authorchemicstry <chemicstry@gmail.com>2022-06-20 18:49:38 +0300
committerMaximilien R <maximilien@deuxfleurs.fr>2022-09-30 18:46:57 +0200
commitb71fa2ddf45e21f40067fc021b3a81d738556eca (patch)
treea3ab91563a4177950420c869cfd0d7cc6df2c6b0
parent37a73d7d3782ec8a5cd8b0e71a00722f90321ced (diff)
Generate random RPC secret if not provided
-rw-r--r--script/helm/garage/templates/_helpers.tpl26
-rw-r--r--script/helm/garage/templates/configmap.yaml3
-rw-r--r--script/helm/garage/templates/secret.yaml14
-rw-r--r--script/helm/garage/templates/statefulset.yaml21
-rw-r--r--script/helm/garage/values.yaml3
5 files changed, 64 insertions, 3 deletions
diff --git a/script/helm/garage/templates/_helpers.tpl b/script/helm/garage/templates/_helpers.tpl
index 1a651f47..037a5f1c 100644
--- a/script/helm/garage/templates/_helpers.tpl
+++ b/script/helm/garage/templates/_helpers.tpl
@@ -24,6 +24,13 @@ If release name contains chart name it will be used as a full name.
{{- end }}
{{/*
+Create the name of the rpc secret
+*/}}
+{{- define "garage.rpcSecretName" -}}
+{{- printf "%s-rpc-secret" (include "garage.fullname" .) -}}
+{{- end }}
+
+{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "garage.chart" -}}
@@ -60,3 +67,22 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+ Returns given number of random Hex characters.
+ In practice, it generates up to 100 randAlphaNum strings
+ that are filtered from non-hex characters and augmented
+ to the resulting string that is finally trimmed down.
+*/}}
+{{- define "jupyterhub.randHex" -}}
+ {{- $result := "" }}
+ {{- range $i := until 100 }}
+ {{- if lt (len $result) . }}
+ {{- $rand_list := randAlphaNum . | splitList "" -}}
+ {{- $reduced_list := without $rand_list "g" "h" "i" "j" "k" "l" "m" "n" "o" "p" "q" "r" "s" "t" "u" "v" "w" "x" "y" "z" "A" "B" "C" "D" "E" "F" "G" "H" "I" "J" "K" "L" "M" "N" "O" "P" "Q" "R" "S" "T" "U" "V" "W" "X" "Y" "Z" }}
+ {{- $rand_string := join "" $reduced_list }}
+ {{- $result = print $result $rand_string -}}
+ {{- end }}
+ {{- end }}
+ {{- $result | trunc . }}
+{{- end }}
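Review bot: The new helper is defined as `jupyterhub.randHex` while every other define in this file carries the `garage.` prefix, so the name reveals the chart it was copied from and, because Helm template names are global across a chart and its subcharts, would clash with any chart that ships the original; rename it to `garage.randHex` and update the call in secret.yaml accordingly. The header comment speaks of a "given number" but the body reads that number from the dot context, which is only obvious once you see the caller, so adding `Usage: include "garage.randHex" 64` to the comment would help. The hex filtering is rejection-based and so does not bias the output, but the result is only as strong as `randAlphaNum`, which I believe is CSPRNG-backed in the Sprig version bundled with Helm 3 — worth confirming and recording in the comment, since this value becomes the cluster's RPC authentication secret.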
diff --git a/script/helm/garage/templates/configmap.yaml b/script/helm/garage/templates/configmap.yaml
index 587746f6..e33a4dbd 100644
--- a/script/helm/garage/templates/configmap.yaml
+++ b/script/helm/garage/templates/configmap.yaml
@@ -10,7 +10,8 @@ data:
replication_mode = "{{ .Values.garage.replicationMode }}"
rpc_bind_addr = "{{ .Values.garage.rpcBindAddr }}"
- rpc_secret = "{{ .Values.garage.rpcSecret }}"
+ # rpc_secret will be populated by the init container from a k8s secret object
+ rpc_secret = "__RPC_SECRET_REPLACE__"
bootstrap_peers = {{ .Values.garage.bootstrapPeers }}
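Review bot: `__RPC_SECRET_REPLACE__` is now a magic string that this file and the init container's sed expression in statefulset.yaml must agree on byte for byte; if either side is edited the substitution silently does nothing and the node either starts with the placeholder as its rpc_secret or refuses to start, depending on how garage validates the field. Defining it once, e.g. `{{- define "garage.rpcSecretPlaceholder" -}}__RPC_SECRET_REPLACE__{{- end }}` in _helpers.tpl, and including it in both places removes that coupling.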
diff --git a/script/helm/garage/templates/secret.yaml b/script/helm/garage/templates/secret.yaml
new file mode 100644
index 00000000..54749424
--- /dev/null
+++ b/script/helm/garage/templates/secret.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "garage.rpcSecretName" . }}
+ labels:
+ {{- include "garage.labels" . | nindent 4 }}
+type: Opaque
+data:
+ {{/* retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result */}}
+ {{- $prevSecret := (lookup "v1" "Secret" .Release.Namespace (include "garage.rpcSecretName" .)) | default dict }}
+ {{- $prevSecretData := $prevSecret.data | default dict }}
+ {{- $prevRpcSecret := $prevSecretData.rpcSecret | default "" | b64dec }}
+ {{/* Priority is: 1. from values, 2. previous value, 3. generate random */}}
+ rpcSecret: {{ .Values.garage.rpcSecret | default $prevRpcSecret | default (include "jupyterhub.randHex" 64) | b64enc | quote }}
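Review bot: `lookup` on the `$prevSecret` line returns an empty map whenever the chart is rendered without cluster access (`helm template`, `--dry-run`, and GitOps tools that render client-side), so with `garage.rpcSecret` left empty every such render mints a fresh random value and the Secret is effectively rotated on each apply; the chart should document that the "reuse the previous value" behaviour only holds for `helm install`/`helm upgrade` against the live cluster. The value taken from `.Values.garage.rpcSecret` reaches the Secret unvalidated, whereas the generated value and the previous default are plain hex, and the init container later splices it into a sed expression where `/`, `&` and `\` are interpreted; rejecting anything but hex here is the cheapest guard: `{{- if and .Values.garage.rpcSecret (not (regexMatch "^[0-9a-fA-F]+$" .Values.garage.rpcSecret)) }}` / `{{- fail "garage.rpcSecret must be a hex string" }}` / `{{- end }}` placed before the `rpcSecret:` line.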
diff --git a/script/helm/garage/templates/statefulset.yaml b/script/helm/garage/templates/statefulset.yaml
index 82fe89a9..bda40117 100644
--- a/script/helm/garage/templates/statefulset.yaml
+++ b/script/helm/garage/templates/statefulset.yaml
@@ -26,6 +26,23 @@ spec:
serviceAccountName: {{ include "garage.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
+ initContainers:
+ # Copies garage.toml from configmap to temporary etc volume and replaces RPC secret placeholder
+ - name: {{ .Chart.Name }}-init
+ image: busybox:1.28
+ command: ["sh", "-c", "sed \"s/__RPC_SECRET_REPLACE__/$RPC_SECRET/\" /mnt/garage.toml > /mnt/etc/garage.toml"]
+ env:
+ - name: RPC_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "garage.rpcSecretName" . }}
+ key: rpcSecret
+ volumeMounts:
+ - name: configmap
+ mountPath: /mnt/garage.toml
+ subPath: garage.toml
+ - name: etc
+ mountPath: /mnt/etc
containers:
- name: {{ .Chart.Name }}
securityContext:
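Review bot: The init container's `sed \"s/__RPC_SECRET_REPLACE__/$RPC_SECRET/\"` expands the secret into the sed expression unescaped, so a value containing `/` terminates the expression (sed errors and the pod never starts), `&` is replaced by the matched text and `\` sequences are interpreted; the generated hex value is safe, but nothing in the chart constrains a user-supplied `garage.rpcSecret` to hex. The least fragile fix is to stop interpreting the value at all — have awk splice it in from the environment as a literal, as below — or, failing that, validate it against `^[0-9a-fA-F]+$` in secret.yaml. Separately, `busybox:1.28` is hard-coded; exposing the image through values lets operators substitute a mirrored or digest-pinned one. The pod spec this sits in continues outside the hunk.
```yaml
      - name: {{ .Chart.Name }}-init
        image: busybox:1.28
        # awk inserts the secret verbatim; sed would re-interpret '/', '&' and '\' in it
        command:
          - sh
          - -c
          - awk '{ i = index($0, "__RPC_SECRET_REPLACE__"); if (i) $0 = substr($0, 1, i - 1) ENVIRON["RPC_SECRET"] substr($0, i + 22) } 1' /mnt/garage.toml > /mnt/etc/garage.toml
        # … unchanged: env, volumeMounts …
```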
@@ -57,9 +74,11 @@ spec:
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
- - name: etc
+ - name: configmap
configMap:
name: {{ include "garage.fullname" . }}-config
+ - name: etc
+ emptyDir: {}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
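Review bot: The `etc` volume that receives the rendered garage.toml, which now holds the RPC secret in clear text, is a default `emptyDir: {}` and so is backed by the node's disk; `emptyDir: {medium: Memory}` keeps it in tmpfs like the Secret it was derived from, at the cost of counting against the pod's memory limit. The pod spec continues outside the hunk.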
diff --git a/script/helm/garage/values.yaml b/script/helm/garage/values.yaml
index 06cf9d16..d011f63e 100644
--- a/script/helm/garage/values.yaml
+++ b/script/helm/garage/values.yaml
@@ -8,7 +8,8 @@ garage:
dataDir: "/mnt/data"
replicationMode: "3"
rpcBindAddr: "[::]:3901"
- rpcSecret: "1799bccfd7411eddcf9ebd316bc1f5287ad12a68094e1c6ac6abde7e6feae1ec"
+ # If not given, a random secret will be generated
+ rpcSecret: ""
bootstrapPeers: []
kubernetesSkipCrd: false
s3:
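Review bot: The comment `# If not given, a random secret will be generated` does not say where the generated value ends up or what shape an explicit one must have, which is what an operator reading values.yaml needs. Something like `# If empty, a random hex secret is generated and stored in the <fullname>-rpc-secret Secret; it is reused on upgrades when Helm can read that Secret from the cluster. An explicit value should be a hex string.` would cover both, with the reuse caveat hedged because it depends on the render having cluster access.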