feat(storage): storage access key secret can be supplied
andrewazores committed Sep 6, 2024
1 parent b32abb3 commit 562710e
Showing 11 changed files with 43 additions and 26 deletions.
23 changes: 12 additions & 11 deletions charts/cryostat/README.md
Expand Up @@ -100,17 +100,18 @@ helm install cryostat ./charts/cryostat

### Storage Container

| Name | Description | Value |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
| `storage` | Configuration for Cryostat's object storage provider | |
| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` |
| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` |
| `storage.image.tag` | Tag for the storage container image | `latest` |
| `storage.service.type` | Type of Service to create for the object storage | `ClusterIP` |
| `storage.service.port` | Port number to expose on the Service | `8333` |
| `storage.resources.requests.cpu` | CPU resource request for the object storage container. | `50m` |
| `storage.resources.requests.memory` | Memory resource request for the object storage container. | `256Mi` |
| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |
| Name | Description | Value |
| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
| `storage` | Configuration for Cryostat's object storage provider | |
| `storage.storageSecretName` | Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` |
| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` |
| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` |
| `storage.image.tag` | Tag for the storage container image | `latest` |
| `storage.service.type` | Type of Service to create for the object storage | `ClusterIP` |
| `storage.service.port` | Port number to expose on the Service | `8333` |
| `storage.resources.requests.cpu` | CPU resource request for the object storage container. | `50m` |
| `storage.resources.requests.memory` | Memory resource request for the object storage container. | `256Mi` |
| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` |

### Grafana Container

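Review bot: the new `storage.storageSecretName` description says the referenced Secret "must contain a STORAGE_ACCESS_KEY secret", but `STORAGE_ACCESS_KEY` is an entry under the Secret's `data`, not a Secret of its own, and the subject of "It must not be updated across chart upgrades" is ambiguous between the Secret object and the stored value. Suggest rewording the row to something like "The Secret must have a `STORAGE_ACCESS_KEY` entry whose value is the object storage secret access key; that value must not change across chart upgrades, or the Cryostat components will be unable to initialize their connection to object storage."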
4 changes: 2 additions & 2 deletions charts/cryostat/templates/_helpers.tpl
Expand Up @@ -101,12 +101,12 @@ Get or generate a default encryption key for database.
Get or generate a default secret key for object storage.
*/}}
{{- define "cryostat.objectStorageSecretKey" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage" .Release.Name)) -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace ( default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName )) -}}
{{- if $secret -}}
{{/*
Use current secret. Do not regenerate.
*/}}
{{- $secret.data.SECRET_KEY -}}
{{- $secret.data.STORAGE_ACCESS_KEY -}}
{{- else -}}
{{/*
Generate new secret
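Review bot: the `lookup` on the changed line now targets `<release>-storage-secret`, so on an already deployed release the previously generated Secret `<release>-storage` is never found and a fresh key is generated on the first upgrade, which is exactly the initialization failure the new value description warns users about. Either also look up the legacy `printf "%s-storage" .Release.Name` name and reuse its `SECRET_KEY` value when the new name is absent, or document a migration step (copy the existing value into a user-managed Secret and set `storage.storageSecretName` before upgrading) in the commit message and README.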
4 changes: 2 additions & 2 deletions charts/cryostat/templates/cryostat_deployment.yaml
Expand Up @@ -82,8 +82,8 @@ spec:
- name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ printf "%s-storage" .Release.Name }}
key: SECRET_KEY
name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }}
key: STORAGE_ACCESS_KEY
optional: false
- name: AWS_SECRET_ACCESS_KEY
value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY)
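Review bot: the Secret entry is named `STORAGE_ACCESS_KEY` but, as the surrounding lines show, it feeds `QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY` and then `AWS_SECRET_ACCESS_KEY`, i.e. the secret half of an S3 credential pair, whereas in S3 terminology the "access key" is the public key ID. Users building their own Secret for `storage.storageSecretName` are likely to put the wrong half under this name; consider `STORAGE_SECRET_ACCESS_KEY` (a suggested name, not one the chart uses today) or at least spell out in the value description that this is the secret access key, not the access key ID.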
4 changes: 2 additions & 2 deletions charts/cryostat/templates/storage_deployment.yaml
Expand Up @@ -43,8 +43,8 @@ spec:
- name: CRYOSTAT_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ printf "%s-storage" .Release.Name }}
key: SECRET_KEY
name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }}
key: STORAGE_ACCESS_KEY
optional: false
- name: DATA_DIR
value: /data
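Review bot: the expression `default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName` on the changed `name:` line is now repeated verbatim here, in `cryostat_deployment.yaml` and in the `lookup` in `_helpers.tpl`; this commit itself had to change all three in step. Factoring it into a named template (for example `cryostat.storageSecretName`, a suggested name) and including it at each site would keep the generated Secret, its consumers and the lookup from drifting apart in a future rename.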
6 changes: 4 additions & 2 deletions charts/cryostat/templates/storage_secret.yaml
@@ -1,7 +1,9 @@
{{- if empty .Values.storage.storageSecretName -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-storage
name: {{ .Release.Name }}-storage-secret
type: Opaque
data:
SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }}
STORAGE_ACCESS_KEY: {{ include "cryostat.objectStorageSecretKey" . }}
{{- end -}}
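Review bot: the value description recommends marking the storage Secret immutable, yet the chart-generated Secret in this file does not set `immutable: true`. Since `cryostat.objectStorageSecretKey` already reuses the existing value via `lookup`, an upgrade never needs to change `data`, so adding `immutable: true` under the `type: Opaque` line would enforce the recommendation for the default path as well; the trade-off to document is that rotating the key then requires deleting the Secret rather than editing it, which matches the "must not be updated" guidance.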
2 changes: 1 addition & 1 deletion charts/cryostat/tests/cookie_secret_test.yaml
Expand Up @@ -21,7 +21,7 @@ tests:

- it: should not create a cookie secret if authentication.cookieSecretName is set
set:
authentication.cookieSecretName: "custom-cookie-secret-secret"
authentication.cookieSecretName: "custom-cookie-secret"
asserts:
- hasDocuments:
count: 0
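Review bot: the change from `"custom-cookie-secret-secret"` to `"custom-cookie-secret"` is a harmless test-fixture cleanup, but it is unrelated to the storage access key feature named in the commit message; it would be easier to bisect and review as its own commit, or at least mentioned in the message.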
4 changes: 2 additions & 2 deletions charts/cryostat/tests/cryostat_deployment_test.yaml
Expand Up @@ -112,8 +112,8 @@ tests:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY')].valueFrom.secretKeyRef
value:
key: "SECRET_KEY"
name: "RELEASE-NAME-storage"
key: "STORAGE_ACCESS_KEY"
name: "RELEASE-NAME-storage-secret"
optional: false
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_SECRET_ACCESS_KEY')].value
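Review bot: the updated assertion only covers the default name `RELEASE-NAME-storage-secret`; nothing in this file (or in `storage_deployment_test.yaml`) exercises the new branch where `storage.storageSecretName` is set. Suggest adding a test that sets `storage.storageSecretName: "custom-storage-secret"` and asserts `secretKeyRef.name` equals `custom-storage-secret` for the `QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY` env var, mirroring the negative test added to `storage_secret_test.yaml`.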
4 changes: 2 additions & 2 deletions charts/cryostat/tests/storage_deployment_test.yaml
Expand Up @@ -71,8 +71,8 @@ tests:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_SECRET_KEY')].valueFrom.secretKeyRef
value:
name: "RELEASE-NAME-storage"
key: "SECRET_KEY"
name: "RELEASE-NAME-storage-secret"
key: "STORAGE_ACCESS_KEY"
optional: false
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='DATA_DIR')].value
11 changes: 9 additions & 2 deletions charts/cryostat/tests/storage_secret_test.yaml
Expand Up @@ -12,9 +12,16 @@ tests:
value: Secret
- equal:
path: metadata.name
value: RELEASE-NAME-storage
value: RELEASE-NAME-storage-secret
- equal:
path: type
value: Opaque
- exists:
path: data.SECRET_KEY
path: data.STORAGE_ACCESS_KEY

- it: should not create a storage secret if storage.storageSecretName is set
set:
storage.storageSecretName: "custom-storage-secret"
asserts:
- hasDocuments:
count: 0
5 changes: 5 additions & 0 deletions charts/cryostat/values.schema.json
Expand Up @@ -334,6 +334,11 @@
"storage": {
"type": "object",
"properties": {
"storageSecretName": {
"type": "string",
"description": "Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable",
"default": ""
},
"securityContext": {
"type": "object",
"properties": {
2 changes: 2 additions & 0 deletions charts/cryostat/values.yaml
Expand Up @@ -115,6 +115,8 @@ db:
## @section Storage Container
## @extra storage Configuration for Cryostat's object storage provider
storage:
## @param storage.storageSecretName Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable
storageSecretName: ""
image:
## @param storage.image.repository Repository for the storage container image
repository: "quay.io/cryostat/cryostat-storage"
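Review bot: the `@param` description added here is the same sentence that appears in `values.schema.json` and in the README table; given the `@section`/`@param`/`@extra` annotations, the README row appears to be generated from this comment, so any wording fix (the "STORAGE_ACCESS_KEY secret" phrasing, and that the value is the secret access key rather than the access key ID) should be made here and regenerated, with the schema `description` kept in sync, rather than edited in three places independently.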