add envFromSecrets for action, sensor, client, workflow, jobs pods

Author: cognifloyd

templates/deployments.yaml

@@ -749,6 +749,10 @@ spec:
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
+        {{- range .Values.st2workflowengine.envFromSecrets }}
+        - secretRef:
+            name: {{ . }}
+        {{- end }}
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
         {{- if .Values.st2.datastore_crypto_key }}
@@ -1116,6 +1120,10 @@ spec:
         envFrom:
         - configMapRef:
             name: {{ $.Release.Name }}-st2-urls
+        {{- range $sensor.envFromSecrets }}
+        - secretRef:
+            name: {{ . }}
+        {{- end }}
         volumeMounts:
         {{- include "st2-config-volume-mounts" $ | nindent 8 }}
         {{- include "packs-volume-mounts" $ | nindent 8 }}
@@ -1250,6 +1258,10 @@ spec:
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
+        {{- range .Values.st2actionrunner.envFromSecrets }}
+        - secretRef:
+            name: {{ . }}
+        {{- end }}
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
         - name: st2-ssh-key-vol
@@ -1506,6 +1518,10 @@ spec:
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
+        {{- range .Values.st2client.envFromSecrets }}
+        - secretRef:
+            name: {{ . }}
+        {{- end }}
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
         {{- if .Values.st2.rbac.enabled }}

templates/jobs.yaml

@@ -51,6 +51,13 @@ spec:
         {{- if .Values.jobs.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.jobs | nindent 8 }}
         {{- end }}
+        {{- if .Values.jobs.envFromSecrets }}
+        envFrom:
+        {{- range .Values.jobs.envFromSecrets }}
+        - secretRef:
+            name: {{ . }}
+        {{- end }}
+        {{- end }}
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
         - name: st2-rbac-roles-vol
@@ -178,6 +185,10 @@ spec:
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
+        {{- range .Values.jobs.envFromSecrets }}
+        - secretRef:
+            name: {{ . }}
+        {{- end }}
         volumeMounts:
         - name: st2client-config-vol
           mountPath: /root/.st2/
@@ -291,6 +302,10 @@ spec:
         envFrom:
         - configMapRef:
             name: {{ .Release.Name }}-st2-urls
+        {{- range .Values.jobs.envFromSecrets }}
+        - secretRef:
+            name: {{ . }}
+        {{- end }}
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
         - name: st2client-config-vol
@@ -402,6 +417,13 @@ spec:
         {{- if .Values.jobs.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.jobs | nindent 8 }}
         {{- end }}
+        {{- if .Values.jobs.envFromSecrets }}
+        envFrom:
+        {{- range .Values.jobs.envFromSecrets }}
+        - secretRef:
+            name: {{ . }}
+        {{- end }}
+        {{- end }}
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
         {{- include "packs-volume-mounts-for-register-job" . | nindent 8 }}

values.yaml

@@ -454,6 +454,8 @@ st2workflowengine:
   affinity: {}
   env: {}
   # HTTP_PROXY: http://proxy:1234
+  ## These named secrets (managed outside this chart) will be added to envFrom.
+  envFromSecrets: []
   serviceAccount:
     attach: false
   # postStartScript is optional. It has the contents of a bash script.
@@ -546,6 +548,8 @@ st2actionrunner:
   #   ip: 8.8.8.8
   env: {}
   # HTTP_PROXY: http://proxy:1234
+  ## These named secrets (managed outside this chart) will be added to envFrom.
+  envFromSecrets: []
   serviceAccount:
     attach: false
   # postStartScript is optional. It has the contents of a bash script.
@@ -604,6 +608,8 @@ st2sensorcontainer:
   tolerations: []
   env: {}
   # HTTP_PROXY: http://proxy:1234
+  ## These named secrets (managed outside this chart) will be added to envFrom.
+  envFromSecrets: []
   serviceAccount:
     attach: false
   # postStartScript is optional. It has the contents of a bash script.
@@ -621,6 +627,8 @@ st2sensorcontainer:
 st2client:
   env: {}
   # HTTP_PROXY: http://proxy:1234
+  ## These named secrets (managed outside this chart) will be added to envFrom.
+  envFromSecrets: []
   annotations: {}
   # Override default image settings (for now, only tag can be overridden)
   image: {}
@@ -673,6 +681,7 @@ st2chatops:
   # Enable st2chatops (default: false)
   enabled: false
   # Custom hubot adapter ENV variables to pass through which will override st2chatops.env defaults.
+  # These env vars get stored in a k8s secret loaded using envFrom.
   # See https://github.com/StackStorm/st2chatops/blob/master/st2chatops.env
   # for the full list of supported adapters and example ENV variables.
   # Note that Helm templating is supported for env values in this block!
@@ -741,6 +750,8 @@ jobs:
   affinity: {}
   env: {}
   # HTTP_PROXY: http://proxy:1234
+  ## These named secrets (managed outside this chart) will be added to envFrom.
+  envFromSecrets: []
   #
   # Advanced controls to skip creating jobs.
   # This is useful in targeted upgrades with `--set`. Do not set this in values files.