central db credential mgmt w/secret, internal pgsql

Chart.yaml

@@ -1,7 +1,7 @@
 ---
 apiVersion: v2
 name: zabbix
-version: 1.2.0
+version: 2.0.0
 appVersion: 6.0.0
 description: Zabbix is a mature and effortless enterprise-class open source monitoring solution for network monitoring and application monitoring of millions of metrics.
 keywords:
@@ -25,8 +25,3 @@ maintainers:
   - name: Sebastien Dupont
     email: sebastien.dupont@cetic.be
     url: https://github.com/banzo
-dependencies:
-  - name: postgresql
-    version: ~11.0.6
-    repository: https://charts.bitnami.com/bitnami
-    condition: postgresql.enabled

README.md

@@ -1,6 +1,6 @@
 # Helm Chart For Zabbix.
 
-[![CircleCI](https://circleci.com/gh/cetic/helm-zabbix.svg?style=svg)](https://circleci.com/gh/cetic/helm-zabbix/tree/master) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![version](https://img.shields.io/github/tag/cetic/helm-zabbix.svg?label=release) ![Version: 1.2.0](https://img.shields.io/badge/Version-1.2.0-informational?style=flat-square)
+[![CircleCI](https://circleci.com/gh/cetic/helm-zabbix.svg?style=svg)](https://circleci.com/gh/cetic/helm-zabbix/tree/master) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) ![version](https://img.shields.io/github/tag/cetic/helm-zabbix.svg?label=release) ![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square)
 
 Zabbix is a mature and effortless enterprise-class open source monitoring solution for network monitoring and application monitoring of millions of metrics.
 
@@ -161,6 +161,8 @@ The following tables lists the configurable parameters of the chart and their de
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity configurations |
+| db_access.secret_autocreate | bool | `true` | automatically create secret if not already present (works only in combination with postgresql.enabled=true) |
+| db_access.secret_name | string | `"zabbixdb-pguser-zabbix"` | * password |
 | ingress.annotations | object | `{}` | Ingress annotations |
 | ingress.enabled | bool | `false` | Enables Ingress |
 | ingress.extraLabels | object | `{}` | Ingress extra labels |
@@ -174,12 +176,20 @@ The following tables lists the configurable parameters of the chart and their de
 | livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the probe to be considered successful after having failed |
 | livenessProbe.timeoutSeconds | int | `5` | Number of seconds after which the probe times out |
 | nodeSelector | object | `{}` | nodeSelector configurations |
-| postgresql.auth.database | string | `"zabbix"` | Name of database |
-| postgresql.auth.enablePostgresUser | bool | `true` | Enable remote access to ``postgres`` user |
-| postgresql.auth.password | string | `"zabbix"` | Password of database |
-| postgresql.auth.postgresPassword | string | `"zabbix_pwd"` | Password of``postgres`` user in Postgresql |
-| postgresql.auth.username | string | `"zabbix"` | User of database |
 | postgresql.enabled | bool | `true` | Create a database using Postgresql |
+| postgresql.extraEnv | list | `[]` | Extra environment variables. A list of additional environment variables. |
+| postgresql.image.pullPolicy | string | `"IfNotPresent"` | Pull policy of Docker image |
+| postgresql.image.pullSecrets | list | `[]` | List of dockerconfig secrets names to use when pulling images |
+| postgresql.image.repository | string | `"postgres"` | Postgresql Docker image name: chose one of "postgres" or "timescale/timescaledb" |
+| postgresql.image.tag | int | `14` | Tag of Docker image of Postgresql server, chose "14" for postgres or "latest-pg14" for timescaledb |
+| postgresql.max_connections | int | `50` | Name of database POSTGRES_DB: "zabbix" - max simultaneous connections to accept for the Postgres server |
+| postgresql.persistence.enabled | bool | `false` | whether to enable persistent storage for the postgres container or not |
+| postgresql.persistence.existing_claim_name | bool | `false` | existing persistent volume claim name to be used to store posgres data |
+| postgresql.persistence.storage_size | string | `"5Gi"` | size of the PVC to be automatically generated |
+| postgresql.service.annotations | object | `{}` | Annotations for the zabbix-server service |
+| postgresql.service.clusterIP | string | `nil` | Cluster IP for Zabbix server |
+| postgresql.service.port | int | `5432` | Port of service in Kubernetes cluster |
+| postgresql.service.type | string | `"ClusterIP"` | Type of service in Kubernetes cluster |
 | readinessProbe.failureThreshold | int | `6` | When a probe fails, Kubernetes will try failureThreshold times before giving up. Giving up in case of liveness probe means restarting the container. In case of readiness probe the Pod will be marked Unready |
 | readinessProbe.initialDelaySeconds | int | `5` | Number of seconds after the container has started before readiness |
 | readinessProbe.path | string | `"/"` | Path of health check of application |
@@ -195,7 +205,7 @@ The following tables lists the configurable parameters of the chart and their de
 | zabbixagent.ZBX_SERVER_PORT | int | `10051` | Zabbix server port |
 | zabbixagent.ZBX_VMWARECACHESIZE | string | `"128M"` | Cache size |
 | zabbixagent.enabled | bool | `true` | Enables use of **Zabbix Agent** |
-| zabbixagent.extraEnv | object | `{}` | Extra environment variables. A list of additional environment variables. See example: https://github.com/cetic/helm-zabbix/blob/master/docs/example/kind/values.yaml |
+| zabbixagent.extraEnv | list | `[]` | Extra environment variables. A list of additional environment variables. See example: https://github.com/cetic/helm-zabbix/blob/master/docs/example/kind/values.yaml |
 | zabbixagent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy of Docker image |
 | zabbixagent.image.pullSecrets | list | `[]` | List of dockerconfig secrets names to use when pulling images |
 | zabbixagent.image.repository | string | `"zabbix/zabbix-agent"` | Zabbix agent Docker image name. Can use zabbix/zabbix-agent or zabbix/zabbix-agent2 |
@@ -212,7 +222,7 @@ The following tables lists the configurable parameters of the chart and their de
 | zabbixproxy.ZBX_SERVER_PORT | int | `10051` | Zabbix server port |
 | zabbixproxy.ZBX_VMWARECACHESIZE | string | `"128M"` | Cache size |
 | zabbixproxy.enabled | bool | `true` | Enables use of **Zabbix Proxy** |
-| zabbixproxy.extraEnv | object | `{}` | Extra environment variables. A list of additional environment variables. See example: https://github.com/cetic/helm-zabbix/blob/master/docs/example/kind/values.yaml |
+| zabbixproxy.extraEnv | list | `[]` | Extra environment variables. A list of additional environment variables. See example: https://github.com/cetic/helm-zabbix/blob/master/docs/example/kind/values.yaml |
 | zabbixproxy.image.pullPolicy | string | `"IfNotPresent"` | Pull policy of Docker image |
 | zabbixproxy.image.pullSecrets | list | `[]` | List of dockerconfig secrets names to use when pulling images |
 | zabbixproxy.image.repository | string | `"zabbix/zabbix-proxy-sqlite3"` | Zabbix proxy Docker image name |
@@ -231,7 +241,7 @@ The following tables lists the configurable parameters of the chart and their de
 | zabbixserver.POSTGRES_PASSWORD_SECRET_KEY | string | `"password"` | Key of the secret used for Postgres Password, requires POSTGRES_PASSWORD_SECRET, defaults to password |
 | zabbixserver.POSTGRES_USER | string | `"zabbix"` | User of database |
 | zabbixserver.enabled | bool | `true` | Enables use of **Zabbix Server** |
-| zabbixserver.extraEnv | object | `{}` | Extra environment variables. A list of additional environment variables. See example: https://github.com/cetic/helm-zabbix/blob/master/docs/example/kind/values.yaml |
+| zabbixserver.extraEnv | list | `[]` | Extra environment variables. A list of additional environment variables. See example: https://github.com/cetic/helm-zabbix/blob/master/docs/example/kind/values.yaml |
 | zabbixserver.hostIP | string | `"0.0.0.0"` | optional set hostIP different from 0.0.0.0 to open port only on this IP |
 | zabbixserver.hostPort | bool | `false` | optional set true open a port direct on node where zabbix server runs |
 | zabbixserver.image.pullPolicy | string | `"IfNotPresent"` | Pull policy of Docker image |
@@ -240,25 +250,20 @@ The following tables lists the configurable parameters of the chart and their de
 | zabbixserver.image.tag | string | `"ubuntu-6.0.0"` | Tag of Docker image of Zabbix server |
 | zabbixserver.replicaCount | int | `1` | Number of replicas of ``zabbixserver`` module |
 | zabbixserver.resources | object | `{}` |  |
+| zabbixserver.service | object | `{"annotations":{},"clusterIP":null,"nodePort":31051,"port":10051,"type":"ClusterIP"}` | Name of database POSTGRES_DB: "zabbix" |
 | zabbixserver.service.annotations | object | `{}` | Annotations for the zabbix-server service |
 | zabbixserver.service.clusterIP | string | `nil` | Cluster IP for Zabbix server |
 | zabbixserver.service.nodePort | int | `31051` | NodePort of service on each node |
 | zabbixserver.service.port | int | `10051` | Port of service in Kubernetes cluster |
 | zabbixserver.service.type | string | `"ClusterIP"` | Type of service in Kubernetes cluster |
-| zabbixweb.DB_SERVER_HOST | string | `"zabbix-postgresql"` | Address of database host |
-| zabbixweb.DB_SERVER_PORT | int | `5432` | Port of database |
-| zabbixweb.POSTGRES_DB | string | `"zabbix"` | Name of database |
-| zabbixweb.POSTGRES_PASSWORD | string | `"zabbix"` | Password of database |
-| zabbixweb.POSTGRES_USER | string | `"zabbix"` | User of database |
-| zabbixweb.ZBX_SERVER_HOST | string | `"zabbix-zabbix-server"` | Zabbix server host |
-| zabbixweb.ZBX_SERVER_PORT | int | `10051` | Zabbix server port |
 | zabbixweb.enabled | bool | `true` | Enables use of **Zabbix Web** |
-| zabbixweb.extraEnv | object | `{}` | Extra environment variables. A list of additional environment variables. See example: https://github.com/cetic/helm-zabbix/blob/master/docs/example/kind/values.yaml |
+| zabbixweb.extraEnv | list | `[]` | Extra environment variables. A list of additional environment variables. See example: https://github.com/cetic/helm-zabbix/blob/master/docs/example/kind/values.yaml |
 | zabbixweb.image.pullPolicy | string | `"IfNotPresent"` | Pull policy of Docker image |
 | zabbixweb.image.pullSecrets | list | `[]` | List of dockerconfig secrets names to use when pulling images |
 | zabbixweb.image.repository | string | `"zabbix/zabbix-web-apache-pgsql"` | Zabbix web Docker image name |
 | zabbixweb.image.tag | string | `"ubuntu-6.0.0"` | Tag of Docker image of Zabbix web |
 | zabbixweb.resources | object | `{}` |  |
+| zabbixweb.service | object | `{"annotations":{},"clusterIP":null,"port":80,"type":"NodePort"}` | Name of database POSTGRES_DB: zabbix |
 | zabbixweb.service.annotations | object | `{}` | Annotations for the zabbix-web service |
 | zabbixweb.service.clusterIP | string | `nil` | Cluster IP for Zabbix web |
 | zabbixweb.service.port | int | `80` | Port to expose service |

docs/example/kind/values.yaml

@@ -1,4 +1,14 @@
 # Custom values for zabbix.
+db_access:
+  # central place for all database related parameters (db name, host, user, password) in one secret
+  # which will be used by all relevant components which are installed by this chart (Zabbix server,
+  # database, frontend).
+  # In case you are using the CrunchyData Postgres Operator, you can refer to a secret generated by
+  # this operator to use a PGO database for your Zabbix instance.
+  secret_name: myzabbixdbaccess
+  # generate this secret if it does not yet exist and set a random password. Only useful if also using
+  # postgresql.enabled=true
+  secret_autocreate: true
 
 zabbixserver:
   enabled: true
@@ -7,11 +17,6 @@ zabbixserver:
     repository: zabbix/zabbix-server-pgsql
     tag: ubuntu-6.0.0
     pullPolicy: IfNotPresent
-  DB_SERVER_HOST: "zabbix-postgresql"
-  DB_SERVER_PORT: "5432"
-  POSTGRES_USER: "zabbix"
-  POSTGRES_PASSWORD: zabbix
-  POSTGRES_DB: "zabbix"
   service:
     type: NodePort
     port: 10051
@@ -25,12 +30,11 @@ zabbixserver:
 
 postgresql:
   enabled: true
-  auth:
-    enablePostgresUser: true
-    postgresPassword: "zabbix_pwd"
-    username: "zabbix"
-    password: "zabbix"
-    database: "zabbix"
+  max_connections: 100
+  persistence:
+    enabled: true
+    existing_claim_name: false
+    storage_size: 5Gi # generate a PVC in default storage class with the given size for the DB
 
 zabbixproxy:
   enabled: true
@@ -97,11 +101,6 @@ zabbixweb:
     pullPolicy: IfNotPresent
   ZBX_SERVER_HOST: zabbix-zabbix-server
   ZBX_SERVER_PORT: 10051
-  DB_SERVER_HOST: zabbix-postgresql
-  DB_SERVER_PORT: 5432
-  POSTGRES_USER: zabbix
-  POSTGRES_PASSWORD: zabbix
-  POSTGRES_DB: zabbix
   service:
     type: NodePort
     port: 80

templates/deployment-zabbix-web.yaml

@@ -48,23 +48,80 @@ spec:
             value: {{ .Values.zabbixweb.ZBX_SERVER_HOST | quote }}
           - name: ZBX_SERVER_PORT
             value: {{ .Values.zabbixweb.ZBX_SERVER_PORT | quote }}
+          {{- if .Values.postgresql.enabled }}
           - name: DB_SERVER_HOST
+            value: {{ template "zabbix.fullname" . }}-postgresql
+          - name: DB_SERVER_PORT
+            value: {{ .Values.postgresql.service.port | quote }}
+          {{- else if .Values.db_access.secret_name }}
+          - name: DB_SERVER_HOST
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.db_access.secret_name }}
+                key: host
+          - name: DB_SERVER_PORT
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.db_access.secret_name }}
+                key: port
+                optional: true
+          {{- else }}
+          - name: DB_SERVER_HOST
+            {{- if .Values.db_access.DB_SERVER_HOST }}
+            value: {{ .Values.db_access.DB_SERVER_HOST | quote }}
+            {{- else }}
             value: {{ .Values.zabbixweb.DB_SERVER_HOST | quote }}
+            {{- end -}}
           - name: DB_SERVER_PORT
+            {{- if .Values.db_access.DB_SERVER_PORT }}
+            value: {{ .Values.db_access.DB_SERVER_PORT | quote }}
+            {{- else }}
             value: {{ .Values.zabbixweb.DB_SERVER_PORT | quote }}
+            {{- end -}}
+          {{- end }}
+          {{- if .Values.db_access.secret_name }}
           - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.db_access.secret_name }}
+                key: user
+                optional: true
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.db_access.secret_name }}
+                key: password
+          - name: POSTGRES_DB
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.db_access.secret_name }}
+                key: dbname
+                optional: true
+          {{- else }}
+          - name: POSTGRES_USER
+            {{- if .Values.db_access.POSTGRES_USER }}
+            value: {{ .Values.db_access.POSTGRES_USER | quote }}
+            {{- else }}
             value: {{ .Values.zabbixweb.POSTGRES_USER | quote }}
+            {{- end }}
           - name: POSTGRES_PASSWORD
-            {{- if .Values.zabbixserver.POSTGRES_PASSWORD_SECRET }}
+            {{- if .Values.db_access.POSTGRES_PASSWORD }}
+            value: {{ .Values.db_access.POSTGRES_PASSWORD | quote }}
+            {{- else if .Values.zabbixserver.POSTGRES_PASSWORD_SECRET }}
             valueFrom:
               secretKeyRef:
                 name: {{ .Values.zabbixserver.POSTGRES_PASSWORD_SECRET }}
                 key: {{ default "password" .Values.zabbixserver.POSTGRES_PASSWORD_SECRET_KEY }}
             {{- else }}
-            value: {{ .Values.zabbixserver.POSTGRES_PASSWORD | quote }}
+            value: {{ .Values.zabbixweb.POSTGRES_PASSWORD | quote }}
             {{- end }}
           - name: POSTGRES_DB
+            {{- if .Values.db_access.POSTGRES_DB }}
+            value: {{ .Values.db_access.POSTGRES_DB | quote }}
+            {{- else }}
             value: {{ .Values.zabbixweb.POSTGRES_DB | quote }}
+            {{- end }}
+          {{- end }}
           # - name: POSTGRES_USER_FILE
           #  value: value: {{ .Values.zabbixweb.POSTGRES_USER_FILE | quote }}
           #- name: POSTGRES_PASSWORD_FILE

