2 # Copyright © 2019 AT&T, Samsung Electronics
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 For internal use only!
20 Generates the metadata header of a Secret: its name, namespace, the standard app/chart/release/heritage labels and, when given, annotations.
22 The template takes three arguments:
23 - .global: environment (.)
24 - .name: name of the secret
25 - .annotations: optional annotations to add; they are rendered through common.tplValue and omitted entirely when empty
28 {{ include "common.secret._header" (dict "global" . "name" "myFancyName") }}
30 {{- define "common.secret._header" -}}
31 {{- $global := .global }}
37 namespace: {{ include "common.namespace" $global }}
39 app: {{ include "common.name" $global }}
40 chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}
41 release: {{ include "common.release" $global }}
42 heritage: {{ $global.Release.Service }}
43 {{- if .annotations }}
44 annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }}
50 For internal use only!
52 Picks the value to store under one secret key, based on the user-supplied value and the generation policy.
54 The template takes below arguments:
55 - .global: environment (.)
56 - .secretName: name of the secret where the value will be placed
57 - .secretEnv: map of values which configures this secret. This can contain below keys:
58 - value: Value of the secret key provided by the user. It is rendered with `tpl`, so any template syntax inside the string is evaluated against the chart context; do not feed strings from untrusted sources into it
59 - policy: What to do if value is missing or empty (defaults to generate). Possible options are:
60 - generate: Derive a value from the master password and this secret's name via common.createPassword; the derived value is therefore only as confidential as the master password (the derivation itself lives in common.createPassword)
61 - required: Fail the rendering (via `fail`) if no value has been provided
63 - name: Name of the key to which this value should be assigned
65 {{- define "common.secret._value" -}}
66 {{- $global := .global }}
67 {{- $name := .secretName }}
68 {{- $secretEnv := .secretEnv }}
69 {{- $value := tpl $secretEnv.value $global }}
70 {{- $policy := default "generate" $secretEnv.policy }}
74 {{- else if eq $policy "generate" }}
75 {{- include "common.createPassword" (dict "dot" $global "uid" $name) | quote }}
77 {{- fail (printf "Value for %s secret %s key not provided" $name $secretEnv.name) }}
82 For internal use only!
84 Picks the value to store under one secret key, based on the user-supplied value and the generation policy. This is the variant of common.secret._value for entries pre-rendered by common.secret.buildCache.
86 The template takes below arguments:
87 - .global: environment (.)
88 - .secretName: name of the secret where the value will be placed
89 - .secretEnv: map of values which configures this secret. This can contain below keys:
90 - value: Value of the secret key provided by the user. Unlike common.secret._value, this variant does not call `tpl` on it: the value is expected to have been rendered already by common.secret.buildCache
91 - policy: What to do if value is missing or empty (defaults to generate). Possible options are:
92 - generate: Derive a value from the master password and this secret's name via common.createPassword; the derived value is only as confidential as the master password
93 - required: Fail the rendering (via `fail`) if no value has been provided
95 - name: Name of the key to which this value should be assigned
97 {{- define "common.secret._valueFast" -}}
98 {{- $global := .global }}
99 {{- $name := .secretName }}
100 {{- $secretEnv := .secretEnv }}
101 {{- $value := $secretEnv.value }}
102 {{- $policy := default "generate" $secretEnv.policy }}
105 {{- $value | quote }}
106 {{- else if eq $policy "generate" }}
107 {{- include "common.createPassword" (dict "dot" $global "uid" $name) | quote }}
109 {{- fail (printf "Value for %s secret %s key not provided" $name $secretEnv.name) }}
115 Generates a secret name based on the provided name or UID.
116 If a UID is provided, the name is generated by appending this UID right after
117 the chart fullname. If a name is provided, it overrides the name generation algorithm
118 and is used as-is. Both name and uid strings may contain a template to be
121 The template takes below arguments:
122 - .global: environment (.)
