eikek#2502 Added the option supply existing Kubernetes secrets for se…

…cret values for the restserver.
TheAnachronism · Feb 18, 2024 · bfc61f7 · bfc61f7
1 parent 53160d3
commit bfc61f7
Show file tree

Hide file tree

Showing 7 changed files with 145 additions and 27 deletions.
diff --git a/kubernetes/helm/docspell/templates/_helpers.tpl b/kubernetes/helm/docspell/templates/_helpers.tpl
@@ -57,4 +57,4 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end -}}
-{{- end -}}
+{{- end -}}
diff --git a/kubernetes/helm/docspell/templates/joex/deployment.yaml b/kubernetes/helm/docspell/templates/joex/deployment.yaml
@@ -27,6 +27,7 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/joex/config.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/joex/secret.yaml") . | sha256sum }}
         {{- with .Values.joex.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

diff --git a/kubernetes/helm/docspell/templates/restserver/_configs.tpl b/kubernetes/helm/docspell/templates/restserver/_configs.tpl
@@ -32,7 +32,10 @@
 
 {{/*Auth Secrets*/}}
 {{- define "docspell.server.secrets.auth" -}}
-{{- with .Values.docspell.server.auth.serverSecret }}
+{{- if and .Values.docspell.server.auth.serverSecret.value .Values.docspell.server.auth.serverSecret.existingSecret -}}
+{{- fail "Only either a fixed server secret or an existing secret should be specified" -}}
+{{- end -}}
+{{- with .Values.docspell.server.auth.serverSecret.value }}
 DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}
 {{- end }}
 {{- end -}}
@@ -111,23 +114,39 @@ DOCSPELL_SERVER_AUTH_SERVER__SECRET: {{ . }}
 {{/*Integration Endpoint Secrets*/}}
 {{- define "docspell.server.secrets.integrationEndpoint" -}}
 {{- if .Values.docspell.server.integrationEndpoint.httpBasic.enabled | quote -}}
-{{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__BASIC" -}}
+{{- if and .Values.docspell.server.integrationEndpoint.httpBasic.credentials .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret -}}
+{{- fail "Only either the fixed credentials or an existing secret for the httpBasic integration endpoint should be set" -}}
+{{- end -}}
+{{- $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC" -}}
 {{ $envPrefix}}_REALM: {{ .Values.docspell.server.integrationEndpoint.httpBasic.realm }}
-{{ $envPrefix}}_USER: {{ .Values.docspell.server.integrationEndpoint.httpBasic.user }}
-{{ $envPrefix}}_PASSWORD: {{ .Values.docspell.server.integrationEndpoint.httpBasic.password }}
+{{- with .Values.docspell.server.integrationEndpoint.httpBasic.credentials }}
+{{ $envPrefix}}_USER: {{ .username }}
+{{ $envPrefix}}_PASSWORD: {{ .password }}
+{{- end -}}
 {{- end }}
 {{- if .Values.docspell.server.integrationEndpoint.httpHeader.enabled | quote -}}
-{{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT__HTTP__HEADER" }}
+{{- if and .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret -}}
+{{- fail "Only either the fixed header value or an existing secret for the http header ingration endpoint should be set" -}}
+{{- end -}}
+{{ $envPrefix := "DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER" }}
 {{ $envPrefix }}_HEADER__NAME: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerName }}
-{{ $envPrefix }}_HEADER__VALUE: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue }}
+{{- with .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value -}}
+{{ $envPrefix }}_HEADER__VALUE: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.value }}
+{{- end -}}
 {{- end }}
 {{- end -}}
 
 {{/*Admin Endpoint Secrets*/}}
 {{- define "docspell.server.secrets.adminEndpoint" -}}
-{{- with .Values.docspell.server.adminEndpoint.secret }}
-DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }}
-{{- end }}
+{{- if .Values.docspell.server.adminEndpoint.enabled -}}
+{{- $context := . -}}
+{{- with .Values.docspell.server.adminEndpoint.secret -}}
+{{- if $context.Values.docspell.server.adminEndpoint.existingSecret }}
+{{- fail "Only either the fixed value or an existing secret for the admin endpoint should be set" -}}
+{{- end -}}
+DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ .value }}
+{{- end -}}
+{{- end -}}
 {{- end -}}
 
