eikek#2502 Added the option to supply existing Kubernetes secrets to loa…
…d secret values.
TheAnachronism committed Feb 18, 2024
1 parent 53160d3 commit 5c9deb7
Showing 9 changed files with 188 additions and 29 deletions.
2 changes: 2 additions & 0 deletions kubernetes/helm/docspell/templates/_configs.tpl
Expand Up @@ -15,7 +15,9 @@
{{- $envPrefix = "DOCSPELL_JOEX_JDBC" -}}
{{- end }}
{{ $envPrefix }}_USER: {{ .context.Values.postgresql.global.postgresql.auth.username }}
{{- if not .context.Values.postgresql.global.postgresql.auth.existingSecret }}
{{ $envPrefix }}_PASSWORD: {{ .context.Values.postgresql.global.postgresql.auth.password }}
{{- end }}
{{ $envPrefix }}_URL: {{ include "postgresql.jdbcUrl" .context }}
{{- end -}}
{{- end -}}
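Review bot: The `_PASSWORD` line that now sits inside the new `if not ...auth.existingSecret` branch still renders the password as a bare scalar, so a password containing `: ` or ` #`, starting with `*`/`&`/`[`, or looking like a number or boolean either breaks the rendered manifest or gets retyped; pipe it through `quote`: `{{ $envPrefix }}_PASSWORD: {{ .context.Values.postgresql.global.postgresql.auth.password | quote }}`. The enclosing define starts before this hunk, so whether these keys land in a ConfigMap or a Secret is not visible here; if it is a ConfigMap, the branch is what keeps the credential out of it, which is worth saying in place with `{{/* password omitted here when an existing Secret supplies it via secretKeyRef in the deployment */}}`.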
2 changes: 1 addition & 1 deletion kubernetes/helm/docspell/templates/_helpers.tpl
Expand Up @@ -57,4 +57,4 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- end -}}
10 changes: 10 additions & 0 deletions kubernetes/helm/docspell/templates/joex/_existingSecrets.yaml
@@ -0,0 +1,10 @@
{{- define "docspell.joex.secrets.existingSecrets" -}}
{{/*PostgreSQL Password*/}}
{{- if .Values.postgresql.global.postgresql.auth.existingSecret -}}
- name: DOCSPELL_JOEX_JDBC_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.postgresql.global.postgresql.auth.existingSecret }}
key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | default "password" }}
{{- end -}}
{{- end -}}
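Review bot: `secretKeyRef.name` and `key` are rendered as bare scalars; a Secret name or key that is all digits or boolean-looking would be retyped by YAML, so quote both: `name: {{ .Values.postgresql.global.postgresql.auth.existingSecret | quote }}` and `key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | default "password" | quote }}`. If a values override sets `secretKeys` to null, `.secretKeys.userPasswordKey` becomes a field lookup on nil and the render fails instead of falling back to `password`; guarding with `with` (or sprig `dig`, if the chart's minimum Helm version has it) keeps the fallback meaningful. The restserver counterpart is named `_existingSecrets.tpl` while this file is `.yaml`; both are skipped as manifests because of the underscore prefix, but one extension would be less surprising.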
3 changes: 3 additions & 0 deletions kubernetes/helm/docspell/templates/joex/deployment.yaml
Expand Up @@ -27,6 +27,7 @@ spec:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/joex/config.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/joex/secret.yaml") . | sha256sum }}
{{- with .Values.joex.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
Expand All @@ -51,6 +52,8 @@ spec:
ports:
- containerPort: {{ .Values.joex.service.port }}
name: http
env:
{{- include "docspell.joex.secrets.existingSecrets" . | nindent 10 }}
envFrom:
- configMapRef:
name: {{ include "docspell.fullname" . }}-joex
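Review bot: `env:` is emitted unconditionally, but `docspell.joex.secrets.existingSecrets` renders nothing when `postgresql.global.postgresql.auth.existingSecret` is empty, leaving a bare `env:` (YAML null) in the container spec; the API server tolerates a null list, but stricter schema validators may not, so wrap the key: `{{- with include "docspell.joex.secrets.existingSecrets" . }}` before `env:`, `{{- . | nindent 10 }}` inside, and `{{- end }}` after. The new `checksum/secret` annotation includes `joex/secret.yaml`, which is not part of this diff — confirm the template exists, since `include` of a missing path fails the render. It also only tracks the chart-rendered Secret, so rotating the externally managed Secret referenced via `secretKeyRef` does not roll the pods; a comment such as `# rolls pods when the chart-managed Secret changes; externally supplied secrets need a manual rollout` would set expectations.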
53 changes: 40 additions & 13 deletions kubernetes/helm/docspell/templates/restserver/_configs.tpl
Expand Up @@ -32,9 +32,14 @@

{{/*Auth Secrets*/}}
{{- define "docspell.server.secrets.auth" -}}
{{- with .Values.docspell.server.auth.serverSecret }}
{{- if .Values.docspell.server.auth.serverSecret -}}
{{- if and .Values.docspell.server.auth.serverSecret.value .Values.docspell.server.auth.serverSecret.existingSecret -}}
{{- fail "Only either a fixed server secret or an existing secret should be specified" -}}
{{- end -}}
{{- with .Values.docspell.server.auth.serverSecret.value }}
DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*Download Config*/}}
Expand Down Expand Up @@ -110,24 +115,40 @@ DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}

{{/*Integration Endpoint Secrets*/}}
{{- define "docspell.server.secrets.integrationEndpoint" -}}
{{- if .Values.docspell.server.integrationEndpoint.httpBasic.enabled | quote -}}
{{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__BASIC" -}}
{{- if .Values.docspell.server.integrationEndpoint.httpBasic.enabled -}}
{{- if and .Values.docspell.server.integrationEndpoint.httpBasic.credentials .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret -}}
{{- fail "Only either the fixed credentials or an existing secret for the httpBasic integration endpoint should be set" -}}
{{- end -}}
{{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC" -}}
{{ $envPrefix}}_REALM: {{ .Values.docspell.server.integrationEndpoint.httpBasic.realm }}
{{ $envPrefix}}_USER: {{ .Values.docspell.server.integrationEndpoint.httpBasic.user }}
{{ $envPrefix}}_PASSWORD: {{ .Values.docspell.server.integrationEndpoint.httpBasic.password }}
{{- with .Values.docspell.server.integrationEndpoint.httpBasic.credentials }}
{{ $envPrefix}}_USER: {{ .username }}
{{ $envPrefix}}_PASSWORD: {{ .password }}
{{- end -}}
{{- end }}
{{- if .Values.docspell.server.integrationEndpoint.httpHeader.enabled | quote -}}
{{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__HEADER" }}
{{- if .Values.docspell.server.integrationEndpoint.httpHeader.enabled -}}
{{- if and .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret -}}
{{- fail "Only either the fixed header value or an existing secret for the http header ingration endpoint should be set" -}}
{{- end -}}
{{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER" }}
{{ $envPrefix }}_HEADER__NAME: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerName }}
{{ $envPrefix }}_HEADER__VALUE: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue }}
{{- with .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value -}}
{{ $envPrefix }}_HEADER__VALUE: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value }}
{{- end -}}
{{- end }}
{{- end -}}

{{/*Admin Endpoint Secrets*/}}
{{- define "docspell.server.secrets.adminEndpoint" -}}
{{- with .Values.docspell.server.adminEndpoint.secret }}
DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }}
{{- end }}
{{- if .Values.docspell.server.adminEndpoint.enabled -}}
{{- $context := . -}}
{{- with .Values.docspell.server.adminEndpoint.secret -}}
{{- if $context.Values.docspell.server.adminEndpoint.existingSecret }}
{{- fail "Only either the fixed value or an existing secret for the admin endpoint should be set" -}}
{{- end -}}
DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ .value }}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*Signup Settings*/}}
Expand All @@ -142,6 +163,12 @@ DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }}
{{/*Signup Secrets*/}}
{{- define "docspell.server.secrets.signup" -}}
{{- if eq .Values.docspell.server.backend.signup.mode "invite" }}
DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ .Values.docspell.server.backend.signup.newInvitePassword }}
{{- $context := . -}}
{{- with .Values.docspell.server.backend.signup.newInvitePassword.value -}}
{{- if $context.Values.docspell.server.backend.signup.newInvitePassword.existingSecret -}}
{{- fail "Only either the fixed value or an existing secret for the new invite password should be set" -}}
{{- end -}}
DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ . }}
{{- end -}}
{{- end -}}
{{- end -}}
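Review bot: Inside `{{- with .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value -}}` the dot is rebound to that string, so the following `{{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value }}` looks up `Values` on a string and fails the render whenever a fixed header value is set; write `{{ $envPrefix }}_HEADER__VALUE: {{ . | quote }}`, as the `serverSecret`, `credentials` and `newInvitePassword` blocks already do with `{{ . }}`. The same `with` line trims on both sides (`-}}`), which glues the `_HEADER__VALUE` key onto the end of the `_HEADER__NAME` line above it; drop the right-hand dash, matching the `{{- with ... }}` form used in the httpBasic block. All of these secret values go into `stringData` unquoted, so a `| quote` on each would protect against YAML-significant characters, and the httpHeader `fail` message has a typo (`ingration`).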
61 changes: 61 additions & 0 deletions kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl
@@ -0,0 +1,61 @@
{{- define "docspell.server.secrets.existingSecrets" -}}
{{/*Server Secret*/}}
{{- if .Values.docspell.server.auth.serverSecret -}}
{{- if and .Values.docspell.server.auth.serverSecret.existingSecret (not .Values.docspell.server.auth.serverSecret.value) -}}
- name: DOCSPELL_SERVER_AUTH_SERVER__SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.docspell.server.auth.serverSecret.existingSecret.name }}
key: {{ .Values.docspell.server.auth.serverSecret.existingSecret.key }}
{{- end -}}
{{- end }}
{{/*Integration Endpoint Http Basic Auth*/}}
{{- if .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret }}
- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_USER
valueFrom:
secretKeyRef:
name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }}
key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.usernameKey }}
- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }}
key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.passwordKey }}
{{- end }}
{{/*Integration Endpoint Http Header Auth*/}}
{{- if and .Values.docspell.server.integrationEndpoint.enabled .Values.docspell.server.integrationEndpoint.httpHeader.enabled -}}
{{- if .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret }}
- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER_HEADER__VALUE
valueFrom:
secretKeyRef:
name: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.name }}
key: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.key }}
{{- end -}}
{{- end }}
{{/*Admin Endpoint Secret*/}}
{{- with .Values.docspell.server.adminEndpoint.existingSecret }}
- name: DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET
valueFrom:
secretKeyRef:
name: {{ .name }}
key: {{ .key }}
{{- end }}
{{/*Sign Up Invitation Generation Password*/}}
{{- if eq .Values.docspell.server.backend.signup.mode "invite" -}}
{{- with .Values.docspell.server.backend.signup.newInvitePassword.existingSecret }}
- name: DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD
valueFrom:
secretKeyRef:
name: {{ .name }}
key: {{ .key }}
{{- end -}}
{{- end }}
{{/*PostgreSQL Password*/}}
{{- if .Values.postgresql.global.postgresql.auth.existingSecret -}}
- name: DOCSPELL_SERVER_BACKEND_JDBC_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.postgresql.global.postgresql.auth.existingSecret }}
key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey | default "password" }}
{{- end -}}
{{- end -}}
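Review bot: The admin-endpoint entry is emitted by `with .Values.docspell.server.adminEndpoint.existingSecret` without checking `adminEndpoint.enabled`, whereas the fixed-value path in `_configs.tpl` is gated on it; given the old values comment that the endpoint is disabled only when no secret is supplied, a user with `enabled: false` and an `existingSecret` left in place would still get `DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET` injected and, presumably, a live admin endpoint. Gate it with `{{- if .Values.docspell.server.adminEndpoint.enabled }}` before the `with` and a matching `{{- end }}` after it. The httpBasic block has the same asymmetry — it is not gated on `httpBasic.enabled`, while the httpHeader block checks both `integrationEndpoint.enabled` and `httpHeader.enabled` — so a disabled endpoint can still reference a Secret that may not exist and block pod start with CreateContainerConfigError. `secretKeyRef.name`/`key` should be `| quote`d, and the httpBasic `usernameKey`/`passwordKey` lack the `| default` fallback the PostgreSQL entry has.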
3 changes: 3 additions & 0 deletions kubernetes/helm/docspell/templates/restserver/deployment.yaml
Expand Up @@ -27,6 +27,7 @@ spec:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/restserver/config.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/restserver/secret.yaml") . | sha256sum }}
{{- with .Values.restserver.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
Expand All @@ -47,6 +48,8 @@ spec:
ports:
- containerPort: {{ .Values.restserver.service.port }}
name: http
env:
{{- include "docspell.server.secrets.existingSecrets" . | nindent 10 }}
envFrom:
- configMapRef:
name: {{ include "docspell.fullname" . }}-restserver
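Review bot: `env:` is written even when `docspell.server.secrets.existingSecrets` renders nothing (no `existingSecret` configured and the PostgreSQL default cleared), leaving `env:` with a null value in the container spec; wrap it as `{{- with include "docspell.server.secrets.existingSecrets" . }}` before `env:`, `{{- . | nindent 10 }}` inside, and `{{- end }}` after. Per the Kubernetes API docs, `env` entries take precedence over `envFrom`, so a `secretKeyRef` here silently wins over a same-named key in the chart-managed Secret; the `fail` checks in `_configs.tpl` prevent that for the value pairs, but a comment such as `# secretKeyRef entries override same-named keys from envFrom` makes the precedence explicit. `checksum/secret` hashes only the chart-rendered Secret, so rotating an externally supplied Secret does not roll the pods.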
14 changes: 11 additions & 3 deletions kubernetes/helm/docspell/templates/restserver/secret.yaml
Expand Up @@ -7,11 +7,19 @@ metadata:
type: Opaque
stringData:
assertions:
{{- if and (gt .Values.restserver.replicaCount 1.0) (not .Values.docspell.server.auth.serverSecret) -}}
{{- if gt .Values.restserver.replicaCount 1.0 }}
{{- if not .Values.docspell.server.auth.serverSecret -}}
{{- fail "If multiple replicas are running of the rest server, the server secret has to be fixed." -}}
{{- else if not (or .Values.docspell.server.auth.serverSecret.existingSecret .Values.docspell.server.auth.serverSecret.value) }}
{{- end -}}
{{- if and .Values.docspell.server.adminEndpoint.enabled (and (not .Values.docspell.server.adminEndpoint.existingSecret) (not .Values.docspell.server.adminEndpoint.secret)) -}}
{{- fail "When enabling the administration endpoint, a value for authentication has the supplied." -}}
{{- end -}}
{{- end -}}
{{- if eq .Values.docspell.server.backend.signup.mode "invite" -}}
{{- if not .Values.docspell.server.backend.signup.newInvitePassword -}}
{{- fail "Invite password has to be set, when using signup mode 'invite'." -}}
{{- end -}}
{{- if and (eq .Values.docspell.server.backend.signup.mode "invite") (not .Values.docspell.server.backend.signup.newInvitePassword) -}}
{{- fail "Invite password has to be set, when using signup mode 'invite'" -}}
{{- end -}}
{{- include "docspell.server.secrets.auth" . | nindent 4 }}
{{- include "docspell.server.secrets.openid" . | nindent 4 }}
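Review bot: The `else if not (or ...serverSecret.existingSecret ...serverSecret.value)` branch under `gt .Values.restserver.replicaCount 1.0` has no body, so a `serverSecret` map whose `value` and `existingSecret` are both empty (e.g. `serverSecret: { value: "" }`) passes the multi-replica assertion the first branch is meant to enforce, and each replica would sign tokens with its own generated secret; add the `fail` there: `{{- fail "If multiple replicas are running of the rest server, the server secret has to be fixed." -}}`. The new invite check, `not .Values.docspell.server.backend.signup.newInvitePassword`, has the same gap now that the value is a map, so test `not (or ...newInvitePassword.value ...newInvitePassword.existingSecret)` instead, as the admin-endpoint assertion already checks both keys. The admin-endpoint message reads `has the supplied`; it should say `has to be supplied`.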
69 changes: 57 additions & 12 deletions kubernetes/helm/docspell/values.yaml
Expand Up @@ -60,13 +60,19 @@ docspell:
bind:
address: 0.0.0.0
port: 7880
## @param docspell.server.auth.serverSecret Secret to sign the authenticator tokens. If empty, one will be generated
## @param docspell.server.auth.serverSecret.value Secret to sign the authenticator tokens. If empty, one will be generated
## @param docspell.server.auth.serverSecret.existingSecret.name The name of an existing Kubernetes secret that contains the server secret
## @param docspell.server.auth.serverSecret.existingSecret.key The key inside the existing Kubernetes secret that contains the server secret
## @param docspell.server.auth.sessionValid How long an authentication token is valid
## @param docspell.server.auth.onAccountSourceConflict Fail if a duplicate account from an external source should fail the login. Can be: fail, convert
## @param docspell.server.auth.rememberMe.enabled Enable/disable the remember me function
## @param docspell.server.auth.rememberMe.valid How long the remember me cookie/token is valid
auth:
serverSecret: b64:YRx77QujCGkHSvll0TVEmtTaw3Z5eXr+nWMsEJowgKg=
serverSecret:
# value: asdf
# existingSecret:
# name: "my-existing-secret"
# key: "key-inside-secret"
sessionValid: "5 minutes"
onAccountSourceConflict: fail
rememberMe:
Expand Down Expand Up @@ -104,8 +110,6 @@ docspell:
## @param docspell.server.integrationEndpoint.sourceName The name used for the item "source" property when uploaded through this endpoint
## @param docspell.server.integrationEndpoint.allowedIps.enabled Enable ip-allow-access-list
## @param docspell.server.integrationEndpoint.allowedIps.ips List of ips which should be added to the access list
## @param docspell.server.integrationEndpoint.httpBasic.enabled Whether integration endpoint requests are expected to use http basic auth when uploading files
## @param doscpell.server.integrationEndpoint.httpHeader.enabled Whether integration endpoint requests are expected to supply some specific header when uploading files
integrationEndpoint:
enabled: true
priority: low
Expand All @@ -115,18 +119,46 @@ docspell:
ips:
# IP addresses may be specific as simple globs: a part marked as '*' matches any octet, like in `192.168.*.*`
- 127.0.0.1
## @param docspell.server.integrationEndpoint.httpBasic.enabled Whether integration endpoint requests are expected to use http basic auth when uploading files
## @param docspell.server.integrationEndpoint.httpBasic.credentials.user The username for httpBasic authentication
## @param docspell.server.integrationEndpoint.httpBasic.credentials.password The password for the httpBasic authentication
## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.name Name of an existing Kubernetes secret that contains the httpBasic credentials
## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.usernameKey The key inside the existing Kubernetes secret that contains the username for httpBasic
## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.passwordKey The key inside the existing Kubernetes secret that contains the password for httpBasic
httpBasic:
enabled: false
realm: "Docspell Integration"
user: "docspell-int"
password: "docspell-int"
credentials:
# username: "docspell-int"
# password: "docspell-int"
# existingSecret:
# name: "http-basic-secret-name"
# usernameKey: "username-key-inside-secret"
# passwordKey: "password-key-inside-secret"
## @param doscpell.server.integrationEndpoint.httpHeader.enabled Whether integration endpoint requests are expected to supply some specific header when uploading files
## @param docpsell.server.integrationEndpoint.httpHeader.headerName The name of the header that has to be included in the integration endpoint request
## @param docspell.server.integrationEndpoint.httpHeader.headerValue.value The header value that is expected to be included in the integration endpoint request
## @param docspell.server.integrationEndpojnt.httpHeader.headerValue.existingSecret.name The name of an existing Kubernetes secret that contains the value expected to be included in the integration endpoint request
## @param docspell.server.integrationEndpojnt.httpHeader.headerValue.existingSecret.key The key inside of an existing Kubernetes secret that contains the value expected to be included in the integration endpoint
httpHeader:
enabled: true
enabled: false
headerName: "Docspell-Integration"
headerValue: "SomeSecret"
## @param docspell.server.adminEndpoint.secret Special administration endpoint. If a secret isn't supplied, the endpont is disabled
headerValue:
# value: "SomeSecret"
# existingSecret:
# name: "my-existing-secret"
# key: "header-value-key-inside-secret"
## @param docspell.server.adminEndpoint.enabled Whether to enable the special administration endpoint. A secret value or existing secret containing the value has to be supplied when enabled
## @param docspell.server.adminEndpoint.secret.value Value for the administration endpoint
## @param docspell.server.adminEndpoint.existingSecret.name The name of an existing Kubernetes secret that contains the value for the admin endpoint
## @param docspell.server.adminEndpoint.existingSecret.key The key inside of an existing Kubernetes secret that contains the value for the admin endpoint
adminEndpoint:
secret:
enabled: false
# secret:
# value: "test"
# existingSecret:
# name: "my-existing-secret"
# key: "admin-key-inside-secret"

## @param docspell.server.backend.mailDebug Enable or disabling debugging for e-mail related functionality
backend:
Expand All @@ -139,11 +171,17 @@ docspell:
runFixupMigrations: true
repairSchema: false
## @param docspell.server.backend.signup.mode The mode defines if new users can signup or not (open, invite, closed)
## @param docspell.server.backend.signup.newInvitePassword If mode is 'invite', a password must be provided to generate invitation keys
## @param docspell.server.backend.signup.newInvitePassword.value If mode is 'invite', a password must be provided to generate invitation keys
## @param docspell.server.backend.signup.newInvitePassword.existingSecret.name The name of an existing Kubernetes secret that contains the invitation generation password
## @param docspell.server.backend.signup.newINvitePassword.existingSecret.key The key inside of an existing Kubernetes secret that contains the invitation generation password
## @param docspell.server.backend.signup.inviteTime If mode is 'invite', this is the period an invitation token is considered valid
signup:
mode: open
newInvitePassword:
newInvitePassword:
# value: asdf
# existingSecret:
# name: "my-existing-secret"
# key: "invite-password-key"
inviteTime: "3 days"
## @param docspell.joex.appId Id of the node
## @param docspell.joex.mailDebug Enable or disabling debugging for e-mail related functionality
Expand Down Expand Up @@ -542,6 +580,9 @@ solr:
## @param postgresql.global.postgresql.auth.password Password for the `dbname` user (overrides `auth.password`)
## @param postgresql.global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
## @param postgresql.global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
## @param postgresql.global.postgresql.auth.existingSecret Name of an existing Kubernetes secret that contains the postgresql credentials. `auth.password` will be ignored and picked up from this secret
## @param postgresql.global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials.
## @param postgresql.global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials.
## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
postgresql:
Expand All @@ -552,6 +593,10 @@ postgresql:
database: dbname
username: dbuser
password: dbpass
existingSecret: postgres-secret
secretKeys:
adminPasswordKey: postgres-password
userPasswordKey: password
service:
postgresql: 5432
primary:
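Review bot: `postgresql.global.postgresql.auth.existingSecret` now defaults to `postgres-secret`, so a default install no longer renders the JDBC password anywhere and every pod references a Secret this chart does not create; unless that Secret is shipped elsewhere (not visible here), the default should be `existingSecret: ""` with `postgres-secret` kept as a commented example, so the `password: dbpass` default — which the new comment says is ignored once `existingSecret` is set — keeps working out of the box. `secretKeys.adminPasswordKey` is documented but read by no template in this commit; if only the PostgreSQL subchart consumes it, its comment should say so. The `@param` comments carry a key mismatch and several misspellings that will break generated docs: `credentials.user` should be `credentials.username` to match both the example below it and `.username` in the template, and `doscpell`, `docpsell`, `integrationEndpojnt`, `newINvitePassword` should read `docspell`, `docspell`, `integrationEndpoint`, `newInvitePassword`.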