feat: add flag to control execution of secret generation job and allo… (#56)

* feat: add flag to control execution of secret generation job and allow for manual creation

* run pre-commit

---------

Co-authored-by: Ore Olarewaju <ore.olarewaju@aleph-alpha.com>

Author: tobias-pfaffelmoser-aa

helm/README.md

@@ -159,4 +159,3 @@ spec:
         runAsUser: 1001
         fsGroup: 1001
 {{- end }}
-

helm/qs-minio/templates/_helpers.tpl

@@ -13,7 +13,7 @@ metadata:
 data:
   create-secrets.sh: |
     #!/bin/bash
-    
+
     # Set error handling
     [[ "${FAIL_ON_ERROR}" == "true" ]] && set -e
 
@@ -67,17 +67,17 @@ data:
         local endpoint_url=$2
         local username=$3
         local user_key=$4
-        
+
         local existing_endpoint=$(kubectl get secret "$secret_name" -o jsonpath='{.data.endpointUrl}' 2>/dev/null | base64 -d)
         local existing_username=$(kubectl get secret "$secret_name" -o jsonpath="{.data.$user_key}" 2>/dev/null | base64 -d)
         local existing_minio_label=$(kubectl get secret "$secret_name" -o jsonpath='{.metadata.labels.qs-minio/instance}' 2>/dev/null)
-        
+
         local needs_update=false
-        
+
         if [[ "$existing_endpoint" != "$endpoint_url" ]]; then print_warning "Endpoint URL changed: '$existing_endpoint' -> '$endpoint_url'" >&2; needs_update=true; fi
         if [[ "$existing_username" != "$username" ]]; then print_warning "Username changed or missing: '$existing_username' -> '$username'" >&2; needs_update=true; fi
         if [[ "$existing_minio_label" != "${INSTANCE_NAME}" ]]; then print_warning "Instance label changed" >&2; needs_update=true; fi
-        
+
         echo "$needs_update"
     }
 
