycsw.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | -| rabbitmq | object | `{"auth":{"erlangCookie":"jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu","password":"rabbitpassword","username":"rabbituser"},"enabled":true,"limits":{"cpu":"750m","memory":"1Gi"},"persistence":{"enabled":false},"replicaCount":1,"requests":{"cpu":"500m","memory":"1Gi"}}` | VALUES DEFINITION https://github.com/bitnami/charts/blob/master/bitnami/rabbitmq/values.yaml | +| rabbitmq | object | `{"auth":{"erlangCookie":"jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu","existingErlangSecret":"","existingPasswordSecret":"","password":"rabbitpassword","username":"rabbituser"},"enabled":true,"limits":{"cpu":"750m","memory":"1Gi"},"persistence":{"enabled":false},"replicaCount":1,"requests":{"cpu":"500m","memory":"1Gi"}}` | VALUES DEFINITION https://github.com/bitnami/charts/blob/master/bitnami/rabbitmq/values.yaml | | rabbitmq.limits.cpu | string | `"750m"` | limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | rabbitmq.limits.memory | string | `"1Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | | rabbitmq.replicaCount | int | `1` | rabbitmq raplica count | 
diff --git a/charts/geonode/templates/geonode/geonode-deploy.yaml b/charts/geonode/templates/geonode/geonode-deploy.yaml index dc2e5c5..72f5a42 100644 --- a/charts/geonode/templates/geonode/geonode-deploy.yaml +++ b/charts/geonode/templates/geonode/geonode-deploy.yaml @@ -89,25 +89,12 @@ spec: envFrom: - configMapRef: name: {{ include "geonode_pod_name" . }}-env + - secretRef: + name: {{ .Values.geonode.secret.existingSecretName | "geonode-secret" | quote }} + - secretRef: + name: {{ .Values.geoserver.secret.existingSecretName | "geoserver-secret" | quote }} env: - {{- if .Values.geonode.general.secretName }} - - name: ADMIN_USERNAME - valueFrom: - secretKeyRef: - name: {{ .Values.geonode.general.secretName }} - key: ADMIN_USERNAME - - name: ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.geonode.general.secretName }} - key: ADMIN_PASSWORD - - name: ADMIN_EMAIL - valueFrom: - secretKeyRef: - name: {{ .Values.geonode.general.secretName }} - key: ADMIN_EMAIL - {{ end }} - name: GEONODE_DATABASE_PASSWORD valueFrom: secretKeyRef: @@ -207,9 +194,8 @@ spec: envFrom: - configMapRef: name: {{ include "geonode_pod_name" . }}-env - {{- if .Values.geonode.general.secretName }} - secretRef: - name: {{ .Values.geonode.general.secretName }} + name: {{ .Values.geonode.secret.existingSecretName | "geonode-secret" | quote }} env: - name: GEONODE_DATABASE_PASSWORD diff --git a/charts/geonode/templates/geonode/geonode-env.yaml b/charts/geonode/templates/geonode/geonode-env.yaml index c4b1b1c..b539cf3 100644 --- a/charts/geonode/templates/geonode/geonode-env.yaml +++ b/charts/geonode/templates/geonode/geonode-env.yaml 
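Review bot: The new `secretRef` entries import every key of the named Secret into the container environment, but nothing in the templates tells an operator who sets `existingSecretName` which keys their Secret must provide, and `envFrom` does not fail on a missing key, so a Secret lacking, say, `ADMIN_PASSWORD` just leaves that variable unset at runtime. A comment on the first `secretRef` such as `# an externally maintained geonode Secret must carry ADMIN_USERNAME, ADMIN_PASSWORD, ADMIN_EMAIL, DJANGO_EMAIL_HOST_USER, DJANGO_EMAIL_HOST_PASSWORD, DEFAULT_FROM_EMAIL and LDAP_BIND_PASSWORD` (the keys geonode-secret.yaml renders in this patch) would close that gap; the same applies to the celery `secretRef` in the second hunk of this file and to the geoserver `secretRef` in geoserver-deploy.yaml (keys `GEOSERVER_ADMIN_USER`, `GEOSERVER_ADMIN_PASSWORD`). The removed per-key `secretKeyRef` entries limited the import to three named keys, whereas with `envFrom` anything later added to either Secret also lands in the process environment, which is worth stating next to the comment. The container spec continues outside the hunk.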
@@ -66,11 +66,8 @@ data: DJANGO_EMAIL_BACKEND: {{ .Values.geonode.mail.backend | quote }} DJANGO_EMAIL_HOST: {{ .Values.geonode.mail.host | quote }} DJANGO_EMAIL_PORT: {{ .Values.geonode.mail.port | quote }} - DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.mail.user | quote }} - DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.mail.password | quote }} DJANGO_EMAIL_USE_TLS: {{ include "boolean2str" .Values.geonode.mail.tls | quote }} DJANGO_EMAIL_USE_SSL: {{ include "boolean2str" .Values.geonode.mail.use_ssl | quote }} - DEFAULT_FROM_EMAIL: {{ .Values.geonode.mail.from | quote }} # PATH # TODO (mwall) allign with volumeMount locations @@ -110,7 +107,6 @@ data: LDAP_ENABLED: {{ include "boolean2str" .Values.geonode.ldap.enabled | quote }} LDAP_SERVER_URL: {{ .Values.geonode.ldap.uri | quote }} LDAP_BIND_DN: {{ .Values.geonode.ldap.bind_dn | quote }} - LDAP_BIND_PASSWORD: {{ .Values.geonode.ldap.bind_password | quote }} LDAP_USER_SEARCH_DN: {{ .Values.geonode.ldap.user_search_dn | quote }} LDAP_USER_SEARCH_FILTERSTR: {{ .Values.geonode.ldap.user_search_filterstr | quote }} LDAP_ALWAYS_UPDATE_USER: {{ .Values.geonode.ldap.always_update_user | quote }} @@ -175,8 +171,6 @@ data: GEOSERVER_PUBLIC_LOCATION: "{{ include "public_url" . }}/geoserver/" GEOSERVER_PUBLIC_SCHEMA: {{ .Values.geonode.general.externalScheme | quote }} GEOSERVER_LOCATION: "http://{{ include "geoserver_pod_name" . }}:{{ .Values.geoserver.port }}/geoserver/" - GEOSERVER_ADMIN_USER: {{ .Values.geoserver.admin_username | quote }} - GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.admin_password | quote }} OGC_REQUEST_TIMEOUT: {{ .Values.geonode.general.ogc_request_timeout | quote }} OGC_REQUEST_MAX_RETRIES: '1' diff --git a/charts/geonode/templates/geonode/geonode-secret.yaml b/charts/geonode/templates/geonode/geonode-secret.yaml index 513f59d..4fac321 100644 --- a/charts/geonode/templates/geonode/geonode-secret.yaml +++ b/charts/geonode/templates/geonode/geonode-secret.yaml 
@@ -1,11 +1,21 @@ -{{- if .Values.geonode.secret.createFromContent }} +{{- if empty .Values.geonode.secret.existingSecretName }} apiVersion: v1 kind: Secret metadata: name: geonode-secret + namespace: {{ .Release.Namespace }} type: Opaque data: - ADMIN_USERNAME: {{ .Values.geonode.secret.content.superuser.username | base64 }} - ADMIN_PASSWORD: {{ .Values.geonode.secret.content.superuser.password | base64 }} - ADMIN_EMAIL: {{ .Values.geonode.secret.content.superuser.email | base64 }} + # superuser credentials + ADMIN_USERNAME: {{ .Values.geonode.secret.content.superUser.username | b64enc }} + ADMIN_PASSWORD: {{ .Values.geonode.secret.content.superUser.password | b64enc }} + ADMIN_EMAIL: {{ .Values.geonode.secret.content.superUser.email | b64enc }} + + # mail secrets + DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.secret.content.mail.user | b64enc }} + DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.secret.content.mail.password | b64enc }} + DEFAULT_FROM_EMAIL: {{ .Values.geonode.secret.content.mail.from | b64enc }} + + # ldap secrets + LDAP_BIND_PASSWORD: {{ .Values.geonode.secret.content.ldap.bind_password | b64enc }} {{ end }} \ No newline at end of file diff --git a/charts/geonode/templates/geoserver/geoserver-deploy.yaml b/charts/geonode/templates/geoserver/geoserver-deploy.yaml index 29be5b0..a0300c7 100644 --- a/charts/geonode/templates/geoserver/geoserver-deploy.yaml +++ b/charts/geonode/templates/geoserver/geoserver-deploy.yaml @@ -65,6 +65,8 @@ spec: envFrom: - configMapRef: name: {{ include "geoserver_pod_name" . }}-env + - secretRef: + name: {{ .Values.geoserver.secret.existingSecretName | "geoserver-secret" | quote }} env: # read auto generated password from secret diff --git a/charts/geonode/templates/geoserver/geoserver-env.yaml b/charts/geonode/templates/geoserver/geoserver-env.yaml index fd2ffc1..810893b 100644 --- a/charts/geonode/templates/geoserver/geoserver-env.yaml +++ b/charts/geonode/templates/geoserver/geoserver-env.yaml 
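Review bot: With `existingSecretName` left at its empty default this template renders `ADMIN_PASSWORD` from the chart default `geonode`, so a plain `helm install` ships a Secret holding the admin password printed in the README instead of failing until the operator chooses one. Helm's `required` turns that into a render-time error, `ADMIN_PASSWORD: {{ required "geonode.secret.superUser.password must be set" .Values.geonode.secret.superUser.password | b64enc }}`, once the literal default is dropped from values.yaml; the same applies to `GEOSERVER_ADMIN_PASSWORD` in the new geoserver-secret.yaml and to the three external-postgres password lines. Whether a fail-closed default fits the chart's demo use is a project decision, but it should be taken explicitly rather than inherited from the ConfigMap defaults this patch moves.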
@@ -17,6 +17,3 @@ data: DATABASE_PORT: "{{ include "database_port" . }}" GEONODE_GEODATABASE: {{ .Values.postgres.geonode_databasename_and_username | quote }} GEONODE_GEODATABASE_SCHEMA: {{ .Values.postgres.schema | quote }} - - GEOSERVER_ADMIN_USER: {{ .Values.geoserver.admin_username | quote }} - GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.admin_password | quote }} \ No newline at end of file diff --git a/charts/geonode/templates/geoserver/geoserver-secret.yaml b/charts/geonode/templates/geoserver/geoserver-secret.yaml new file mode 100644 index 0000000..ce861c9 --- /dev/null +++ b/charts/geonode/templates/geoserver/geoserver-secret.yaml @@ -0,0 +1,12 @@ +{{- if empty .Values.geoserver.secret.existingSecretName }} +apiVersion: v1 +kind: Secret +metadata: + name: geoserver-secret + namespace: {{ .Release.Namespace }} +type: Opaque +data: + # geoserver admin credentials + GEOSERVER_ADMIN_USER: {{ .Values.geoserver.secret.admin_username | b64enc }} + GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.secret.admin_password | b64enc }} +{{ end }} \ No newline at end of file diff --git a/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml index c1fbcd5..99c76ba 100644 --- a/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml +++ b/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml @@ -3,8 +3,9 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Release.Name }}-geodata-external-secrets + namespace: {{ .Release.Namespace }} type: Opaque data: - username: {{ .Values.postgres.geodatabasename_and_username | quote }} + username: {{ .Values.postgres.geodata_databasename_and_username | b64enc }} password: {{ .Values.postgres.external_postgres.geodata_password | b64enc }} {{ end }} 
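Review bot: The new Secret is named with the fixed string `geoserver-secret` (geonode-secret.yaml likewise uses `geonode-secret`), while the external-postgres Secrets in the next hunk on this line are named `{{ .Release.Name }}-…`; a second release of the chart in the same namespace therefore collides on the same object, which Helm 3 refuses as owned by another release, and any hand-managed Secret of that name is shared by every release that falls back to it. Naming it `name: {{ .Release.Name }}-geoserver-secret` and using `default (printf "%s-geoserver-secret" .Release.Name) .Values.geoserver.secret.existingSecretName` as the deployment fallback keeps the two templates consistent with the postgres ones. `namespace: {{ .Release.Namespace }}` is already set on the new Secret, so only the name needs the change.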
diff --git a/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml index a51593a..96cf40e 100644 --- a/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml +++ b/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml @@ -3,8 +3,9 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Release.Name }}-geonode-external-secrets + namespace: {{ .Release.Namespace }} type: Opaque data: - username: {{ .Values.postgres.username | quote }} + username: {{ .Values.postgres.username | b64enc }} password: {{ .Values.postgres.external_postgres.geonode_password | b64enc }} {{ end }} diff --git a/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml index a601325..7085838 100644 --- a/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml +++ b/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml @@ -3,8 +3,9 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Release.Name }}-postgres-external-secrets + namespace: {{ .Release.Namespace }} type: Opaque data: - username: {{ .Values.postgres.username | quote }} + username: {{ .Values.postgres.username | b64enc }} password: {{ .Values.postgres.external_postgres.postgres_password | b64enc }} {{ end }} diff --git a/charts/geonode/values.yaml b/charts/geonode/values.yaml index 9a198a4..a63d076 100644 --- a/charts/geonode/values.yaml +++ b/charts/geonode/values.yaml 
@@ -32,16 +32,26 @@ geonode: print("tasks_post_script not defined ...") secret: - # -- name of the secret to use. Change, if you want to maintain them separately. - name: geonode-secret - # -- if Secret shall be created based on the values of `secret.content`. - createFromContent: True - # -- Values of the Secret. If empty, the Secret will not be created from template. In this case, you have to either create the Secret on your own (you may choose a different name). - content: - superuser: - username: admin - password: geonode - email: support@example.com + # -- name of an existing Secret to use. Set, if you want to separately maintain the Secret. + existingSecretName: "" + superUser: + # -- admin username + username: admin + # -- admin panel password + password: geonode + # -- admin user password + email: support@example.com + mail: + # -- define mail user to send mails from + user: "changeme" + # -- set password for mailuser in geonode + password: "changeme" + # -- define from mail-addr + from: "changeme@web.de" + ldap: + # -- ldap password + bind_password: password + resources: requests: @@ -121,8 +131,6 @@ geonode: cheaper_busyness_backlog_step: 2 general: - # -- the secret name containing confidential values - secretName: demo-secret # -- external ingress schema. If set to 'https', make sure to configure TLS either by # configuring tls certificate or using cert-manager. Available options: (http|https) @@ -154,14 +162,6 @@ geonode: # -- OGC_REQUEST_POOL_CONNECTIONS ogc_request_pool_connections: 10 - superUser: - # -- admin username - username: admin - # -- admin panel password - password: geonode - # -- admin user password - email: support@example.com - publishing: # -- RESOURCE_PUBLISHING By default, the GeoNode application allows GeoNode staff members to publish/unpublish resources. # By default, resources are published when created. When this setting is set to True the staff members will be able to unpublish 
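Review bot: The helm-docs comment above `email` in the new `geonode.secret.superUser` block reads `# -- admin user password`, which describes the wrong field; it was copied over from the removed `general.superUser` block and the README row for `geonode.secret.superUser.email` now carries the same text, since the table appears to be generated from these comments. `# -- admin user e-mail address` fixes both. The new `mail.from` entry is a plain sender address rather than a credential; if it is kept in the Secret for convenience, a short comment saying so would save the next reader from looking for a secret there.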
@@ -198,12 +198,6 @@ geonode: tls: true # -- enable ssl for geonode mail (only tls or ssl can be true not both) use_ssl: False - # -- define mail user to send mails from - user: "changeme" - # -- set password for mailuser in geonode - password: "changeme" - # -- define from mail-addr - from: "changeme@web.de" ldap: # -- enable ldap AUTHENTICATION_BACKENDS in DJANGO Geonode @@ -212,8 +206,6 @@ geonode: uri: ldap://example.com # -- ldap user bind dn bind_dn: "CN=Users,DC=ad,DC=example,DC=com" - # -- ldap password - bind_password: password # -- ldap user search dn user_search_dn: "OU=User,DC=ad,DC=example,DC=com" # -- ldap user filterstr @@ -324,10 +316,14 @@ geoserver: tag: '2.23.0' # -- geoserver port port: 8080 - # -- geoserver admin username - admin_username: admin - # -- geoserver admin password - admin_password: "geoserver" + + secret: + # -- name of an existing Secret to use. Set, if you want to separately maintain the Secret. + existingSecretName: "" + # -- geoserver admin username + admin_username: admin + # -- geoserver admin password + admin_password: "geoserver" # -- geoserver kube resources resources: @@ -549,6 +545,8 @@ rabbitmq: username: rabbituser password: rabbitpassword erlangCookie: jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu + existingPasswordSecret: "" + existingErlangSecret: "" persistence: enabled: False From a67034d75de6ea8faf86369e730962fe225f7349 Mon Sep 17 00:00:00 2001 From: Henning Bredel Date: Fri, 8 Sep 2023 08:36:13 +0200 Subject: [PATCH 08/14] Fix yaml syntax --- charts/geonode/templates/geoserver/geoserver-deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/geonode/templates/geoserver/geoserver-deploy.yaml b/charts/geonode/templates/geoserver/geoserver-deploy.yaml index a0300c7..d4d3adb 100644 --- a/charts/geonode/templates/geoserver/geoserver-deploy.yaml +++ b/charts/geonode/templates/geoserver/geoserver-deploy.yaml 
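Review bot: The two new `rabbitmq.auth` keys `existingPasswordSecret` and `existingErlangSecret` carry no `# --` description, unlike every other `existingSecretName` introduced in this patch, so their purpose and how they relate to the `password` and `erlangCookie` literals that stay in values.yaml is undocumented. A comment such as `# -- name of an existing Secret holding the RabbitMQ password; when set it is expected to take precedence over auth.password` (and the equivalent for the Erlang cookie) would make the override path visible; please confirm the precedence against the upstream values file linked in the README row before wording it. The committed `erlangCookie` literal stays the effective default whichever way the comment is phrased.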
@@ -66,7 +66,7 @@ spec: - configMapRef: name: {{ include "geoserver_pod_name" . }}-env - secretRef: - name: {{ .Values.geoserver.secret.existingSecretName | "geoserver-secret" | quote }} + name: {{ .Values.geoserver.secret.existingSecretName | "geoserver-secret" | quote }} env: # read auto generated password from secret From c982caf15effef8530f09e724d074852d7b6f1fe Mon Sep 17 00:00:00 2001 From: Henning Bredel Date: Fri, 8 Sep 2023 10:32:28 +0200 Subject: [PATCH 09/14] Fix yaml and property refs --- .../templates/geonode/geonode-deploy.yaml | 26 ++++++++++--------- .../templates/geonode/geonode-secret.yaml | 14 +++++----- .../templates/geoserver/geoserver-deploy.yaml | 8 +++--- 3 files changed, 25 insertions(+), 23 deletions(-) diff --git a/charts/geonode/templates/geonode/geonode-deploy.yaml b/charts/geonode/templates/geonode/geonode-deploy.yaml index 72f5a42..06a15b7 100644 --- a/charts/geonode/templates/geonode/geonode-deploy.yaml +++ b/charts/geonode/templates/geonode/geonode-deploy.yaml @@ -87,17 +87,17 @@ spec: - containerPort: 8001 envFrom: - - configMapRef: - name: {{ include "geonode_pod_name" . }}-env - - secretRef: - name: {{ .Values.geonode.secret.existingSecretName | "geonode-secret" | quote }} - - secretRef: - name: {{ .Values.geoserver.secret.existingSecretName | "geoserver-secret" | quote }} + - configMapRef: + name: {{ include "geonode_pod_name" . }}-env + - secretRef: + name: {{ default "geonode-secret" .Values.geonode.secret.existingSecretName | quote }} + - secretRef: + name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }} env: - name: GEONODE_DATABASE_PASSWORD valueFrom: - secretKeyRef: + secretKeyRef: name: {{ include "database_geonode_password_secret_key_ref" . }} key: password - name: GEONODE_GEODATABASE_PASSWORD 
@@ -162,7 +162,6 @@ spec: # Celery is the task worker - name: {{ .Values.geonode.celery.container_name }} image: "{{ .Values.geonode.image.name }}:{{ .Values.geonode.image.tag }}" - command: - bash - -c @@ -180,6 +179,7 @@ spec: cd /usr/src/geonode-contribs/ldap; pip install --upgrade -e . cd /usr/src/geonode/ {{ end }} + {{ if .Values.geonode.sentry.enabled }} pip install sentry-sdk {{ end }} @@ -192,15 +192,17 @@ spec: dockerize -stdout /var/log/celery.log /usr/src/geonode/entrypoint.sh celery-cmd envFrom: - - configMapRef: + - configMapRef: name: {{ include "geonode_pod_name" . }}-env - - secretRef: - name: {{ .Values.geonode.secret.existingSecretName | "geonode-secret" | quote }} + - secretRef: + name: {{ default "geonode-secret" .Values.geonode.secret.existingSecretName | quote }} + - secretRef: + name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }} env: - name: GEONODE_DATABASE_PASSWORD valueFrom: - secretKeyRef: + secretKeyRef: name: {{ include "database_geonode_password_secret_key_ref" . }} key: password - name: GEONODE_GEODATABASE_PASSWORD diff --git a/charts/geonode/templates/geonode/geonode-secret.yaml b/charts/geonode/templates/geonode/geonode-secret.yaml index 4fac321..556517f 100644 --- a/charts/geonode/templates/geonode/geonode-secret.yaml +++ b/charts/geonode/templates/geonode/geonode-secret.yaml 
@@ -7,15 +7,15 @@ metadata: type: Opaque data: # superuser credentials - ADMIN_USERNAME: {{ .Values.geonode.secret.content.superUser.username | b64enc }} - ADMIN_PASSWORD: {{ .Values.geonode.secret.content.superUser.password | b64enc }} - ADMIN_EMAIL: {{ .Values.geonode.secret.content.superUser.email | b64enc }} + ADMIN_USERNAME: {{ .Values.geonode.secret.superUser.username | b64enc }} + ADMIN_PASSWORD: {{ .Values.geonode.secret.superUser.password | b64enc }} + ADMIN_EMAIL: {{ .Values.geonode.secret.superUser.email | b64enc }} # mail secrets - DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.secret.content.mail.user | b64enc }} - DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.secret.content.mail.password | b64enc }} - DEFAULT_FROM_EMAIL: {{ .Values.geonode.secret.content.mail.from | b64enc }} + DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.secret.mail.user | b64enc }} + DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.secret.mail.password | b64enc }} + DEFAULT_FROM_EMAIL: {{ .Values.geonode.secret.mail.from | b64enc }} # ldap secrets - LDAP_BIND_PASSWORD: {{ .Values.geonode.secret.content.ldap.bind_password | b64enc }} + LDAP_BIND_PASSWORD: {{ .Values.geonode.secret.ldap.bind_password | b64enc }} {{ end }} \ No newline at end of file diff --git a/charts/geonode/templates/geoserver/geoserver-deploy.yaml b/charts/geonode/templates/geoserver/geoserver-deploy.yaml index d4d3adb..52371df 100644 --- a/charts/geonode/templates/geoserver/geoserver-deploy.yaml +++ b/charts/geonode/templates/geoserver/geoserver-deploy.yaml 
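Review bot: Every value here is piped straight into `b64enc`, which only accepts a string, so an operator who writes a numeric-looking value (`bind_password: 12345` is parsed as a number) or nulls out an unused key such as `ldap.bind_password` gets a type error from sprig at render time instead of a usable Secret. `| toString | b64enc` on each line, or `| default "" | toString | b64enc` for the optional mail and LDAP entries, keeps the template tolerant, and quoting the defaults in values.yaml (`bind_password: "password"`) documents the expectation. Alternatively `stringData:` with `| quote` avoids the manual encoding altogether.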
@@ -63,10 +63,10 @@ spec: - containerPort: {{ .Values.geoserver.port }} envFrom: - - configMapRef: - name: {{ include "geoserver_pod_name" . }}-env - - secretRef: - name: {{ .Values.geoserver.secret.existingSecretName | "geoserver-secret" | quote }} + - configMapRef: + name: {{ include "geoserver_pod_name" . }}-env + - secretRef: + name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }} env: # read auto generated password from secret From 5a7611146d96e06070e544ed8922de17b77699df Mon Sep 17 00:00:00 2001 From: Henning Bredel Date: Fri, 8 Sep 2023 10:55:23 +0200 Subject: [PATCH 10/14] Adds configurable secret to external database --- charts/geonode/README.md | 7 ++++--- .../postgres/postgres-external-geodata-secrets.yaml | 4 ++-- .../postgres/postgres-external-geonode-secrets.yaml | 4 ++-- .../postgres/postgres-external-postgres-secrets.yaml | 4 ++-- ...geonode-manifest.yaml => postgresql-operator.yaml} | 0 charts/geonode/values.yaml | 11 +++++++---- 6 files changed, 17 insertions(+), 13 deletions(-) rename charts/geonode/templates/postgres/{geonode-manifest.yaml => postgresql-operator.yaml} (100%) diff --git a/charts/geonode/README.md b/charts/geonode/README.md index 00de7bd..72c087b 100644 --- a/charts/geonode/README.md +++ b/charts/geonode/README.md 
@@ -181,11 +181,12 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | postgres-operator.podServiceAccount | object | `{"name":""}` | not setting the podServiceAccount name will leed to generation of this name. This allows to run multiple postgres-operators in a single kubernetes cluster. just seperating them by namespace. | | postgres-operator.storageClass | string | `nil` | postgress pv storageclass | | postgres.external_postgres.enabled | bool | `false` | | -| postgres.external_postgres.geodata_password | string | `"geogeonode"` | | -| postgres.external_postgres.geonode_password | string | `"geonode"` | | | postgres.external_postgres.hostname | string | `"my-external-postgres.com"` | | | postgres.external_postgres.port | int | `5432` | | -| postgres.external_postgres.postgres_password | string | `"postgres"` | | +| postgres.external_postgres.secret.existingSecretName | string | `""` | name of an existing Secret to use. Set, if you want to separately maintain the Secret. | +| postgres.external_postgres.secret.geodata_password | string | `"geogeonode"` | | +| postgres.external_postgres.secret.geonode_password | string | `"geonode"` | | +| postgres.external_postgres.secret.postgres_password | string | `"postgres"` | | | postgres.geodata_databasename_and_username | string | `"geodata"` | geoserver database name and username | | postgres.geonode_databasename_and_username | string | `"geonode"` | geonode database name and username | | postgres.operator_manifest | object | `{"numberOfInstances":1,"pod_name":"postgresql","postgres_version":15,"storageSize":"3Gi"}` | configuration for postgres operator database manifest | diff --git a/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml index 99c76ba..13ddc20 100644 --- a/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml 
+++ b/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml @@ -1,4 +1,4 @@ -{{ if .Values.postgres.external_postgres.enabled }} +{{ if and ( .Values.postgres.external_postgres.enabled (empty .Values.postgres.external_postgres.secret.existingSecretName )) }} apiVersion: v1 kind: Secret metadata: @@ -7,5 +7,5 @@ metadata: type: Opaque data: username: {{ .Values.postgres.geodata_databasename_and_username | b64enc }} - password: {{ .Values.postgres.external_postgres.geodata_password | b64enc }} + password: {{ .Values.postgres.external_postgres.secret.geodata_password | b64enc }} {{ end }} diff --git a/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml index 96cf40e..05da13f 100644 --- a/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml +++ b/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml @@ -1,4 +1,4 @@ -{{ if .Values.postgres.external_postgres.enabled }} +{{ if and ( .Values.postgres.external_postgres.enabled (empty .Values.postgres.external_postgres.secret.existingSecretName )) }} apiVersion: v1 kind: Secret metadata: @@ -7,5 +7,5 @@ metadata: type: Opaque data: username: {{ .Values.postgres.username | b64enc }} - password: {{ .Values.postgres.external_postgres.geonode_password | b64enc }} + password: {{ .Values.postgres.external_postgres.secret.geonode_password | b64enc }} {{ end }} diff --git a/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml index 7085838..4a6036c 100644 --- a/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml +++ b/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml 
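Review bot: The new guard `{{ if and ( .Values.postgres.external_postgres.enabled (empty … existingSecretName )) }}` is mis-parenthesised: the outer parentheses wrap a single expression in which the boolean `enabled` is applied as a function to the `empty` result, which Go's template engine rejects at execution time (`can't give argument to non-function`), so the chart stops rendering whenever this template is evaluated. The intended form is `{{ if and .Values.postgres.external_postgres.enabled (empty .Values.postgres.external_postgres.secret.existingSecretName) }}`. The same line is repeated in postgres-external-geonode-secrets.yaml (this line) and postgres-external-postgres-secrets.yaml (next line).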
@@ -1,4 +1,4 @@ -{{ if .Values.postgres.external_postgres.enabled }} +{{ if and ( .Values.postgres.external_postgres.enabled (empty .Values.postgres.external_postgres.secret.existingSecretName )) }} apiVersion: v1 kind: Secret metadata: @@ -7,5 +7,5 @@ metadata: type: Opaque data: username: {{ .Values.postgres.username | b64enc }} - password: {{ .Values.postgres.external_postgres.postgres_password | b64enc }} + password: {{ .Values.postgres.external_postgres.secret.postgres_password | b64enc }} {{ end }} diff --git a/charts/geonode/templates/postgres/geonode-manifest.yaml b/charts/geonode/templates/postgres/postgresql-operator.yaml similarity index 100% rename from charts/geonode/templates/postgres/geonode-manifest.yaml rename to charts/geonode/templates/postgres/postgresql-operator.yaml diff --git a/charts/geonode/values.yaml b/charts/geonode/values.yaml index a63d076..f658fc9 100644 --- a/charts/geonode/values.yaml +++ b/charts/geonode/values.yaml @@ -4,7 +4,7 @@ global: # -- storage access mode used by helm dependency pvc accessMode: ReadWriteMany - + # geonode configuration geonode: # -- pod name @@ -589,9 +589,12 @@ postgres: enabled: False hostname: my-external-postgres.com port: 5432 - postgres_password: postgres - geonode_password: geonode - geodata_password: geogeonode + secret: + # -- name of an existing Secret to use. Set, if you want to separately maintain the Secret. + existingSecretName: "" + postgres_password: postgres + geonode_password: geonode + geodata_password: geogeonode # VALUES DEFINITION: https://github.com/zalando/postgres-operator/blob/master/charts/postgres-operator/values.yaml postgres-operator: From 4c688f745491cbb8db1a154a5bb2a1c85be18ebf Mon Sep 17 00:00:00 2001 
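Review bot: The new `secret` block in the values.yaml hunk keeps `postgres`, `geonode` and `geogeonode` as real default values, so a deployment that enables `external_postgres` without overriding them renders a Secret with well-known database passwords, and only the `existingSecretName` comment hints that overriding is expected. Since the series' own documentation (PATCH 13) tells users not to expose secrets, the helm-docs `# --` comments on the three password keys should say that they are placeholders, e.g. `# -- password of the postgres superuser on the external database; override this default or set existingSecretName`. Whether the safer shipping configuration is an empty default plus a `required` guard in the templates is a behavioural choice for the maintainers, but it would match what the documentation recommends.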
From: Henning Bredel
Date: Fri, 8 Sep 2023 14:36:25 +0200
Subject: [PATCH 11/14] Adjust minikube values
---
 charts/geonode/README.md | 4 ++--
 charts/geonode/values.yaml | 2 +-
 minikube-values-external-db.yaml | 12 +++++++-----
 minikube-values.yaml | 5 +++--
 4 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/charts/geonode/README.md b/charts/geonode/README.md
index 72c087b..5309d32 100644
--- a/charts/geonode/README.md
+++ b/charts/geonode/README.md
@@ -98,9 +98,9 @@ Helm Chart for Geonode a web-based application and platform for developing geosp | geonode.monitoring.user_analytics_gzip | bool | `true` | | | geonode.persistant.storageSize | string | `"10Gi"` | size of persistant geonode storage | | geonode.pod_name | string | `"geonode"` | pod name | -| geonode.register | object | `{"approval_required":false,"authentication_method":"user_email","auto_assign_registered_members_to_registered":true,"confirm_email_on_get":true,"conformation_required":true,"email_required":true,"email_verification":"mandatory","open_signup":true,"registered_members_group_name":null,"show_profile_email":true}` | Find docs for register values under: - https://docs.geonode.org/en/3.3.x/basic/settings/index.html - https://github.com/pinax/django-user-accounts/blob/master/docs/settings.rst - https://django-allauth.readthedocs.io/en/latest/configuration.html | +| geonode.register | object | `{"approval_required":false,"authentication_method":"username_email","auto_assign_registered_members_to_registered":true,"confirm_email_on_get":true,"conformation_required":true,"email_required":true,"email_verification":"mandatory","open_signup":true,"registered_members_group_name":null,"show_profile_email":true}` | Find docs for register values under: - https://docs.geonode.org/en/3.3.x/basic/settings/index.html - https://github.com/pinax/django-user-accounts/blob/master/docs/settings.rst - https://django-allauth.readthedocs.io/en/latest/configuration.html | | geonode.register.approval_required | bool | `false` | approve given email with registration | -| geonode.register.authentication_method | string | `"user_email"` | Specifies the login method to use – whether the user logs in by entering their username, e-mail address, or either one of both. 
Setting this to “email” requires email_required=True | +| geonode.register.authentication_method | string | `"username_email"` | Specifies the login method to use – whether the user logs in by entering their username, e-mail address, or either one of both. Setting this to “email” requires email_required=True | | geonode.register.auto_assign_registered_members_to_registered | bool | `true` | if set to True new registered user will be add to defined group in registered_members_group_name | | geonode.register.confirm_email_on_get | bool | `true` | send confirm email on get | | geonode.register.conformation_required | bool | `true` | If True, new user accounts will be created as inactive. The user must use the activation link to activate his account. | diff --git a/charts/geonode/values.yaml b/charts/geonode/values.yaml index f658fc9..182fca0 100644 --- a/charts/geonode/values.yaml +++ b/charts/geonode/values.yaml @@ -251,7 +251,7 @@ geonode: # -- If True, new user accounts will be created as inactive. The user must use the activation link to activate his account. conformation_required: True # -- Specifies the login method to use – whether the user logs in by entering their username, e-mail address, or either one of both. Setting this to “email” requires email_required=True - authentication_method: "user_email" + authentication_method: "username_email" # -- group name to add new registered users to, requires auto_assign_registered_members_to_registered: True. registered_members_group_name: # -- if set to True new registered user will be add to defined group in registered_members_group_name diff --git a/minikube-values-external-db.yaml b/minikube-values-external-db.yaml index 66f2e68..173cb75 100644 --- a/minikube-values-external-db.yaml +++ b/minikube-values-external-db.yaml @@ -16,8 +16,9 @@ geonode: ingress: enabled: False - superUser: - password: geonode + secret: + superUser: + password: geonode mail: enabled: False 
@@ -45,9 +46,10 @@ postgres: enabled: True hostname: "external-postgres.com" port: 5432 - postgres_password: - geonode_password: - geodata_password: + secret: + postgres_password: + geonode_password: + geodata_password: postgres-operator: enabled: False diff --git a/minikube-values.yaml b/minikube-values.yaml index 8ded9c1..66a6aae 100644 --- a/minikube-values.yaml +++ b/minikube-values.yaml @@ -16,8 +16,9 @@ geonode: ingress: enabled: False - superUser: - password: geonode + secret: + superUser: + password: geonode mail: enabled: False From f91955e84e283a612988442dfb4d8ac7de23d155 Mon Sep 17 00:00:00 2001 From: Henning Bredel Date: Fri, 8 Sep 2023 17:32:52 +0200 Subject: [PATCH 12/14] Resolve go template issues --- .../templates/postgres/postgres-external-geodata-secrets.yaml | 2 +- .../templates/postgres/postgres-external-geonode-secrets.yaml | 2 +- .../templates/postgres/postgres-external-postgres-secrets.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml index 13ddc20..cdd0a09 100644 --- a/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml +++ b/charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml @@ -1,4 +1,4 @@ -{{ if and ( .Values.postgres.external_postgres.enabled (empty .Values.postgres.external_postgres.secret.existingSecretName )) }} +{{ if and .Values.postgres.external_postgres.enabled (not .Values.postgres.external_postgres.secret.existingSecretName )}} apiVersion: v1 kind: Secret metadata: diff --git a/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml index 05da13f..7e1ef1b 100644 --- a/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml +++ b/charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml 
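Review bot: The three keys moved under `secret:` in the minikube-values-external-db.yaml hunk are left bare (`postgres_password:` with no value), which YAML reads as null rather than an empty string, so rendering straight from this example file will most likely hit `b64enc` on a nil value in the postgres secret templates and fail with a type error instead of a message saying what is missing. If the intent is "fill these in before deploying", make that explicit with an empty string and a comment, e.g. `postgres_password: ""  # set before deploying, or point existingSecretName at a Secret you maintain`, for all three keys. The minikube-values.yaml hunk on this line and the `@@ -16,8 +16,9 @@` hunk on the previous line keep a literal `password: geonode` under `secret.superUser`; that is acceptable for a local minikube profile but worth labelling as such in a comment so it is not copied into a real values file.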
@@ -1,4 +1,4 @@
-{{ if and ( .Values.postgres.external_postgres.enabled (empty .Values.postgres.external_postgres.secret.existingSecretName )) }}
+{{ if and .Values.postgres.external_postgres.enabled (not .Values.postgres.external_postgres.secret.existingSecretName )}}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml b/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml
index 4a6036c..e1262e9 100644
--- a/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml
+++ b/charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml
@@ -1,4 +1,4 @@
-{{ if and ( .Values.postgres.external_postgres.enabled (empty .Values.postgres.external_postgres.secret.existingSecretName )) }}
+{{ if and .Values.postgres.external_postgres.enabled (not .Values.postgres.external_postgres.secret.existingSecretName )}}
 apiVersion: v1
 kind: Secret
 metadata:
From 33210a6172d8fa35ac5e6f4a8cf35c24b73b61b0 Mon Sep 17 00:00:00 2001
From: Henning Bredel
Date: Fri, 8 Sep 2023 18:21:11 +0200
Subject: [PATCH 13/14] Update documentation
---
 docs/provide-custom-secret.md | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/docs/provide-custom-secret.md b/docs/provide-custom-secret.md
index a282ba6..91f842c 100644
--- a/docs/provide-custom-secret.md
+++ b/docs/provide-custom-secret.md
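Review bot: The corrected condition `not .Values.postgres.external_postgres.secret.existingSecretName` makes the chart stop rendering these Secrets as soon as a name is configured, but nothing in the templates or the README states the contract the externally maintained Secret has to satisfy: it must carry the same `username` and `password` keys the chart-rendered Secret does (see the `data:` block in the PATCH 01 hunks), and presumably be named exactly as the consuming workload's `secretKeyRef` expects, which is not visible in this series. A short header comment in each template would make that explicit, e.g. `{{/* Skipped when secret.existingSecretName is set; that Secret must provide the keys "username" and "password" */}}`. The same note applies to the geodata-secrets hunk of this patch on the previous line.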
@@ -1,18 +1,31 @@ # Maintain Secrets Ensure to put confidential settings in a Kubernetes Secret. -By default, each service provides a secret template which is filled by the `secret.content` value given in the `values.yaml` for each component. +By default, each service provides a secret template which is filled by the values within the `secret` section given in the `values.yaml` for each component. In your `values.yaml` you have two options: -1. Override the `secret.content` to set project specific secrets -1. Create custom Kubernetes Secrets and configure `secret.name` accordingly +1. Set the secret values directly within the `secret` section +1. Override the `secret.existingSecretName` to reference a secret which you maintain separately + > :bulb: **Note:** > > Make sure to not expose your secrets, e.g. via Git! > Consider to pass secrets from a CD pipeline via masked environment settings. -> By referencing a custom Secret (leaving `secret.content` empty), you would have to create and maintain a Secret by yourself. + +Consult the documentation of Chart dependedncies how this is there (most of them handle it similarly). +For RabbitMQ you can provide externally managed Secrets as declared[in the `auth` section of the rabbitmq config](https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml#L130): + +```yaml +rabbitmq: + auth: + username: rabbituser + existingPasswordSecret: "rabbitmq-password-secret" + existingErlangSecret: "rabbitmq-erlang-secret" + +``` + ## Tooling From 7e98a7d5e5a19a53dffae0e48013d849db523226 Mon Sep 17 00:00:00 2001 From: Henning Bredel Date: Fri, 8 Sep 2023 18:29:10 +0200 Subject: [PATCH 14/14] Fix wording --- docs/provide-custom-secret.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/provide-custom-secret.md b/docs/provide-custom-secret.md index 91f842c..7129a40 100644 --- a/docs/provide-custom-secret.md +++ b/docs/provide-custom-secret.md 
@@ -14,8 +14,8 @@ In your `values.yaml` you have two options: > Make sure to not expose your secrets, e.g. via Git! > Consider to pass secrets from a CD pipeline via masked environment settings. -Consult the documentation of Chart dependedncies how this is there (most of them handle it similarly). -For RabbitMQ you can provide externally managed Secrets as declared[in the `auth` section of the rabbitmq config](https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml#L130): +Consult the documentation of Chart dependencies how this is done there (most of them handle it similarly). +For example, you can configure externally managed Secrets [in the `auth` section of the rabbitmq config](https://github.com/bitnami/charts/blob/main/bitnami/rabbitmq/values.yaml#L130): ```yaml rabbitmq: