Provide confidential values as secret #71

Merged
merged 14 commits into from
Sep 10, 2023
39 changes: 28 additions & 11 deletions charts/geonode/README.md
Expand Up @@ -60,9 +60,6 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
| geonode.general.publishing.admin_moderate_uploads | bool | `false` | ADMIN_MODERATE_UPLOADS When this variable is set to True, every uploaded resource must be approved before becoming visible to the public users. Until a resource is in PENDING APPROVAL state, only the superusers, owner and group members can access it, unless specific edit permissions have been set for other users or groups. A Group Manager can approve the resource, but he cannot publish it whenever the setting RESOURCE_PUBLISHING is set to True. Otherwise, if RESOURCE_PUBLISHING (helm: resource_publishing_by_staff) is set to False, the resource becomes accessible as soon as it is approved. |
| geonode.general.publishing.resource_publishing_by_staff | bool | `false` | RESOURCE_PUBLISHING By default, the GeoNode application allows GeoNode staff members to publish/unpublish resources. By default, resources are published when created. When this setting is set to True the staff members will be able to unpublish a resource (and eventually publish it back). |
| geonode.general.settings_module | string | `"geonode.settings"` | the settings module to load |
| geonode.general.superUser.email | string | `"[email protected]"` | admin user password |
| geonode.general.superUser.password | string | `"geonode"` | admin panel password |
| geonode.general.superUser.username | string | `"admin"` | admin username |
| geonode.haystack.enabled | bool | `false` | enable hystack |
| geonode.haystack.engine_index_name | string | `"haystack"` | hystack index name |
| geonode.haystack.engine_url | string | `"http://elasticsearch:9200/"` | hystack url |
Expand All @@ -78,7 +75,6 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
| geonode.ldap.attr_map_first_name | string | `"givenName"` | given name attribute used from ldap |
| geonode.ldap.attr_map_last_name | string | `"sn"` | last name attribute used from ldap |
| geonode.ldap.bind_dn | string | `"CN=Users,DC=ad,DC=example,DC=com"` | ldap user bind dn |
| geonode.ldap.bind_password | string | `"password"` | ldap password |
| geonode.ldap.enabled | bool | `false` | enable ldap AUTHENTICATION_BACKENDS in DJANGO Geonode |
| geonode.ldap.group_search_dn | string | `"OU=Groups,DC=ad,DC=example,DC=com"` | ldap group search dn |
| geonode.ldap.group_search_filterstr | string | `"(objectClass=group)"` | ldap group filterstr |
Expand All @@ -88,13 +84,10 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
| geonode.ldap.user_search_filterstr | string | `"(sAMAccountName=%(user)s)"` | ldap user filterstr |
| geonode.mail.backend | string | `"django.core.mail.backends.smtp.EmailBackend"` | set mail backend in geonode settings |
| geonode.mail.enabled | bool | `false` | enables mail configuration for geonode |
| geonode.mail.from | string | `"[email protected]"` | define from mail-addr |
| geonode.mail.host | string | `"smtp.gmail.com"` | set mail host for genode mail |
| geonode.mail.password | string | `"changeme"` | set password for mailuser in geonode |
| geonode.mail.port | string | `"587"` | mail port fo geonode mail |
| geonode.mail.tls | bool | `true` | activate tls for geonode mail (only tls or ssl can be true not both) |
| geonode.mail.use_ssl | bool | `false` | enable ssl for geonode mail (only tls or ssl can be true not both) |
| geonode.mail.user | string | `"changeme"` | define mail user to send mails from |
| geonode.memcached.enabled | bool | `true` | enable memcache, this will spawn one or more seperate memcache container(s) and configure django geonode repsectivly. Dynamic caching (see https://docs.djangoproject.com/en/4.0/topics/cache/) |
| geonode.memcached.lock_expire | string | `"3600"` | memcached lock expire time |
| geonode.memcached.lock_timeout | string | `"10"` | memcached lock timeout |
Expand All @@ -121,6 +114,14 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
| geonode.resources.limits.memory | string | `"2Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| geonode.resources.requests.cpu | int | `1` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| geonode.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| geonode.secret.existingSecretName | string | `""` | name of an existing Secret to use. Set, if you want to separately maintain the Secret. |
| geonode.secret.ldap.bind_password | string | `"password"` | ldap password |
| geonode.secret.mail.from | string | `"[email protected]"` | define from mail-addr |
| geonode.secret.mail.password | string | `"changeme"` | set password for mailuser in geonode |
| geonode.secret.mail.user | string | `"changeme"` | define mail user to send mails from |
| geonode.secret.superUser.email | string | `"[email protected]"` | admin user password |
| geonode.secret.superUser.password | string | `"geonode"` | admin panel password |
| geonode.secret.superUser.username | string | `"admin"` | admin username |
| geonode.sentry.build_number | int | `0` | sentry build number |
| geonode.sentry.dsn | string | `""` | sentry dsn url |
| geonode.sentry.enabled | bool | `false` | enable sentry integration for geonode |
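Review bot: the description of the new `geonode.secret.superUser.email` row reads "admin user password", a copy-paste slip carried over from the removed `geonode.general.superUser.email` row; it should say "admin user email address". In the same block, the `geonode.secret.existingSecretName` description should list the keys a user-maintained Secret has to provide, because the deployments consume it through `envFrom` and the chart-managed Secret defines `ADMIN_USERNAME`, `ADMIN_PASSWORD`, `ADMIN_EMAIL`, `DJANGO_EMAIL_HOST_USER`, `DJANGO_EMAIL_HOST_PASSWORD`, `DEFAULT_FROM_EMAIL` and `LDAP_BIND_PASSWORD`; a Secret with other key names is accepted without error and the variables are simply absent at runtime.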
Expand All @@ -145,9 +146,7 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
| geonode.uwsgi.reload_on_rss | int | `2048` | Restart workers after this much resident memory |
| geonode.uwsgi.worker_reload_mercy | int | `60` | How long to wait before forcefully killing workers |
| geonodeFixtures | map of fixture files | `{"somefixture.json":"[\n {\n \"pk\": 0,\n \"model\": \"myapp.sample\"\n \"description\": \"nice little content\"\n }\n]\n"}` | Fixture files which shall be made available under /usr/src/geonode/geonode/fixtures (refer to https://docs.djangoproject.com/en/4.2/howto/initial-data/) |
| geoserver | object | `{"admin_password":"geoserver","admin_username":"admin","container_name":"geoserver","image":{"name":"geonode/geoserver","tag":"2.23.0"},"pod_name":"geoserver","port":8080,"resources":{"limits":{"cpu":2,"memory":"4Gi"},"requests":{"cpu":1,"memory":"1Gi"}}}` | CONFIGURATION FOR GEOSERVER DEPLOYMENT |
| geoserver.admin_password | string | `"geoserver"` | geoserver admin password |
| geoserver.admin_username | string | `"admin"` | geoserver admin username |
| geoserver | object | `{"container_name":"geoserver","image":{"name":"geonode/geoserver","tag":"2.23.0"},"pod_name":"geoserver","port":8080,"resources":{"limits":{"cpu":2,"memory":"4Gi"},"requests":{"cpu":1,"memory":"1Gi"}},"secret":{"admin_password":"geoserver","admin_username":"admin","existingSecretName":""}}` | CONFIGURATION FOR GEOSERVER DEPLOYMENT |
| geoserver.container_name | string | `"geoserver"` | geoserver container name |
| geoserver.image.name | string | `"geonode/geoserver"` | geoserver image docker image (default in zalf namespace because geonode one was not up to date) |
| geoserver.image.tag | string | `"2.23.0"` | geoserver docker image tag |
Expand All @@ -158,6 +157,9 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
| geoserver.resources.limits.memory | string | `"4Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| geoserver.resources.requests.cpu | int | `1` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| geoserver.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| geoserver.secret.admin_password | string | `"geoserver"` | geoserver admin password |
| geoserver.secret.admin_username | string | `"admin"` | geoserver admin username |
| geoserver.secret.existingSecretName | string | `""` | name of an existing Secret to use. Set, if you want to separately maintain the Secret. |
| global.accessMode | string | `"ReadWriteMany"` | storage access mode used by helm dependency pvc |
| global.storageClass | string | `nil` | storageClass used by helm dependencies pvc |
| memcached.architecture | string | `"high-availability"` | memcached replica. Loadbalanaced via kubernetes. (only one entry in django settings.py) im memcached is activated under geonode.memcached.enabled this takes place |
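Review bot: the `geoserver.secret.existingSecretName` row should state the two keys a user-supplied Secret must contain, `GEOSERVER_ADMIN_USER` and `GEOSERVER_ADMIN_PASSWORD`, since both the GeoServer and the GeoNode containers pull it in with `envFrom` and differently named keys would leave the variables unset rather than fail the install. The `admin`/`geoserver` defaults kept in the two rows above are the well-known GeoServer factory credentials; the description should mark them as placeholders that must be overridden for any reachable deployment, not as values to ship.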
Expand Down Expand Up @@ -193,9 +195,24 @@ Helm Chart for Geonode a web-based application and platform for developing geosp
| postgres.operator_manifest.storageSize | string | `"3Gi"` | Database storage size |
| postgres.schema | string | `"public"` | database schema |
| postgres.username | string | `"postgres"` | postgres username |
| rabbitmq | object | `{"auth":{"erlangCookie":"jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu","password":"rabbitpassword","username":"rabbituser"},"enabled":true,"limits":{"cpu":"750m","memory":"1Gi"},"persistence":{"enabled":false},"replicaCount":1,"requests":{"cpu":"500m","memory":"1Gi"}}` | VALUES DEFINITION https://github.com/bitnami/charts/blob/master/bitnami/rabbitmq/values.yaml |
| pycsw.config | string | [server] ... | pycsw config file parameters, see docs: https://docs.pycsw.org/_/downloads/en/latest/pdf/ |
| pycsw.container_name | string | `"pycsw"` | pycsw container name |
| pycsw.enabled | bool | `true` | enable single pycsw pod |
| pycsw.endpoint | string | `"/catalogue/csw"` | pycsw url below geonode.ingress.externalDomain |
| pycsw.image.name | string | `"geopython/pycsw"` | pycsw docker image |
| pycsw.image.tag | string | `"2.6.1"` | pycsw docker image tag |
| pycsw.mappings | string | MD_CORE_MODEL = { ... } | pycsw local mappings, copied from 4.1.x: https://github.com/GeoNode/geonode/blob/master/geonode/catalogue/backends/pycsw_local_mappings.py |
| pycsw.pod_name | string | `"pysw"` | pycsw pod name |
| pycsw.port | int | `8000` | pycsw endpoint port |
| pycsw.replicaCount | int | `1` | pycsw container replicas |
| pycsw.resources.limits.cpu | string | `"500m"` | limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| pycsw.resources.limits.memory | string | `"1Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| pycsw.resources.requests.cpu | string | `"500m"` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| pycsw.resources.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| rabbitmq | object | `{"auth":{"erlangCookie":"jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu","existingErlangSecret":"","existingPasswordSecret":"","password":"rabbitpassword","username":"rabbituser"},"enabled":true,"limits":{"cpu":"750m","memory":"1Gi"},"persistence":{"enabled":false},"replicaCount":1,"requests":{"cpu":"500m","memory":"1Gi"}}` | VALUES DEFINITION https://github.com/bitnami/charts/blob/master/bitnami/rabbitmq/values.yaml |
| rabbitmq.limits.cpu | string | `"750m"` | limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| rabbitmq.limits.memory | string | `"1Gi"` | limits memory as in resource.limits.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| rabbitmq.replicaCount | int | `1` | rabbitmq raplica count |
| rabbitmq.requests.cpu | string | `"500m"` | requested cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
| rabbitmq.requests.memory | string | `"1Gi"` | requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
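Review bot: the `rabbitmq` defaults object still carries a fixed `erlangCookie` and `password` (`rabbitpassword`) even though this change adds `existingErlangSecret` and `existingPasswordSecret`; an Erlang cookie published in a README is a shared credential for every node of the broker cluster, so either leave `erlangCookie` empty so the Bitnami chart can generate one per release, or state in the description that the two new `existing*Secret` keys are expected to be set for anything beyond a local test. Minor, in the surrounding rows: `rabbitmq.limits.cpu` and `pycsw.resources.limits.cpu` are described as `resource.requests.cpu` where `limits.cpu` is meant, and `rabbitmq.replicaCount` has "raplica".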

4 changes: 2 additions & 2 deletions charts/geonode/templates/_helpers.tpl
Expand Up @@ -42,7 +42,7 @@
{{- end -}}
{{- end -}}

# secret key reference for the password of user: .Values.postgres.geonodedatabase_and_username
# secret key reference for the password of user: .Values.postgres.geonode_databasename_and_username
{{- define "database_geonode_password_secret_key_ref" -}}
{{- if (index .Values "postgres-operator" "enabled") -}}
"{{ .Values.postgres.geonode_databasename_and_username }}.{{ include "postgres_pod_name" . }}.credentials.postgresql.acid.zalan.do"
Expand All @@ -51,7 +51,7 @@
{{- end -}}
{{- end -}}

# secret key reference for the password of user: .Values.postgres.geodatabasename_and_username
# secret key reference for the password of user: .Values.postgres.geonode_databasename_and_username
{{- define "database_geodata_password_secret_key_ref" -}}
{{- if (index .Values "postgres-operator" "enabled") -}}
"{{ .Values.postgres.geodata_databasename_and_username }}.{{ include "postgres_pod_name" . }}.credentials.postgresql.acid.zalan.do"
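Review bot: the rewritten comment above `database_geodata_password_secret_key_ref` now names `.Values.postgres.geonode_databasename_and_username`, but the template body builds the reference from `.Values.postgres.geodata_databasename_and_username`, so the comment now points at the other database's user. The old text (`geodatabasename_and_username`) was wrong too, but the fix here copied the first helper's comment instead of the key this helper actually uses; it should read `# secret key reference for the password of user: .Values.postgres.geodata_databasename_and_username`.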
22 changes: 15 additions & 7 deletions charts/geonode/templates/geonode/geonode-deploy.yaml
Expand Up @@ -87,13 +87,17 @@ spec:
- containerPort: 8001

envFrom:
- configMapRef:
name: {{ include "geonode_pod_name" . }}-env
- configMapRef:
name: {{ include "geonode_pod_name" . }}-env
- secretRef:
name: {{ default "geonode-secret" .Values.geonode.secret.existingSecretName | quote }}
- secretRef:
name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }}

env:
- name: GEONODE_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
secretKeyRef:
name: {{ include "database_geonode_password_secret_key_ref" . }}
key: password
- name: GEONODE_GEODATABASE_PASSWORD
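Review bot: the two `secretRef` entries added to `envFrom` are the right move, but a Secret referenced this way does not trigger a rollout when its contents change: rotating the admin, mail or LDAP bind password in values.yaml rewrites `geonode-secret` while the running pods keep the old environment until they are recreated by hand. The usual fix is a checksum annotation on the pod template, for example `checksum/secret: {{ include (print $.Template.BasePath "/geonode/geonode-secret.yaml") . | sha256sum }}`, so that a credential change rolls the Deployment. Leaving `optional` unset on the `secretRef` is correct here: a missing Secret keeps the container from starting instead of starting it without credentials.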
Expand Down Expand Up @@ -158,7 +162,6 @@ spec:
# Celery is the task worker
- name: {{ .Values.geonode.celery.container_name }}
image: "{{ .Values.geonode.image.name }}:{{ .Values.geonode.image.tag }}"

command:
- bash
- -c
Expand All @@ -176,6 +179,7 @@ spec:
cd /usr/src/geonode-contribs/ldap; pip install --upgrade -e .
cd /usr/src/geonode/
{{ end }}

{{ if .Values.geonode.sentry.enabled }}
pip install sentry-sdk
{{ end }}
Expand All @@ -188,13 +192,17 @@ spec:
dockerize -stdout /var/log/celery.log /usr/src/geonode/entrypoint.sh celery-cmd

envFrom:
- configMapRef:
name: {{ include "geonode_pod_name" . }}-env
- configMapRef:
name: {{ include "geonode_pod_name" . }}-env
- secretRef:
name: {{ default "geonode-secret" .Values.geonode.secret.existingSecretName | quote }}
- secretRef:
name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }}

env:
- name: GEONODE_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
secretKeyRef:
name: {{ include "database_geonode_password_secret_key_ref" . }}
key: password
- name: GEONODE_GEODATABASE_PASSWORD
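Review bot: the celery container repeats the geonode container's `envFrom` block verbatim, and with it the literal fallback names `geonode-secret` and `geoserver-secret` that are spelled out again in geonode-secret.yaml and geoserver-secret.yaml; if any one of these places drifts, the pods reference a Secret that is never created and sit in CreateContainerConfigError. Define the names once in `_helpers.tpl` next to `geonode_pod_name`, as helpers (suggested names: `geonode_secret_name`, `geoserver_secret_name`) that apply the `default` against `existingSecretName`, and `include` them from both containers and from the two Secret templates.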
11 changes: 0 additions & 11 deletions charts/geonode/templates/geonode/geonode-env.yaml
Expand Up @@ -47,11 +47,6 @@ data:
ALLOWED_HOSTS: "['django', '*', '{{ .Values.geonode.general.externalDomain }}']"
PROXY_ALLOWED_HOSTS: 'localhost,django,geonode,geoserver,spatialreference.org,nominatim.openstreetmap.org,dev.openlayers.org'

# Admin Settings
ADMIN_USERNAME: {{ .Values.geonode.general.superUser.username | quote }}
ADMIN_EMAIL: {{ .Values.geonode.general.superUser.email | quote }}
ADMIN_PASSWORD: {{ .Values.geonode.general.superUser.password | quote }}

# General settings
FREETEXT_KEYWORDS_READONLY: {{ include "boolean2str" .Values.geonode.general.freetext_keywords_readonly | quote }}
FIXTURE_DIRS: "[ '/usr/src/geonode/geonode/fixtures' ]"
Expand All @@ -71,11 +66,8 @@ data:
DJANGO_EMAIL_BACKEND: {{ .Values.geonode.mail.backend | quote }}
DJANGO_EMAIL_HOST: {{ .Values.geonode.mail.host | quote }}
DJANGO_EMAIL_PORT: {{ .Values.geonode.mail.port | quote }}
DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.mail.user | quote }}
DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.mail.password | quote }}
DJANGO_EMAIL_USE_TLS: {{ include "boolean2str" .Values.geonode.mail.tls | quote }}
DJANGO_EMAIL_USE_SSL: {{ include "boolean2str" .Values.geonode.mail.use_ssl | quote }}
DEFAULT_FROM_EMAIL: {{ .Values.geonode.mail.from | quote }}

# PATH
# TODO (mwall) allign with volumeMount locations
Expand Down Expand Up @@ -115,7 +107,6 @@ data:
LDAP_ENABLED: {{ include "boolean2str" .Values.geonode.ldap.enabled | quote }}
LDAP_SERVER_URL: {{ .Values.geonode.ldap.uri | quote }}
LDAP_BIND_DN: {{ .Values.geonode.ldap.bind_dn | quote }}
LDAP_BIND_PASSWORD: {{ .Values.geonode.ldap.bind_password | quote }}
LDAP_USER_SEARCH_DN: {{ .Values.geonode.ldap.user_search_dn | quote }}
LDAP_USER_SEARCH_FILTERSTR: {{ .Values.geonode.ldap.user_search_filterstr | quote }}
LDAP_ALWAYS_UPDATE_USER: {{ .Values.geonode.ldap.always_update_user | quote }}
Expand Down Expand Up @@ -180,8 +171,6 @@ data:
GEOSERVER_PUBLIC_LOCATION: "{{ include "public_url" . }}/geoserver/"
GEOSERVER_PUBLIC_SCHEMA: {{ .Values.geonode.general.externalScheme | quote }}
GEOSERVER_LOCATION: "http://{{ include "geoserver_pod_name" . }}:{{ .Values.geoserver.port }}/geoserver/"
GEOSERVER_ADMIN_USER: {{ .Values.geoserver.admin_username | quote }}
GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.admin_password | quote }}

OGC_REQUEST_TIMEOUT: {{ .Values.geonode.general.ogc_request_timeout | quote }}
OGC_REQUEST_MAX_RETRIES: '1'
21 changes: 21 additions & 0 deletions charts/geonode/templates/geonode/geonode-secret.yaml
@@ -0,0 +1,21 @@
{{- if empty .Values.geonode.secret.existingSecretName }}
apiVersion: v1
kind: Secret
metadata:
name: geonode-secret
namespace: {{ .Release.Namespace }}
type: Opaque
data:
# superuser credentials
ADMIN_USERNAME: {{ .Values.geonode.secret.superUser.username | b64enc }}
ADMIN_PASSWORD: {{ .Values.geonode.secret.superUser.password | b64enc }}
ADMIN_EMAIL: {{ .Values.geonode.secret.superUser.email | b64enc }}

# mail secrets
DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.secret.mail.user | b64enc }}
DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.secret.mail.password | b64enc }}
DEFAULT_FROM_EMAIL: {{ .Values.geonode.secret.mail.from | b64enc }}

# ldap secrets
LDAP_BIND_PASSWORD: {{ .Values.geonode.secret.ldap.bind_password | b64enc }}
{{ end }}
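Review bot: the Secret is named with the bare literal `geonode-secret`, whereas the chart's existing geodata Secret uses `{{ .Release.Name }}-geodata-external-secrets`; two releases of this chart in one namespace would contend for the same `geonode-secret` (and `geoserver-secret`) object, each overwriting the other's admin credentials on upgrade. Prefix the name with the release name and keep the `default` fallback in the deployments in step. Second, the values this change relocates (`geonode.general.superUser.*`, `geonode.mail.user`/`password`/`from`, `geonode.ldap.bind_password`) are no longer read by any template, so a values file written for the previous chart version still installs cleanly, but with `admin`/`geonode`/`changeme`/`password` in effect. A `{{ fail "..." }}` guard when one of the old keys is present, or at least a release note, would make the migration explicit instead of silent.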
6 changes: 4 additions & 2 deletions charts/geonode/templates/geoserver/geoserver-deploy.yaml
Expand Up @@ -63,8 +63,10 @@ spec:
- containerPort: {{ .Values.geoserver.port }}

envFrom:
- configMapRef:
name: {{ include "geoserver_pod_name" . }}-env
- configMapRef:
name: {{ include "geoserver_pod_name" . }}-env
- secretRef:
name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }}

env:
# read auto generated password from secret
3 changes: 0 additions & 3 deletions charts/geonode/templates/geoserver/geoserver-env.yaml
Expand Up @@ -17,6 +17,3 @@ data:
DATABASE_PORT: "{{ include "database_port" . }}"
GEONODE_GEODATABASE: {{ .Values.postgres.geonode_databasename_and_username | quote }}
GEONODE_GEODATABASE_SCHEMA: {{ .Values.postgres.schema | quote }}

GEOSERVER_ADMIN_USER: {{ .Values.geoserver.admin_username | quote }}
GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.admin_password | quote }}
12 changes: 12 additions & 0 deletions charts/geonode/templates/geoserver/geoserver-secret.yaml
@@ -0,0 +1,12 @@
{{- if empty .Values.geoserver.secret.existingSecretName }}
apiVersion: v1
kind: Secret
metadata:
name: geoserver-secret
namespace: {{ .Release.Namespace }}
type: Opaque
data:
# geoserver admin credentials
GEOSERVER_ADMIN_USER: {{ .Values.geoserver.secret.admin_username | b64enc }}
GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.secret.admin_password | b64enc }}
{{ end }}
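Review bot: `b64enc` on the two `data` values assumes they are strings; an admin password written unquoted in values.yaml and parsed as a number makes rendering fail with a type error, and a missing key hands `b64enc` a nil. Either pipe through `toString` first (`{{ .Values.geoserver.secret.admin_password | toString | b64enc }}`) or write the block as `stringData:` and let the API server store it encoded; the same applies to geonode-secret.yaml. The fixed name `geoserver-secret` also collides between two releases in one namespace; the release-prefixed convention of the geodata Secret in this chart is the safer one.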
Expand Up @@ -3,8 +3,9 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-geodata-external-secrets
namespace: {{ .Release.Namespace }}
type: Opaque
data:
username: {{ .Values.postgres.geodatabasename_and_username | quote }}
username: {{ .Values.postgres.geodata_databasename_and_username | b64enc }}
password: {{ .Values.postgres.external_postgres.geodata_password | b64enc }}
{{ end }}
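Review bot: switching `username` from `| quote` to `| b64enc` is a correctness fix, not a cosmetic one: under `data:` every value must be base64, so the earlier quoted plain string would have been rejected as invalid base64 on apply, and the key rename to `geodata_databasename_and_username` now matches what `database_geodata_password_secret_key_ref` in `_helpers.tpl` reads. One consistency point: this Secret carries the release prefix and, with this change, an explicit `namespace`, while the new `geonode-secret` and `geoserver-secret` carry neither the prefix nor a matching naming scheme; settle on one convention across the chart's Secrets.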