Load PostgreSQL connection configuration from K8s secret (#112)

* Create sync-from-upstream.yaml Signed-off-by: Zach Stone <zach@giantswarm.io> * Update sync-from-upstream.yaml Signed-off-by: Zach Stone <zach@giantswarm.io> * Allow loading Postgres config from secret Signed-off-by: Zach Stone <zach@giantswarm.io> * Remove GS workflow (#1) Signed-off-by: Zach Stone <zach@giantswarm.io> * Update README Signed-off-by: Zach Stone <zach@giantswarm.io> * Use genreic "DB" instead of PG-specific references Signed-off-by: Zach Stone <zach@giantswarm.io> * Fix codegen-ed README Signed-off-by: Zach Stone <zach@giantswarm.io> --------- Signed-off-by: Zach Stone <zach@giantswarm.io>
kyverno · Apr 30, 2024 · f97f31a · f97f31a
1 parent 2ed3a29
commit f97f31a
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 8 deletions.
diff --git a/charts/reports-server/README.md b/charts/reports-server/README.md
@@ -57,10 +57,15 @@ helm install reports-server --namespace reports-server --create-namespace report
 | service.type | string | `"ClusterIP"` | Service type |
 | service.port | int | `443` | Service port |
 | config.debug | bool | `false` | Enable debug (to use inmemorydatabase) |
+| config.db.secretName | string | `""` | If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`. |
 | config.db.host | string | `""` | Database host |
+| config.db.hostSecretKeyName | string | `"host"` | The database host will be read from this `key` in the specified Secret, when `db.secretName` is set. |
 | config.db.name | string | `"reportsdb"` | Database name |
+| config.db.dbNameSecretKeyName | string | `"dbname"` | The database name will be read from this `key` in the specified Secret, when `db.secretName` is set. |
 | config.db.user | string | `"postgres"` | Database user |
+| config.db.userSecretKeyName | string | `"username"` | The database username will be read from this `key` in the specified Secret, when `db.secretName` is set. |
 | config.db.password | string | `"reports"` | Database password |
+| config.db.passwordSecretKeyName | string | `"password"` | The database password will be read from this `key` in the specified Secret, when `db.secretName` is set. |
 
 ## Source Code
 

diff --git a/charts/reports-server/templates/_helpers.tpl b/charts/reports-server/templates/_helpers.tpl
@@ -60,3 +60,39 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Database config is injected into the environment, if a secret ref is set. Otherwise, Helm values are used directly.
+*/}}
+{{- define "reports-server.dbHost" -}}
+{{- if .Values.config.db.secretName }}
+{{- printf "%s" "$(DB_HOST)" }}
+{{- else }}
+{{- default (printf "%s-postgresql.%s" $.Release.Name $.Release.Namespace ) .Values.config.db.host }}
+{{- end }}
+{{- end }}
+
+{{- define "reports-server.dbName" -}}
+{{- if .Values.config.db.secretName }}
+{{- printf "%s" "$(DB_DATABASE)" }}
+{{- else }}
+{{- .Values.config.db.name }}
+{{- end }}
+{{- end }}
+
+{{- define "reports-server.dbUser" -}}
+{{- if .Values.config.db.secretName }}
+{{- printf "%s" "$(DB_USER)" }}
+{{- else }}
+{{- .Values.config.db.user }}
+{{- end }}
+{{- end }}
+
+{{- define "reports-server.dbPassword" -}}
+{{- if .Values.config.db.secretName }}
+{{- printf "%s" "$(DB_PASSWORD)" }}
+{{- else }}
+{{- .Values.config.db.password }}
+{{- end }}
+{{- end }}
+
diff --git a/charts/reports-server/templates/deployment.yaml b/charts/reports-server/templates/deployment.yaml
@@ -40,17 +40,36 @@ spec:
             {{- if .Values.config.debug }}
             - --debug
             {{- else }}
-            {{- if .Values.config.db.host }}
-            - --dbhost={{ .Values.config.db.host }}
-            {{- else }}
-            - --dbhost={{ $.Release.Name }}-postgresql.{{ $.Release.Namespace }}
-            {{- end }}
-            - --dbname={{ .Values.config.db.name }}
-            - --dbuser={{ .Values.config.db.user }}
-            - --dbpassword={{ .Values.config.db.password }}
+            - --dbhost={{ include "reports-server.dbHost" . }}
+            - --dbname={{ include "reports-server.dbName" . }}
+            - --dbuser={{ include "reports-server.dbUser" . }}
+            - --dbpassword={{ include "reports-server.dbPassword" . }}
             {{- end }}
             - --cert-dir=/tmp
             - --secure-port=4443
+          {{- if .Values.config.db.secretName }}
+          env:
+            - name: DB_HOST
+              valueFrom:
+                secretKeyRef:
+                  key: {{ .Values.config.db.hostSecretKeyName }}
+                  name: {{ .Values.config.db.secretName }}
+            - name: DB_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  key: {{ .Values.config.db.dbNameSecretKeyName }}
+                  name: {{ .Values.config.db.secretName }}
+            - name: DB_USER
+              valueFrom:
+                secretKeyRef:
+                  key: {{ .Values.config.db.userSecretKeyName }}
+                  name: {{ .Values.config.db.secretName }}
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: {{ .Values.config.db.passwordSecretKeyName }}
+                  name: {{ .Values.config.db.secretName }}
+          {{- end}}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"

diff --git a/charts/reports-server/values.yaml b/charts/reports-server/values.yaml
@@ -145,15 +145,25 @@ config:
   debug: false
 
   db:
+    # -- If set, database connection information will be read from the Secret with this name. Overrides `db.host`, `db.name`, `db.user`, and `db.password`.
+    secretName: ""
 
     # -- Database host
     host: ""
+    # -- The database host will be read from this `key` in the specified Secret, when `db.secretName` is set.
+    hostSecretKeyName: "host"
 
     # -- Database name
     name: reportsdb
+    # -- The database name will be read from this `key` in the specified Secret, when `db.secretName` is set.
+    dbNameSecretKeyName: "dbname"
 
     # -- Database user
     user: postgres
+    # -- The database username will be read from this `key` in the specified Secret, when `db.secretName` is set.
+    userSecretKeyName: "username"
 
     # -- Database password
     password: reports
+    # -- The database password will be read from this `key` in the specified Secret, when `db.secretName` is set.
+    passwordSecretKeyName: "password"