fix postgres and redis existing secrets and exposure

chatwoot · Jan 12, 2022 · f9b74b6 · f9b74b6
1 parent 767303c
commit f9b74b6
Show file tree

Hide file tree

Showing 7 changed files with 83 additions and 32 deletions.
diff --git a/charts/chatwoot/Chart.yaml b/charts/chatwoot/Chart.yaml
@@ -31,7 +31,7 @@ sources:
   - http://www.chatwoot.com
 
 # This is the chart version.
-version: 0.7.0
+version: 0.7.3
 
 # This is the application version.
 appVersion: "v2.0.0"
diff --git a/charts/chatwoot/templates/_helpers.tpl b/charts/chatwoot/templates/_helpers.tpl
@@ -182,9 +182,9 @@ Set redis password
 */}}
 {{- define "chatwoot.redis.password" -}}
 {{- if .Values.redis.enabled -}}
-{{- default "redis" .Values.redis.auth.password | quote -}}
+{{- default "redis" .Values.redis.auth.password -}}
 {{- else -}}
-{{- default "redis" .Values.redis.password | quote -}}
+{{- default "redis" .Values.redis.password -}}
 {{- end -}}
 {{- end -}}
 
@@ -193,10 +193,10 @@ Set redis URL
 */}}
 {{- define "chatwoot.redis.url" -}}
 {{- if .Values.redis.enabled -}}
-    "redis://:{{ .Values.redis.auth.password }}@{{ template "chatwoot.redis.host" . }}:{{ template "chatwoot.redis.port" . }}"
+    redis://:{{ .Values.redis.auth.password }}@{{ template "chatwoot.redis.host" . }}:{{ template "chatwoot.redis.port" . }}
 {{- else if .Values.env.REDIS_TLS -}}
-    "rediss://:{{ .Values.redis.password }}@{{ .Values.redis.host }}:{{ .Values.redis.port }}"
+    rediss://:$(REDIS_PASSWORD)@{{ .Values.redis.host }}:{{ .Values.redis.port }}
 {{- else -}}
-    "redis://:{{ .Values.redis.password }}@{{ .Values.redis.host }}:{{ .Values.redis.port }}"
+    redis://:$(REDIS_PASSWORD)@{{ .Values.redis.host }}:{{ .Values.redis.port }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/chatwoot/templates/env-configmap.yaml b/charts/chatwoot/templates/env-configmap.yaml
diff --git a/charts/chatwoot/templates/env-secret.yaml b/charts/chatwoot/templates/env-secret.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: {{ template "chatwoot.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+  name: {{ template "chatwoot.fullname" . }}-env
+data:
+  POSTGRES_HOST: {{ include "chatwoot.postgresql.host" . | b64enc | quote }}
+  POSTGRES_PORT: {{ include "chatwoot.postgresql.port" . | b64enc | quote }}
+  POSTGRES_USERNAME: {{ default "postgres" .Values.postgresql.postgresqlUsername | b64enc | quote }}
+  {{- if not .Values.postgresql.existingSecret }}
+  POSTGRES_PASSWORD: {{ default "postgres" .Values.postgresql.postgresqlPassword | b64enc | quote }}
+  {{- end }}
+  POSTGRES_DATABASE: {{ default "chatwoot_production" .Values.postgresql.postgresqlDatabase | b64enc | quote }}
+  REDIS_HOST: {{ include "chatwoot.redis.host" . | b64enc | quote }}
+  REDIS_PORT: {{ include "chatwoot.redis.port" . | b64enc | quote }}
+  {{- if not .Values.redis.existingSecret }}
+  REDIS_PASSWORD: {{ include "chatwoot.redis.password" . | b64enc | quote }}
+  {{- end }}
+  REDIS_URL: {{ include "chatwoot.redis.url" . | b64enc | quote }}
+  {{- range $key, $value := .Values.env}}
+  {{ $key }}: {{ $value | toString | b64enc | quote }}
+  {{- end }}
diff --git a/charts/chatwoot/templates/migrations-job.yaml b/charts/chatwoot/templates/migrations-job.yaml
@@ -43,7 +43,23 @@ spec:
         - exec
         - rails
         - db:chatwoot_prepare
+        env:
+        {{- if .Values.postgresql.existingSecret }}
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.postgresql.existingSecret }}
+              key: {{ default "password" .Values.postgresql.existingSecretKey }}
+        {{- end }}
+        {{- if .Values.redis.existingSecret }}
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.redis.existingSecret }}
+              key: {{ default "password" .Values.redis.existingSecretKey }}
+        {{- end }}
         envFrom:
-          - configMapRef:
+          - secretRef:
               name: {{ template "chatwoot.fullname" . }}-env
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+      serviceAccountName: {{ include "chatwoot.serviceAccountName" . }}
diff --git a/charts/chatwoot/templates/web-deployment.yaml b/charts/chatwoot/templates/web-deployment.yaml
@@ -36,8 +36,23 @@ spec:
             - 0.0.0.0
           command:
             - docker/entrypoints/rails.sh
+          env:
+          {{- if .Values.postgresql.existingSecret }}
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.postgresql.existingSecret }}
+                key: {{ default "password" .Values.postgresql.existingSecretKey }}
+          {{- end }}
+          {{- if .Values.redis.existingSecret }}
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.redis.existingSecret }}
+                key: {{ default "password" .Values.redis.existingSecretKey }}
+          {{- end }}
           envFrom:
-            - configMapRef:
+            - secretRef:
                 name: {{ template "chatwoot.fullname" . }}-env
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           name: {{ .Chart.Name }}-web
@@ -48,4 +63,5 @@ spec:
           resources:
             {{- toYaml . | nindent 12 }}
             {{- end }}
+      serviceAccountName: {{ include "chatwoot.serviceAccountName" . }}
 status: {}
diff --git a/charts/chatwoot/templates/worker-deployment.yaml b/charts/chatwoot/templates/worker-deployment.yaml
@@ -31,8 +31,23 @@ spec:
             - sidekiq
             - -C
             - config/sidekiq.yml
+          env:
+          {{- if .Values.postgresql.existingSecret }}
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.postgresql.existingSecret }}
+                key: {{ default "password" .Values.postgresql.existingSecretKey }}
+          {{- end }}
+          {{- if .Values.redis.existingSecret }}
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.redis.existingSecret }}
+                key: {{ default "password" .Values.redis.existingSecretKey }}
+          {{- end }}
           envFrom:
-            - configMapRef:
+            - secretRef:
                 name: {{ template "chatwoot.fullname" . }}-env
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           name: {{ .Chart.Name }}-workers
@@ -41,6 +56,7 @@ spec:
             {{- toYaml . | nindent 12 }}
             {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+      serviceAccountName: {{ include "chatwoot.serviceAccountName" . }}
 
 status: {}