Merge pull request #359: Initial External AUTH Secret

Author: cognifloyd

CHANGELOG.md

@@ -6,6 +6,7 @@
 * Drop support for `networking.k8s.io/v1beta1` which was removed in kubernetes v1.22 (EOL 2022-10-28) (#353) (by @cognifloyd)
 * Reduce duplication in label tests (#354) (by @cognifloyd)
 * Add `st2canary` job as a Helm Hook that runs before install/upgrade to ensure `st2.packs.volumes` is configured correctly (if `st2.packs.volumes.enabled`). (#323) (by @cognifloyd)
+* Enable using existing `st2-auth` secret. This allows users to manage this secret outside of the Helm process. (#359) (by @bmarick)
 
 ## v0.110.0
 * Switch st2 to `v3.8` as a new default stable version (#347)

templates/NOTES.txt

@@ -40,7 +40,7 @@ Ingress is enabled. You may access following endpoints:
 {{- end }}
 
 2. Get the password needed to login:
-kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.data.ST2_AUTH_PASSWORD}" secret {{ .Release.Name }}-st2-auth | base64 --decode
+kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.data.ST2_AUTH_PASSWORD}" secret {{ include "stackstorm-ha.secrets.st2Auth" . }} | base64 --decode
 
 3. Login with this username and the password retrieved above:
 username: {{ .Values.st2.username }}

templates/_helpers.tpl

@@ -69,6 +69,16 @@ Create the name of the stackstorm-ha service account to use
 {{- default .Chart.Name .Values.serviceAccount.serviceAccountName -}}
 {{- end -}}
 
+
+{{/*
+Create the name of the stackstorm-ha st2 auth secret to use
+*/}}
+{{- define "stackstorm-ha.secrets.st2Auth" -}}
+{{- $name := print .Release.Name "-st2-auth" -}}
+{{- default $name .Values.st2.existingAuthSecret -}}
+{{- end -}}
+
+
 {{/*
 Generate '-' prefix only when the variable is defined
 */}}

templates/deployments.yaml

@@ -52,7 +52,7 @@ spec:
         {{- end }}
         envFrom:
         - secretRef:
-            name: {{ .Release.Name }}-st2-auth
+            name: {{ include "stackstorm-ha.secrets.st2Auth" . }}
         volumeMounts:
         - name: htpasswd-vol
           mountPath: /tmp/st2
@@ -1581,7 +1581,7 @@ spec:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
         - secretRef:
-            name: {{ .Release.Name }}-st2-auth
+            name: {{ include "stackstorm-ha.secrets.st2Auth" . }}
         {{- range .Values.st2client.envFromSecrets }}
         - secretRef:
             name: {{ . }}
@@ -1760,7 +1760,7 @@ spec:
             name: {{ .Release.Name }}-st2-urls
         {{- if not (hasKey .Values.st2chatops.env "ST2_API_KEY") }}
         - secretRef:
-            name: {{ .Release.Name }}-st2-auth
+            name: {{ include "stackstorm-ha.secrets.st2Auth" . }}
         {{- end }}
         - secretRef:
             name: {{ .Release.Name }}-st2chatops

templates/jobs.yaml

@@ -156,7 +156,7 @@ spec:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
         - secretRef:
-            name: {{ .Release.Name }}-st2-auth
+            name: {{ include "stackstorm-ha.secrets.st2Auth" . }}
         {{- range .Values.jobs.envFromSecrets }}
         - secretRef:
             name: {{ . }}
@@ -282,7 +282,7 @@ spec:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
         - secretRef:
-            name: {{ .Release.Name }}-st2-auth
+            name: {{ include "stackstorm-ha.secrets.st2Auth" . }}
         {{- range .Values.jobs.envFromSecrets }}
         - secretRef:
             name: {{ . }}
@@ -647,7 +647,7 @@ spec:
         - configMapRef:
             name: {{ $.Release.Name }}-st2-urls
         - secretRef:
-            name: {{ $.Release.Name }}-st2-auth
+            name: {{ include "stackstorm-ha.secrets.st2Auth" $ }}
         {{- range $.Values.jobs.envFromSecrets }}
         - secretRef:
             name: {{ . }}

templates/secrets_st2auth.yaml

@@ -4,12 +4,12 @@
 {{- if or $deprecated_username $deprecated_password }}
 {{- fail "Please update your values! Values for username and password moved from secrets.st2.* to st2.*" }}
 {{- end }}
+{{- if not .Values.st2.existingAuthSecret }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  {{- $name := print .Release.Name "-st2-auth" }}
-  name: {{ $name }}
+  name: {{ include "stackstorm-ha.secrets.st2Auth" . }}
   annotations:
     description: StackStorm username and password, used for basic .htaccess auth
   labels: {{- include "stackstorm-ha.labels" (list $ "st2") | nindent 4 }}
@@ -18,9 +18,10 @@ data:
   # Username, used to login to StackStorm system (default: st2admin)
   ST2_AUTH_USERNAME: {{ required "A valid secret 'st2.username' is required for StackStorm auth!" .Values.st2.username | b64enc | quote }}
   # Password, used to login to StackStorm system (default: auto-generated)
-{{- $previous := lookup "v1" "Secret" .Release.Namespace $name }}
+{{- $previous := lookup "v1" "Secret" .Release.Namespace (include "stackstorm-ha.secrets.st2Auth" .) }}
 {{- if and $previous (not .Values.st2.password) }}
   ST2_AUTH_PASSWORD: {{ default $previous.data.password $previous.data.ST2_AUTH_PASSWORD }}
 {{ else }}
   ST2_AUTH_PASSWORD: {{ default (randAlphaNum 12) .Values.st2.password | b64enc | quote }}
 {{ end }}
+{{- end }}

