Merge pull request #257 from cognifloyd/envfrom-simplify

cognifloyd · web-flow · commit cbde2106ab6e · 2021-10-22T11:08:17.000-05:00
Use envFrom for ST2_AUTH_USERNAME/PASSWORD
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@
 * Use "--convert" when loading keys into datastore (in key-load Job) so that `st2.keyvalue[].value` can be any basic JSON data type. (#253) (by @cognifloyd)
 * New feature: Add `extra_volumes` to `st2actionrunner`, `st2client`, `st2sensorcontainer`. This is useful for loading volumes to be used by actions or sensors. This might include secrets (like ssl certificates) and configuration (like system-wide ansible.cfg). (#254) (by @cognifloyd)
 * Some `helm upgrades` do not need to run all the jobs. An upgrade that only touches RBAC config, for example, does not need to run the register-content job. Use `--set 'jobs.skip={apikey_load,key_load,register_content}'` to skip the other jobs. (#255) (by @cognifloyd)
+* Refactor deployments/jobs to inject st2 username/password via `envFrom` instead of via `env`. (#257) (by @cognifloyd)
 
 ## v0.70.0
 * New feature: Shared packs volumes `st2.packs.volumes`. Allow using cluster-specific persistent volumes to store packs, virtualenvs, and (optionally) configs. This enables using `st2 pack install`. It even works with `st2packs` images in `st2.packs.images`. (#199) (by @cognifloyd)
diff --git a/templates/deployments.yaml b/templates/deployments.yaml
@@ -58,17 +58,9 @@ spec:
       - name: generate-htpasswd
         image: '{{ template "imageRepository" . }}/st2auth:{{ tpl (.Values.st2auth.image.tag | default .Values.image.tag) . }}'
         imagePullPolicy: {{ .Values.image.pullPolicy }}
-        env:
-        - name: ST2_AUTH_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: username
-        - name: ST2_AUTH_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: password
+        envFrom:
+        - secretRef:
+            name: {{ .Release.Name }}-st2-auth
         volumeMounts:
         - name: htpasswd-vol
           mountPath: /tmp/st2
@@ -1488,17 +1480,8 @@ spec:
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
-        env:
-        - name: ST2_AUTH_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: username
-        - name: ST2_AUTH_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: password
+        - secretRef:
+            name: {{ .Release.Name }}-st2-auth
         volumeMounts:
         - name: st2client-config-vol
           mountPath: /root/.st2/
@@ -1651,22 +1634,13 @@ spec:
       - name: st2chatops
         image: '{{ .Values.st2chatops.image.repository | default "stackstorm" }}/{{ .Values.st2chatops.image.name | default "st2chatops" }}:{{ tpl (.Values.st2chatops.image.tag | default .Values.image.tag) . }}'
         imagePullPolicy: {{ .Values.st2chatops.image.pullPolicy | default .Values.image.pullPolicy }}
-        {{- if not (hasKey .Values.st2chatops.env "ST2_API_KEY") }}
-        env:
-        - name: ST2_AUTH_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: username
-        - name: ST2_AUTH_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: password
-        {{- end }}
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
+        {{- if not (hasKey .Values.st2chatops.env "ST2_API_KEY") }}
+        - secretRef:
+            name: {{ .Release.Name }}-st2-auth
+        {{- end }}
         - secretRef:
             name: {{ .Release.Name }}-st2chatops
         ports:
diff --git a/templates/jobs.yaml b/templates/jobs.yaml
@@ -148,17 +148,8 @@ spec:
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
-        env:
-        - name: ST2_AUTH_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: username
-        - name: ST2_AUTH_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: password
+        - secretRef:
+            name: {{ .Release.Name }}-st2-auth
         volumeMounts:
         - name: st2client-config-vol
           mountPath: /root/.st2/
@@ -269,17 +260,8 @@ spec:
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
-        env:
-        - name: ST2_AUTH_USERNAME
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: username
-        - name: ST2_AUTH_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-st2-auth
-              key: password
+        - secretRef:
+            name: {{ .Release.Name }}-st2-auth
         volumeMounts:
         - name: st2client-config-vol
           mountPath: /root/.st2/
diff --git a/templates/secrets_st2auth.yaml b/templates/secrets_st2auth.yaml
@@ -22,11 +22,11 @@ metadata:
 type: Opaque
 data:
   # Username, used to login to StackStorm system (default: st2admin)
-  username: {{ required "A valid secret 'st2.username' is required for StackStorm auth!" .Values.st2.username | b64enc | quote }}
+  ST2_AUTH_USERNAME: {{ required "A valid secret 'st2.username' is required for StackStorm auth!" .Values.st2.username | b64enc | quote }}
   # Password, used to login to StackStorm system (default: auto-generated)
 {{- $previous := lookup "v1" "Secret" .Release.Namespace $name }}
 {{- if and $previous (not .Values.st2.password) }}
-  password: {{ $previous.data.password }}
+  ST2_AUTH_PASSWORD: {{ default $previous.data.password $previous.data.ST2_AUTH_PASSWORD }}
 {{ else }}
-  password: {{ default (randAlphaNum 12) .Values.st2.password | b64enc | quote }}
+  ST2_AUTH_PASSWORD: {{ default (randAlphaNum 12) .Values.st2.password | b64enc | quote }}
 {{ end }}
diff --git a/templates/tests/st2tests-pod.yaml b/templates/tests/st2tests-pod.yaml
@@ -33,19 +33,11 @@ spec:
     envFrom:
     - configMapRef:
         name: {{ .Release.Name }}-st2-urls
+    - secretRef:
+        name: {{ .Release.Name }}-st2-auth
     env:
     - name: BATS_HELPERS_DIR
       value: /tools/bats-helpers/
-    - name: ST2_AUTH_USERNAME
-      valueFrom:
-        secretKeyRef:
-          name: {{ .Release.Name }}-st2-auth
-          key: username
-    - name: ST2_AUTH_PASSWORD
-      valueFrom:
-        secretKeyRef:
-          name: {{ .Release.Name }}-st2-auth
-          key: password
     - name: ST2_VERSION
       value: "{{ .Chart.AppVersion }}"
     - name: ST2_RBAC_ENABLED
