2 # Copyright © 2019 AT&T, Samsung Electronics
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 For internal use only!
Generates the metadata part of a Secret manifest (namespace, the standard labels and optional annotations) for the given secret name.
22 The template takes two arguments:
23 - .global: environment (.)
24 - .name: name of the secret
25 - .annotations: annotations which should be used
28 {{ include "common.secret._header" (dict "global" . "name" "myFancyName") }}
{{- define "common.secret._header" -}}
{{- /* Emits namespace, standard labels and optional annotations for a Secret manifest. Everything except .name and .annotations is derived from the chart context passed in as .global. */}}
{{- $global := .global }}
namespace: {{ include "common.namespace" $global }}
app: {{ include "common.name" $global }}
{{- /* Chart version has "+" swapped for "_" (presumably because "+" is not an allowed label character). */}}
chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}
release: {{ include "common.release" $global }}
heritage: {{ $global.Release.Service }}
{{- /* .annotations may itself contain templates: common.tplValue renders them against the chart context before they are emitted. */}}
{{- if .annotations }}
annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }}
50 For internal use only!
52 Pick a value based on "user input" and generation policy.
54 The template takes below arguments:
55 - .global: environment (.)
56 - .secretName: name of the secret where the value will be placed
57 - .secretEnv: map of values which configures this secret. This can contain below keys:
58 - value: Value of secret key provided by user (can be a template inside a string)
- policy: What to do if value is missing or empty (defaults to generate when omitted). Possible options are:
60 - generate: Generate a new password deriving it from master password
61 - required: Fail the deployment if value has not been provided
63 - name: Name of the key to which this value should be assigned
{{- define "common.secret._value" -}}
{{- /* Resolves one secret entry to its quoted value: the user-supplied value wins, otherwise .policy decides (default "generate"). */}}
{{- $global := .global }}
{{- $name := .secretName }}
{{- $secretEnv := .secretEnv }}
{{- /* The user value is rendered with tpl, so any template action inside it is executed with the full chart context ($global). Values files must therefore be treated as trusted input. NOTE(review): a missing .value (nil) presumably makes tpl error rather than fall through to the policy — confirm callers always set it. */}}
{{- $value := tpl $secretEnv.value $global }}
{{- $policy := default "generate" $secretEnv.policy }}
{{- /* "generate" derives the password from the master password, keyed by the full secret name (uid = $name); per the doc block above this is a derivation, so the same master password and secret name presumably yield the same value on every render. */}}
{{- else if eq $policy "generate" }}
{{- include "common.createPassword" (dict "dot" $global "uid" $name) | quote }}
{{- /* Any other policy (including "required") aborts rendering; the message names the secret and key but deliberately does not echo the value. */}}
{{- fail (printf "Value for %s secret %s key not provided" $name $secretEnv.name) }}
82 For internal use only!
84 Pick a value based on "user input" and generation policy.
86 The template takes below arguments:
87 - .global: environment (.)
88 - .secretName: name of the secret where the value will be placed
89 - .secretEnv: map of values which configures this secret. This can contain below keys:
90 - value: Value of secret key provided by user (can be a template inside a string)
- policy: What to do if value is missing or empty (defaults to generate when omitted). Possible options are:
92 - generate: Generate a new password deriving it from master password
93 - required: Fail the deployment if value has not been provided
95 - name: Name of the key to which this value should be assigned
{{- define "common.secret._valueFast" -}}
{{- /* Fast variant of common.secret._value: same policy handling, but .value is used verbatim. It relies on common.secret.buildCache having already rendered the value with tpl; if called with raw values, any template inside them would be emitted literally instead of executed. */}}
{{- $global := .global }}
{{- $name := .secretName }}
{{- $secretEnv := .secretEnv }}
{{- $value := $secretEnv.value }}
{{- $policy := default "generate" $secretEnv.policy }}
{{- /* Non-empty user value: emitted quoted, no further processing. */}}
{{- $value | quote }}
{{- /* "generate": password derived from the master password keyed by the full secret name. */}}
{{- else if eq $policy "generate" }}
{{- include "common.createPassword" (dict "dot" $global "uid" $name) | quote }}
{{- /* Any other policy (including "required") aborts rendering; the message does not echo the value. */}}
{{- fail (printf "Value for %s secret %s key not provided" $name $secretEnv.name) }}
115 Generate a secret name based on provided name or UID.
116 If UID is provided then the name is generated by appending this UID right after
the chart name. If name is provided, it overrides the name generation algorithm
118 and is used right away. Both name and uid strings may contain a template to be
121 The template takes below arguments:
122 - .global: environment (.)
123 - .uid: string that uniquely identifies this secret within a helm chart
124 - .name: string that can be used to override default name generation algorithm
125 and provide a custom name for the secret
{{- define "common.secret.genName" -}}
{{- /* Builds the Secret name: "<fullname>-<uid>", unless .name is given, in which case .name is used verbatim. Both .uid and .name are rendered with tpl against the chart context. */}}
{{- $global := .global }}
{{- $uid := tpl (default "" .uid) $global }}
{{- $name := tpl (default "" .name) $global }}
{{- /* .chartName, when set, switches to the explicit fullname variant. */}}
{{- $fullname := ne (default "" .chartName) "" | ternary (include "common.fullnameExplicit" (dict "dot" $global "chartName" .chartName)) (include "common.fullname" $global) }}
{{- /* No validation of the result: an override name is trusted as-is, and with neither uid nor name the generated value ends in a dangling "-". */}}
{{- default (printf "%s-%s" $fullname $uid) $name }}
{{- define "common.secret.genNameFast" -}}
{{- /* Same as common.secret.genName but without tpl on .uid/.name; intended for inputs that common.secret.buildCache has already rendered. */}}
{{- $global := .global }}
{{- $uid := (default "" .uid) }}
{{- $name := (default "" .name) }}
{{- $fullname := ne (default "" .chartName) "" | ternary (include "common.fullnameExplicit" (dict "dot" $global "chartName" .chartName)) (include "common.fullname" $global) }}
{{- /* .name overrides generation verbatim; otherwise "<fullname>-<uid>" (dangling "-" when uid is empty). */}}
{{- default (printf "%s-%s" $fullname $uid) $name }}
144 Get the real secret name by UID or name, based on the configuration provided by user.
145 User may decide to not create a new secret but reuse existing one for this deployment
146 (aka externalSecret). In this case the real name of secret to be used is different
than the one declared in the secret definition. This template retrieves the real name of the current secret
based on its declared name or UID, even if it has been overridden by the user using the
149 externalSecret option. You should use this template always when you need to reference
150 a secret created using common.secret template by name.
152 The template takes below arguments:
153 - .global: environment (.)
154 - .uid: string that uniquely identifies this secret within a helm chart
155 (can be omitted if name has been provided)
156 - .name: name which was used to declare a secret
157 (can be omitted if uid has been provided)
{{- define "common.secret.getSecretName" -}}
{{- /* Resolves the Secret name a workload should reference: the declared secret's generated name, or the externalSecret it has been redirected to. Lookup is by .uid or by .name. */}}
{{- $global := .global }}
{{- $name := tpl (default "" .name) $global }}
{{- $uid := tpl (default "" .uid) $global }}
{{- $targetName := default (include "common.secret.genName" (dict "global" $global "uid" $uid "name" .name)) $name}}
{{- range $secret := $global.Values.secrets }}
{{- $currUID := tpl (default "" $secret.uid) $global }}
{{- $givenName := tpl (default "" $secret.name) $global }}
{{- $currName := default (include "common.secret.genName" (dict "global" $global "uid" $currUID "name" $secret.name)) $givenName }}
{{- /* NOTE(review): when the lookup omits .uid ($uid is "") and a declared secret also has no uid, `eq $uid $currUID` is `eq "" ""` and matches that secret regardless of name, so a lookup by name can resolve to the wrong secret. Guarding the uid branch with (and (ne $uid "") (eq $uid $currUID)) would avoid it. There is also no early exit: every matching entry is emitted, so duplicate matches would concatenate. */}}
{{- if or (eq $uid $currUID) (eq $currName $targetName) }}
{{- /* A non-empty externalSecret redirects the reference to a pre-existing Secret named in values; whoever controls these values controls which Secret the workload reads. */}}
