From 10183094137a71b9c8d73426760498006fcf50ef Mon Sep 17 00:00:00 2001
From: "Langhammer, Jens"
Date: Tue, 8 Oct 2019 10:44:25 +0200
Subject: [PATCH] helm(minor): cleanup configmap, move secret_key to k8s secret
---
helm/passbook/templates/configmap.yaml | 84 +------------------
helm/passbook/templates/secret.yaml | 11 +++
helm/passbook/templates/web-deployment.yaml | 10 +++
.../passbook/templates/worker-deployment.yaml | 5 ++
4 files changed, 27 insertions(+), 83 deletions(-)
create mode 100644 helm/passbook/templates/secret.yaml
diff --git a/helm/passbook/templates/configmap.yaml b/helm/passbook/templates/configmap.yaml
index 1e2a81bed..c2231b0a5 100644
--- a/helm/passbook/templates/configmap.yaml
+++ b/helm/passbook/templates/configmap.yaml
@@ -12,87 +12,5 @@ data: host: "{{ .Release.Name }}-redis-master" cache_db: 0 message_queue_db: 1 - - # Error reporting, sends stacktrace to sentry.beryju.org error_report_enabled: {{ .Values.config.error_reporting }} - - {{- if .Values.config.secret_key }} - secret_key: {{ .Values.config.secret_key }} - {{- else }} - secret_key: {{ randAlphaNum 50 }} - {{- end }} - - primary_domain: {{ .Values.primary_domain }} - domains: - {{- range .Values.ingress.hosts }} - - {{ . | quote }} - {{- end }} - - kubernetes-healthcheck-host - - passbook: - sign_up: - # Enables signup, created users are stored in internal Database and created in LDAP if ldap.create_users is true - enabled: true - password_reset: - # Enable password reset, passwords are reset in internal Database and in LDAP if ldap.reset_password is true - enabled: true - # Verification the user has to provide in order to be able to reset passwords. Can be any combination of `email`, `2fa`, `security_questions` - verification: - - email - # Text used in title, on login page and multiple other places - branding: passbook - login: - # Override URL used for logo - logo_url: null - # Override URL used for Background on Login page - bg_url: null - # Optionally add a subtext, placed below logo on the login page - subtext: null - footer: - links: - # Optionally add links to the footer on the login page - # - name: test - # href: https://test - # Specify which fields can be used to authenticate. 
Can be any combination of `username` and `email` - uid_fields: - - username - - email - session: - remember_age: 2592000 # 60 * 60 * 24 * 30, one month - # Provider-specific settings - ldap: - # # Completely enable or disable LDAP provider - # enabled: false - # # AD Domain, used to generate `userPrincipalName` - # domain: corp.contoso.com - # # Base DN in which passbook should look for users - # base_dn: dn=corp,dn=contoso,dn=com - # # LDAP field which is used to set the django username - # username_field: sAMAccountName - # # LDAP server to connect to, can be set to `` - # server: - # name: corp.contoso.com - # use_tls: false - # # Bind credentials, used for account creation - # bind: - # username: Administraotr@corp.contoso.com - # password: VerySecurePassword! - # Which field from `uid_fields` maps to which LDAP Attribute - login_field_map: - username: sAMAccountName - email: mail # or userPrincipalName - user_attribute_map: - active_directory: - username: "%(sAMAccountName)s" - email: "%(mail)s" - name: "%(displayName)" - # # Create new users in LDAP upon sign-up - # create_users: true - # # Reset LDAP password when user reset their password - # reset_password: true - saml_idp: - signing: true - autosubmit: false - issuer: passbook - assertion_valid_for: 86400 - # List of python packages with provider types to load.
+ domain: ".{{ .Values.ingress.hosts[0] }}"
diff --git a/helm/passbook/templates/secret.yaml b/helm/passbook/templates/secret.yaml
new file mode 100644
index 000000000..e5f8b882c
--- /dev/null
+++ b/helm/passbook/templates/secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ include "passbook.fullname" . }}-secret-key
+data:
+ {{- if .Values.config.secret_key }}
+ secret_key: {{ .Values.config.secret_key | b64enc | quote }}
+ {{- else }}
+ secret_key: {{ randAlphaNum 50 | b64enc | quote}}
+ {{- end }}
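Review bot: The added `domain: ".{{ .Values.ingress.hosts[0] }}"` should not render at all: Go templates have no `[0]` subscript syntax, so `helm template`/`helm install` will stop with a parse error on this line, and since the removed `range .Values.ingress.hosts` block treated the entries as plain strings, the equivalent is `domain: ".{{ index .Values.ingress.hosts 0 }}"`. The new value also covers only the first ingress host, where the dropped `domains:` list (plus `kubernetes-healthcheck-host`) covered every host, so it is worth confirming the consumer of `domain` does not still need the full set. If `domain` feeds a session or CSRF cookie domain, the leading dot scopes that cookie to every subdomain of the host; a short comment naming the setting it maps to would make the intent checkable. The enclosing `data:` mapping begins before this hunk.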
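Review bot: The `{{- else }}` branch re-runs `randAlphaNum 50` on every `helm upgrade`, so a release that does not set `config.secret_key` gets a fresh secret key on each upgrade, invalidating every session and signed token derived from it, and the pods only see the new value once they restart. This deserves a comment on the branch, e.g. `# Regenerated on every upgrade unless config.secret_key is set; set it for any install that must keep sessions`, or, on Helm versions that provide `lookup`, reading the existing Secret back before falling back to a random value. Depending on the Sprig version bundled with the Helm binary, `randAlphaNum` may not be backed by crypto/rand, so the generated key is best treated as a convenience default rather than a strong secret; a value supplied via `--set`/a separate values file avoids committing it to `values.yaml`. Minor: `quote}}` is missing the space before `}}`.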
diff --git a/helm/passbook/templates/web-deployment.yaml b/helm/passbook/templates/web-deployment.yaml
index aceab34bb..1b4139641 100644
--- a/helm/passbook/templates/web-deployment.yaml
+++ b/helm/passbook/templates/web-deployment.yaml
@@ -39,6 +39,11 @@ spec:
 name: {{ include "passbook.fullname" . }}-config
 prefix: PASSBOOK_
 env:
+ - name: PASSBOOK_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "passbook.fullname" . }}-secret-key
+ key: secret_key
 - name: PASSBOOK_REDIS__PASSWORD
 valueFrom:
 secretKeyRef:
@@ -65,6 +70,11 @@ spec:
 name: {{ include "passbook.fullname" . }}-config
 prefix: PASSBOOK_
 env:
+ - name: PASSBOOK_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "passbook.fullname" . }}-secret-key
+ key: secret_key
 - name: PASSBOOK_REDIS__PASSWORD
 valueFrom:
 secretKeyRef:
diff --git a/helm/passbook/templates/worker-deployment.yaml b/helm/passbook/templates/worker-deployment.yaml
index 47028cec4..2d1cc6ddd 100644
--- a/helm/passbook/templates/worker-deployment.yaml
+++ b/helm/passbook/templates/worker-deployment.yaml
@@ -44,6 +44,11 @@ spec:
 name: {{ include "passbook.fullname" . }}-config
 prefix: PASSBOOK_
 env:
+ - name: PASSBOOK_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "passbook.fullname" . }}-secret-key
+ key: secret_key
 - name: PASSBOOK_REDIS__PASSWORD
 valueFrom:
 secretKeyRef:
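Review bot: The five-line `PASSBOOK_SECRET_KEY` entry is pasted verbatim into both containers of this file and once more in `worker-deployment.yaml`, so a future change to the Secret name or key has to be repeated in three places. A named template in `_helpers.tpl` (`{{- define "passbook.secretKeyEnv" -}}` wrapping the `- name:`/`valueFrom:` block) pulled in with `{{ include "passbook.secretKeyEnv" . | nindent 12 }}` keeps them in sync. The container specs these hunks sit in start and end outside the hunk, so the indent passed to `nindent` has to be checked against the file.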
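Review bot: Nothing in this hunk ties the worker pod to the contents of the `-secret-key` Secret, so unless the pod template already carries a checksum annotation, a rotated `config.secret_key` updates the Secret but leaves the running worker on the old key until it happens to restart, at which point `PASSBOOK_SECRET_KEY` can differ between web and worker. The usual remedy is `checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}` under `spec.template.metadata.annotations`; that block is outside the hunk, so confirm it is absent before adding it. The same consideration applies to the web deployment.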