init work on using existing secret for sensitive values

Author: fl0ppy-d1sk

charts/bunkerweb/templates/_helpers.tpl

@@ -95,8 +95,21 @@ REDIS settings
 - name: REDIS_HOST
   value: "{{ .Values.settings.redis.redisHost }}"
 - name: REDIS_USERNAME
+  {{- if not (empty .Values.settings.existingSecret) }}
+  valueFrom:
+    secretKeyRef:
+      name: "{{ .Values.settings.existingSecret }}"
+      key: redis-username
+  {{- else }}
   value: "{{ .Values.settings.redis.redisUsername }}"
+  {{- end }}
 - name: REDIS_PASSWORD
+  {{- if not (empty .Values.settings.existingSecret) }}
+  valueFrom:
+    secretKeyRef:
+      name: "{{ .Values.settings.existingSecret }}"
+      key: redis-password
+  {{- else }}
   value: "{{ .Values.settings.redis.redisPassword }}"
   {{- end }}
 {{- end }}

charts/bunkerweb/templates/controller-deployment.yaml

@@ -35,7 +35,13 @@ spec:
             - name: KUBERNETES_MODE
               value: "yes"
             - name: DATABASE_URI
+              {{- if not (empty .Values.settings.existingSecret) }}
+              secretKeyRef:
+                name: {{ .Values.settings.existingSecret }}
+                key: database-uri
+              {{- else }}
               value: "{{ include "bunkerweb.databaseUri" . }}"
+              {{- end }}
             - name: NAMESPACES
               value: "{{ .Values.settings.kubernetes.namespaces }}"
             - name: KUBERNETES_INGRESS_CLASS

charts/bunkerweb/templates/scheduler-deployment.yaml

@@ -35,7 +35,13 @@ spec:
             - name: KUBERNETES_MODE
               value: "yes"
             - name: DATABASE_URI
+              {{- if not (empty .Values.settings.existingSecret) }}
+              secretKeyRef:
+                name: {{ .Values.settings.existingSecret }}
+                key: database-uri
+              {{- else }}
               value: "{{ include "bunkerweb.databaseUri" . }}"
+              {{- end }}
             - name: SERVER_NAME
               value: ""
             - name: MULTISITE

charts/bunkerweb/templates/ui-deployment.yaml

@@ -32,15 +32,51 @@ spec:
           {{- end }}
           env:
             - name: DATABASE_URI
+              {{- if not (empty .Values.settings.existingSecret) }}
+              secretKeyRef:
+                name: {{ .Values.settings.existingSecret }}
+                key: database-uri
+              {{- else }}
               value: "{{ include "bunkerweb.databaseUri" . }}"
+              {{- end }}
             - name: ADMIN_USERNAME
+              {{- if not (empty .Values.settings.existingSecret) }}
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.settings.existingSecret }}"
+                  key: admin-username
+              {{- else }}
               value: "{{ .Values.settings.ui.adminUsername }}"
+              {{- end }}
             - name: ADMIN_PASSWORD
+              {{- if not (empty .Values.settings.existingSecret) }}
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.settings.existingSecret }}"
+                  key: admin-password
+              {{- else }}
               value: "{{ .Values.settings.ui.adminPassword }}"
-            - name: OVERRIDE_ADMIN_CREDS
-              value: "{{ .Values.settings.ui.overrideAdminCreds }}"
+              {{- end }}
             - name: TOTP_SECRETS
+              {{- if not (empty .Values.settings.existingSecret) }}
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.settings.existingSecret }}"
+                  key: totp-secrets
+              {{- else }}
               value: "{{ .Values.settings.ui.totpSecrets }}"
+              {{- end }}
+            - name: FLASK_SECRET
+              {{- if not (empty .Values.settings.existingSecret) }}
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.settings.existingSecret }}"
+                  key: flask-secret
+              {{- else }}
+              value: "{{ .Values.settings.ui.flaskSecret }}"
+              {{- end }}
+            - name: OVERRIDE_ADMIN_CREDS
+              value: "{{ .Values.settings.ui.overrideAdminCreds }}"
             {{- if .Values.ui.extraEnvs }}
               {{- toYaml .Values.ui.extraEnvs | nindent 12 }}
             {{- end }}

charts/bunkerweb/values.yaml

@@ -7,6 +7,17 @@ nodeSelector: {}
 
 # Settings related to BW in a k8s environment
 settings:
+  # Specify the name of an existing secret containing the values of certain sensitive parameters listed here with their corresponding keys :
+  # databaseUri : database-uri
+  # redisUsername : redis-username
+  # redisPassword : redis-password
+  # adminUsername : admin-username
+  # adminPassword : admin-password
+  # flaskSecret: flask-secret
+  # totpSecrets: totp-secrets
+  # mariadb.user : mariadb-username
+  # mariadb.password : mariadb-password
+  existingSecret: ""
   kubernetes:
     namespaces: ""
     ingressClass: ""
@@ -39,7 +50,7 @@ service:
 bunkerweb:
   repository: bunkerity/bunkerweb
   pullPolicy: Always
-  tag: 1.6.0-rc2
+  tag: 1.6.0-rc3
   podAnnotations: {}
   podLabels: {}
   securityContext:
@@ -71,7 +82,7 @@ bunkerweb:
 scheduler:
   repository: bunkerity/bunkerweb-scheduler
   pullPolicy: Always
-  tag: 1.6.0-rc2
+  tag: 1.6.0-rc3
   podAnnotations: {}
   podLabels: {}
   securityContext:
@@ -88,7 +99,7 @@ scheduler:
 controller:
   repository: bunkerity/bunkerweb-autoconf
   pullPolicy: Always
-  tag: 1.6.0-rc2
+  tag: 1.6.0-rc3
   podAnnotations: {}
   podLabels: {}
   securityContext:
@@ -105,7 +116,7 @@ ui:
   enabled: true
   repository: bunkerity/bunkerweb-ui
   pullPolicy: Always
-  tag: 1.6.0-rc2
+  tag: 1.6.0-rc3
   podAnnotations: {}
   podLabels: {}
   securityContext: