2 # Copyright © 2019 AT&T, Samsung Electronics
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 For internal use only!
20 Generates a secret header with given name and desired labels.
22 The template takes two arguments:
23 - .global: environment (.)
24 - .name: name of the secret
25 - .annotations: annotations which should be used
28 {{ include "common.secret._header" (dict "global" . "name" "myFancyName") }}
30 {{- define "common.secret._header" -}}
31 {{- $global := .global }}
37 namespace: {{ include "common.namespace" $global }}
39 app: {{ include "common.name" $global }}
40 chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}
41 release: {{ include "common.release" $global }}
42 heritage: {{ $global.Release.Service }}
43 {{- if .annotations }}
44 annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }}
50 For internal use only!
52 Pick a value based on "user input" and generation policy.
54 The template takes below arguments:
55 - .global: environment (.)
56 - .secretName: name of the secret where the value will be placed
57 - .secretEnv: map of values which configures this secret. This can contain below keys:
58 - value: Value of secret key provided by user (can be a template inside a string)
59 - policy: What to do if value is missing or empty. Possible options are:
60 - generate: Generate a new password deriving it from master password
61 - required: Fail the deployment if value has not been provided
63 - name: Name of the key to which this value should be assigned
65 {{- define "common.secret._value" -}}
66 {{- $global := .global }}
67 {{- $name := .secretName }}
68 {{- $secretEnv := .secretEnv }}
69 {{- $value := tpl $secretEnv.value $global }}
70 {{- $policy := default "generate" $secretEnv.policy }}
74 {{- else if eq $policy "generate" }}
75 {{- include "common.createPassword" (dict "dot" $global "uid" $name) | quote }}
77 {{- fail (printf "Value for %s secret %s key not provided" $name $secretEnv.name) }}
82 For internal use only!
84 Pick a value based on "user input" and generation policy.
86 The template takes below arguments:
87 - .global: environment (.)
88 - .secretName: name of the secret where the value will be placed
89 - .secretEnv: map of values which configures this secret. This can contain below keys:
90 - value: Value of secret key provided by user (can be a template inside a string)
91 - policy: What to do if value is missing or empty. Possible options are:
92 - generate: Generate a new password deriving it from master password
93 - required: Fail the deployment if value has not been provided
95 - name: Name of the key to which this value should be assigned
97 {{- define "common.secret._valueFast" -}}
98 {{- $global := .global }}
99 {{- $name := .secretName }}
100 {{- $secretEnv := .secretEnv }}
101 {{- $value := $secretEnv.value }}
102 {{- $policy := default "generate" $secretEnv.policy }}
105 {{- $value | quote }}
106 {{- else if eq $policy "generate" }}
107 {{- include "common.createPassword" (dict "dot" $global "uid" $name) | quote }}
109 {{- fail (printf "Value for %s secret %s key not provided" $name $secretEnv.name) }}
115 Generate a secret name based on provided name or UID.
116 If UID is provided then the name is generated by appending this UID right after
117 the chart name. If name is provided, it overrides the name generation algorith
118 and is used right away. Both name and uid strings may contain a template to be
121 The template takes below arguments:
122 - .global: environment (.)
123 - .uid: string that uniquely identifies this secret within a helm chart
124 - .name: string that can be used to override default name generation algorithm
125 and provide a custom name for the secret
127 {{- define "common.secret.genName" -}}
128 {{- $global := .global }}
129 {{- $uid := tpl (default "" .uid) $global }}
130 {{- $name := tpl (default "" .name) $global }}
131 {{- $fullname := ne (default "" .chartName) "" | ternary (include "common.fullnameExplicit" (dict "dot" $global "chartName" .chartName)) (include "common.fullname" $global) }}
132 {{- default (printf "%s-%s" $fullname $uid) $name }}
135 {{- define "common.secret.genNameFast" -}}
136 {{- $global := .global }}
137 {{- $uid := (default "" .uid) }}
138 {{- $name := (default "" .name) }}
139 {{- $fullname := ne (default "" .chartName) "" | ternary (include "common.fullnameExplicit" (dict "dot" $global "chartName" .chartName)) (include "common.fullname" $global) }}
140 {{- default (printf "%s-%s" $fullname $uid) $name }}
144 Get the real secret name by UID or name, based on the configuration provided by user.
145 User may decide to not create a new secret but reuse existing one for this deployment
146 (aka externalSecret). In this case the real name of secret to be used is different
147 than the one declared in secret definition. This easily retrieve current secret real
148 name based on declared name or UID even if it has been overrided by the user using
149 externalSecret option. You should use this template always when you need to reference
150 a secret created using common.secret template by name.