 {{/*Signup Settings*/}}
@@ -142,6 +161,12 @@ DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET: {{ . }}
 {{/*Signup Secrets*/}}
 {{- define "docspell.server.secrets.signup" -}}
 {{- if eq .Values.docspell.server.backend.signup.mode "invite" }}
-DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ .Values.docspell.server.backend.signup.newInvitePassword }}
+{{- $context := . -}}
+{{- with .Values.docspell.server.backend.signup.newInvitePassword.value -}}
+{{- if $context.Values.docspell.server.backend.signup.newInvitePassword.existingSecret -}}
+{{- fail "Only either the fixed value or an existing secret for the new invite password should be set" -}}
+{{- end -}}
+DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD: {{ . }}
+{{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl b/kubernetes/helm/docspell/templates/restserver/_existingSecrets.tpl
@@ -0,0 +1,44 @@
+{{- define "docspell.server.secrets.existingSecrets" -}}
+{{- if .Values.docspell.server.auth.serverSecret.existingSecret -}}
+- name: DOCSPELL_SERVER_AUTH_SERVER__SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.docspell.server.auth.serverSecret.existingSecret.name }}
+      key: {{ .Values.docspell.server.auth.serverSecret.existingSecret.key }}
+{{- end }}
+{{- if .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret }}
+- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_USER
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }}
+      key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.usernameKey }}
+- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__BASIC_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.name }}
+      key: {{ .Values.docspell.server.integrationEndpoint.httpBasic.existingSecret.passwordKey }}
+{{- end }}
+{{- if .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret }}
+- name: DOCSPELL_SERVER_INTEGRATION__ENDPOINT_HTTP__HEADER_HEADER__VALUE
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.name }}
+      key: {{ .Values.docspell.server.integrationEndpoint.httpHeader.headerValue.existingSecret.key }}
+{{- end }}
+{{- with .Values.docspell.server.adminEndpoint.existingSecret }}
+- name: DOCSPELL_SERVER_ADMIN__ENDPOINT_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .name }}
+      key: {{ .key }}
+{{- end }}
+{{- if eq .Values.docspell.server.backend.signup.mode "invite" -}}
+{{- with .Values.docspell.server.backend.signup.newInvitePassword.existingSecret }}
+- name: DOCSPELL_SERVER_BACKEND_SIGNUP_NEW__INVITE__PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ .name }}
+      key: {{ .key }}
+{{- end -}}
+{{- end }}
+{{- end -}}
diff --git a/kubernetes/helm/docspell/templates/restserver/deployment.yaml b/kubernetes/helm/docspell/templates/restserver/deployment.yaml
@@ -27,6 +27,7 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/restserver/config.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/restserver/secret.yaml") . | sha256sum }}
         {{- with .Values.restserver.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -47,6 +48,8 @@ spec:
           ports:
           - containerPort: {{ .Values.restserver.service.port }}
             name: http
+          env:
+          {{- include "docspell.server.secrets.existingSecrets" . | nindent 10 }}
           envFrom:
           - configMapRef:
               name: {{ include "docspell.fullname" . }}-restserver

