inject cnpg secrets instead of DIY creation

This commit is contained in:
Kjeld Schouten-Lebbing
2023-02-23 20:39:35 +01:00
parent 65e494a008
commit c07b6f2dee
3 changed files with 73 additions and 50 deletions


@@ -29,14 +29,14 @@ spec:
instances: {{ $values.instances | default 2 }}
superuserSecret:
name: {{ $cnpgClusterName }}-cnpg-superuser
name: {{ $cnpgClusterName }}-superuser
bootstrap:
initdb:
database: {{ $values.database | default "app" }}
owner: {{ $values.user | default "app" }}
secret:
name: {{ $cnpgClusterName }}-cnpg-user
name: {{ $cnpgClusterName }}-user
primaryUpdateStrategy: {{ $values.primaryUpdateStrategy | default "unsupervised" }}
@@ -69,38 +69,43 @@ spec:
inProgress: false
reusePVC: on
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $cnpgClusterName }}-cnpgcreds
{{- $dbprevious := lookup "v1" "Secret" .Release.Namespace "cnpgcreds" }}
{{- $dbPass := "" }}
{{- $pgPass := "" }}
data:
{{- $dbprevious := lookup "v1" "Secret" .Release.Namespace ( printf "cnpg-%s-user" $values.shortName ) }}
{{- if $dbprevious }}
{{- $dbPass = ( index $dbprevious.data "user-password" ) | b64dec }}
{{- $pgPass = ( index $dbprevious.data "superuser-password" ) | b64dec }}
user-password: {{ ( index $dbprevious.data "user-password" ) }}
superuser-password: {{ ( index $dbprevious.data "superuser-password" ) }}
{{- else }}
{{- $dbPass = $values.password | default ( randAlphaNum 62 ) }}
{{- $pgPass = $values.superUserPassword | default ( randAlphaNum 62 ) }}
user-password: {{ $dbPass | b64enc | quote }}
superuser-password: {{ $pgPass | b64enc | quote }}
{{- end }}
{{- $std := ( ( printf "postgresql://%v:%v@%v-rw:5432/%v" $values.user $dbPass $cnpgClusterName $values.database ) | b64enc | quote ) }}
{{- $nossl := ( ( printf "postgresql://%v:%v@%v-rw:5432/%v?sslmode=disable" $values.user $dbPass $cnpgClusterName $values.database ) | b64enc | quote ) }}
{{- $porthost := ( ( printf "%s-rw:5432" $cnpgClusterName ) | b64enc | quote ) }}
{{- $host := ( ( printf "%s-rw" $cnpgClusterName ) | b64enc | quote ) }}
{{- $jdbc := ( ( printf "jdbc:postgresql://%v-rw:5432/%v" $cnpgClusterName $values.database ) | b64enc | quote ) }}
std: {{ $std }}
nossl: {{ $nossl }}
porthost: {{ $porthost }}
host: {{ $host }}
jdbc: {{ $jdbc }}
type: Opaque
{{- $pgPass := "" }}
{{- $pgprevious := lookup "v1" "Secret" .Release.Namespace ( printf "cnpg-%s-superuser" $values.shortName ) }}
{{- if $pgprevious }}
{{- $pgPass = ( index $dbprevious.data "superuser-password" ) | b64dec }}
{{- else }}
{{- $pgPass = $values.superUserPassword | default ( randAlphaNum 62 ) }}
{{- end }}
{{- $std := ( ( printf "postgresql://%v:%v@%v-rw:5432/%v" $values.user $dbPass $cnpgClusterName $values.database ) | b64enc | quote ) }}
{{- $nossl := ( ( printf "postgresql://%v:%v@%v-rw:5432/%v?sslmode=disable" $values.user $dbPass $cnpgClusterName $values.database ) | b64enc | quote ) }}
{{- $porthost := ( ( printf "%s-rw:5432" $cnpgClusterName ) | b64enc | quote ) }}
{{- $host := ( ( printf "%s-rw" $cnpgClusterName ) | b64enc | quote ) }}
{{- $jdbc := ( ( printf "jdbc:postgresql://%v-rw:5432/%v" $cnpgClusterName $values.database ) | b64enc | quote ) }}
{{- $superuserSecret := include "tc.v1.common.class.cnpg.secret.postgres" (dict "pgPass" $pgPass ) | fromYaml -}}
{{- if $superuserSecret -}}
{{- $_ := set $.Values.secret ( printf "cnpg-%s-superuser" $values.shortName ) $superuserSecret -}}
{{- end -}}
{{- $userSecret := include "tc.v1.common.class.cnpg.secret.user" (dict "values" $values "dbPass" $dbPass ) | fromYaml -}}
{{- if $userSecret -}}
{{- $_ := set $.Values.secret ( printf "cnpg-%s-user" $values.shortName ) $userSecret -}}
{{- end -}}
{{- $urlSecret := include "tc.v1.common.class.cnpg.secret.urls" (dict "std" $std "nossl" $nossl "porthost" $porthost "host" $host "jdbc" $jdbc) | fromYaml -}}
{{- if $urlSecret -}}
{{- $_ := set $.Values.secret ( printf "cnpg-%s-urls" $values.shortName ) $urlSecret -}}
{{- end -}}
{{- $_ := set $values.creds "password" ( $dbPass | quote ) }}
{{- $_ := set $values.creds "superUserPassword" ( $pgPass | quote ) }}
{{- $_ := set $values.creds "std" $std }}
@@ -108,22 +113,46 @@ type: Opaque
{{- $_ := set $values.creds "porthost" $porthost }}
{{- $_ := set $values.creds "host" $host }}
{{- $_ := set $values.creds "jdbc" $jdbc }}
---
apiVersion: v1
{{- end -}}
{{- define "tc.v1.common.class.cnpg.secret.postgres" -}}
{{- $pgPass := .pgPass }}
enabled: true
data:
username: {{ "postgres" | b64enc | quote }}
password: {{ $pgPass | b64enc | quote }}
kind: Secret
metadata:
name: {{ $cnpgClusterName }}-cnpg-superuser
type: kubernetes.io/basic-auth
---
apiVersion: v1
{{- end -}}
{{- define "tc.v1.common.class.cnpg.secret.user" -}}
{{- $dbPass := .dbPass }}
{{- $pgPass := .pgPass }}
{{- $user := .user }}
{{- $cnpgClusterName := .cnpgClusterName }}
{{- $database := .database }}
{{- $values := .values -}}
enabled: true
type: kubernetes.io/basic-auth
data:
username: {{ $values.user | b64enc | quote }}
password: {{ $dbPass | b64enc | quote }}
kind: Secret
metadata:
name: {{ $cnpgClusterName }}-cnpg-user
type: kubernetes.io/basic-auth
{{- end -}}
{{- define "tc.v1.common.class.cnpg.secret.urls" -}}
{{- $std := .std }}
{{- $nossl := .nossl }}
{{- $porthost := .porthost }}
{{- $host := .host }}
{{- $jdbc := .jdbc }}
enabled: true
data:
std: {{ $std }}
nossl: {{ $nossl }}
porthost: {{ $porthost }}
host: {{ $host }}
jdbc: {{ $jdbc }}
{{- end -}}
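Review bot: The superuser restore branch under `{{- if $pgprevious }}` indexes the wrong lookup result — `$pgPass = ( index $dbprevious.data "superuser-password" ) | b64dec` should read `$pgprevious` — and both restore branches still read the old key names (`user-password`, `superuser-password`) while the new `tc.v1.common.class.cnpg.secret.postgres` and `.user` helpers emit a basic-auth layout of `username`/`password`. On the first upgrade after this lands the lookup will find the secret but `index` on the missing key yields nil, so the render either fails inside `b64dec` or falls through to a fresh `randAlphaNum 62`, rotating the credential out from under the running cluster. The restore lines should be `$dbPass = ( index $dbprevious.data "password" ) | b64dec` and `$pgPass = ( index $pgprevious.data "password" ) | b64dec`. The lookup name `cnpg-<shortName>-user` also has to resolve to the same object the Cluster references as `<cnpgClusterName>-user`, which depends on how the common secret class prefixes names — worth confirming. Separately, the `.postgres` helper carries no `type: kubernetes.io/basic-auth` while the `.user` helper does; if the renderer defaults to Opaque, that presumably would not meet CNPG's basic-auth expectation for `superuserSecret`.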


@@ -7,6 +7,7 @@
{{- end -}}
{{- end -}}
{{- $cnpgClusterName := $values.name -}}
{{- $cnpgName := $values.cnpgName -}}
{{- $cnpgPoolerName := $values.poolerName -}}
{{- $cnpgClusterLabels := $values.labels -}}
{{- $cnpgClusterAnnotations := $values.annotations }}
@@ -15,7 +16,7 @@
apiVersion: {{ include "tc.v1.common.capabilities.cnpg.pooler.apiVersion" $ }}
kind: Pooler
metadata:
name: {{ printf "%v-%v" $cnpgPoolerName $values.pooler.type }}
name: {{ printf "%v-%v" $cnpgClusterName $values.pooler.type }}
spec:
cluster:
name: {{ $cnpgClusterName }}
@@ -33,7 +34,7 @@ spec:
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: pooler-{{ printf "%v-%v" $cnpgClusterName $values.pooler.type }}
name: {{ printf "%v-%v" $cnpgClusterName $values.pooler.type }}
spec:
selector:
matchLabels:
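Review bot: The Pooler name `{{ printf "%v-%v" $cnpgClusterName $values.pooler.type }}` appears to render as `<cluster>-rw`, which is the name CNPG already gives the Cluster's read-write Service; since the operator also creates a Service named after each Pooler, the two look set to collide in the namespace — confirm against the operator's validation before relying on it. A distinct infix avoids the clash, e.g. `name: {{ printf "%v-pooler-%v" $cnpgClusterName $values.pooler.type }}`, with the PodMonitor further down following the same pattern. Note the URL secret in the cluster template still points clients at `<cluster>-rw:5432`, so nothing appears to route through the pooler yet.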


@@ -5,23 +5,16 @@
{{- if $cnpg.enabled -}}
{{- $cnpgValues := $cnpg -}}
{{- $cnpgName := include "tc.v1.common.lib.chart.names.fullname" $ -}}
{{- $_ := set $cnpgValues "shortName" $name -}}
{{/* set defaults */}}
{{- if and (not $cnpgValues.nameOverride) (ne $name (include "tc.v1.common.lib.util.cnpg.primary" $)) -}}
{{- $_ := set $cnpgValues "nameOverride" $name -}}
{{- end -}}
{{- $_ := set $cnpgValues "nameOverride" $name -}}
{{- if $cnpgValues.nameOverride -}}
{{- $cnpgName = printf "%v-%v" $cnpgName $cnpgValues.nameOverride -}}
{{- end -}}
{{- $cnpgPoolerName := printf "cnpg-pooler-%v" $cnpgName -}}
{{- $cnpgName = printf "cnpg-%v" $cnpgName -}}
{{- $cnpgName := printf "%v-cnpg-%v" $cnpgName $cnpgValues.nameOverride -}}
{{- $_ := set $cnpgValues "name" $cnpgName -}}
{{- $_ := set $ "ObjectValues" (dict "cnpg" $cnpgValues) -}}
{{- $_ := set $cnpgValues "poolerName" $cnpgPoolerName -}}
{{- include "tc.v1.common.class.cnpg.cluster" $ -}}
{{- $_ := set $cnpgValues.pooler "type" "rw" -}}