Adding existingSecret.registation and existingSecret.passkey; Always store registration and passkey data in a Kubernetes secret; use projected volume to ensure all data in one directory

Signed-off-by: jessebot <[email protected]>

Author: jessebot

helm/hookshot/README.md

@@ -1,6 +1,6 @@
 # hookshot
 
-![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.2.0](https://img.shields.io/badge/AppVersion-3.2.0-informational?style=flat-square)
+![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0-replaced-by-ci](https://img.shields.io/badge/AppVersion-0.0.0--replaced--by--ci-informational?style=flat-square)
 Deploy a Matrix Hookshot instance to Kubernetes
 
 Status: Beta
@@ -39,7 +39,7 @@ To configure Hookshot-specific parameters, the value `.Values.hookshot.config` a
 
 ## Existing configuration
 
-If you have an existing configuration file for Hookshot, you can create a configmap like so:
+If you have an existing configuration file for hookshot, you can create a configmap like so:
 
 ``` bash
 kubectl create --namespace "your hookshot namespace" configmap hookshot-custom-config --from-file=config.yml --from-file=registration.yml --from-file=passkey.pem
@@ -74,9 +74,12 @@ You'll need to configure your Ingress connectivity according to your environment
 | affinity | object | `{}` | Affinity settings for deployment |
 | autoscaling.enabled | bool | `false` |  |
 | fullnameOverride | string | `""` | Full name override for helm chart |
-| hookshot.config | object | `{"bridge":{"bindAddress":"0.0.0.0","domain":"example.com","port":9002,"url":"https://example.com"},"generic":{"allowJsTransformationFunctions":true,"enableHttpGet":false,"enabled":true,"urlPrefix":"https://example.com/","userIdPrefix":"_webhooks_","waitForComplete":false},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks","widgets"]},{"bindAddress":"0.0.0.0","port":9001,"resources":["metrics"]}],"logging":{"colorize":false,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"metrics":{"enabled":true},"passFile":"/data/passkey.pem","widgets":{"addToAdminRooms":false,"branding":{"widgetTitle":"Hookshot Configuration"},"publicUrl":"https://webhook-hookshot.example.com/widgetapi/v1/static","roomSetupWidget":{"addOnInvite":false},"setRoomName":false}}` | Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. |
-| hookshot.existingConfigMap | string | `nil` | Name of existing ConfigMap with valid Hookshot configuration |
-| hookshot.passkey | string | `""` |  |
+| hookshot.config | object | `{"bridge":{"bindAddress":"127.0.0.1","domain":"example.com","mediaUrl":"https://example.com","port":9993,"url":"http://localhost:8008"},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks"]},{"bindAddress":"127.0.0.1","port":9001,"resources":["metrics","provisioning"]},{"bindAddress":"0.0.0.0","port":9002,"resources":["widgets"]}],"logging":{"colorize":true,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"passFile":"passkey.pem"}` | Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. |
+| hookshot.config.passFile | string | `"passkey.pem"` | A passkey used to encrypt tokens stored inside the bridge. Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate |
+| hookshot.existingConfigMap | string | `""` | Name of existing ConfigMap with valid Hookshot configuration |
+| hookshot.existingSecret.passkey | string | `""` | Name of existing Secret with valid Hookshot passkey.pem If set, ignores hookshot.passkey |
+| hookshot.existingSecret.registration | string | `""` | Name of existing Secret with valid Hookshot registration.yaml. If set, ignores hookshot.registration |
+| hookshot.passkey | string | `""` | A passkey used to encrypt tokens stored inside the bridge. Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate |
 | hookshot.registration.as_token | string | `""` |  |
 | hookshot.registration.hs_token | string | `""` |  |
 | hookshot.registration.id | string | `"matrix-hookshot"` |  |
@@ -119,4 +122,4 @@ You'll need to configure your Ingress connectivity according to your environment
 | tolerations | list | `[]` | Tolerations for deployment |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)

helm/hookshot/templates/_helpers.tpl

@@ -35,6 +35,28 @@ Helper for configmap name
 {{- end }}
 {{- end }}
 
+{{/*
+Helper for secret name for registration
+*/}}
+{{- define "hookshot.registrationSecretName" -}}
+{{- if .Values.hookshot.existingSecret.registration }}
+{{- printf "%s" .Values.hookshot.existingSecret.registration -}}