123 - .uid: string that uniquely identifies this secret within a helm chart
124 - .name: string that can be used to override the default name generation algorithm
125 and provide a custom name for the secret
- .chartName: optional; when non-empty, the fullname prefix comes from common.fullnameExplicit with this chart name instead of common.fullname
127 {{- define "common.secret.genName" -}}
128 {{- $global := .global }}
129 {{- $uid := tpl (default "" .uid) $global }}
130 {{- $name := tpl (default "" .name) $global }}
131 {{- $fullname := ne (default "" .chartName) "" | ternary (include "common.fullnameExplicit" (dict "dot" $global "chartName" .chartName)) (include "common.fullname" $global) }}
132 {{- default (printf "%s-%s" $fullname $uid) $name }}
135 {{- define "common.secret.genNameFast" -}}
136 {{- $global := .global }}
137 {{- $uid := (default "" .uid) }}
138 {{- $name := (default "" .name) }}
139 {{- $fullname := ne (default "" .chartName) "" | ternary (include "common.fullnameExplicit" (dict "dot" $global "chartName" .chartName)) (include "common.fullname" $global) }}
140 {{- if eq "test-release" $global.Release.Name -}}
141 {{/* Special case for chart linting in helm3. DON'T NAME YOUR PRODUCTION RELEASE test-release: for that release name only, the uid is lower-cased, so generated secret names may differ from those of a normal deployment */}}
142 {{- $uid = lower $uid -}}
144 {{- default (printf "%s-%s" $fullname $uid) $name }}
148 Get the real secret name by UID or name, based on the configuration provided by the user.
149 The user may decide not to create a new secret but to reuse an existing one for this deployment
150 (aka externalSecret). In this case the real name of the secret to be used is different
151 from the one declared in the secret definition. This template retrieves the current real secret
152 name based on the declared name or UID, even if it has been overridden by the user using the
153 externalSecret option. Always use this template when you need to reference by name
154 a secret created using the common.secret template.
156 The template takes below arguments:
157 - .global: environment (.)
158 - .uid: string that uniquely identifies this secret within a helm chart
159 (can be omitted if name has been provided)
160 - .name: name which was used to declare a secret
161 (can be omitted if uid has been provided)
163 {{- define "common.secret.getSecretName" -}}
164 {{- $global := .global }}
165 {{- $name := tpl (default "" .name) $global }}
166 {{- $uid := tpl (default "" .uid) $global }}
167 {{- $targetName := default (include "common.secret.genName" (dict "global" $global "uid" $uid "name" .name)) $name}}
168 {{- range $secret := $global.Values.secrets }}
169 {{- $currUID := tpl (default "" $secret.uid) $global }}
170 {{- $givenName := tpl (default "" $secret.name) $global }}
171 {{- $currName := default (include "common.secret.genName" (dict "global" $global "uid" $currUID "name" $secret.name)) $givenName }}
172 {{- if or (eq $uid $currUID) (eq $currName $targetName) }}
173 {{- $externalSecret := tpl (default "" $secret.externalSecret) $global }}
174 {{- default $currName $externalSecret }}
179 {{- define "common.secret.getSecretNameFast" -}}
180 {{- $global := .global }}
181 {{- include "common.secret.buildCache" $global }}
182 {{- $secretsCache := $global.Values._secretsCache }}
183 {{- $uid := tpl .uid $global }}
184 {{- $secret := index $secretsCache $uid }}
185 {{- $secret.realName }}
188 {{- define "common.secret.buildCache" -}}
190 {{- if not $global.Values._secretsCache }}
191 {{- $secretCache := dict }}
192 {{- range $secret := .Values.secrets }}
193 {{- $entry := dict }}
194 {{- $uid := tpl (default "" $secret.uid) $global }}
195 {{- $keys := keys $secret }}
196 {{- range $key := (without $keys "annotations" "filePaths" )}}
197 {{- $_ := set $entry $key (tpl (index $secret $key) $global) }}
199 {{- if $secret.annotations }}
200 {{- $_ := set $entry "annotations" $secret.annotations }}
202 {{- if $secret.filePaths }}
203 {{- if kindIs "string" $secret.filePaths }}
204 {{- $evaluated := tpl (default "" $secret.filePaths) $global }}
205 {{- if and $evaluated (ne $evaluated "\"\"") }}
206 {{- $fstr := printf "val:\n%s" ($evaluated | indent 2) }}
207 {{- $flist := (index (tpl $fstr $global | fromYaml) "val") }}
208 {{- $_ := set $entry "filePaths" $flist }}
210 {{- $_ := set $entry "filePaths" (list) }}
213 {{- $_ := set $entry "filePaths" $secret.filePaths }}
216 {{- $realName := default (include "common.secret.genNameFast" (dict "global" $global "uid" $uid "name" $entry.name) ) $entry.externalSecret }}
217 {{- $_ := set $entry "realName" $realName }}
218 {{- $_ := set $secretCache $uid $entry }}
220 {{- $_ := set $global.Values "_secretsCache" $secretCache }}
225 Convenience template which can be used to easily set the value of environment variable
226 to the value of a key in a secret.
228 It takes care of secret name generation and of externalSecret aliasing by resolving the name through common.secret.getSecretName.
