Refactor deployment templates to support additional env vars from Sec…

…ret (#603)

* Refactor deployment templates to support additional environment variables from secrets

* Add documentation

---------

Co-authored-by: Rob Holland <[email protected]>

README.md

@@ -110,7 +110,7 @@ helm install \
 
 ### Install with sidecar containers
 
-You may need to provide your own sidecar containers. 
+You may need to provide your own sidecar containers.
 
 For an example, review the values for Google's `cloud sql proxy` in the `values/values.cloudsqlproxy.yaml` and pass that file to `helm install`:
 
@@ -283,7 +283,7 @@ helm install \
 ```
 
 Note that if archival is enabled, it is also enabled for all newly created namespaces.
-Make sure to update the specific archival provider values file to set your configs. 
+Make sure to update the specific archival provider values file to set your configs.
 
 ### Install and configure Temporal
 
@@ -316,6 +316,29 @@ helm install \
   --wait
 ```
 
+### Enable SSO in Temporal UI
+
+To enable SSO in the temporal UI set following env variables in the `web.additionalEnv`:
+
+```yaml
+- name: TEMPORAL_AUTH_ENABLED
+  value: "true"
+- name: TEMPORAL_AUTH_PROVIDER_URL
+  value: "https://accounts.google.com"
+- name: TEMPORAL_AUTH_CLIENT_ID
+  value: "xxxxx-xxxx.apps.googleusercontent.com"
+- name: TEMPORAL_AUTH_CALLBACK_URL
+  value: "https://xxxx.com:8080/auth/sso/callback"
+```
+
+In the `web.additionalEnvSecretName` set the secret name, the secret should have following
+
+```yaml
+TEMPORAL_AUTH_CLIENT_SECRET: xxxxxxxxxxxxxxx
+```
+
+Reference: <https://docs.temporal.io/references/web-ui-server-env-vars>
+
 ## Play With It
 
 ### Exploring Your Cluster

charts/temporal/templates/admintools-deployment.yaml

@@ -39,6 +39,11 @@ spec:
           {{- if .Values.admintools.additionalEnv }}
           {{- toYaml .Values.admintools.additionalEnv | nindent 12 }}
           {{- end }}
+          {{- if .Values.admintools.additionalEnvSecretName }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.admintools.additionalEnvSecretName }}
+          {{- end }}
           livenessProbe:
               exec:
                 command:

charts/temporal/templates/server-deployment.yaml

@@ -88,6 +88,11 @@ spec:
           {{- if or $.Values.server.additionalEnv $serviceValues.additionalEnv }}
           {{- toYaml (default $.Values.server.additionalEnv $serviceValues.additionalEnv) | nindent 12 }}
           {{- end }}
+          {{- if $.Values.server.additionalEnvSecretName }}
+          envFrom:
+            - secretRef:
+                name: {{ $.Values.server.additionalEnvSecretName }}
+          {{- end }}
           ports:
           {{- if ne $service "worker" }}
             - name: rpc

charts/temporal/templates/web-deployment.yaml

@@ -36,6 +36,11 @@ spec:
           {{- if .Values.web.additionalEnv }}
           {{- toYaml .Values.web.additionalEnv | nindent 12 }}
           {{- end }}
+          {{- if .Values.web.additionalEnvSecretName }}
+          envFrom:
+            - secretRef:
+                name: {{ .Values.web.additionalEnvSecretName }}
+          {{- end }}
           ports:
             - name: http
               containerPort: 8080

charts/temporal/values.yaml

@@ -263,6 +263,7 @@ server:
     tolerations: []
     affinity: {}
     additionalEnv: []
+    additionalEnvSecretName: ""
     containerSecurityContext: {}
     topologySpreadConstraints: []
     podDisruptionBudget: {}
@@ -332,6 +333,7 @@ admintools:
   tolerations: []
   affinity: {}
   additionalEnv: []
+  additionalEnvSecretName: ""
   resources: {}
   containerSecurityContext: {}
   securityContext: {}
@@ -388,6 +390,7 @@ web:
   # Adjust Web UI config with environment variables:
   # https://docs.temporal.io/references/web-ui-environment-variables
   additionalEnv: []
+  additionalEnvSecretName: ""
   containerSecurityContext: {}
   securityContext: {}
   topologySpreadConstraints: []