
Commit 606ab8a

committed
adds checksum annotation for pods to automatically roll out secret changes
1 parent 5d1c94e commit 606ab8a

18 files changed

+363
-351
lines changed

charts/openmetadata/Chart.yaml

Lines changed: 3 additions & 3 deletions
@@ -15,13 +15,13 @@ type: application
1515
# This is the chart version. This version number should be incremented each time you make changes
1616
# to the chart and its templates, including the app version.
1717
# Versions are expected to follow Semantic Versioning (https://semver.org/)
18-
version: 1.10.13
18+
version: 1.10.14
1919

2020
# This is the version number of the application being deployed. This version number should be
2121
# incremented each time you make changes to the application. Versions are not expected to
2222
# follow Semantic Versioning. They should reflect the version the application is using.
2323
# It is recommended to use it with quotes.
24-
appVersion: "1.10.13"
24+
appVersion: "1.10.14"
2525

2626
home: https://open-metadata.org/
2727

@@ -59,7 +59,7 @@ icon: https://open-metadata.org/assets/favicon.png
5959
annotations:
6060
artifacthub.io/images: |
6161
- name: openmetadata-server
62-
image: docker.io/openmetadata/server:1.10.13
62+
image: docker.io/openmetadata/server:1.10.14
6363
artifacthub.io/license: "Apache-2.0"
6464
# artifacthub.io/prerelease: "false"
6565
artifacthub.io/recommendations: |
Lines changed: 99 additions & 0 deletions
@@ -0,0 +1,99 @@
1+
{{- if .Values.openmetadata.config.authentication.enabled }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: {{ include "OpenMetadata.fullname" . }}-authentication-secret
6+
type: Opaque
7+
data:
8+
AUTHENTICATION_PUBLIC_KEYS: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.authentication.publicKeys) }}
9+
AUTHENTICATION_JWT_PRINCIPAL_CLAIMS: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.authentication.jwtPrincipalClaims) }}
10+
{{- if .Values.openmetadata.config.authentication.jwtPrincipalClaimsMapping }}
11+
AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.authentication.jwtPrincipalClaimsMapping) }}
12+
{{- end }}
13+
{{- with .Values.openmetadata.config.authentication }}
14+
AUTHENTICATION_PROVIDER: {{ .provider | quote | b64enc }}
15+
AUTHENTICATION_RESPONSE_TYPE: {{ .responseType | quote | b64enc }}
16+
AUTHENTICATION_AUTHORITY: {{ .authority | quote | b64enc }}
17+
AUTHENTICATION_CLIENT_ID: {{ .clientId | quote | b64enc }}
18+
AUTHENTICATION_CLIENT_TYPE: {{ .clientType | quote | b64enc }}
19+
AUTHENTICATION_CALLBACK_URL: {{ .callbackUrl | quote | b64enc }}
20+
AUTHENTICATION_ENABLE_SELF_SIGNUP: {{ .enableSelfSignup | quote | b64enc }}
21+
{{- if and (eq .clientType "confidential") (.oidcConfiguration.enabled) }}
22+
OIDC_TYPE: {{ .oidcConfiguration.oidcType | quote | b64enc }}
23+
OIDC_SCOPE: {{ .oidcConfiguration.scope | quote | b64enc }}
24+
OIDC_DISCOVERY_URI: {{ .oidcConfiguration.discoveryUri | quote | b64enc }}
25+
OIDC_USE_NONCE: {{ .oidcConfiguration.useNonce | quote | b64enc }}
26+
OIDC_PREFERRED_JWS: {{ .oidcConfiguration.preferredJwsAlgorithm | quote | b64enc }}
27+
OIDC_RESPONSE_TYPE: {{ .oidcConfiguration.responseType | quote | b64enc }}
28+
OIDC_PROMPT_TYPE: {{ .oidcConfiguration.promptType | quote | b64enc }}
29+
OIDC_DISABLE_PKCE: {{ .oidcConfiguration.disablePkce | quote | b64enc }}
30+
OIDC_CALLBACK: {{ .oidcConfiguration.callbackUrl | quote | b64enc }}
31+
OIDC_SERVER_URL: {{ .oidcConfiguration.serverUrl | quote | b64enc }}
32+
OIDC_CLIENT_AUTH_METHOD: {{ .oidcConfiguration.clientAuthenticationMethod | quote | b64enc }}
33+
OIDC_TENANT: {{ .oidcConfiguration.tenant | quote | b64enc }}
34+
OIDC_MAX_CLOCK_SKEW: {{ .oidcConfiguration.maxClockSkew | quote | b64enc }}
35+
OIDC_OM_REFRESH_TOKEN_VALIDITY: {{ .oidcConfiguration.tokenValidity | quote | b64enc }}
36+
OIDC_CUSTOM_PARAMS: {{ .oidcConfiguration.customParams | b64enc }}
37+
OIDC_MAX_AGE: {{ .oidcConfiguration.maxAge | quote | b64enc }}
38+
OIDC_SESSION_EXPIRY: {{ .oidcConfiguration.sessionExpiry | quote | b64enc }}
39+
{{ end }}
40+
{{- if eq .provider "ldap" }}
41+
AUTHENTICATION_LDAP_HOST: {{ .ldapConfiguration.host | b64enc }}
42+
AUTHENTICATION_LDAP_PORT: {{ .ldapConfiguration.port | quote | b64enc }}
43+
AUTHENTICATION_LOOKUP_ADMIN_DN: {{ .ldapConfiguration.dnAdminPrincipal | quote | b64enc }}
44+
AUTHENTICATION_USER_LOOKUP_BASEDN: {{ .ldapConfiguration.userBaseDN | quote | b64enc }}
45+
AUTHENTICATION_GROUP_LOOKUP_BASEDN: {{ .ldapConfiguration.groupBaseDN | quote | b64enc }}
46+
AUTHENTICATION_USER_ROLE_ADMIN_NAME: {{ .ldapConfiguration.roleAdminName | quote | b64enc }}
47+
AUTHENTICATION_USER_ALL_ATTR: {{ .ldapConfiguration.allAttributeName | quote | b64enc }}
48+
AUTHENTICATION_USER_NAME_ATTR: {{ .ldapConfiguration.usernameAttributeName | quote | b64enc }}
49+
AUTHENTICATION_USER_GROUP_ATTR: {{ .ldapConfiguration.groupAttributeName | quote | b64enc }}
50+
AUTHENTICATION_USER_GROUP_ATTR_VALUE: {{ .ldapConfiguration.groupAttributeValue | quote | b64enc }}
51+
AUTHENTICATION_USER_GROUP_MEMBER_ATTR: {{ .ldapConfiguration.groupMemberAttributeName | quote | b64enc }}
52+
AUTH_ROLES_MAPPING: {{ .ldapConfiguration.authRolesMapping | quote | b64enc }}
53+
AUTH_REASSIGN_ROLES: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .ldapConfiguration.authReassignRoles) }}
54+
AUTHENTICATION_USER_MAIL_ATTR: {{ .ldapConfiguration.mailAttributeName | quote | b64enc }}
55+
AUTHENTICATION_LDAP_POOL_SIZE: {{ .ldapConfiguration.maxPoolSize | quote | b64enc }}
56+
AUTHENTICATION_LDAP_SSL_ENABLED: {{ .ldapConfiguration.sslEnabled | quote | b64enc }}
57+
AUTHENTICATION_LDAP_TRUSTSTORE_TYPE: {{ .ldapConfiguration.truststoreConfigType | quote | b64enc }}
58+
{{- if eq .ldapConfiguration.truststoreConfigType "CustomTrustStore" }}
59+
AUTHENTICATION_LDAP_TRUSTSTORE_PATH: {{ .ldapConfiguration.trustStoreConfig.customTrustManagerConfig.trustStoreFilePath | quote | b64enc }}
60+
AUTHENTICATION_LDAP_SSL_KEY_FORMAT: {{ .ldapConfiguration.trustStoreConfig.customTrustManagerConfig.trustStoreFileFormat | quote | b64enc }}
61+
AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: {{ .ldapConfiguration.trustStoreConfig.customTrustManagerConfig.verifyHostname | quote | b64enc }}
62+
AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: {{ .ldapConfiguration.trustStoreConfig.customTrustManagerConfig.examineValidityDates | quote | b64enc }}
63+
{{ end }}
64+
{{- if eq .ldapConfiguration.truststoreConfigType "HostName" }}
65+
AUTHENTICATION_LDAP_ALLOW_WILDCARDS: {{ .ldapConfiguration.trustStoreConfig.hostNameConfig.allowWildCards | quote | b64enc }}
66+
AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES: {{ .ldapConfiguration.trustStoreConfig.hostNameConfig.acceptableHostNames | b64enc}}
67+
{{ end }}
68+
{{- if eq .ldapConfiguration.truststoreConfigType "JVMDefault" }}
69+
AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST: {{ .ldapConfiguration.trustStoreConfig.jvmDefaultConfig.verifyHostname | quote | b64enc }}
70+
{{ end }}
71+
{{- if eq .ldapConfiguration.truststoreConfigType "TrustAll" }}
72+
AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES: {{ .ldapConfiguration.trustStoreConfig.trustAllConfig.examineValidityDates | quote | b64enc }}
73+
{{ end }}
74+
{{ end }}
75+
{{- if eq .provider "saml" }}
76+
SAML_DEBUG_MODE: {{ .saml.debugMode | quote | b64enc }}
77+
SAML_IDP_ENTITY_ID: {{ .saml.idp.entityId | quote | b64enc }}
78+
SAML_IDP_SSO_LOGIN_URL: {{ .saml.idp.ssoLoginUrl | quote | b64enc }}
79+
SAML_AUTHORITY_URL: {{ .saml.idp.authorityUrl | quote | b64enc }}
80+
SAML_IDP_NAME_ID: {{ .saml.idp.nameId | quote | b64enc }}
81+
SAML_SP_ENTITY_ID: {{ .saml.sp.entityId | quote | b64enc }}
82+
SAML_SP_ACS: {{ .saml.sp.acs | quote | b64enc }}
83+
SAML_SP_CALLBACK: {{ .saml.sp.callback | quote | b64enc }}
84+
SAML_STRICT_MODE: {{ .saml.security.strictMode | quote | b64enc }}
85+
SAML_VALIDATE_XML: {{ .saml.security.validateXml | quote | b64enc }}
86+
SAML_SP_TOKEN_VALIDITY: {{ .saml.security.tokenValidity | quote | b64enc }}
87+
SAML_SEND_ENCRYPTED_NAME_ID: {{ .saml.security.sendEncryptedNameId | quote | b64enc }}
88+
SAML_SEND_SIGNED_AUTH_REQUEST: {{ .saml.security.sendSignedAuthRequest | quote | b64enc }}
89+
SAML_SIGNED_SP_METADATA: {{ .saml.security.signSpMetadata | quote | b64enc }}
90+
SAML_WANT_MESSAGE_SIGNED: {{ .saml.security.wantMessagesSigned | quote | b64enc }}
91+
SAML_WANT_ASSERTION_SIGNED: {{ .saml.security.wantAssertionsSigned | quote | b64enc }}
92+
SAML_WANT_ASSERTION_ENCRYPTED: {{ .saml.security.wantAssertionEncrypted | quote | b64enc }}
93+
# Key Store should only be considered if wantAssertionEncrypted will be true
94+
{{- if .saml.security.wantAssertionEncrypted }}
95+
SAML_KEYSTORE_FILE_PATH: {{ .saml.security.keyStoreFilePath | quote | b64enc }}
96+
{{ end }}
97+
{{ end }}
98+
{{ end }}
99+
{{ end }}
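Review bot: Security-sensitive switches such as `OIDC_DISABLE_PKCE`, `AUTHENTICATION_ENABLE_SELF_SIGNUP`, `AUTHENTICATION_LDAP_TRUSTSTORE_TYPE` (which admits `TrustAll`) and `SAML_STRICT_MODE` are base64-encoded into an Opaque Secret together with the rest of the authentication config, which hides them from plaintext review of rendered manifests and from admission policies that inspect ConfigMaps, and means anyone who needs to read them for troubleshooting needs `get secrets`, the same permission that exposes the real credentials. If the goal is only the checksum-driven rollout, a ConfigMap hashed into its own `checksum/config` annotation gives the same restart behaviour while keeping Secrets limited to actual credentials. Separately, `OIDC_CUSTOM_PARAMS: {{ .oidcConfiguration.customParams | b64enc }}` and `AUTHENTICATION_LDAP_HOST: {{ .ldapConfiguration.host | b64enc }}` skip the `quote` step their neighbours use; `b64enc` on an unset value (or a map, if customParams is one) will most likely fail at render time where `quote | b64enc` yields `""`, so either add `quote`/`toString` for consistency or comment why these two differ.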
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
{{- if .Values.openmetadata.config.authorizer.enabled }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: {{ include "OpenMetadata.fullname" . }}-authorizer-secret
6+
type: Opaque
7+
data:
8+
{{- with .Values.openmetadata.config.authorizer }}
9+
AUTHORIZER_CLASS_NAME: {{ .className | quote | b64enc }}
10+
AUTHORIZER_REQUEST_FILTER: {{ .containerRequestFilter | quote | b64enc }}
11+
AUTHORIZER_PRINCIPAL_DOMAIN: {{ .principalDomain | quote | b64enc }}
12+
AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN: {{ .enforcePrincipalDomain | quote | b64enc }}
13+
AUTHORIZER_ENABLE_SECURE_SOCKET: {{ .enableSecureSocketConnection | quote | b64enc }}
14+
AUTHORIZER_ADMIN_PRINCIPALS: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .initialAdmins ) }}
15+
AUTHORIZER_ALLOWED_DOMAINS: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .allowedDomains) }}
16+
AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .allowedEmailRegistrationDomains) }}
17+
AUTHORIZER_USE_ROLES_FROM_PROVIDER: {{ .useRolesFromProvider | quote | b64enc }}
18+
{{ end }}
19+
{{ end }}
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
apiVersion: v1
2+
kind: Secret
3+
metadata:
4+
name: {{ include "OpenMetadata.fullname" . }}-config-secret
5+
type: Opaque
6+
data:
7+
{{- with .Values.openmetadata.config }}
8+
LOG_LEVEL: {{ .logLevel | b64enc }}
9+
OPENMETADATA_CLUSTER_NAME: {{ .clusterName | b64enc }}
10+
{{ end }}
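Review bot: `LOG_LEVEL` and `OPENMETADATA_CLUSTER_NAME` are not secrets, yet this template places them in an Opaque Secret, so an operator needs `get secrets` in the namespace just to read the log level and a rendered-manifest review sees only base64. A ConfigMap carrying the same two keys, hashed into the pod's checksum annotation, triggers the same rollout without widening the read path to credential-bearing objects. If Secret was chosen deliberately so that a single `envFrom` list covers everything, a comment above `data:` stating that trade-off, e.g. `# non-sensitive; kept in a Secret so one envFrom/checksum covers all config`, would help the next maintainer.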
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
{{- if .Values.openmetadata.config.database.enabled }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: {{ include "OpenMetadata.fullname" . }}-db-secret
6+
type: Opaque
7+
data:
8+
{{- with .Values.openmetadata.config.database }}
9+
DB_HOST: {{ .host | b64enc }}
10+
DB_PORT: {{ .port | toString | b64enc }}
11+
DB_DRIVER_CLASS: {{ .driverClass | b64enc }}
12+
DB_SCHEME: {{ .dbScheme | b64enc }}
13+
OM_DATABASE: {{ .databaseName | b64enc }}
14+
DB_PARAMS: {{ .dbParams | b64enc | quote }}
15+
DB_USER: {{ .auth.username | b64enc }}
16+
DB_CONNECTION_POOL_MAX_SIZE: {{ .maxSize | quote | b64enc }}
17+
DB_CONNECTION_POOL_MIN_SIZE: {{ .minSize | quote | b64enc }}
18+
DB_CONNECTION_POOL_INITIAL_SIZE: {{ .initialSize | quote | b64enc }}
19+
DB_CONNECTION_CHECK_CONNECTION_WHILE_IDLE: {{ .checkConnectionWhileIdle | quote | b64enc }}
20+
DB_CONNECTION_CHECK_CONNECTION_ON_BORROW: {{ .checkConnectionOnBorrow | quote | b64enc }}
21+
DB_CONNECTION_EVICTION_INTERVAL: {{ .evictionInterval | quote | b64enc }}
22+
DB_CONNECTION_MIN_IDLE_TIME: {{ .minIdleTime | quote | b64enc }}
23+
{{ end }}
24+
{{ end }}
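Review bot: The encoding pipelines inside this one Secret disagree: `DB_PORT` uses `toString | b64enc`, `DB_HOST`/`DB_USER`/`DB_DRIVER_CLASS` use bare `b64enc`, `DB_PARAMS` uses `b64enc | quote`, while the pool settings use `quote | b64enc`, which base64-encodes the surrounding double quotes so the decoded env value literally begins and ends with `"`. If the server substitutes these env vars textually into its YAML configuration the embedded quotes are presumably intentional (they force string typing), in which case `DB_HOST`, `DB_USER` and `DB_PORT` are the outliers; otherwise the pool values carry stray quote characters. Either way, pick one pipeline for the file and record the reason above `data:`, e.g. `# rendered with quote | b64enc so the decoded env var is a YAML-quoted scalar`, because the difference is invisible once base64-encoded.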
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
{{- if .Values.openmetadata.config.eventMonitor.enabled }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: {{ include "OpenMetadata.fullname" . }}-eventmonitor-secret
6+
type: Opaque
7+
data:
8+
{{- with .Values.openmetadata.config.eventMonitor }}
9+
EVENT_MONITOR: {{ .type | b64enc }}
10+
EVENT_MONITOR_BATCH_SIZE: {{ .batchSize | quote | b64enc }}
11+
{{ end }}
12+
EVENT_MONITOR_PATH_PATTERN: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.eventMonitor.pathPattern) }}
13+
EVENT_MONITOR_LATENCY: {{ include "OpenMetadata.commaJoinedQuotedEncodedList" (dict "value" .Values.openmetadata.config.eventMonitor.latency) }}
14+
{{ end }}
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
{{- if not .Values.openmetadata.config.fernetkey.secretRef }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: {{ include "OpenMetadata.fullname" . }}-fernetkey-secret
6+
type: Opaque
7+
data:
8+
{{- with .Values.openmetadata.config.fernetkey }}
9+
FERNET_KEY: {{ .value | b64enc | quote }}
10+
{{ end }}
11+
{{ end }}
12+
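Review bot: When `fernetkey.secretRef` is unset, `FERNET_KEY: {{ .value | b64enc | quote }}` encodes whatever `fernetkey.value` holds, so an empty string produces a Secret with an empty encryption key rather than a render-time error. Guard it with `FERNET_KEY: {{ required "openmetadata.config.fernetkey.value must be set when fernetkey.secretRef is not used" .value | b64enc | quote }}` so a missing key fails `helm install` instead of reaching the server. Since a key supplied this way also lives in the chart values (and therefore in Helm's release record and any committed values file), a comment at the top of the template pointing users to `secretRef` for anything beyond local testing would be worthwhile.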
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
{{- if .Values.openmetadata.config.jwtTokenConfiguration.enabled }}
2+
apiVersion: v1
3+
kind: Secret
4+
metadata:
5+
name: {{ include "OpenMetadata.fullname" . }}-jwt-secret
6+
type: Opaque
7+
data:
8+
{{- with .Values.openmetadata.config.jwtTokenConfiguration }}
9+
RSA_PUBLIC_KEY_FILE_PATH: {{ .rsapublicKeyFilePath | quote | b64enc }}
10+
RSA_PRIVATE_KEY_FILE_PATH: {{ .rsaprivateKeyFilePath | quote | b64enc }}
11+
JWT_ISSUER: {{ .jwtissuer | quote | b64enc }}
12+
JWT_KEY_ID: {{ .keyId | quote | b64enc }}
13+
{{ end }}
14+
{{ end }}
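Review bot: This Secret holds only the paths `RSA_PUBLIC_KEY_FILE_PATH`/`RSA_PRIVATE_KEY_FILE_PATH`, not the key material, so a checksum over it changes when a path changes but not when the key files behind those paths are rotated; if the keys are mounted from another Secret or volume (not visible in this diff), that object also needs to feed the pod checksum annotation or a key rotation will not roll the pods. A one-line comment above `data:`, e.g. `# paths only; the key files are mounted separately and are not covered by this Secret's checksum`, would save the next operator a surprise.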
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
apiVersion: v1
2+
kind: Secret
3+
metadata:
4+
name: {{ include "OpenMetadata.fullname" . }}-omd-secret
5+
type: Opaque
6+
data:
7+
{{- with .Values.openmetadata.config.openmetadata }}
8+
SERVER_HOST: {{ .host | b64enc }}
9+
SERVER_PORT: {{ .port | quote | b64enc }}
10+
SERVER_ADMIN_PORT: {{ .adminPort | quote | b64enc }}
11+
SERVER_MAX_THREADS: {{ .maxThreads | quote | b64enc }}
12+
SERVER_MIN_THREADS: {{ .minThreads | quote | b64enc }}
13+
SERVER_IDLE_THREAD_TIMEOUT: {{ .idleThreadTimeout | quote | b64enc }}
14+
{{ end }}
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
apiVersion: v1
2+
kind: Secret
3+
metadata:
4+
name: {{ include "OpenMetadata.fullname" . }}-pipeline-secret
5+
type: Opaque
6+
data:
7+
{{- if .Values.openmetadata.config.pipelineServiceClientConfig.enabled }}
8+
{{- with .Values.openmetadata.config.pipelineServiceClientConfig }}
9+
{{- if eq (include "OpenMetadata.utils.checkEmptyString" .hostIp) "true" }}
10+
PIPELINE_SERVICE_CLIENT_HOST_IP: {{ .hostIp | quote | b64enc }}
11+
{{- end }}
12+
PIPELINE_SERVICE_CLIENT_ENABLED: {{ .enabled | quote | b64enc }}
13+
PIPELINE_SERVICE_CLIENT_CLASS_NAME: {{ .className | quote | b64enc }}
14+
PIPELINE_SERVICE_IP_INFO_ENABLED: {{ .ingestionIpInfoEnabled | quote | b64enc }}
15+
PIPELINE_SERVICE_CLIENT_ENDPOINT: {{ .apiEndpoint | b64enc }}
16+
PIPELINE_SERVICE_CLIENT_VERIFY_SSL: {{ .verifySsl | quote | b64enc }}
17+
PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL: {{ .healthCheckInterval | quote | b64enc }}
18+
PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH: {{ .sslCertificatePath | quote | b64enc }}
19+
SERVER_HOST_API_URL: {{ .metadataApiEndpoint | b64enc }}
20+
{{- if .auth.enabled }}
21+
AIRFLOW_USERNAME: {{ .auth.username | b64enc }}
22+
AIRFLOW_TRUST_STORE_PATH: {{ .auth.trustStorePath | quote | b64enc }}
23+
{{- end }}
24+
{{ end }}
25+
{{- else }}
26+
PIPELINE_SERVICE_CLIENT_ENABLED: {{ .Values.openmetadata.config.pipelineServiceClientConfig.enabled | quote | b64enc }}
27+
{{- end }}
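Review bot: `{{- if eq (include "OpenMetadata.utils.checkEmptyString" .hostIp) "true" }}` emits `PIPELINE_SERVICE_CLIENT_HOST_IP` when a helper named check*Empty*String returns `"true"`, which reads as emitting the key precisely when `hostIp` is empty; if the helper (not in this diff) actually returns `"true"` for a non-empty string, the name is misleading and either a comment `# helper returns "true" when hostIp is non-empty` or a rename to an `isNotEmptyString` style would remove the ambiguity. Also, `PIPELINE_SERVICE_CLIENT_VERIFY_SSL` is a TLS-verification switch that is now stored base64-encoded in a Secret, so a reviewer of the rendered manifest can no longer see at a glance whether certificate validation toward the pipeline service is disabled.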