152 The template takes below arguments:
153 - .global: environment (.)
154 - .uid: string that uniquely identifies this secret within a helm chart
155 (can be omitted if name has been provided)
156 - .name: name which was used to declare a secret
157 (can be omitted if uid has been provided)
159 {{- define "common.secret.getSecretName" -}}
160 {{- $global := .global }}
161 {{- $name := tpl (default "" .name) $global }}
162 {{- $uid := tpl (default "" .uid) $global }}
163 {{- $targetName := default (include "common.secret.genName" (dict "global" $global "uid" $uid "name" .name)) $name}}
164 {{- range $secret := $global.Values.secrets }}
165 {{- $currUID := tpl (default "" $secret.uid) $global }}
166 {{- $givenName := tpl (default "" $secret.name) $global }}
167 {{- $currName := default (include "common.secret.genName" (dict "global" $global "uid" $currUID "name" $secret.name)) $givenName }}
168 {{- if or (eq $uid $currUID) (eq $currName $targetName) }}
169 {{- $externalSecret := tpl (default "" $secret.externalSecret) $global }}
170 {{- default $currName $externalSecret }}
175 {{- define "common.secret.getSecretNameFast" -}}
176 {{- $global := .global }}
177 {{- include "common.secret.buildCache" $global }}
178 {{- $secretsCache := $global.Values._secretsCache }}
179 {{- $uid := tpl .uid $global }}
180 {{- $secret := index $secretsCache $uid }}
181 {{- $secret.realName }}
184 {{- define "common.secret.buildCache" -}}
186 {{- if not $global.Values._secretsCache }}
187 {{- $secretCache := dict }}
188 {{- range $secret := .Values.secrets }}
189 {{- $entry := dict }}
190 {{- $uid := tpl (default "" $secret.uid) $global }}
191 {{- $keys := keys $secret }}
192 {{- range $key := (without $keys "annotations" "filePaths" )}}
193 {{- $_ := set $entry $key (tpl (index $secret $key) $global) }}
195 {{- if $secret.annotations }}
196 {{- $_ := set $entry "annotations" $secret.annotations }}
198 {{- if $secret.filePaths }}
199 {{- if kindIs "string" $secret.filePaths }}
200 {{- $evaluated := tpl (default "" $secret.filePaths) $global }}
201 {{- if and $evaluated (ne $evaluated "\"\"") }}
202 {{- $fstr := printf "val:\n%s" ($evaluated | indent 2) }}
203 {{- $flist := (index (tpl $fstr $global | fromYaml) "val") }}
204 {{- $_ := set $entry "filePaths" $flist }}
206 {{- $_ := set $entry "filePaths" (list) }}
209 {{- $_ := set $entry "filePaths" $secret.filePaths }}
212 {{- $realName := default (include "common.secret.genNameFast" (dict "global" $global "uid" $uid "name" $entry.name) ) $entry.externalSecret }}
213 {{- $_ := set $entry "realName" $realName }}
214 {{- $_ := set $secretCache $uid $entry }}
216 {{- $_ := set $global.Values "_secretsCache" $secretCache }}
221 Convenience template which can be used to easily set the value of environment variable
222 to the value of a key in a secret.
224 It takes care of all name mangling, usage of external secrets etc.
226 The template takes below arguments:
227 - .global: environment (.)