@@ -91,14 +91,14 @@ data:
         local password_key=$6
         local action=$7
         local bucket=$8  # Optional bucket parameter
-        
+
         local base_args="--from-literal=$user_key=$username --from-literal=$password_key=$password --from-literal=endpointUrl=$host"
-        
+
         # Add bucket if specified
         if [[ -n "$bucket" ]]; then
             base_args="$base_args --from-literal=bucket=$bucket"
         fi
-        
+
         if kubectl create secret generic "$secret_name" $base_args --dry-run=client -o yaml | \
            kubectl label --local -f - app.kubernetes.io/name="${APP_NAME}" qs-minio/instance="${INSTANCE_NAME}" -o yaml | \
            kubectl apply -f - > /dev/null 2>&1; then
@@ -118,49 +118,49 @@ data:
             return 1
         fi
     }
-    
+
     # Parse bucket name from bucket specification (removes policy suffix)
     # Format can be: "bucket-name" or "bucket-name:policy"
     parse_bucket_name() {
         local bucket_spec=$1
         echo "${bucket_spec%%:*}"
     }
-    
+
     # Create per-bucket secrets
     create_bucket_secrets() {
         local password=$1
         local minio_url=$2
-        
+
         if [[ -z "${DEFAULT_BUCKETS}" ]]; then
             print_debug "No default buckets configured, skipping bucket-specific secrets"
             return 0
         fi
-        
+
         print_status "Creating bucket-specific secrets..."
-        
+
         # Parse buckets - they can be comma, semicolon, or space separated
         local buckets="${DEFAULT_BUCKETS}"
         buckets="${buckets//,/ }"
         buckets="${buckets//;/ }"
-        
+
         for bucket_spec in $buckets; do
             if [[ -z "$bucket_spec" ]]; then
                 continue
             fi
-            
+
             # Extract bucket name (strip policy if present)
             local bucket_name=$(parse_bucket_name "$bucket_spec")
             local bucket_secret_name="${EXISTING_SECRET_NAME}-${bucket_name}"
-            
+
             print_debug "Processing bucket: $bucket_name (from spec: $bucket_spec)"
-            
+
             # Check if bucket secret exists
             if [[ "${DRY_RUN}" != "true" ]] && kubectl get secret "$bucket_secret_name" &> /dev/null; then
                 print_status "Bucket secret '$bucket_secret_name' exists, checking for changes..."
-                
+
                 local existing_password=$(kubectl get secret "$bucket_secret_name" -o jsonpath="{.data.$PASSWORD_KEY}" 2>/dev/null | base64 -d)
                 local needs_update=$(check_secret_changes "$bucket_secret_name" "$minio_url" "$MINIO_USER" "$USER_KEY")
-                
+
                 if [[ "$needs_update" == "true" ]]; then
                     print_status "Updating bucket secret with preserved password"
                     create_or_update_secret "$bucket_secret_name" "$MINIO_USER" "$existing_password" "$minio_url" "$USER_KEY" "$PASSWORD_KEY" "update" "$bucket_name"
@@ -187,30 +187,30 @@ data:
             print_dry_run "DRY-RUN MODE: No actual changes will be made"
             echo ""
         fi
-        
+
         # Construct full MinIO URL with protocol and port
         local minio_url="${MINIO_PROTOCOL}://${MINIO_HOST}:${MINIO_PORT}"
-        
+
         print_status "Processing MinIO secret for instance: ${INSTANCE_NAME}..."
         print_debug "MinIO fullname: ${MINIO_FULLNAME}"
         print_debug "MinIO URL: ${minio_url}"
         print_debug "Secret name: ${EXISTING_SECRET_NAME}"
         print_debug "User key: ${USER_KEY}"
         print_debug "Password key: ${PASSWORD_KEY}"
         print_debug "Default buckets: ${DEFAULT_BUCKETS:-<none>}"
-        
+
         local password=""
-        
+
         # Check if secret exists
         if [[ "${DRY_RUN}" != "true" ]] && kubectl get secret "$EXISTING_SECRET_NAME" &> /dev/null; then
             print_status "Secret '$EXISTING_SECRET_NAME' exists, checking for changes..."
-            
+
             local existing_password=$(kubectl get secret "$EXISTING_SECRET_NAME" -o jsonpath="{.data.$PASSWORD_KEY}" 2>/dev/null | base64 -d)
             password="$existing_password"
             local needs_update=$(check_secret_changes "$EXISTING_SECRET_NAME" "$minio_url" "$MINIO_USER" "$USER_KEY")
-            
+
             print_debug "  Needs update: $needs_update"
-            
+
             if [[ "$needs_update" == "true" ]]; then
                 print_status "Updating secret with preserved password"
                 create_or_update_secret "$EXISTING_SECRET_NAME" "$MINIO_USER" "$existing_password" "$minio_url" "$USER_KEY" "$PASSWORD_KEY" "update"
@@ -230,7 +230,7 @@ data:
                 create_or_update_secret "$EXISTING_SECRET_NAME" "$MINIO_USER" "$password" "$minio_url" "$USER_KEY" "$PASSWORD_KEY" "create"
             fi
         fi
-        
+
         # Create bucket-specific secrets if buckets are configured
         if [[ -n "${DEFAULT_BUCKETS}" ]]; then
             echo ""
@@ -253,15 +253,15 @@ data:
         print_status "MinIO Secret Management Job"
         print_status "============================"
         echo ""
-        
+
         # Validate environment variables
         for var in INSTANCE_NAME MINIO_HOST MINIO_USER EXISTING_SECRET_NAME USER_KEY PASSWORD_KEY APP_NAME; do
             if [[ -z "${!var}" ]]; then
                 print_error "$var environment variable is required"
                 exit 1
             fi
         done
-        
+
         # Show configuration
         print_status "Configuration:"
         print_status "  - Instance: ${INSTANCE_NAME}"
@@ -272,7 +272,7 @@ data:
         print_debug "  - MinIO User: ${MINIO_USER}"
         print_debug "  - Secret Name: ${EXISTING_SECRET_NAME}"
         echo ""
-        
+
         # Check required commands
         print_status "Checking required commands..."
         if ! command -v kubectl &> /dev/null; then
@@ -288,18 +288,18 @@ data:
             print_debug "openssl: $(command -v openssl)"
         fi
         echo ""
-        
+
         # Create secret
         create_minio_secret
         echo ""
-        
+
         # Final status
         if [[ "${DRY_RUN}" == "true" ]]; then
             print_success "Dry-run completed for MinIO instance '${INSTANCE_NAME}'!"
         else
             print_success "Secret processing completed for MinIO instance '${INSTANCE_NAME}'!"
         fi
-        
+
         # Exit with error if any secrets failed
         if [[ $secrets_failed -gt 0 ]] && [[ "${FAIL_ON_ERROR}" == "true" ]]; then
             print_error "Job completed with ${secrets_failed} failure(s)"
@@ -309,4 +309,3 @@ data:
 
