Generate random RPC secret if not provided
This commit is contained in:
parent
37a73d7d37
commit
b71fa2ddf4
5 changed files with 64 additions and 3 deletions
|
@ -23,6 +23,13 @@ If release name contains chart name it will be used as a full name.
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the rpc secret
|
||||
*/}}
|
||||
{{- define "garage.rpcSecretName" -}}
|
||||
{{- printf "%s-rpc-secret" (include "garage.fullname" .) -}}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
|
@ -60,3 +67,22 @@ Create the name of the service account to use
|
|||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Returns given number of random Hex characters.
|
||||
In practice, it generates up to 100 randAlphaNum strings
|
||||
that are filtered from non-hex characters and augmented
|
||||
to the resulting string that is finally trimmed down.
|
||||
*/}}
|
||||
{{- define "jupyterhub.randHex" -}}
|
||||
{{- $result := "" }}
|
||||
{{- range $i := until 100 }}
|
||||
{{- if lt (len $result) . }}
|
||||
{{- $rand_list := randAlphaNum . | splitList "" -}}
|
||||
{{- $reduced_list := without $rand_list "g" "h" "i" "j" "k" "l" "m" "n" "o" "p" "q" "r" "s" "t" "u" "v" "w" "x" "y" "z" "A" "B" "C" "D" "E" "F" "G" "H" "I" "J" "K" "L" "M" "N" "O" "P" "Q" "R" "S" "T" "U" "V" "W" "X" "Y" "Z" }}
|
||||
{{- $rand_string := join "" $reduced_list }}
|
||||
{{- $result = print $result $rand_string -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $result | trunc . }}
|
||||
{{- end }}
|
||||
|
|
|
@ -10,7 +10,8 @@ data:
|
|||
replication_mode = "{{ .Values.garage.replicationMode }}"
|
||||
|
||||
rpc_bind_addr = "{{ .Values.garage.rpcBindAddr }}"
|
||||
rpc_secret = "{{ .Values.garage.rpcSecret }}"
|
||||
# rpc_secret will be populated by the init container from a k8s secret object
|
||||
rpc_secret = "__RPC_SECRET_REPLACE__"
|
||||
|
||||
bootstrap_peers = {{ .Values.garage.bootstrapPeers }}
|
||||
|
||||
|
|
14
script/helm/garage/templates/secret.yaml
Normal file
14
script/helm/garage/templates/secret.yaml
Normal file
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ include "garage.rpcSecretName" . }}
|
||||
labels:
|
||||
{{- include "garage.labels" . | nindent 4 }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{/* retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result */}}
|
||||
{{- $prevSecret := (lookup "v1" "Secret" .Release.Namespace (include "garage.rpcSecretName" .)) | default dict }}
|
||||
{{- $prevSecretData := $prevSecret.data | default dict }}
|
||||
{{- $prevRpcSecret := $prevSecretData.rpcSecret | default "" | b64dec }}
|
||||
{{/* Priority is: 1. from values, 2. previous value, 3. generate random */}}
|
||||
rpcSecret: {{ .Values.garage.rpcSecret | default $prevRpcSecret | default (include "jupyterhub.randHex" 64) | b64enc | quote }}
|
|
@ -26,6 +26,23 @@ spec:
|
|||
serviceAccountName: {{ include "garage.serviceAccountName" . }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||
initContainers:
|
||||
# Copies garage.toml from configmap to temporary etc volume and replaces RPC secret placeholder
|
||||
- name: {{ .Chart.Name }}-init
|
||||
image: busybox:1.28
|
||||
command: ["sh", "-c", "sed \"s/__RPC_SECRET_REPLACE__/$RPC_SECRET/\" /mnt/garage.toml > /mnt/etc/garage.toml"]
|
||||
env:
|
||||
- name: RPC_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "garage.rpcSecretName" . }}
|
||||
key: rpcSecret
|
||||
volumeMounts:
|
||||
- name: configmap
|
||||
mountPath: /mnt/garage.toml
|
||||
subPath: garage.toml
|
||||
- name: etc
|
||||
mountPath: /mnt/etc
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
securityContext:
|
||||
|
@ -57,9 +74,11 @@ spec:
|
|||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumes:
|
||||
- name: etc
|
||||
- name: configmap
|
||||
configMap:
|
||||
name: {{ include "garage.fullname" . }}-config
|
||||
- name: etc
|
||||
emptyDir: {}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
|
|
|
@ -8,7 +8,8 @@ garage:
|
|||
dataDir: "/mnt/data"
|
||||
replicationMode: "3"
|
||||
rpcBindAddr: "[::]:3901"
|
||||
rpcSecret: "1799bccfd7411eddcf9ebd316bc1f5287ad12a68094e1c6ac6abde7e6feae1ec"
|
||||
# If not given, a random secret will be generated
|
||||
rpcSecret: ""
|
||||
bootstrapPeers: []
|
||||
kubernetesSkipCrd: false
|
||||
s3:
|
||||
|
|
Loading…
Reference in a new issue