{{- $externalSecret := tpl (default "" $secret.externalSecret) $global }}
{{- default $currName $externalSecret }}
{{- define "common.secret.getSecretNameFast" -}}
{{- /* Fast variant: lookup by uid only, through the memoized cache built by common.secret.buildCache (externalSecret is already folded into realName there). */}}
{{- $global := .global }}
{{- include "common.secret.buildCache" $global }}
{{- $secretsCache := $global.Values._secretsCache }}
{{- /* .uid is mandatory here (no default before tpl) and must exist in the cache: index on an unknown uid yields nil and the .realName access below then presumably errors without a descriptive message — TODO confirm. */}}
{{- $uid := tpl .uid $global }}
{{- $secret := index $secretsCache $uid }}
{{- $secret.realName }}
{{- define "common.secret.buildCache" -}}
{{- /* Renders every entry of .Values.secrets once and memoizes the result in .Values._secretsCache, so the *Fast templates need no per-call tpl. Builds only when the cache is absent. */}}
{{- if not $global.Values._secretsCache }}
{{- $secretCache := dict }}
{{- range $secret := .Values.secrets }}
{{- $entry := dict }}
{{- $uid := tpl (default "" $secret.uid) $global }}
{{- $keys := keys $secret }}
{{- /* Every key except annotations/filePaths is passed through tpl and must therefore be a string; a nested structure under another key would presumably make tpl fail. */}}
{{- range $key := (without $keys "annotations" "filePaths" )}}
{{- $_ := set $entry $key (tpl (index $secret $key) $global) }}
{{- if $secret.annotations }}
{{- $_ := set $entry "annotations" $secret.annotations }}
{{- if $secret.filePaths }}
{{- $_ := set $entry "filePaths" $secret.filePaths }}
{{- /* realName already accounts for externalSecret, so consumers need no further redirection. */}}
{{- $realName := default (include "common.secret.genNameFast" (dict "global" $global "uid" $uid "name" $entry.name) ) $entry.externalSecret }}
{{- $_ := set $entry "realName" $realName }}
{{- /* Cache key is the rendered uid: entries without a uid all map to "" and overwrite each other. */}}
{{- $_ := set $secretCache $uid $entry }}
{{- /* Security note: the cache lives inside .Values, so the rendered secret values (passwords, logins) are reachable from any template that dumps .Values (e.g. toYaml .Values into a ConfigMap). */}}
{{- $_ := set $global.Values "_secretsCache" $secretCache }}
210 Convenience template which can be used to easily set the value of environment variable
211 to the value of a key in a secret.
213 It takes care of all name mangling, usage of external secrets etc.
215 The template takes below arguments:
216 - .global: environment (.)
217 - .uid: string that uniquely identifies this secret within a helm chart
218 (can be omitted if name has been provided)
219 - .name: name which was used to declare a secret
220 (can be omitted if uid has been provided)
221 - .key: Key within this secret which value should be assigned to this variable
225 - name: SECRET_PASSWORD
226 {{- include "common.secret.envFromSecret" (dict "global" . "uid" "secret" "key" "password") | indent 8}}
{{- define "common.secret.envFromSecret" -}}
{{- /* Secret reference for an env var; the name is resolved through common.secret.getSecretName so externalSecret redirection is honoured. */}}
name: {{ include "common.secret.getSecretName" . }}
{{- define "common.secret.envFromSecretFast" -}}
{{- /* Fast variant: name resolved by uid through the memoized cache (common.secret.getSecretNameFast). */}}
name: {{ include "common.secret.getSecretNameFast" . }}
245 Define secrets to be used by chart.
246 Every secret has a type which is one of:
248 Generic secret template that allows to input some raw data (from files).
249 File Input can be passed as list of files (filePaths) or as a single string
252 Type of secret which allows you to define a list of key value pairs.
The list is assigned to the envs value. Every item may define the items below:
