From 7bb24736b78b0e5e3cd2e4d15cf52a9f1e5d1233 Mon Sep 17 00:00:00 2001
From: David Caputo
Date: Sat, 26 Oct 2024 09:52:12 -0400
Subject: [PATCH 1/2] Add username support to persistence secrets
---
.../temporal/templates/_admintools-env.yaml | 21 ++++--
charts/temporal/templates/_helpers.tpl | 68 ++++++++++++++++---
.../temporal/templates/server-configmap.yaml | 7 +-
.../temporal/templates/server-deployment.yaml | 14 +++-
4 files changed, 89 insertions(+), 21 deletions(-)
diff --git a/charts/temporal/templates/_admintools-env.yaml b/charts/temporal/templates/_admintools-env.yaml
index 93636edf..81247563 100644
--- a/charts/temporal/templates/_admintools-env.yaml
+++ b/charts/temporal/templates/_admintools-env.yaml
@@ -15,12 +15,15 @@
- name: CASSANDRA_KEYSPACE
value: {{ $driverConfig.keyspace }}
- name: CASSANDRA_USER
- value: {{ $driverConfig.user }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "temporal.persistence.secretName" (list $global $store) }}
+ key: {{ include "temporal.persistence.secretKeyUser" (list $global $store) }}
- name: CASSANDRA_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "temporal.persistence.secretName" (list $global $store) }}
- key: {{ include "temporal.persistence.secretKey" (list $global $store) }}
+ key: {{ include "temporal.persistence.secretKeyPassword" (list $global $store) }}
{{- else if eq $driver "sql" -}}
- name: SQL_PLUGIN
value: {{ include "temporal.persistence.sql.driver" (list $global $store) }}
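Review bot: CASSANDRA_USER is now read from the persistence secret unconditionally, so an `existingSecret` that only carries the password key (all the chart needed before this change) makes the pod fail at container start with a missing-key error. The same applies to SQL_USER and ES_USER in the next two hunks and to TEMPORAL_STORE_USER / TEMPORAL_VISIBILITY_STORE_USER in server-deployment.yaml. Either call out the new required key in the `existingSecret` documentation for this release, or add `optional: true` under each user `secretKeyRef` so an absent key leaves the variable unset instead of blocking startup. The `{{- if eq $driver ... -}}` chain that selects this stanza starts before the hunk.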
@@ -31,12 +34,15 @@
- name: SQL_DATABASE
value: {{ include "temporal.persistence.sql.database" (list $global $store) }}
- name: SQL_USER
- value: {{ $driverConfig.user }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "temporal.persistence.secretName" (list $global $store) }}
+ key: {{ include "temporal.persistence.secretKeyUser" (list $global $store) }}
- name: SQL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "temporal.persistence.secretName" (list $global $store) }}
- key: {{ include "temporal.persistence.secretKey" (list $global $store) }}
+ key: {{ include "temporal.persistence.secretKeyPassword" (list $global $store) }}
{{- with $driverConfig.tls }}
- name: SQL_TLS
value: {{ .enabled | quote }}
@@ -67,12 +73,15 @@
- name: ES_PORT
value: {{ $driverConfig.port | quote }}
- name: ES_USER
- value: {{ $driverConfig.username | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "temporal.persistence.secretName" (list $global $store) }}
+ key: {{ include "temporal.persistence.secretKeyUser" (list $global $store) }}
- name: ES_PWD
valueFrom:
secretKeyRef:
name: {{ include "temporal.persistence.secretName" (list $global $store) }}
- key: {{ include "temporal.persistence.secretKey" (list $global $store) }}
+ key: {{ include "temporal.persistence.secretKeyPassword" (list $global $store) }}
- name: ES_VERSION
value: {{ $driverConfig.version }}
- name: ES_VISIBILITY_INDEX
diff --git a/charts/temporal/templates/_helpers.tpl b/charts/temporal/templates/_helpers.tpl
index 4ff707d7..449e311d 100644
--- a/charts/temporal/templates/_helpers.tpl
+++ b/charts/temporal/templates/_helpers.tpl
@@ -215,12 +215,25 @@ Source: https://stackoverflow.com/a/52024583/3027614
{{- end -}}
{{- end -}}

-{{- define "temporal.persistence.cassandra.secretKey" -}}
+{{- define "temporal.persistence.cassandra.secretKeyUser" -}}
{{- $global := index . 0 -}}
{{- $store := index . 1 -}}
{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
{{- $driverConfig := $storeConfig.cassandra -}}
-{{- with $driverConfig.secretKey -}}
+{{- with $driverConfig.secretKeyUser -}}
+{{- print . -}}
+{{- else -}}
+{{/* Cassandra user is optional, but we will create an empty secret for it */}}
+{{- print "user" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "temporal.persistence.cassandra.secretKeyPassword" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driverConfig := $storeConfig.cassandra -}}
+{{- with $driverConfig.secretKeyPassword -}}
{{- print . -}}
{{- else -}}
{{/* Cassandra password is optional, but we will create an empty secret for it */}}
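Review bot: The fallback key in `temporal.persistence.cassandra.secretKeyUser` is `user`, but the secret template in the second patch stores the Cassandra user under `username`, so a chart-generated secret is referenced with a key it does not contain and the container cannot start. Change `{{- print "user" -}}` to `{{- print "username" -}}`; the comment line above it can stay. `temporal.persistence.cassandra.secretKeyPassword` continues past the end of the hunk.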
@@ -342,13 +355,31 @@ Source: https://stackoverflow.com/a/52024583/3027614
{{- end -}}
{{- end -}}

-{{- define "temporal.persistence.sql.secretKey" -}}
+{{- define "temporal.persistence.sql.secretKeyUser" -}}
{{- $global := index . 0 -}}
{{- $store := index . 1 -}}
{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
{{- $driverConfig := $storeConfig.sql -}}
-{{- if $driverConfig.secretKey -}}
-{{- print $driverConfig.secretKey -}}
+{{- if $driverConfig.secretKeyUser -}}
+{{- print $driverConfig.secretKeyUser -}}
+{{- else if or $driverConfig.existingSecret $driverConfig.user -}}
+{{- print "username" -}}
+{{- else if and $global.Values.mysql.enabled (and (eq (include "temporal.persistence.driver" (list $global $store)) "sql") (eq (include "temporal.persistence.sql.driver" (list $global $store)) "mysql8")) -}}
+{{- print "mysql-username" -}}
+{{- else if and $global.Values.postgresql.enabled (and (eq (include "temporal.persistence.driver" (list $global $store)) "sql") (eq (include "temporal.persistence.sql.driver" (list $global $store)) "postgres12")) -}}
+{{- print "postgresql-username" -}}
+{{- else -}}
+{{- fail (printf "Please specify sql username or existing secret for %s store" $store) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "temporal.persistence.sql.secretKeyPassword" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driverConfig := $storeConfig.sql -}}
+{{- if $driverConfig.secretKeyPassword -}}
+{{- print $driverConfig.secretKeyPassword -}}
{{- else if or $driverConfig.existingSecret $driverConfig.password -}}
{{- print "password" -}}
{{- else if and $global.Values.mysql.enabled (and (eq (include "temporal.persistence.driver" (list $global $store)) "sql") (eq (include "temporal.persistence.sql.driver" (list $global $store)) "mysql8")) -}}
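Review bot: The `mysql-username` / `postgresql-username` branches of `temporal.persistence.sql.secretKeyUser` assume the mysql and postgresql subchart secrets carry a username entry, which the diff cannot show; the password branches work because those subcharts publish password keys, but I am not aware of a corresponding username key, so please verify against the subchart templates before relying on it. If no such key exists, either write the subchart username into this chart's own secret so `secretName` and `secretKeyUser` stay consistent, or drop the two branches and let the `fail` in the `else` branch report the missing configuration at render time rather than at pod start. Both helpers also repeat the same driver-check condition verbatim; a shared helper would keep them in step. `temporal.persistence.sql.secretKeyPassword` continues past the end of the hunk.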
@@ -373,12 +404,23 @@ Source: https://stackoverflow.com/a/52024583/3027614
{{- end -}}
{{- end -}}

-{{- define "temporal.persistence.elasticsearch.secretKey" -}}
+{{- define "temporal.persistence.elasticsearch.secretKeyUser" -}}
{{- $global := index . 0 -}}
{{- $store := index . 1 -}}
{{- $driverConfig := $global.Values.elasticsearch -}}
-{{- if $driverConfig.secretKey -}}
-{{- print $driverConfig.secretKey -}}
+{{- if $driverConfig.secretKeyUser -}}
+{{- print $driverConfig.secretKeyUser -}}
+{{- else -}}
+{{- "password" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "temporal.persistence.elasticsearch.secretKeyPassword" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $driverConfig := $global.Values.elasticsearch -}}
+{{- if $driverConfig.secretKeyPassword -}}
+{{- print $driverConfig.secretKeyPassword -}}
{{- else -}}
{{- "password" -}}
{{- end -}}
@@ -390,10 +432,16 @@ Source: https://stackoverflow.com/a/52024583/3027614
{{- include (printf "temporal.persistence.%s.secretName" (include "temporal.persistence.driver" (list $global $store))) (list $global $store) -}}
{{- end -}}

-{{- define "temporal.persistence.secretKey" -}}
+{{- define "temporal.persistence.secretKeyUser" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- include (printf "temporal.persistence.%s.secretKeyUser" (include "temporal.persistence.driver" (list $global $store))) (list $global $store) -}}
+{{- end -}}
+
+{{- define "temporal.persistence.secretKeyPassword" -}}
{{- $global := index . 0 -}}
{{- $store := index . 1 -}}
-{{- include (printf "temporal.persistence.%s.secretKey" (include "temporal.persistence.driver" (list $global $store))) (list $global $store) -}}
+{{- include (printf "temporal.persistence.%s.secretKeyPassword" (include "temporal.persistence.driver" (list $global $store))) (list $global $store) -}}
{{- end -}}

{{/*
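Review bot: The `else` branch of `temporal.persistence.elasticsearch.secretKeyUser` prints `"password"`, copied from the password helper, so whenever `elasticsearch.secretKeyUser` is unset ES_USER is populated from the password entry of the secret and the stored username is never used. Change `{{- "password" -}}` in that branch to `{{- "username" -}}`, matching the `username` key that server-secret.yaml writes for the elasticsearch driver. The dispatcher hunk below is consistent with this fix and needs no change.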
diff --git a/charts/temporal/templates/server-configmap.yaml b/charts/temporal/templates/server-configmap.yaml
index 0de45347..6d6513b7 100644
--- a/charts/temporal/templates/server-configmap.yaml
+++ b/charts/temporal/templates/server-configmap.yaml
@@ -23,8 +23,9 @@ data:
cassandra:
hosts: "{{ include "temporal.persistence.cassandra.hosts" (list $ "default") }}"
port: {{ include "temporal.persistence.cassandra.port" (list $ "default") }}
+ user: {{ `{{ .Env.TEMPORAL_STORE_USER | quote }}` }}
password: {{ `{{ .Env.TEMPORAL_STORE_PASSWORD | quote }}` }}
- {{- with (omit $server.config.persistence.default.cassandra "hosts" "port" "password" "existingSecret") }}
+ {{- with (omit $server.config.persistence.default.cassandra "hosts" "port" "user" "password" "existingSecret") }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- else if eq (include "temporal.persistence.driver" (list $ "default")) "sql" }}
@@ -34,7 +35,7 @@ data:
databaseName: "{{ $server.config.persistence.default.sql.database }}"
connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "default") }}:{{ include "temporal.persistence.sql.port" (list $ "default") }}"
connectProtocol: "tcp"
- user: {{ include "temporal.persistence.sql.user" (list $ "default") }}
+ user: {{ `{{ .Env.TEMPORAL_STORE_USER | quote }}` }}
password: {{ `{{ .Env.TEMPORAL_STORE_PASSWORD | quote }}` }}
{{- with (omit $server.config.persistence.default.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret") }}
{{- toYaml . | nindent 12 }}
@@ -66,7 +67,7 @@ data:
databaseName: "{{ $server.config.persistence.visibility.sql.database }}"
connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "visibility") }}:{{ include "temporal.persistence.sql.port" (list $ "visibility") }}"
connectProtocol: "tcp"
- user: "{{ include "temporal.persistence.sql.user" (list $ "visibility") }}"
+ user: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_USER | quote }}` }}
password: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PASSWORD | quote }}` }}
{{- with (omit $server.config.persistence.visibility.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret") }}
{{- toYaml . | nindent 12 }}
diff --git a/charts/temporal/templates/server-deployment.yaml b/charts/temporal/templates/server-deployment.yaml
index 798a4cb0..2c70187b 100644
--- a/charts/temporal/templates/server-deployment.yaml
+++ b/charts/temporal/templates/server-deployment.yaml
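Review bot: Only the visibility SQL stanza consumes the new TEMPORAL_VISIBILITY_STORE_USER variable; if the configmap also has a visibility Cassandra stanza outside these hunks, it still renders the user from values and should switch to the same `` user: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_USER | quote }}` }} `` line — I cannot see that part of the file from the diff. The `{{- if ... }}` chain that selects the visibility store driver starts before the hunk.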
@@ -71,16 +71,26 @@ spec:
fieldPath: status.podIP
- name: SERVICES
value: {{ $service }}
+ - name: TEMPORAL_STORE_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "temporal.persistence.secretName" (list $ "default") }}
+ key: {{ include "temporal.persistence.secretKeyUser" (list $ "default") }}
- name: TEMPORAL_STORE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "temporal.persistence.secretName" (list $ "default") }}
- key: {{ include "temporal.persistence.secretKey" (list $ "default") }}
+ key: {{ include "temporal.persistence.secretKeyPassword" (list $ "default") }}
+ - name: TEMPORAL_VISIBILITY_STORE_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "temporal.persistence.secretName" (list $ "visibility") }}
+ key: {{ include "temporal.persistence.secretKeyUser" (list $ "visibility") }}
- name: TEMPORAL_VISIBILITY_STORE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "temporal.persistence.secretName" (list $ "visibility") }}
- key: {{ include "temporal.persistence.secretKey" (list $ "visibility") }}
+ key: {{ include "temporal.persistence.secretKeyPassword" (list $ "visibility") }}
{{- if $.Values.server.versionCheckDisabled }}
- name: TEMPORAL_VERSION_CHECK_DISABLED
value: "1"
From 3c9ba29c739ed41acef07671b2b537efe2019c37 Mon Sep 17 00:00:00 2001
From: David Caputo
Date: Sat, 26 Oct 2024 10:20:36 -0400
Subject: [PATCH 2/2] Additional update to secret
---
charts/temporal/templates/server-secret.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/charts/temporal/templates/server-secret.yaml b/charts/temporal/templates/server-secret.yaml
index e6c786d6..0eaa3e83 100644
--- a/charts/temporal/templates/server-secret.yaml
+++ b/charts/temporal/templates/server-secret.yaml
@@ -21,10 +21,13 @@ metadata:
type: Opaque
data:
{{- if eq $driver "cassandra" }}
+ username: {{ $driverConfig.user | b64enc | quote }}
password: {{ $driverConfig.password | b64enc | quote }}
{{- else if eq $driver "sql" }}
+ username: {{ include "temporal.persistence.sql.user" (list $ $store) | b64enc | quote }}
password: {{ include "temporal.persistence.sql.password" (list $ $store) | b64enc | quote }}
{{- else if eq $driver "elasticsearch" }}
+ username: {{ $driverConfig.user | b64enc | quote }}
password: {{ $driverConfig.password | b64enc | quote }}
{{- end }}
---
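Review bot: The elasticsearch branch encodes `$driverConfig.user`, but the ES_USER line removed in the first patch read `$driverConfig.username`, so the two templates disagree on the values field: a values file that sets `elasticsearch.username` yields an empty `username` entry in the secret, and if `user` is not defined at all in values the `b64enc` pipeline may fail at render time. Change the line to `username: {{ $driverConfig.username | b64enc | quote }}` unless the values schema is being renamed to `user` in the same change. `$driver` and `$driverConfig` are assigned before the hunk.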