

feat(secrets): enable user-supplied storage and authproxy secrets (#189)
andrewazores authored Sep 18, 2024
1 parent 8cb9660 commit 9734a59
Showing 16 changed files with 112 additions and 48 deletions.
46 changes: 24 additions & 22 deletions charts/cryostat/README.md


4 changes: 2 additions & 2 deletions charts/cryostat/templates/_helpers.tpl
Expand Up @@ -101,12 +101,12 @@ Get or generate a default encryption key for database.
Get or generate a default secret key for object storage.
*/}}
{{- define "cryostat.objectStorageSecretKey" -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage" .Release.Name)) -}}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage-secret" .Release.Name)) -}}
{{- if $secret -}}
{{/*
Use current secret. Do not regenerate.
*/}}
{{- $secret.data.SECRET_KEY -}}
{{- $secret.data.STORAGE_ACCESS_KEY -}}
{{- else -}}
{{/*
Generate new secret
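Review bot: The lookup on the new side only checks for the Secret named `<release>-storage-secret`, so upgrading a release installed with the previous chart — whose generated Secret was `<release>-storage` with key `SECRET_KEY` — finds nothing and falls through to the generate branch, producing a fresh access key rather than preserving the existing one; Helm would normally also remove the old `-storage` Secret since it is no longer rendered. Both consumers read the new Secret so they stay in agreement with each other, but whether object-storage state tied to the old credential survives is not visible here and deserves either a fallback or an upgrade note in the README. A fallback would add `{{- $legacy := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage" .Release.Name)) -}}` and an `{{- else if $legacy -}}` branch emitting `{{- $legacy.data.SECRET_KEY -}}` before the generate branch; the same rename applies to storage_secret.yaml. The define's generate branch continues past the hunk.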
2 changes: 1 addition & 1 deletion charts/cryostat/templates/_oauth2Proxy.tpl
Expand Up @@ -15,7 +15,7 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-cookie-secret
name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }}
key: COOKIE_SECRET
optional: false
- name: OAUTH2_PROXY_EMAIL_DOMAINS
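Review bot: The user-supplied `.Values.authentication.cookieSecretName` is emitted into `secretKeyRef.name` as a plain scalar, so a value YAML would retype (an all-digit name, or one containing `: ` or ` #`) renders as a non-string and is rejected by the API server rather than by the chart. Piping the whole expression through `quote` avoids that: `name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName | quote }}`. The identical line in _openshiftOauthProxy.tpl, and the `.Values.storage.storageSecretName` lines in cryostat_deployment.yaml and storage_deployment.yaml, have the same exposure. The container definition this env entry belongs to starts and ends outside the hunk.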
2 changes: 1 addition & 1 deletion charts/cryostat/templates/_openshiftOauthProxy.tpl
Expand Up @@ -10,7 +10,7 @@ Create OpenShift OAuth Proxy container.
- name: COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ .Release.Name }}-cookie-secret
name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }}
key: COOKIE_SECRET
optional: false
args:
4 changes: 4 additions & 0 deletions charts/cryostat/templates/cookie_secret.yaml
@@ -1,7 +1,11 @@
{{- if empty .Values.authentication.cookieSecretName -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-cookie-secret
labels:
{{- include "cryostat.labels" $ | nindent 4 }}
type: Opaque
data:
COOKIE_SECRET: {{ include "cryostat.cookieSecret" . }}
{{- end -}}
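Review bot: The chart-generated cookie Secret has no `immutable: true`, while db_secret.yaml in this same commit sets it and the new `cookieSecretName` description tells users to mark their own Secret immutable; adding `immutable: true` after `type: Opaque` gives the default Secret the same protection against an accidental edit that would invalidate every session. storage_secret.yaml has the same gap. Flipping an existing mutable Secret to immutable is accepted by the API as long as its data is unchanged, which presumably holds here if `cryostat.cookieSecret` (not shown) preserves the current value via `lookup` the way the storage helper does — worth confirming before relying on it.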
4 changes: 2 additions & 2 deletions charts/cryostat/templates/cryostat_deployment.yaml
Expand Up @@ -84,8 +84,8 @@ spec:
- name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ printf "%s-storage" .Release.Name }}
key: SECRET_KEY
name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }}
key: STORAGE_ACCESS_KEY
optional: false
- name: AWS_SECRET_ACCESS_KEY
value: $(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY)
2 changes: 2 additions & 0 deletions charts/cryostat/templates/db_secret.yaml
Expand Up @@ -3,6 +3,8 @@ apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-db
labels:
{{- include "cryostat.labels" $ | nindent 4 }}
type: Opaque
immutable: true
data:
4 changes: 2 additions & 2 deletions charts/cryostat/templates/storage_deployment.yaml
Expand Up @@ -43,8 +43,8 @@ spec:
- name: CRYOSTAT_SECRET_KEY
valueFrom:
secretKeyRef:
name: {{ printf "%s-storage" .Release.Name }}
key: SECRET_KEY
name: {{ default (printf "%s-storage-secret" .Release.Name) .Values.storage.storageSecretName }}
key: STORAGE_ACCESS_KEY
optional: false
- name: DATA_DIR
value: /data
8 changes: 6 additions & 2 deletions charts/cryostat/templates/storage_secret.yaml
@@ -1,7 +1,11 @@
{{- if empty .Values.storage.storageSecretName -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-storage
name: {{ .Release.Name }}-storage-secret
labels:
{{- include "cryostat.labels" $ | nindent 4 }}
type: Opaque
data:
SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }}
STORAGE_ACCESS_KEY: {{ include "cryostat.objectStorageSecretKey" . }}
{{- end -}}
15 changes: 15 additions & 0 deletions charts/cryostat/tests/cookie_secret_test.yaml
Expand Up @@ -18,3 +18,18 @@ tests:
value: Opaque
- exists:
path: data.COOKIE_SECRET
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cryostat
app.kubernetes.io/version: 4.0.0-dev
helm.sh/chart: cryostat-2.0.0-dev

- it: should not create a cookie secret if authentication.cookieSecretName is set
set:
authentication.cookieSecretName: "custom-cookie-secret"
asserts:
- hasDocuments:
count: 0
4 changes: 2 additions & 2 deletions charts/cryostat/tests/cryostat_deployment_test.yaml
Expand Up @@ -115,8 +115,8 @@ tests:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY')].valueFrom.secretKeyRef
value:
key: "SECRET_KEY"
name: "RELEASE-NAME-storage"
key: "STORAGE_ACCESS_KEY"
name: "RELEASE-NAME-storage-secret"
optional: false
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='AWS_SECRET_ACCESS_KEY')].value
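Review bot: The updated assertion only pins the default Secret name; nothing in this test (or in storage_deployment_test.yaml) renders the Deployment with `storage.storageSecretName` set and checks that `secretKeyRef.name` follows the override, which is the new behaviour this commit introduces. The override path is currently covered only indirectly by the `hasDocuments: count: 0` cases in the secret tests, which show the chart's own Secret is suppressed but not that the workloads point at the replacement. A case like the one below in both deployment tests would close that gap; the proxy templates that consume `authentication.cookieSecretName` deserve the same. The `tests:` list this case belongs to starts outside the hunk.
```yaml
  # … unchanged: existing default-name assertions …
  - it: should reference the user-supplied storage secret when storage.storageSecretName is set
    set:
      storage.storageSecretName: "custom-storage-secret"
    asserts:
      - equal:
          path: spec.template.spec.containers[?(@.name=='cryostat')].env[?(@.name=='QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY')].valueFrom.secretKeyRef.name
          value: "custom-storage-secret"
```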
8 changes: 8 additions & 0 deletions charts/cryostat/tests/db_secret_test.yaml
Expand Up @@ -22,6 +22,14 @@ tests:
path: data.ENCRYPTION_KEY
- exists:
path: data.CONNECTION_KEY
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cryostat
app.kubernetes.io/version: 4.0.0-dev
helm.sh/chart: cryostat-2.0.0-dev

- it: should not create a database secret if core.databaseSecretName is set
set:
4 changes: 2 additions & 2 deletions charts/cryostat/tests/storage_deployment_test.yaml
Expand Up @@ -71,8 +71,8 @@ tests:
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='CRYOSTAT_SECRET_KEY')].valueFrom.secretKeyRef
value:
name: "RELEASE-NAME-storage"
key: "SECRET_KEY"
name: "RELEASE-NAME-storage-secret"
key: "STORAGE_ACCESS_KEY"
optional: false
- equal:
path: spec.template.spec.containers[?(@.name=='cryostat-storage')].env[?(@.name=='DATA_DIR')].value
19 changes: 17 additions & 2 deletions charts/cryostat/tests/storage_secret_test.yaml
Expand Up @@ -12,9 +12,24 @@ tests:
value: Secret
- equal:
path: metadata.name
value: RELEASE-NAME-storage
value: RELEASE-NAME-storage-secret
- equal:
path: type
value: Opaque
- exists:
path: data.SECRET_KEY
path: data.STORAGE_ACCESS_KEY
- equal:
path: metadata.labels
value:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: cryostat
app.kubernetes.io/version: 4.0.0-dev
helm.sh/chart: cryostat-2.0.0-dev

- it: should not create a storage secret if storage.storageSecretName is set
set:
storage.storageSecretName: "custom-storage-secret"
asserts:
- hasDocuments:
count: 0
20 changes: 15 additions & 5 deletions charts/cryostat/values.schema.json
Expand Up @@ -154,7 +154,7 @@
"properties": {
"cpu": {
"type": "string",
"description": "CPU resource request for the Cryostat container.",
"description": "CPU resource request for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
"default": "500m"
},
"memory": {
Expand Down Expand Up @@ -317,7 +317,7 @@
"properties": {
"cpu": {
"type": "string",
"description": "CPU resource request for the database container.",
"description": "CPU resource request for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
"default": "25m"
},
"memory": {
Expand All @@ -334,6 +334,11 @@
"storage": {
"type": "object",
"properties": {
"storageSecretName": {
"type": "string",
"description": "Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable",
"default": ""
},
"securityContext": {
"type": "object",
"properties": {
Expand Down Expand Up @@ -402,7 +407,7 @@
"properties": {
"cpu": {
"type": "string",
"description": "CPU resource request for the object storage container.",
"description": "CPU resource request for the object storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
"default": "50m"
},
"memory": {
Expand Down Expand Up @@ -487,7 +492,7 @@
"properties": {
"cpu": {
"type": "string",
"description": "CPU resource request for the Grafana container.",
"description": "CPU resource request for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
"default": "25m"
},
"memory": {
Expand Down Expand Up @@ -557,7 +562,7 @@
"properties": {
"cpu": {
"type": "string",
"description": "CPU resource request for the JFR Data Source container.",
"description": "CPU resource request for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)",
"default": "200m"
},
"memory": {
Expand Down Expand Up @@ -644,6 +649,11 @@
"authentication": {
"type": "object",
"properties": {
"cookieSecretName": {
"type": "string",
"description": "Name of the secret containing the authenticating proxy cookie encryption key. This secret must contain a COOKIE_SECRET secret which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable",
"default": ""
},
"openshift": {
"type": "object",
"properties": {
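Review bot: The two new descriptions say the Secret "must contain a STORAGE_ACCESS_KEY secret" / "a COOKIE_SECRET secret", which reads as a nested Secret; what is required is a data key, so `This secret must contain a STORAGE_ACCESS_KEY data key holding the object storage secret access key.` (and the COOKIE_SECRET counterpart) is clearer. Neither description says what format or length the consuming component expects for a user-generated value — the cookie encryption key in particular is passed straight to the auth proxy, and if that proxy imposes a key-length constraint, stating it here would save users a pod that fails to start. The same text is duplicated in the `## @param` comments in values.yaml, so both copies should change together.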
14 changes: 9 additions & 5 deletions charts/cryostat/values.yaml
Expand Up @@ -50,7 +50,7 @@ core:
destinationCACertificate: ""
resources:
requests:
## @param core.resources.requests.cpu CPU resource request for the Cryostat container.
## @param core.resources.requests.cpu CPU resource request for the Cryostat container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
cpu: 500m
## @param core.resources.requests.memory Memory resource request for the Cryostat container.
memory: 384Mi
Expand Down Expand Up @@ -99,7 +99,7 @@ db:
port: 5432
resources:
requests:
## @param db.resources.requests.cpu CPU resource request for the database container.
## @param db.resources.requests.cpu CPU resource request for the database container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
cpu: 25m
## @param db.resources.requests.memory Memory resource request for the database container.
memory: 64Mi
Expand All @@ -115,6 +115,8 @@ db:
## @section Storage Container
## @extra storage Configuration for Cryostat's object storage provider
storage:
## @param storage.storageSecretName Name of the secret containing the object storage secret access key. This secret must contain a STORAGE_ACCESS_KEY secret which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable
storageSecretName: ""
image:
## @param storage.image.repository Repository for the storage container image
repository: "quay.io/cryostat/cryostat-storage"
Expand All @@ -129,7 +131,7 @@ storage:
port: 8333
resources:
requests:
## @param storage.resources.requests.cpu CPU resource request for the object storage container.
## @param storage.resources.requests.cpu CPU resource request for the object storage container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
cpu: 50m
## @param storage.resources.requests.memory Memory resource request for the object storage container.
memory: 256Mi
Expand Down Expand Up @@ -159,7 +161,7 @@ grafana:
port: 3000
resources:
requests:
## @param grafana.resources.requests.cpu CPU resource request for the Grafana container.
## @param grafana.resources.requests.cpu CPU resource request for the Grafana container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
cpu: 25m
## @param grafana.resources.requests.memory Memory resource request for the Grafana container.
memory: 80Mi
Expand All @@ -184,7 +186,7 @@ datasource:
tag: "latest"
resources:
requests:
## @param datasource.resources.requests.cpu CPU resource request for the JFR Data Source container.
## @param datasource.resources.requests.cpu CPU resource request for the JFR Data Source container. See: [ResourceRequirements](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources)
cpu: 200m
## @param datasource.resources.requests.memory Memory resource request for the JFR Data Source container.
memory: 200Mi
Expand All @@ -200,6 +202,8 @@ datasource:
## @section Authentication

authentication:
## @param authentication.cookieSecretName Name of the secret containing the authenticating proxy cookie encryption key. This secret must contain a COOKIE_SECRET secret which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable
cookieSecretName: ""
openshift:
## @param authentication.openshift.enabled Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one.
enabled: false
