This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

support datastore password secret created by external resources (#464)
This allows the datastore secret object to be created by external agents
such as https://github.com/external-secrets/external-secrets

---------

Signed-off-by: grameshtwilio <gramesh@twilio.com>
Co-authored-by: Faisal Memon <fymemon@yahoo.com>
grameshtwilio and faisal-memon committed Aug 22, 2023
1 parent 71ac5af commit c817dd2
Showing 5 changed files with 33 additions and 0 deletions.
3 changes: 3 additions & 0 deletions charts/spire/README.md
Expand Up @@ -322,6 +322,9 @@ Now you can interact with the Spire agent socket from your own application. The
| spire-server.controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` | |
| spire-server.dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" |
| spire-server.dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" |
| spire-server.dataStore.sql.externalSecret | object | `{"enabled":false,"key":"","name":""}` | When an external source creates the secret. The secret should reside in the same namespace as the spire server |
| spire-server.dataStore.sql.externalSecret.key | string | `""` | The key of the secret object whose value is the dataStore.sql password |
| spire-server.dataStore.sql.externalSecret.name | string | `""` | The name of the secret object |
| spire-server.dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" |
| spire-server.dataStore.sql.options | list | `[]` | Only used by "postgres" or "mysql" |
| spire-server.dataStore.sql.password | string | `""` | Only used by "postgres" or "mysql" |
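Review bot: the table documents `spire-server.dataStore.sql.externalSecret.key` and `.name` but has no row for `.enabled`, the flag that actually switches the behaviour on; this README is generated from the values.yaml comments, so a `# --` comment above `enabled: false` in the spire-server values.yaml would make that row appear here. The `externalSecret` summary row should also say that it is only used by "postgres" or "mysql", as the neighbouring `databaseName`, `host`, `options` and `password` rows do.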
3 changes: 3 additions & 0 deletions charts/spire/charts/spire-server/README.md
Expand Up @@ -125,6 +125,9 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| controllerManager.validatingWebhookConfiguration.failurePolicy | string | `"Fail"` | |
| dataStore.sql.databaseName | string | `"spire"` | Only used by "postgres" or "mysql" |
| dataStore.sql.databaseType | string | `"sqlite3"` | Other supported databases are "postgres" and "mysql" |
| dataStore.sql.externalSecret | object | `{"enabled":false,"key":"","name":""}` | When an external source creates the secret. The secret should reside in the same namespace as the spire server |
| dataStore.sql.externalSecret.key | string | `""` | The key of the secret object whose value is the dataStore.sql password |
| dataStore.sql.externalSecret.name | string | `""` | The name of the secret object |
| dataStore.sql.host | string | `""` | Only used by "postgres" or "mysql" |
| dataStore.sql.options | list | `[]` | Only used by "postgres" or "mysql" |
| dataStore.sql.password | string | `""` | Only used by "postgres" or "mysql" |
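Review bot: same gap as the umbrella README: `dataStore.sql.externalSecret.enabled` gets no row of its own, and the `externalSecret` row does not say that the setting only matters for "postgres" or "mysql". Both come from the missing `# --` comment on `enabled` in values.yaml, so fixing it there fixes both generated tables.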
11 changes: 11 additions & 0 deletions charts/spire/charts/spire-server/templates/secret.yaml
@@ -1,4 +1,14 @@
{{- if and (.Values.dataStore.sql.externalSecret.enabled) (ne .Values.dataStore.sql.password "") }}
{{- fail "dataStore.sql.password should not be set when dataStore.sql.externalSecret is enabled" }}
{{- end }}
{{- if and (.Values.dataStore.sql.externalSecret.enabled) (eq .Values.dataStore.sql.externalSecret.name "") }}
{{- fail "dataStore.sql.externalSecret.name cannot be empty string when dataStore.sql.externalSecret is enabled" }}
{{- end }}
{{- if and (.Values.dataStore.sql.externalSecret.enabled) (eq .Values.dataStore.sql.externalSecret.key "") }}
{{- fail "dataStore.sql.externalSecret.key cannot be empty string when dataStore.sql.externalSecret is enabled" }}
{{- end }}
{{- if ne .Values.dataStore.sql.databaseType "sqlite3" }}
{{- if not .Values.dataStore.sql.externalSecret.enabled }}
apiVersion: v1
kind: Secret
metadata:
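Review bot: the three `fail` guards sit above the `ne .Values.dataStore.sql.databaseType "sqlite3"` check, so enabling `externalSecret` with an empty `name` or `key` aborts rendering even for sqlite3, where no DBPW secret is consumed at all; either nest the guards inside the sqlite3 conditional or state in the values comment that `externalSecret` is only meaningful for postgres/mysql. One more thing worth documenting: when `externalSecret.enabled` flips from false to true on an upgrade this template stops rendering the `-dbpw` Secret, so Helm removes it from the release, and the external Secret must already exist with the configured key or the server pods will fail to start.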
Expand All @@ -7,3 +17,4 @@ metadata:
data:
DBPW: {{ .Values.dataStore.sql.password | b64enc }}
{{- end }}
{{- end }}
8 changes: 8 additions & 0 deletions charts/spire/charts/spire-server/templates/statefulset.yaml
Expand Up @@ -83,12 +83,20 @@ spec:
- name: PATH
value: "/opt/spire/bin:/bin"
{{- if ne .Values.dataStore.sql.databaseType "sqlite3" }}
{{- if .Values.dataStore.sql.externalSecret.enabled }}
- name: DBPW
valueFrom:
secretKeyRef:
name: {{ .Values.dataStore.sql.externalSecret.name }}
key: {{ .Values.dataStore.sql.externalSecret.key }}
{{- else }}
- name: DBPW
valueFrom:
secretKeyRef:
name: {{ $fullname }}-dbpw
key: DBPW
{{- end }}
{{- end }}
{{- if ne .Values.keyManager.awsKMS.accessKeyID "" }}
- name: AWS_KMS_ACCESS_KEY_ID
valueFrom:
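Review bot: the two branches differ only in the `name:` and `key:` under `secretKeyRef`, so the `- name: DBPW` / `valueFrom:` / `secretKeyRef:` lines are duplicated; computing the secret name and key into two variables before the `if` and rendering a single block would keep the two paths from drifting. Separately, DBPW is injected as an environment variable, which is read once at container start: a password rotated by the external agent is not seen by running spire-server pods until they restart, and because the Secret is no longer rendered by the chart there is no checksum annotation on the pod template that would trigger that rollout. That caveat belongs in the values comment for `externalSecret`.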
8 changes: 8 additions & 0 deletions charts/spire/charts/spire-server/values.yaml
Expand Up @@ -129,6 +129,14 @@ dataStore:
# -- Settings from https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md go in this section
plugin_data: {}

# -- When an external source creates the secret. The secret should reside in the same namespace as the spire server
externalSecret:
enabled: false
# -- The name of the secret object
name: ""
# -- The key of the secret object whose value is the dataStore.sql password
key: ""

# -- The log level, valid values are "debug", "info", "warn", and "error"
logLevel: info
# -- The JWT issuer domain
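Review bot: `enabled: false` has no `# --` helm-docs comment, which is why the generated README tables in this commit list `externalSecret.key` and `externalSecret.name` but not `externalSecret.enabled`; add one. The section comment should also say that the setting is only used by "postgres" or "mysql", that `dataStore.sql.password` must be left empty when it is enabled (the secret template rejects the combination), and that the referenced Secret must exist before the release is installed or upgraded.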

0 comments on commit c817dd2