230 The template takes below arguments:
231 - .global: environment (.)
232 - .uid: string that uniquely identifies this secret within a helm chart
233 (can be omitted if name has been provided)
234 - .name: name which was used to declare a secret
235 (can be omitted if uid has been provided)
236 - .key: Key within this secret whose value should be assigned to this variable
240 - name: SECRET_PASSWORD
241 {{- include "common.secret.envFromSecret" (dict "global" . "uid" "secret" "key" "password") | indent 8}}
243 {{- define "common.secret.envFromSecret" -}}
247 name: {{ include "common.secret.getSecretName" . }}
251 {{- define "common.secret.envFromSecretFast" -}}
255 name: {{ include "common.secret.getSecretNameFast" . }}
260 Define secrets to be used by chart.
261 Every secret has a type which is one of:
263 Generic secret template that takes data from files of the chart, looked up with Files.Glob. Note that the matched file contents are rendered with `tpl` before being stored, so any template syntax inside those files is evaluated rather than copied verbatim.
264 File input can be passed as a list of glob patterns (filePaths) or as a single string
267 Type of secret which allows you to define a list of key value pairs.
268 The list is assigned to the envs value. Every item may define below items:
270 Identifier of this value within secret
272 String that defines a value associated with given key.
273 This can be a simple string or a template.
275 Defines what to do if value is not provided by the user.
276 Available options are:
278 Generate a value by deriving it from the master password
282 Type of secret that holds only the password.
283 Only two items can be defined for this type:
285 Equivalent of value field from genericKV
287 The same meaning as for genericKV policy field
289 Type of secret that holds both username and password.
290 Below fields are available:
292 The value for login key.
293 This can be a simple string or a template.
294 Providing a value for login is always required.
296 The value for password key.
297 This can be a simple string or a template.
299 The same meaning as the policy field in genericKV.
300 Only the policy for password can be set.
302 Every secret can be identified using:
304 A string to be appended to the chart fullname to generate a secret name.
306 Overrides default secret name generation and allows setting an immutable
307 and globally unique name
309 List of annotations to be used while defining a secret
311 To allow sharing a secret between components and to allow pre-deploying secrets
312 before the ONAP deployment, it is possible to use an already existing secret instead of
313 creating a new one. For this purpose the externalSecret field can be used. If the rendered value of
314 this field is a non-empty string, no new secret is created; the declared name is only
315 aliased to the external one. Nothing in this template checks that the external secret exists or holds the expected keys, so that remains the operator's responsibility.
319 {{ include "common.secret" . }}
324 mysqlExternalSecret: "some-other-secret-name"
328 externalSecret: '{{ tpl .Values.passExternalSecret . }}'
330 login: '{{ .Values.mysqlLogin }}'
331 mysqlPassword: '{{ .Values.mysqlPassword }}'
332 passwordPolicy: generate
334 In the above example no new secret is going to be created.
335 The already existing one (some-other-secret-name) is going to be used.
336 To force creating a new one, just make sure that mysqlExternalSecret
340 {{- define "common.secret" -}}
342 {{- range $secret := .Values.secrets }}
343 {{- $uid := tpl (default "" $secret.uid) $global }}
344 {{- $name := include "common.secret.genName" (dict "global" $global "uid" $uid "name" $secret.name) }}
345 {{- $annotations := default "" $secret.annotations }}
346 {{- $type := default "generic" $secret.type }}
347 {{- $externalSecret := tpl (default "" $secret.externalSecret) $global }}
348 {{- if not $externalSecret }}
350 {{ include "common.secret._header" (dict "global" $global "name" $name "annotations" $annotations) }}
352 {{- if eq $type "generic" }}
354 {{- range $curFilePath := $secret.filePaths }}
355 {{ tpl ($global.Files.Glob $curFilePath).AsSecrets $global | indent 2 }}
357 {{- if $secret.filePath }}
358 {{ tpl ($global.Files.Glob $secret.filePath).AsSecrets $global | indent 2 }}
360 {{- else if eq $type "genericKV" }}
362 {{- if $secret.envs }}
363 {{- range $secretEnv := $secret.envs }}
364 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
365 {{ $secretEnv.name }}: {{ include "common.secret._value" $valueDesc }}
368 {{- else if eq $type "password" }}
369 {{- $secretEnv := (dict "policy" (default "generate" $secret.policy) "name" "password" "value" $secret.password) }}
370 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
372 password: {{ include "common.secret._value" $valueDesc }}
373 {{- else if eq $type "basicAuth" }}
375 {{- $secretEnv := (dict "policy" "required" "name" "login" "value" $secret.login) }}
376 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
377 login: {{ include "common.secret._value" $valueDesc }}
378 {{- $secretEnv := (dict "policy" (default "generate" $secret.passwordPolicy) "name" "password" "value" $secret.password) }}
379 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
380 password: {{ include "common.secret._value" $valueDesc }}
387 Define secrets to be used by chart.
388 Every secret has a type which is one of:
390 Generic secret template that takes data from files of the chart, looked up with Files.Glob. Note that the matched file contents are rendered with `tpl` before being stored, so any template syntax inside those files is evaluated rather than copied verbatim.