228 - .uid: string that uniquely identifies this secret within a helm chart
229 (can be omitted if name has been provided)
230 - .name: name which was used to declare a secret
231 (can be omitted if uid has been provided)
232 - .key: Key within this secret which value should be assigned to this variable
236 - name: SECRET_PASSWORD
237 {{- include "common.secret.envFromSecret" (dict "global" . "uid" "secret" "key" "password") | indent 8}}
239 {{- define "common.secret.envFromSecret" -}}
243 name: {{ include "common.secret.getSecretName" . }}
247 {{- define "common.secret.envFromSecretFast" -}}
251 name: {{ include "common.secret.getSecretNameFast" . }}
256 Define secrets to be used by chart.
257 Every secret has a type which is one of:
259 Generic secret template that allows to input some raw data (from files).
260 File Input can be passed as list of files (filePaths) or as a single string
263 Type of secret which allows you to define a list of key value pairs.
264 The list is assiged to envs value. Every item may define below items:
266 Identifier of this value within secret
268 String that defines a value associated with given key.
269 This can be a simple string or a template.
271 Defines what to do if value is not provided by the user.
272 Available options are:
274 Generate a value by derriving it from master password
278 Type of secret that holds only the password.
279 Only two items can be defined for this type:
281 Equivalent of value field from genericKV
283 The same meaning as for genericKV policy field
285 Type of secret that holds both username and password.
286 Below fields are available:
288 The value for login key.
289 This can be a simple string or a template.
290 Providing a value for login is always required.
292 The value for password key.
293 This can be a simple string or a template.
295 The same meaning as the policy field in genericKV.
296 Only the policy for password can be set.
298 Every secret can be identified using:
300 A string to be appended to the chart fullname to generate a secret name.
302 Overrides default secret name generation and allows to set immutable
303 and globaly unique name
305 List of annotations to be used while defining a secret
307 To allow sharing a secret between the components and allow to pre-deploy secrets
308 before ONAP deployment it is possible to use already existing secret instead of
309 creating a new one. For this purpose externalSecret field can be used. If value of
310 this field is evaluated to true no new secret is created, only the name of the
311 secret is aliased to the external one.
315 {{ include "common.secret" . }}
320 mysqlExternalSecret: "some-other-secret-name"
324 externalSecret: '{{ tpl .Values.passExternalSecret . }}'
326 login: '{{ .Values.mysqlLogin }}'
327 mysqlPassword: '{{ .Values.mysqlPassword }}'
328 passwordPolicy: generate
330 In the above example new secret is not going to be created.
331 Already existing one (some-other-secret-name) is going to be used.
332 To force creating a new one, just make sure that mysqlExternalSecret
336 {{- define "common.secret" -}}
338 {{- range $secret := .Values.secrets }}
339 {{- $uid := tpl (default "" $secret.uid) $global }}
340 {{- $name := include "common.secret.genName" (dict "global" $global "uid" $uid "name" $secret.name) }}
341 {{- $annotations := default "" $secret.annotations }}
342 {{- $type := default "generic" $secret.type }}
343 {{- $externalSecret := tpl (default "" $secret.externalSecret) $global }}
344 {{- if not $externalSecret }}
346 {{ include "common.secret._header" (dict "global" $global "name" $name "annotations" $annotations) }}
348 {{- if eq $type "generic" }}
350 {{- range $curFilePath := $secret.filePaths }}
351 {{ tpl ($global.Files.Glob $curFilePath).AsSecrets $global | indent 2 }}
353 {{- if $secret.filePath }}
354 {{ tpl ($global.Files.Glob $secret.filePath).AsSecrets $global | indent 2 }}
356 {{- else if eq $type "genericKV" }}
358 {{- if $secret.envs }}
359 {{- range $secretEnv := $secret.envs }}
360 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
361 {{ $secretEnv.name }}: {{ include "common.secret._value" $valueDesc }}
364 {{- else if eq $type "password" }}
365 {{- $secretEnv := (dict "policy" (default "generate" $secret.policy) "name" "password" "value" $secret.password) }}
366 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
368 password: {{ include "common.secret._value" $valueDesc }}
369 {{- else if eq $type "basicAuth" }}
371 {{- $secretEnv := (dict "policy" "required" "name" "login" "value" $secret.login) }}
372 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
373 login: {{ include "common.secret._value" $valueDesc }}
374 {{- $secretEnv := (dict "policy" (default "generate" $secret.passwordPolicy) "name" "password" "value" $secret.password) }}
375 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
376 password: {{ include "common.secret._value" $valueDesc }}
383 Define secrets to be used by chart.
384 Every secret has a type which is one of:
386 Generic secret template that allows to input some raw data (from files).
387 File Input can be passed as list of files (filePaths) or as a single string
390 Type of secret which allows you to define a list of key value pairs.
391 The list is assiged to envs value. Every item may define below items:
393 Identifier of this value within secret
395 String that defines a value associated with given key.
396 This can be a simple string or a template.
398 Defines what to do if value is not provided by the user.
399 Available options are:
401 Generate a value by derriving it from master password
405 Type of secret that holds only the password.
406 Only two items can be defined for this type:
408 Equivalent of value field from genericKV
410 The same meaning as for genericKV policy field
412 Type of secret that holds both username and password.
413 Below fields are available:
415 The value for login key.
416 This can be a simple string or a template.
417 Providing a value for login is always required.
419 The value for password key.
420 This can be a simple string or a template.
422 The same meaning as the policy field in genericKV.
423 Only the policy for password can be set.
425 Every secret can be identified using:
427 A string to be appended to the chart fullname to generate a secret name.
429 Overrides default secret name generation and allows to set immutable
430 and globaly unique name
432 List of annotations to be used while defining a secret
434 To allow sharing a secret between the components and allow to pre-deploy secrets
435 before ONAP deployment it is possible to use already existing secret instead of
436 creating a new one. For this purpose externalSecret field can be used. If value of
437 this field is evaluated to true no new secret is created, only the name of the
438 secret is aliased to the external one.
442 {{ include "common.secretFast" . }}
447 mysqlExternalSecret: "some-other-secret-name"
451 externalSecret: '{{ tpl .Values.passExternalSecret . }}'
453 login: '{{ .Values.mysqlLogin }}'
454 mysqlPassword: '{{ .Values.mysqlPassword }}'
455 passwordPolicy: generate
457 In the above example new secret is not going to be created.
458 Already existing one (some-other-secret-name) is going to be used.
459 To force creating a new one, just make sure that mysqlExternalSecret
463 {{- define "common.secretFast" -}}
465 {{- include "common.secret.buildCache" $global }}
466 {{- range $secret := .Values._secretsCache }}
467 {{- $uid := $secret.uid }}
468 {{- $externalSecret := $secret.externalSecret }}
469 {{- if not $externalSecret }}
470 {{- $name := $secret.realName }}
471 {{- $annotations := default "" $secret.annotations }}
472 {{- $type := default "generic" $secret.type }}
474 {{ include "common.secret._header" (dict "global" $global "name" $name "annotations" $annotations) }}
476 {{- if eq $type "generic" }}
478 {{- range $curFilePath := $secret.filePaths }}
479 {{ tpl ($global.Files.Glob $curFilePath).AsSecrets $global | indent 2 }}
481 {{- if $secret.filePath }}
482 {{ tpl ($global.Files.Glob $secret.filePath).AsSecrets $global | indent 2 }}
484 {{- else if eq $type "genericKV" }}
486 {{- if $secret.envs }}
487 {{- range $secretEnv := $secret.envs }}
488 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
489 {{ $secretEnv.name }}: {{ include "common.secret._valueFast" $valueDesc }}
492 {{- else if eq $type "password" }}
493 {{- $secretEnv := (dict "policy" (default "generate" $secret.policy) "name" "password" "value" $secret.password) }}
494 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
496 password: {{ include "common.secret._valueFast" $valueDesc }}
497 {{- else if eq $type "basicAuth" }}
499 {{- $secretEnv := (dict "policy" "required" "name" "login" "value" $secret.login) }}
500 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
501 login: {{ include "common.secret._valueFast" $valueDesc }}
502 {{- $secretEnv := (dict "policy" (default "generate" $secret.passwordPolicy) "name" "password" "value" $secret.password) }}
503 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
504 password: {{ include "common.secret._valueFast" $valueDesc }}