diff --git a/kubernetes/helm/docspell/templates/restserver/secret.yaml b/kubernetes/helm/docspell/templates/restserver/secret.yaml
@@ -7,11 +7,18 @@ metadata:
 type: Opaque
 stringData:
     assertions:
-      {{- if and (gt .Values.restserver.replicaCount 1.0) (not .Values.docspell.server.auth.serverSecret) -}}
+      {{- if gt .Values.restserver.replicaCount 1.0 }}
+      {{- if and (not .Values.docspell.server.auth.serverSecret.existingSecret) (not .Values.docspell.server.auth.serverSecret.value) }}
       {{- fail "If multiple replicas are running of the rest server, the server secret has to be fixed." -}}
       {{- end -}}
-      {{- if and (eq .Values.docspell.server.backend.signup.mode "invite") (not .Values.docspell.server.backend.signup.newInvitePassword) -}}
-      {{- fail "Invite password has to be set, when using signup mode 'invite'" -}}
+      {{- if and .Values.docspell.server.adminEndpoint.enabled (and (not .Values.docspell.server.adminEndpoint.existingSecret) (not .Values.docspell.server.adminEndpoint.secret)) -}}
+      {{- fail "When enabling the administration endpoint, a value for authentication has the supplied." -}}
+      {{- end -}}
+      {{- end -}}
+      {{- if eq .Values.docspell.server.backend.signup.mode "invite" -}}
+      {{- if not .Values.docspell.server.backend.signup.newInvitePassword -}}
+      {{- fail "Invite password has to be set, when using signup mode 'invite'." -}}
+      {{- end -}}
       {{- end -}}
     {{- include "docspell.server.secrets.auth" . | nindent 4 }}
     {{- include "docspell.server.secrets.openid" . | nindent 4 }}

diff --git a/kubernetes/helm/docspell/values.yaml b/kubernetes/helm/docspell/values.yaml
@@ -60,13 +60,19 @@ docspell:
     bind:
       address: 0.0.0.0
       port: 7880
-    ## @param docspell.server.auth.serverSecret Secret to sign the authenticator tokens. If empty, one will be generated
+    ## @param docspell.server.auth.serverSecret.value Secret to sign the authenticator tokens. If empty, one will be generated
+    ## @param docspell.server.auth.serverSecret.existingSecret.name The name of an existing Kubernetes secret that contains the server secret
+    ## @param docspell.server.auth.serverSecret.existingSecret.key The key inside the existing Kubernetes secret that contains the server secret
     ## @param docspell.server.auth.sessionValid How long an authentication token is valid
     ## @param docspell.server.auth.onAccountSourceConflict Fail if a duplicate account from an external source should fail the login. Can be: fail, convert    
     ## @param docspell.server.auth.rememberMe.enabled Enable/disable the remember me function
     ## @param docspell.server.auth.rememberMe.valid How long the remember me cookie/token is valid
     auth:
-      serverSecret: b64:YRx77QujCGkHSvll0TVEmtTaw3Z5eXr+nWMsEJowgKg=
+      serverSecret: 
+        value:
+        existingSecret:
+          name: "my-existing-secret"
+          key: "key-inside-secret"
       sessionValid: "5 minutes"
       onAccountSourceConflict: fail
       rememberMe:
@@ -104,8 +110,6 @@ docspell:
     ## @param docspell.server.integrationEndpoint.sourceName The name used for the item "source" property when uploaded through this endpoint
     ## @param docspell.server.integrationEndpoint.allowedIps.enabled Enable ip-allow-access-list
     ## @param docspell.server.integrationEndpoint.allowedIps.ips List of ips which should be added to the access list
-    ## @param docspell.server.integrationEndpoint.httpBasic.enabled Whether integration endpoint requests are expected to use http basic auth when uploading files
-    ## @param doscpell.server.integrationEndpoint.httpHeader.enabled Whether integration endpoint requests are expected to supply some specific header when uploading files
     integrationEndpoint:
       enabled: true
       priority: low
@@ -115,18 +119,46 @@ docspell:
         ips:
           # IP addresses may be specific as simple globs: a part marked as '*' matches any octet, like in `192.168.*.*`
           - 127.0.0.1
+      ## @param docspell.server.integrationEndpoint.httpBasic.enabled Whether integration endpoint requests are expected to use http basic auth when uploading files
+      ## @param docspell.server.integrationEndpoint.httpBasic.credentials.user The username for httpBasic authentication
+      ## @param docspell.server.integrationEndpoint.httpBasic.credentials.password The password for the httpBasic authentication
+      ## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.name Name of an existing Kubernetes secret that contains the httpBasic credentials
+      ## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.usernameKey The key inside the existing Kubernetes secret that contains the username for httpBasic
+      ## @param docspell.server.integrationEndpoint.httpBasic.existingSecret.passwordKey The key inside the existing Kubernetes secret that contains the password for httpBasic
       httpBasic:
         enabled: false
         realm: "Docspell Integration"
-        user: "docspell-int"
-        password: "docspell-int"
+        credentials:
+          # username: "docspell-int"
+          # password: "docspell-int"
+        existingSecret:
+          name: "http-basic-secret-name"
+          usernameKey: "username-key-inside-secret"
+          passwordKey: "password-key-inside-secret"
+      ## @param doscpell.server.integrationEndpoint.httpHeader.enabled Whether integration endpoint requests are expected to supply some specific header when uploading files
+      ## @param docpsell.server.integrationEndpoint.httpHeader.headerName The name of the header that has to be included in the integration endpoint request
+      ## @param docspell.server.integrationEndpoint.httpHeader.headerValue.value The header value that is expected to be included in the integration endpoint request
+      ## @param docspell.server.integrationEndpojnt.httpHeader.headerValue.existingSecret.name The name of an existing Kubernetes secret that contains the value expected to be included in the integration endpoint request
+      ## @param docspell.server.integrationEndpojnt.httpHeader.headerValue.existingSecret.key The key inside of an existing Kubernetes secret that contains the value expected to be included in the integration endpoint 
       httpHeader:
         enabled: true
         headerName: "Docspell-Integration"
-        headerValue: "SomeSecret"
-    ## @param docspell.server.adminEndpoint.secret Special administration endpoint. If a secret isn't supplied, the endpont is disabled
+        headerValue: 
+          # value: "SomeSecret"
+          existingSecret:
+            name: "my-existing-secret"
+            key: "header-value-key-inside-secret"
+    ## @param docspell.server.adminEndpoint.enabled Whether to enable the special administration endpoint. A secret value or existing secret containing the value has to be supplied when enabled
+    ## @param docspell.server.adminEndpoint.secret.value Value for the administration endpoint
+    ## @param docspell.server.adminEndpoint.existingSecret.name The name of an existing Kubernetes secret that contains the value for the admin endpoint 
+    ## @param docspell.server.adminEndpoint.existingSecret.key The key inside of an existing Kubernetes secret that contains the value for the admin endpoint
     adminEndpoint:
-      secret: 
+      enabled: false
+      # secret:
+      #   value: "test"
+      # existingSecret:
+      #   name: "my-existing-secret"
+      #   key: "admin-key-inside-secret"
 