255 Identifier of this value within secret
257 String that defines a value associated with given key.
258 This can be a simple string or a template.
260 Defines what to do if value is not provided by the user.
261 Available options are:
Generate a value by deriving it from the master password
267 Type of secret that holds only the password.
268 Only two items can be defined for this type:
270 Equivalent of value field from genericKV
272 The same meaning as for genericKV policy field
274 Type of secret that holds both username and password.
275 Below fields are available:
277 The value for login key.
278 This can be a simple string or a template.
279 Providing a value for login is always required.
281 The value for password key.
282 This can be a simple string or a template.
284 The same meaning as the policy field in genericKV.
285 Only the policy for password can be set.
287 Every secret can be identified using:
289 A string to be appended to the chart fullname to generate a secret name.
291 Overrides default secret name generation and allows to set immutable
and globally unique name
294 List of annotations to be used while defining a secret
296 To allow sharing a secret between the components and allow to pre-deploy secrets
297 before ONAP deployment it is possible to use already existing secret instead of
creating a new one. For this purpose the externalSecret field can be used. If this field
(after template rendering) evaluates to a non-empty string, no new secret is created; only the
name of the secret is aliased to the external one.
304 {{ include "common.secret" . }}
309 mysqlExternalSecret: "some-other-secret-name"
313 externalSecret: '{{ tpl .Values.passExternalSecret . }}'
315 login: '{{ .Values.mysqlLogin }}'
316 mysqlPassword: '{{ .Values.mysqlPassword }}'
317 passwordPolicy: generate
In the above example a new secret is not going to be created.
320 Already existing one (some-other-secret-name) is going to be used.
321 To force creating a new one, just make sure that mysqlExternalSecret
{{- define "common.secret" -}}
{{- /* Renders one Secret manifest per entry of .Values.secrets that is not redirected to an externalSecret. Every value is rendered with tpl against the full chart context, so values files are trusted input. */}}
{{- range $secret := .Values.secrets }}
{{- $uid := tpl (default "" $secret.uid) $global }}
{{- $name := include "common.secret.genName" (dict "global" $global "uid" $uid "name" $secret.name) }}
{{- $annotations := default "" $secret.annotations }}
{{- $type := default "generic" $secret.type }}
{{- /* A non-empty externalSecret (after tpl) suppresses creation entirely; consumers resolve the real name via common.secret.getSecretName. */}}
{{- $externalSecret := tpl (default "" $secret.externalSecret) $global }}
{{- if not $externalSecret }}
{{ include "common.secret._header" (dict "global" $global "name" $name "annotations" $annotations) }}
{{- /* generic: contents of files matched by glob(s) taken from values (filePaths list and/or single filePath), emitted via Files.Glob/AsSecrets; the tpl afterwards runs on that output. */}}
{{- if eq $type "generic" }}
{{- range $curFilePath := $secret.filePaths }}
{{ tpl ($global.Files.Glob $curFilePath).AsSecrets $global | indent 2 }}
{{- if $secret.filePath }}
{{ tpl ($global.Files.Glob $secret.filePath).AsSecrets $global | indent 2 }}
{{- /* genericKV: each env name is emitted verbatim as the YAML key, value via common.secret._value (user value, else policy). */}}
{{- else if eq $type "genericKV" }}
{{- if $secret.envs }}
{{- range $secretEnv := $secret.envs }}
{{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
{{ $secretEnv.name }}: {{ include "common.secret._value" $valueDesc }}
{{- /* password: single "password" key; policy defaults to "generate". */}}
{{- else if eq $type "password" }}
{{- $secretEnv := (dict "policy" (default "generate" $secret.policy) "name" "password" "value" $secret.password) }}
{{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
password: {{ include "common.secret._value" $valueDesc }}
{{- /* basicAuth: login is always "required" (never generated); only passwordPolicy is configurable, defaulting to "generate". */}}
{{- else if eq $type "basicAuth" }}
{{- $secretEnv := (dict "policy" "required" "name" "login" "value" $secret.login) }}
{{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
login: {{ include "common.secret._value" $valueDesc }}
{{- $secretEnv := (dict "policy" (default "generate" $secret.passwordPolicy) "name" "password" "value" $secret.password) }}