     # Run main function
     main "$@"
-

helm/qs-minio/templates/configmap-secret-creation-script.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.secretCleanup.retainOnDelete }}
+{{- if and .Values.secretGenerationJob.enabled (not .Values.secretCleanup.retainOnDelete) }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -31,42 +31,42 @@ spec:
             - -c
             - |
               set -e
-              
+
               echo "================================================"
               echo "  MinIO Secrets Cleanup"
               echo "================================================"
               echo
               echo "⚠️  Secret retention is DISABLED (secretCleanup.retainOnDelete=false)"
               echo "⚠️  All generated secrets will be deleted"
               echo
-              
+
               {{- range $key, $value := .Values }}
               {{- if and (hasPrefix "minio-" $key) (kindIs "map" $value) }}
               {{- if $value.enabled }}
               {{- $instanceName := trimPrefix "minio-" $key }}
               # Cleanup secrets for MinIO instance: {{ $instanceName }}
               echo "Cleaning up secrets for MinIO instance: {{ $instanceName }}"
-              
+
               SECRETS=$(kubectl get secrets -n {{ $.Release.Namespace }} \
                 -l qs-minio/instance={{ $instanceName }} \
                 -o jsonpath='{.items[*].metadata.name}')
-              
+
               if [ -n "$SECRETS" ]; then
                 echo "Found secrets to delete:"
                 for secret in $SECRETS; do
                   echo "  - $secret"
                 done
                 echo
-                
+
                 kubectl delete secrets -n {{ $.Release.Namespace }} \
                   -l qs-minio/instance={{ $instanceName }}
-                
+
                 echo "✅ Deleted {{ $instanceName }} secrets"
               else
                 echo "ℹ️  No secrets found for {{ $instanceName }}"
               fi
               echo
-              
+
               {{- end }}
               {{- end }}
               {{- end }}
@@ -86,7 +86,10 @@ spec:
         fsGroup: 1001
 {{- else }}
 ---
+{{- if not .Values.secretGenerationJob.enabled }}
+# Secret cleanup is skipped because secret generation job is disabled (secretGenerationJob.enabled=false)
+{{- else }}
 # Secret cleanup is disabled (secretCleanup.retainOnDelete=true)
 # Secrets will be retained after helm uninstall
 {{- end }}
-
+{{- end }}

helm/qs-minio/templates/job-cleanup-secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.secretGenerationJob.enabled }}
 {{- range $key, $value := .Values }}
 {{- if and (hasPrefix "minio-" $key) (kindIs "map" $value) }}
 {{- if $value.enabled }}
@@ -7,4 +8,4 @@
 {{- end }}
 {{- end }}
 {{- end }}
-
+{{- end }}

helm/qs-minio/templates/job-create-secrets.yaml

@@ -37,4 +37,3 @@ subjects:
   - kind: ServiceAccount
     name: {{ include "qs-minio.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
-

helm/qs-minio/templates/rbac.yaml

@@ -16,4 +16,3 @@ metadata:
     {{- end }}
 automountServiceAccountToken: true
 {{- end }}
-

helm/qs-minio/templates/serviceaccount.yaml

@@ -60,11 +60,11 @@ spec:
           # Use endpoint URL from secret
           MINIO_URL="${MINIO_ENDPOINT_URL}"
           ALIAS="test-${INSTANCE_NAME}"
-          
+
           # Extract hostname for DNS checks (using shell built-ins)
           MINIO_HOST="${MINIO_URL#*://}"  # Remove protocol
           MINIO_HOST="${MINIO_HOST%%:*}"  # Remove port and path
-          
+
           echo "  Target: ${MINIO_URL}"
           echo "  User: ${MINIO_USER}"
           echo
@@ -75,13 +75,13 @@ spec:
           # Function to check DNS resolution
           check_dns() {
             echo "🔍 Checking DNS resolution for: ${MINIO_HOST}"
-            
+
             # Try ping first (most likely to be available)
             if ping -c 1 -W 2 "${MINIO_HOST}" > /dev/null 2>&1; then
               echo "✅ DNS resolution successful (ping)"
               return 0
             fi
-            
+
             # Try nslookup if available
             if command -v nslookup > /dev/null 2>&1; then
               if nslookup "${MINIO_HOST}" > /dev/null 2>&1; then
@@ -90,7 +90,7 @@ spec:
                 return 0
               fi
             fi
-            
+
             # Try getent if available
             if command -v getent > /dev/null 2>&1; then
               if getent hosts "${MINIO_HOST}" > /dev/null 2>&1; then
@@ -99,7 +99,7 @@ spec:
                 return 0
               fi
             fi
-            
+
             echo "⚠️  Unable to verify DNS resolution with available tools"
             echo "   Proceeding anyway - MinIO client will fail if host is unreachable"
             return 0
@@ -111,15 +111,15 @@ spec:
             if command -v wget > /dev/null 2>&1; then
               wget --spider --quiet --timeout=5 "${MINIO_URL}/minio/health/live" 2>/dev/null && return 0
             fi
-            
+
             # Try curl
             if command -v curl > /dev/null 2>&1; then
               curl -f -s --connect-timeout 5 --max-time 5 "${MINIO_URL}/minio/health/live" > /dev/null 2>&1 && return 0
             fi
-            
+
             # Try using mc (MinIO client itself)
             mc alias set test-health "${MINIO_URL}" "${MINIO_USER}" "${MINIO_PASSWORD}" > /dev/null 2>&1 && return 0
-            
+
             return 1
           }
 
@@ -128,11 +128,11 @@ spec:
             echo "⏳ Waiting for MinIO to be ready..."
             MAX_RETRIES=60
             RETRY=0
-            
+
             # First check DNS
             check_dns
             echo
-            
+
             until check_minio_health || [ $RETRY -eq $MAX_RETRIES ]; do
               echo "   Waiting... (attempt $((RETRY+1))/${MAX_RETRIES})"
               if [ $((RETRY % 6)) -eq 0 ] && [ $RETRY -gt 0 ]; then
@@ -364,4 +364,3 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-