templates/secret-db-access.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.db_access.secret_autocreate .Values.postgresql.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.db_access.secret_name }}
+  labels:
+    app: {{ template "zabbix.fullname" . }}-db-access
+    app.kubernetes.io/name: db-access
+    helm.sh/chart: {{ include "zabbix.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}-db-access
+    app.kubernetes.io/managed-by: {{ .Release.Service }}-db-access
+type: Opaque
+data:
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace .Values.db_access.secret_name) | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  {{- $secretHost := (get $secretData "host") | default (printf "%s-%s" (include "zabbix.fullname" .) "postgresql" | b64enc) }}
+  {{- $secretPort := (get $secretData "port") | default (.Values.postgresql.service.port | toString | b64enc) }}
+  {{- $secretDbname := (get $secretData "dbname") | default ("zabbix" | b64enc) }}
+  {{- $secretUser := (get $secretData "user") | default ("zabbix" | b64enc) }}
+  {{- $secretPassword := (get $secretData "password") | default (randAlphaNum 16 | b64enc) }}
+  host: {{ $secretHost | quote }}
+  port: {{ $secretPort | quote }}
+  dbname: {{ $secretDbname | quote }}
+  user: {{ $secretUser | quote }}
+  password: {{ $secretPassword | quote }}
+{{- end }}

templates/service.yaml

@@ -135,3 +135,35 @@ spec:
   selector:
     app: {{ template "zabbix.fullname" . }}-zabbix-proxy
 {{- end }}
+
+{{- if .Values.postgresql.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "zabbix.fullname" . }}-postgresql
+  labels:
+    app: {{ template "zabbix.fullname" . }}-postgresql
+    app.kubernetes.io/name: postgresql
+    helm.sh/chart: {{ include "zabbix.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}-postgresql
+    app.kubernetes.io/managed-by: {{ .Release.Service }}-postgresql
+  {{- if .Values.postgresql.service.annotations }}
+  annotations:
+    {{- range $key,$value := .Values.postgresql.service.annotations }}
+    {{ $key }}: {{ $value }}
+    {{- end }}
+  {{- end }}
+spec:
+  type: {{ .Values.postgresql.service.type }}
+  {{- if .Values.postgresql.service.clusterIP }}
+  clusterIP: {{ .Values.postgresql.service.clusterIP }}
+  {{- end }}
+  ports:
+    - port: {{ .Values.postgresql.service.port }}
+      targetPort: 5432
+      protocol: TCP
+      name: db
+  selector:
+    app: {{ template "zabbix.fullname" . }}-postgresql
+{{- end }}