{{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
password: {{ include "common.secret._value" $valueDesc }}
372 Define secrets to be used by chart.
373 Every secret has a type which is one of:
375 Generic secret template that allows to input some raw data (from files).
376 File Input can be passed as list of files (filePaths) or as a single string
379 Type of secret which allows you to define a list of key value pairs.
The list is assigned to the envs value. Every item may define the items below:
382 Identifier of this value within secret
384 String that defines a value associated with given key.
385 This can be a simple string or a template.
387 Defines what to do if value is not provided by the user.
388 Available options are:
Generate a value by deriving it from the master password
394 Type of secret that holds only the password.
395 Only two items can be defined for this type:
397 Equivalent of value field from genericKV
399 The same meaning as for genericKV policy field
401 Type of secret that holds both username and password.
402 Below fields are available:
404 The value for login key.
405 This can be a simple string or a template.
406 Providing a value for login is always required.
408 The value for password key.
409 This can be a simple string or a template.
411 The same meaning as the policy field in genericKV.
412 Only the policy for password can be set.
414 Every secret can be identified using:
416 A string to be appended to the chart fullname to generate a secret name.
418 Overrides default secret name generation and allows to set immutable
and globally unique name
421 List of annotations to be used while defining a secret
423 To allow sharing a secret between the components and allow to pre-deploy secrets
424 before ONAP deployment it is possible to use already existing secret instead of
creating a new one. For this purpose the externalSecret field can be used. If this field
(after template rendering) evaluates to a non-empty string, no new secret is created; only the
name of the secret is aliased to the external one.
431 {{ include "common.secretFast" . }}
436 mysqlExternalSecret: "some-other-secret-name"
440 externalSecret: '{{ tpl .Values.passExternalSecret . }}'
442 login: '{{ .Values.mysqlLogin }}'
443 mysqlPassword: '{{ .Values.mysqlPassword }}'
444 passwordPolicy: generate
In the above example a new secret is not going to be created.
447 Already existing one (some-other-secret-name) is going to be used.
448 To force creating a new one, just make sure that mysqlExternalSecret
{{- define "common.secretFast" -}}
{{- /* Fast variant of common.secret: iterates the memoized cache (values already rendered by common.secret.buildCache) instead of re-running tpl per entry. The cache is keyed by uid, so secrets without a uid collapse onto one entry. */}}
{{- include "common.secret.buildCache" $global }}
{{- range $secret := .Values._secretsCache }}
{{- $uid := $secret.uid }}
{{- /* Already rendered by buildCache; any non-empty value suppresses creation. */}}
{{- $externalSecret := $secret.externalSecret }}
{{- if not $externalSecret }}
{{- $name := $secret.realName }}
{{- $annotations := default "" $secret.annotations }}
{{- $type := default "generic" $secret.type }}
{{ include "common.secret._header" (dict "global" $global "name" $name "annotations" $annotations) }}
{{- /* generic: file contents matched by glob(s) from values, emitted via Files.Glob/AsSecrets. */}}
{{- if eq $type "generic" }}
{{- range $curFilePath := $secret.filePaths }}
{{ tpl ($global.Files.Glob $curFilePath).AsSecrets $global | indent 2 }}
{{- if $secret.filePath }}
{{ tpl ($global.Files.Glob $secret.filePath).AsSecrets $global | indent 2 }}
{{- /* genericKV: env name emitted verbatim as the YAML key; value via common.secret._valueFast (no tpl). */}}
{{- else if eq $type "genericKV" }}
{{- if $secret.envs }}
{{- range $secretEnv := $secret.envs }}
{{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
{{ $secretEnv.name }}: {{ include "common.secret._valueFast" $valueDesc }}
{{- /* password: single "password" key; policy defaults to "generate". */}}
{{- else if eq $type "password" }}
{{- $secretEnv := (dict "policy" (default "generate" $secret.policy) "name" "password" "value" $secret.password) }}
{{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
password: {{ include "common.secret._valueFast" $valueDesc }}
{{- /* basicAuth: login is always "required"; only passwordPolicy is configurable, defaulting to "generate". */}}
{{- else if eq $type "basicAuth" }}
{{- $secretEnv := (dict "policy" "required" "name" "login" "value" $secret.login) }}
{{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
login: {{ include "common.secret._valueFast" $valueDesc }}
{{- $secretEnv := (dict "policy" (default "generate" $secret.passwordPolicy) "name" "password" "value" $secret.password) }}
{{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
password: {{ include "common.secret._valueFast" $valueDesc }}