391 File input can be passed as a list of glob patterns (filePaths) or as a single string
394 Type of secret which allows you to define a list of key value pairs.
395 The list is assigned to the envs value. Every item may define below items:
397 Identifier of this value within secret
399 String that defines a value associated with given key.
400 This can be a simple string or a template.
402 Defines what to do if value is not provided by the user.
403 Available options are:
405 Generate a value by deriving it from the master password
409 Type of secret that holds only the password.
410 Only two items can be defined for this type:
412 Equivalent of value field from genericKV
414 The same meaning as for genericKV policy field
416 Type of secret that holds both username and password.
417 Below fields are available:
419 The value for login key.
420 This can be a simple string or a template.
421 Providing a value for login is always required.
423 The value for password key.
424 This can be a simple string or a template.
426 The same meaning as the policy field in genericKV.
427 Only the policy for password can be set.
429 Every secret can be identified using:
431 A string to be appended to the chart fullname to generate a secret name.
433 Overrides default secret name generation and allows setting an immutable
434 and globally unique name
436 List of annotations to be used while defining a secret
438 To allow sharing a secret between components and to allow pre-deploying secrets
439 before the ONAP deployment, it is possible to use an already existing secret instead of
440 creating a new one. For this purpose the externalSecret field can be used. If the rendered value of
441 this field is a non-empty string, no new secret is created; the declared name is only
442 aliased to the external one. Nothing in this template checks that the external secret exists or holds the expected keys, so that remains the operator's responsibility.
446 {{ include "common.secretFast" . }}
451 mysqlExternalSecret: "some-other-secret-name"
455 externalSecret: '{{ tpl .Values.passExternalSecret . }}'
457 login: '{{ .Values.mysqlLogin }}'
458 mysqlPassword: '{{ .Values.mysqlPassword }}'
459 passwordPolicy: generate
461 In the above example no new secret is going to be created.
462 The already existing one (some-other-secret-name) is going to be used.
463 To force creating a new one, just make sure that mysqlExternalSecret
467 {{- define "common.secretFast" -}}
469 {{- include "common.secret.buildCache" $global }}
470 {{- range $secret := .Values._secretsCache }}
471 {{- $uid := $secret.uid }}
472 {{- $externalSecret := $secret.externalSecret }}
473 {{- if not $externalSecret }}
474 {{- $name := $secret.realName }}
475 {{- $annotations := default "" $secret.annotations }}
476 {{- $type := default "generic" $secret.type }}
478 {{ include "common.secret._header" (dict "global" $global "name" $name "annotations" $annotations) }}
480 {{- if eq $type "generic" }}
482 {{- range $curFilePath := $secret.filePaths }}
483 {{ tpl ($global.Files.Glob $curFilePath).AsSecrets $global | indent 2 }}
485 {{- if $secret.filePath }}
486 {{ tpl ($global.Files.Glob $secret.filePath).AsSecrets $global | indent 2 }}
488 {{- else if eq $type "genericKV" }}
490 {{- if $secret.envs }}
491 {{- range $secretEnv := $secret.envs }}
492 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
493 {{ $secretEnv.name }}: {{ include "common.secret._valueFast" $valueDesc }}
496 {{- else if eq $type "password" }}
497 {{- $secretEnv := (dict "policy" (default "generate" $secret.policy) "name" "password" "value" $secret.password) }}
498 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
500 password: {{ include "common.secret._valueFast" $valueDesc }}
501 {{- else if eq $type "basicAuth" }}
503 {{- $secretEnv := (dict "policy" "required" "name" "login" "value" $secret.login) }}
504 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
505 login: {{ include "common.secret._valueFast" $valueDesc }}
506 {{- $secretEnv := (dict "policy" (default "generate" $secret.passwordPolicy) "name" "password" "value" $secret.password) }}
507 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
508 password: {{ include "common.secret._valueFast" $valueDesc }}