templates/tests/st2tests-pod.yaml

@@ -43,7 +43,7 @@ spec:
     - configMapRef:
         name: {{ .Release.Name }}-st2-urls
     - secretRef:
-        name: {{ .Release.Name }}-st2-auth
+        name: {{ include "stackstorm-ha.secrets.st2Auth" . }}
     env:
     - name: BATS_HELPERS_DIR
       value: /tools

tests/unit/secrets_test.yaml

@@ -0,0 +1,115 @@
+---
+suite: Secret files
+templates:
+  # primary template files
+  - secrets_st2auth.yaml
+  - deployments.yaml
+  - jobs.yaml
+
+  # included templates must also be listed
+  - configmaps_overrides.yaml
+  - configmaps_packs.yaml
+  - configmaps_rbac.yaml
+  - configmaps_st2-conf.yaml
+  - configmaps_st2-urls.yaml
+  - configmaps_st2web.yaml
+  - secrets_datastore_crypto_key.yaml
+  - secrets_ssh.yaml
+  - secrets_st2apikeys.yaml
+  - secrets_st2auth.yaml
+  - secrets_st2chatops.yaml
+
+tests:
+  - it: ST2 Auth Secret include by default
+    template: secrets_st2auth.yaml
+    set:
+      st2: {}
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isNotEmpty:
+          path: data.ST2_AUTH_PASSWORD
+        documentIndex: 0
+      - equal:
+          path: data.ST2_AUTH_USERNAME
+          value: c3QyYWRtaW4=
+        documentIndex: 0
+
+  - it: ST2 Auth Secret set custom username and password
+    template: secrets_st2auth.yaml
+    set:
+      st2:
+        username: example
+        password: badPassword
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: data.ST2_AUTH_USERNAME
+          value: "ZXhhbXBsZQ==" # Base64 encoded value
+        documentIndex: 0
+      - equal:
+          path: data.ST2_AUTH_PASSWORD
+          value: "YmFkUGFzc3dvcmQ="  # Base64 encoded value
+        documentIndex: 0
+
+  - it: ST2 Auth Secret disable generation
+    template: secrets_st2auth.yaml
+    set:
+      st2:
+        existingAuthSecret: "hello-world"
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: ST2 Auth Secret custom secret Name
+    template: deployments.yaml
+    set:
+      st2:
+        existingAuthSecret: "hello-world"
+      st2chatops:
+        enabled: true
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 14
+      - equal:
+          path: spec.template.spec.initContainers[2].envFrom[0].secretRef.name
+          value: "hello-world"
+        documentIndex: 0 # st2auth
+      - equal:
+          path: spec.template.spec.initContainers[0].envFrom[1].secretRef.name
+          value: "hello-world"
+        documentIndex: 12 # st2client
+      - equal:
+          path: spec.template.spec.containers[0].envFrom[1].secretRef.name
+          value: "hello-world"
+        documentIndex: 13 # st2chatops
+
+  - it: ST2 Auth Secret custom secret Name
+    template: jobs.yaml
+    set:
+      st2:
+        existingAuthSecret: "hello-world"
+      st2chatops:
+        enabled: true
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 3
+      - equal:
+          path: spec.template.spec.initContainers[2].envFrom[1].secretRef.name
+          value: "hello-world"
+        documentIndex: 0 # st2-apikey-load
+      - equal:
+          path: spec.template.spec.initContainers[1].envFrom[1].secretRef.name
+          value: "hello-world"
+        documentIndex: 1 # st2-key-load

values.yaml

@@ -60,7 +60,11 @@ st2:
   # Password, used to login to StackStorm system
   # If set, st2.password always overrides any existing password.
   # If not set, the password is auto-generated on install and preserved across upgrades.
+  # Disabled if st2.existingAuthSecret is set
   #password: Ch@ngeMe
+  # Name of existing ST2 Auth secret, disables creation of this secret
+  # existingAuthSecret: ""
+
   # ST2 crypto key for the  K/V datastore.
   # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
   # If set, st2.datastore_crypto_key always overrides any existing datastore_crypto_key.
@@ -81,7 +85,7 @@ st2:
   config: |
     [api]
     allow_origin = '*'
-    # fixes no replicaset found bug;  
+    # fixes no replicaset found bug;
     [database]
     # Connection and server selection timeout (in ms).
     connection_timeout = 5000