diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 69b8b7be..f50b4bd2 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -100,17 +100,18 @@ helm install cryostat ./charts/cryostat ### Storage Container -| Name | Description | Value | -| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `storage` | Configuration for Cryostat's object storage provider | | -| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | -| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | -| `storage.image.tag` | Tag for the storage container image | `latest` | -| `storage.service.type` | Type of Service to create for the object storage | `ClusterIP` | -| `storage.service.port` | Port number to expose on the Service | `8333` | -| `storage.resources.requests.cpu` | CPU resource request for the object storage container. | `50m` | -| `storage.resources.requests.memory` | Memory resource request for the object storage container. | `256Mi` | -| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | +| Name | Description | Value | +| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `storage` | Configuration for Cryostat's object storage provider | | +| `storage.storageSecretName` | Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` | +| `storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` | +| `storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` | +| `storage.image.tag` | Tag for the storage container image | `latest` | +| `storage.service.type` | Type of Service to create for the object storage | `ClusterIP` | +| `storage.service.port` | Port number to expose on the Service | `8333` | +| `storage.resources.requests.cpu` | CPU resource request for the object storage container. 
| `50m` | +| `storage.resources.requests.memory` | Memory resource request for the object storage container. | `256Mi` | +| `storage.securityContext` | Security Context for the storage container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) | `{}` | ### Grafana Container diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 24326048..1542458f 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl @@ -101,12 +101,12 @@ Get or generate a default encryption key for database. Get or generate a default secret key for object storage. */}} {{- define "cryostat.objectStorageSecretKey" -}} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage" .Release.Name)) -}} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace ( default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName )) -}} {{- if $secret -}} {{/* Use current secret. Do not regenerate. */}} -{{- $secret.data.SECRET_KEY -}} +{{- $secret.data.STORAGE_ACCESS_KEY -}} {{- else -}} {{/* Generate new secret diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index 9e060365..47965dc9 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml 
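Review bot: Renaming the looked-up Secret from `%s-storage`/`SECRET_KEY` to `%s-storage-secret`/`STORAGE_ACCESS_KEY` means that on `helm upgrade` of an existing release the `lookup` in the new `$secret :=` line finds nothing and `cryostat.objectStorageSecretKey` generates a fresh key, which is exactly the key change the new `storageSecretName` description says the components cannot survive. A migration fallback would avoid that: add `{{- $legacy := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage" .Release.Name)) -}}` and, when `$secret` is empty but the legacy Secret's `SECRET_KEY` is set, emit that value instead of generating a new one. The same rename appears in storage_secret.yaml, cryostat_deployment.yaml and storage_deployment.yaml; if it is intentional, the upgrade notes should call out that existing installs get a rotated key. Because storage_secret.yaml is now skipped whenever `storageSecretName` is set, the `default ... .Values.storage.storageSecretName` added to this lookup can only ever resolve to the generated name, which deserves a short comment such as `{{/* storageSecretName is always empty here: the caller is gated on it */}}` or removal. The define's body continues outside the hunk.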
@@ -82,8 +82,8 @@ spec: - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY valueFrom: secretKeyRef: - name: {{ printf "%s-storage" .Release.Name }} - key: SECRET_KEY + name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }} + key: STORAGE_ACCESS_KEY optional: false - name: AWS_SECRET_ACCESS_KEY value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY) diff --git a/charts/cryostat/templates/storage_deployment.yaml b/charts/cryostat/templates/storage_deployment.yaml index 2dd42ee2..2997b62a 100644 --- a/charts/cryostat/templates/storage_deployment.yaml +++ b/charts/cryostat/templates/storage_deployment.yaml @@ -43,8 +43,8 @@ spec: - name: CRYOSTAT_SECRET_KEY valueFrom: secretKeyRef: - name: {{ printf "%s-storage" .Release.Name }} - key: SECRET_KEY + name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }} + key: STORAGE_ACCESS_KEY optional: false - name: DATA_DIR value: /data diff --git a/charts/cryostat/templates/storage_secret.yaml b/charts/cryostat/templates/storage_secret.yaml index b17a18e3..12c6e012 100644 --- a/charts/cryostat/templates/storage_secret.yaml +++ b/charts/cryostat/templates/storage_secret.yaml @@ -1,7 +1,9 @@ +{{- if empty .Values.storage.storageSecretName -}} apiVersion: v1 kind: Secret metadata: - name: {{ .Release.Name }}-storage + name: {{ .Release.Name }}-storage-secret type: Opaque data: - SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }} + STORAGE_ACCESS_KEY: {{ include "cryostat.objectStorageSecretKey" . }} +{{- end -}} diff --git a/charts/cryostat/tests/cookie_secret_test.yaml b/charts/cryostat/tests/cookie_secret_test.yaml index d7b58e2e..9908f447 100644 --- a/charts/cryostat/tests/cookie_secret_test.yaml +++ b/charts/cryostat/tests/cookie_secret_test.yaml 
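Review bot: When `storage.storageSecretName` is set, the `{{- if empty .Values.storage.storageSecretName -}}` gate on the first line of storage_secret.yaml drops the chart-managed Secret, but nothing checks that the referenced Secret exists or carries a `STORAGE_ACCESS_KEY` entry; with `optional: false` on the `secretKeyRef` in both deployments the failure surfaces only as pods stuck in CreateContainerConfigError after install. A render-time check in an `else` branch of that gate would fail fast: `{{- $s := lookup "v1" "Secret" .Release.Namespace .Values.storage.storageSecretName -}}` followed by `{{- if and (not (empty $s)) (not (hasKey $s.data "STORAGE_ACCESS_KEY")) }}{{ fail "storage.storageSecretName must contain STORAGE_ACCESS_KEY" }}{{ end -}}`, keeping in mind that `lookup` returns an empty map under `helm template`, so only a live install can enforce it. Given the new description recommends marking the user-supplied Secret immutable, it may also be worth considering `immutable: true` on the chart-generated Secret, since the helper already preserves its data across upgrades.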
@@ -21,7 +21,7 @@ tests: - it: should not create a cookie secret if authentication.cookieSecretName is set set: - authentication.cookieSecretName: "custom-cookie-secret-secret" + authentication.cookieSecretName: "custom-cookie-secret" asserts: - hasDocuments: count: 0 diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml index 5fb35745..cb7bfe08 100644 --- a/charts/cryostat/tests/cryostat_deployment_test.yaml +++ b/charts/cryostat/tests/cryostat_deployment_test.yaml @@ -112,8 +112,8 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY')].valueFrom.secretKeyRef value: - key: "SECRET_KEY" - name: "RELEASE-NAME-storage" + key: "STORAGE_ACCESS_KEY" + name: "RELEASE-NAME-storage-secret" optional: false - equal: path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_SECRET_ACCESS_KEY')].value diff --git a/charts/cryostat/tests/storage_deployment_test.yaml b/charts/cryostat/tests/storage_deployment_test.yaml index 735f61c0..4fa39583 100644 --- a/charts/cryostat/tests/storage_deployment_test.yaml +++ b/charts/cryostat/tests/storage_deployment_test.yaml @@ -71,8 +71,8 @@ tests: - equal: path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_SECRET_KEY')].valueFrom.secretKeyRef value: - name: "RELEASE-NAME-storage" - key: "SECRET_KEY" + name: "RELEASE-NAME-storage-secret" + key: "STORAGE_ACCESS_KEY" optional: false - equal: path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='DATA_DIR')].value diff --git a/charts/cryostat/tests/storage_secret_test.yaml b/charts/cryostat/tests/storage_secret_test.yaml index 0ef4f95f..272dfd4a 100644 --- a/charts/cryostat/tests/storage_secret_test.yaml +++ b/charts/cryostat/tests/storage_secret_test.yaml 
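Review bot: The deployment tests are updated only for the default secret name; neither cryostat_deployment_test.yaml nor storage_deployment_test.yaml exercises the new `storage.storageSecretName` override, so a regression in the `default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName` expression in either deployment would still pass CI, while storage_secret_test.yaml does get an override case. A parallel case in each deployment test would close the gap: set `storage.storageSecretName: "custom-storage-secret"` and assert that the `secretKeyRef` equals `name: "custom-storage-secret"` with `key: "STORAGE_ACCESS_KEY"` and `optional: false`. The `tests:` lists continue outside these hunks.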
@@ -12,9 +12,16 @@ tests: value: Secret - equal: path: metadata.name - value: RELEASE-NAME-storage + value: RELEASE-NAME-storage-secret - equal: path: type value: Opaque - exists: - path: data.SECRET_KEY + path: data.STORAGE_ACCESS_KEY + + - it: should not create a storage secret if storage.storageSecretName is set + set: + storage.storageSecretName: "custom-storage-secret" + asserts: + - hasDocuments: + count: 0 diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index a3ed336c..816dab36 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -334,6 +334,11 @@ "storage": { "type": "object", "properties": { + "storageSecretName": { + "type": "string", + "description": "Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable", + "default": "" + }, "securityContext": { "type": "object", "properties": { diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index c26a7f8f..102aa70a 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -115,6 +115,8 @@ db: ## @section Storage Container ## @extra storage Configuration for Cryostat's object storage provider storage: + ## @param storage.storageSecretName Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable + storageSecretName: "" image: ## @param storage.image.repository Repository for the storage container image repository: "quay.io/cryostat/cryostat-storage"