+{{- else }}
+{{- printf "%s-registration-secret" (include "hookshot.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Helper for secret name for passkey.pem
+*/}}
+{{- define "hookshot.passkeySecretName" -}}
+{{- if .Values.hookshot.existingSecret.passkey }}
+{{- printf "%s" .Values.hookshot.existingSecret.passkey -}}
+{{- else }}
+{{- printf "%s-passkey-secret" (include "hookshot.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}

helm/hookshot/templates/_pod.tpl

@@ -43,10 +43,8 @@ containers:
 {{- toYaml .Values.containerSecurityContext | nindent 6 }}
 {{- end }}
     volumeMounts:
-{{- if or (and (not .Values.hookshot.existingConfigMap) (.Values.hookshot.config)) (.Values.hookshot.existingConfigMap) }}
       - name: config
         mountPath: "/data"
-{{- end }}
     ports:
       - name: webhook
         containerPort: 9000
@@ -58,7 +56,7 @@ containers:
         containerPort: 9002
         protocol: TCP
     env:
-      
+
     envFrom:
     {{- if .Values.envFromSecret }}
       - secretRef:
@@ -109,8 +107,14 @@ tolerations:
 {{- end }}
 volumes:
   - name: config
-    configMap:
-      name: {{ template "hookshot.configMapName" . }}
+    projected:
+      sources:
+        configMap:
+          name: {{ template "hookshot.configMapName" . }}
+        secret:
+          secretName: {{ template "hookshot.registrationSecretName" . }}
+        secret:
+          secretName: {{ template "hookshot.passkeySecretName" . }}
 {{- $root := . }}
 {{- range .Values.extraConfigmapMounts }}
   - name: {{ tpl .name $root }}

helm/hookshot/templates/configmap.yaml

@@ -1,5 +1,5 @@
----
 {{- if not .Values.hookshot.existingConfigMap }}
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -12,10 +12,6 @@ metadata:
 {{ toYaml . | indent 4 }}
 {{- end }}
 data:
-  config.yml: |
-{{ toYaml .Values.hookshot.config | indent 4 }}
-  registration.yml: |
-{{ toYaml .Values.hookshot.registration | indent 4 }}
-  passkey.pem: |
-{{ .Values.hookshot.passkey | indent 4 }}
+  config.yml: |-
+    {{- toYaml .Values.hookshot.config | nindent 4 }}
 {{- end }}

helm/hookshot/templates/passkey-secret.yaml

@@ -0,0 +1,17 @@
+{{- if not .Values.hookshot.existingSecret.passkey }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "hookshot.passkeySecretName" . }}
+  namespace: {{ template "hookshot.namespace" . }}
+  labels:
+    {{- include "hookshot.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+data:
+  passkey.pem: |-
+    {{ toYaml .Values.hookshot.passkey | nindent 4 }}
+{{- end }}

helm/hookshot/templates/registration-secret.yaml

@@ -0,0 +1,17 @@
+{{- if not .Values.hookshot.existingSecret.registration }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "hookshot.registrationSecretName" . }}
+  namespace: {{ template "hookshot.namespace" . }}
+  labels:
+    {{- include "hookshot.labels" . | nindent 4 }}
+{{- with .Values.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+data:
+  registration.yaml: |-
+    {{- toYaml .Values.hookshot.registration | nindent 4 }}
+{{- end }}

helm/hookshot/values.yaml

@@ -101,8 +101,17 @@ tolerations: []
 # -- Affinity settings for deployment
 affinity: {}
 hookshot:
+  existingSecret:
+    # -- Name of existing Secret with valid Hookshot registration.yaml.
+    # If set, ignores hookshot.registration
+    registration: ""
+    # -- Name of existing Secret with valid Hookshot passkey.pem
+    # If set, ignores hookshot.passkey
+    passkey: ""
+
   # -- Name of existing ConfigMap with valid Hookshot configuration
-  existingConfigMap:
+  existingConfigMap: ""
+
   # -- Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified.
   config:
     # This is an example configuration file
@@ -113,9 +122,9 @@ hookshot:
       mediaUrl: https://example.com
       port: 9993
       bindAddress: 127.0.0.1
-    passFile: passkey.pem
-    # A passkey used to encrypt tokens stored inside the bridge.
+    # -- A passkey used to encrypt tokens stored inside the bridge.
     # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
+    passFile: passkey.pem
     logging:
       # Logging settings. You can have a severity debug,info,warn,error
       level: info
@@ -298,4 +307,6 @@ hookshot:
     sender_localpart: hookshot
     url: "http://example.com"
     rate_limited: false
+  # -- A passkey used to encrypt tokens stored inside the bridge.
+  # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
   passkey: ""