     ## @param docspell.server.backend.mailDebug Enable or disabling debugging for e-mail related functionality
     backend:
@@ -139,11 +171,17 @@ docspell:
         runFixupMigrations: true
         repairSchema: false
       ## @param docspell.server.backend.signup.mode The mode defines if new users can signup or not (open, invite, closed)
-      ## @param docspell.server.backend.signup.newInvitePassword If mode is 'invite', a password must be provided to generate invitation keys
+      ## @param docspell.server.backend.signup.newInvitePassword.value If mode is 'invite', a password must be provided to generate invitation keys
+      ## @param docspell.server.backend.signup.newInvitePassword.existingSecret.name The name of an existing Kubernetes secret that contains the invitation generation password
+      ## @param docspell.server.backend.signup.newINvitePassword.existingSecret.key The key inside of an existing Kubernetes secret that contains the invitation generation password
       ## @param docspell.server.backend.signup.inviteTime If mode is 'invite', this is the period an invitation token is considered valid
       signup:
         mode: open
-        newInvitePassword: 
+        newInvitePassword:
+          # value: asdf
+          # existingSecret:
+          #   name: "my-existing-secret"
+          #   key: "invite-password-key"
         inviteTime: "3 days"
   ## @param docspell.joex.appId Id of the node
   ## @param docspell.joex.mailDebug Enable or disabling debugging for e-mail related functionality  
@@ -442,7 +480,7 @@ joex:
 ## @param solr.livenessProbe 
 
 solr:
-  enabled: true
+  enabled: false
   podAnnotations: {}
   nodeSelector: {}
   affinity: {}
@@ -545,7 +583,7 @@ solr:
 ## @param postgresql.global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
 ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
 postgresql:
-  enabled: true
+  enabled: false
   global:
    postgresql:
     auth: