fix: support external secrets for GeoServer credentials

geoserver/latest/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

geoserver/latest/README.md

@@ -68,6 +68,79 @@ kubectl port-forward geoserver-0 8080:8080
 
 ![Screenshot_20230217_024956](https://user-images.githubusercontent.com/94710364/219696756-c4404c25-6442-41f2-bcc7-7893a32f6123.png)
 
+### Using external Kubernetes Secrets for passwords
+
+The chart supports reading passwords from existing Kubernetes Secrets while preserving the original inline password behavior.
+
+`values.yaml` schema
+```yaml
+secrets:
+  master_external_secret: false  
+  master_password: "geoserver"
+  master_password_key: "MASTER_PASSWORD"
+
+  postgis_external_secret: false  
+  postgis_password: "geoserver"
+  postgis_password_key: "POSTGIS_PASSWORD"
+
+  admin_external_secret: false    
+  admin_password: "notgeoserver"
+  admin_password_key: "ADMIN_PASSWORD"
+```
+
+The secrets (master, postgis, admin) have the same way to use, for example:
+
+`master_external_secret`:
+
+- If it is `false`: use the value in `master_password` directly.
+- If it is `true`: use the value in `master_password` as the name of existing Kubernetes secret.
+  - In this case, `master_password_key` is the key field in that Kubernetes secret, update if you use a different key,otherwise keep it as default.
+
+This ensures full backward compatibility while allowing secure integration with externally managed secrets.
+
+**Example: using an external Kubernetes Secret**
+
+- Create the Kubernetes Secret
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: geoserver-external-secrets
+  namespace: default
+type: Opaque
+data:
+  ADMIN_PASSWORD: dGVzdA==         # "test"
+  POSTGIS_PASSWORD: dGVzdA==       # "test"
+  MASTER_PASSWORD: dGVzdA==        # "test"
+```
+
+- Configure `values.yaml`
+
+```yaml
+secrets:
+  master_external_secret: false  
+  master_password: "geoserver"
+  master_password_key: "MASTER_PASSWORD"
+
+  postgis_external_secret: false  
+  postgis_password: "geoserver"
+  postgis_password_key: "POSTGIS_PASSWORD"
+
+  admin_external_secret: true    
+  admin_password: "geoserver-external-secrets"  # Secret name
+  admin_password_key: "ADMIN_PASSWORD"
+
+postgis:
+  enabled: true
+  # ...
+```
+
+In this configuration:
+
+- `postgis_external_secret: false`: The PostGIS password is taken from `postgis_password` ("geoserver"), exactly as in the original behavior.
+- `admin_external_secret: true`: The GeoServer admin password is loaded from the Kubernetes Secret `geoserver-external-secrets`, using the key `ADMIN_PASSWORD` (value: dGVzdA==, i.e. "test").
+
 
 ## Notes on GeoServer configuration
 

geoserver/latest/templates/context.xml.tpl

@@ -0,0 +1,49 @@
+{{- define "geoserver.context.xml" -}}
+<Context>
+
+    <!-- Default set of monitored resources -->
+    <WatchedResource>WEB-INF/web.xml</WatchedResource>
+
+    <!-- Uncomment this to disable session persistence across Tomcat restarts -->
+    <!--
+    <Manager pathname="" />
+    -->
+
+    <!-- Uncomment this to enable Comet connection tacking (provides events
+         on session expiration as well as webapp lifecycle) -->
+    <!--
+    <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+    -->
+
+    <Resource
+          name="jdbc/postgres" 
+          auth="Container" 
+          type="javax.sql.DataSource"
+          driverClassName="org.postgresql.Driver"
+          url="jdbc:postgresql://127.0.0.1:5432/{{ .Values.postgis.env.database }}"
+          {{- if .Values.secrets.postgis_external_secret }}
+          username="{{ .Values.postgis.env.user }}" 
+          password="${POSTGRES_PASSWORD}"
+          {{- else }}
+          username="{{ .Values.postgis.env.user }}" 
+          password="{{ .Values.secrets.postgis_password }}"
+          {{- end }}
+          initialSize="0"
+          minIdle="0" 
+          maxTotal="20" 
+          maxIdle="5" 
+          maxWaitMillis="2000" 
+          testWhileIdle="true"
+          minEvictableIdleTimeMillis="60000"
+          timeBetweenEvictionRunsMillis="30000"
+          maxConnLifetimeMillis="600000"
+          numTestsPerEvictionRun="5"
+          testOnBorrow="false"
+          removeAbandonedOnMaintenance="true"
+          removeAbandonedTimeout="300"
+          logAbandoned="false"
+          maxOpenPreparedStatements="20"
+          validationQuery="SELECT 1"
+     />
+</Context>
+{{- end -}}

geoserver/latest/templates/secrets.yaml

@@ -1,20 +1,25 @@
 {{- define "geoserver.secrets" -}}
+{{- if not (and .Values.secrets.postgis_external_secret .Values.secrets.admin_external_secret) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "geoserver.fullname" . }}
   labels:
     {{- include "geoserver.labels" . | nindent 4 }}
 data:
+  {{- if not .Values.secrets.postgis_external_secret }}
   POSTGIS_PASSWORD: {{ .Values.secrets.postgis_password | b64enc | quote}}
+  {{- end }}
+  {{- if not .Values.secrets.admin_external_secret }}
   ADMIN_PASSWORD: {{ .Values.secrets.admin_password | b64enc | quote}}
+  {{- end }}
 ---
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "geoserver.fullname" . }}-context
 data:
-  context.xml: |-
-              {{ .Files.Get "context.xml" | b64enc }}
+  context.xml: {{ include "geoserver.context.xml" . | b64enc | quote }}
 {{- end -}}
 {{- include "geoserver.secrets" . -}}

geoserver/latest/templates/statefulset.yaml

@@ -76,9 +76,27 @@ spec:
             - name: ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
+                  {{- if .Values.secrets.admin_external_secret }}
+                  name: {{ .Values.secrets.admin_password }}
+                  key: {{ .Values.secrets.admin_password_key }}
+                  {{- else }}
                   name: {{ include "geoserver.fullname" . }}
                   key: ADMIN_PASSWORD
+                  {{- end }}
                   optional: true
+            {{- if .Values.postgis.enabled }}
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.secrets.postgis_external_secret }}
+                  name: {{ .Values.secrets.postgis_password }}
+                  key: {{ .Values.secrets.postgis_password_key }}
+                  {{- else }}
+                  name: {{ include "geoserver.fullname" . }}
+                  key: POSTGIS_PASSWORD
+                  {{- end }}
+                  optional: true
+            {{- end }}
             - name: POD_HOSTNAME
               valueFrom:
                 fieldRef:
@@ -239,8 +257,13 @@ spec:
             - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
+                  {{- if .Values.secrets.postgis_external_secret }}
+                  name: {{ .Values.secrets.postgis_password }}
+                  key: {{ .Values.secrets.postgis_password_key }}
+                  {{- else }}
                   name: {{ include "geoserver.fullname" . }}
                   key: POSTGIS_PASSWORD
+                  {{- end }}
           ports:
             - name: postgresql
               containerPort: 5432

geoserver/latest/tests/statefulset_test.yaml

@@ -1,6 +1,7 @@
 suite: test statefulset
 templates:
   - configmap.yml
+  - context.xml.tpl
   - secrets.yaml
   - env-properties-secret.yaml
   - statefulset.yaml

geoserver/latest/values.yaml

@@ -121,9 +121,16 @@ persistence:
     storageClass: ""
 
 secrets:
+  master_external_secret: false  # Set true to use existing K8s secret instead of creating one
   master_password: "geoserver"
+  master_password_key: "MASTER_PASSWORD"
+  postgis_external_secret: false  # Set true to use existing K8s secret instead of creating one
   postgis_password: "geoserver"
+  postgis_password_key: "POSTGIS_PASSWORD"
+  admin_external_secret: false    # Set true to use existing K8s secret instead of creating one
   admin_password: "notgeoserver"
+  admin_password_key: "ADMIN_PASSWORD"
+
 postgis:
   enabled: false
   image: "postgis/postgis:12-3.1"