2 # Copyright © 2019 AT&T, Samsung Electronics
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 For internal use only!
20 Generates a secret header with given name and desired labels.
22 The template takes two arguments:
23 - .global: environment (.)
24 - .name: name of the secret
25 - .annotations: annotations which should be used
28 {{ include "common.secret._header" (dict "global" . "name" "myFancyName") }}
30 {{- define "common.secret._header" -}}
31 {{- $global := .global }}
37 namespace: {{ include "common.namespace" $global }}
39 app: {{ include "common.name" $global }}
40 chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}
41 release: {{ include "common.release" $global }}
42 heritage: {{ $global.Release.Service }}
43 {{- if .annotations }}
44 annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }}
50 For internal use only!
52 Pick a value based on "user input" and generation policy.
54 The template takes below arguments:
55 - .global: environment (.)
56 - .secretName: name of the secret where the value will be placed
57 - .secretEnv: map of values which configures this secret. This can contain below keys:
58 - value: Value of secret key provided by user (can be a template inside a string)
59 - policy: What to do if value is missing or empty. Possible options are:
60 - generate: Generate a new password deriving it from master password
61 - required: Fail the deployment if value has not been provided
63 - name: Name of the key to which this value should be assigned
65 {{- define "common.secret._value" -}}
66 {{- $global := .global }}
67 {{- $name := .secretName }}
68 {{- $secretEnv := .secretEnv }}
69 {{- $value := tpl $secretEnv.value $global }}
70 {{- $policy := default "generate" $secretEnv.policy }}
74 {{- else if eq $policy "generate" }}
75 {{- include "common.createPassword" (dict "dot" $global "uid" $name) | quote }}
77 {{- fail (printf "Value for %s secret %s key not provided" $name $secretEnv.name) }}
83 Generate a secret name based on provided name or UID.
84 If UID is provided then the name is generated by appending this UID right after
85 the chart name. If name is provided, it overrides the name generation algorith
86 and is used right away. Both name and uid strings may contain a template to be
89 The template takes below arguments:
90 - .global: environment (.)
91 - .uid: string that uniquely identifies this secret within a helm chart
92 - .name: string that can be used to override default name generation algorithm
93 and provide a custom name for the secret
95 {{- define "common.secret.genName" -}}
96 {{- $global := .global }}
97 {{- $uid := tpl (default "" .uid) $global }}
98 {{- $name := tpl (default "" .name) $global }}
99 {{- $fullname := ne (default "" .chartName) "" | ternary (include "common.fullnameExplicit" (dict "dot" $global "chartName" .chartName)) (include "common.fullname" $global) }}
100 {{- default (printf "%s-%s" $fullname $uid) $name }}
104 Get the real secret name by UID or name, based on the configuration provided by user.
105 User may decide to not create a new secret but reuse existing one for this deployment
106 (aka externalSecret). In this case the real name of secret to be used is different
107 than the one declared in secret definition. This easily retrieve current secret real
108 name based on declared name or UID even if it has been overrided by the user using
109 externalSecret option. You should use this template always when you need to reference
110 a secret created using common.secret template by name.
112 The template takes below arguments:
113 - .global: environment (.)
114 - .uid: string that uniquely identifies this secret within a helm chart
115 (can be omitted if name has been provided)
116 - .name: name which was used to declare a secret
117 (can be omitted if uid has been provided)
119 {{- define "common.secret.getSecretName" -}}
120 {{- $global := .global }}
121 {{- $name := tpl (default "" .name) $global }}
122 {{- $uid := tpl (default "" .uid) $global }}
123 {{- $targetName := default (include "common.secret.genName" (dict "global" $global "uid" $uid "name" .name)) $name}}
124 {{- range $secret := $global.Values.secrets }}
125 {{- $givenName := tpl (default "" $secret.name) $global }}
126 {{- $currUID := tpl (default "" $secret.uid) $global }}
127 {{- $currName := default (include "common.secret.genName" (dict "global" $global "uid" $currUID "name" $secret.name)) $givenName }}
128 {{- if or (eq $uid $currUID) (eq $currName $targetName) }}
129 {{- $externalSecret := tpl (default "" $secret.externalSecret) $global }}
130 {{- default $currName $externalSecret }}
136 Convenience template which can be used to easily set the value of environment variable
137 to the value of a key in a secret.
139 It takes care of all name mangling, usage of external secrets etc.
141 The template takes below arguments:
142 - .global: environment (.)
143 - .uid: string that uniquely identifies this secret within a helm chart
144 (can be omitted if name has been provided)
145 - .name: name which was used to declare a secret
146 (can be omitted if uid has been provided)
147 - .key: Key within this secret which value should be assigned to this variable
151 - name: SECRET_PASSWORD
152 {{- include "common.secret.envFromSecret" (dict "global" . "uid" "secret" "key" "password") | indent 8}}
154 {{- define "common.secret.envFromSecret" -}}
158 name: {{ include "common.secret.getSecretName" . }}
163 Define secrets to be used by chart.
164 Every secret has a type which is one of:
166 Generic secret template that allows to input some raw data (from files).
167 File Input can be passed as list of files (filePaths) or as a single string
170 Type of secret which allows you to define a list of key value pairs.
171 The list is assiged to envs value. Every item may define below items:
173 Identifier of this value within secret
175 String that defines a value associated with given key.
176 This can be a simple string or a template.
178 Defines what to do if value is not provided by the user.
179 Available options are:
181 Generate a value by derriving it from master password
185 Type of secret that holds only the password.
186 Only two items can be defined for this type:
188 Equivalent of value field from genericKV
190 The same meaning as for genericKV policy field
192 Type of secret that holds both username and password.
193 Below fields are available:
195 The value for login key.
196 This can be a simple string or a template.
197 Providing a value for login is always required.
199 The value for password key.
200 This can be a simple string or a template.
202 The same meaning as the policy field in genericKV.
203 Only the policy for password can be set.
205 Every secret can be identified using:
207 A string to be appended to the chart fullname to generate a secret name.
209 Overrides default secret name generation and allows to set immutable
210 and globaly unique name
212 List of annotations to be used while defining a secret
214 To allow sharing a secret between the components and allow to pre-deploy secrets
215 before ONAP deployment it is possible to use already existing secret instead of
216 creating a new one. For this purpose externalSecret field can be used. If value of
217 this field is evaluated to true no new secret is created, only the name of the
218 secret is aliased to the external one.
222 {{ include "common.secret" . }}
227 mysqlExternalSecret: "some-other-secret-name"
231 externalSecret: '{{ tpl .Values.passExternalSecret . }}'
233 login: '{{ .Values.mysqlLogin }}'
234 mysqlPassword: '{{ .Values.mysqlPassword }}'
235 passwordPolicy: generate
237 In the above example new secret is not going to be created.
238 Already existing one (some-other-secret-name) is going to be used.
239 To force creating a new one, just make sure that mysqlExternalSecret
243 {{- define "common.secret" -}}
245 {{- range $secret := .Values.secrets }}
246 {{- $uid := tpl (default "" $secret.uid) $global }}
247 {{- $name := include "common.secret.genName" (dict "global" $global "uid" $uid "name" $secret.name) }}
248 {{- $annotations := default "" $secret.annotations }}
249 {{- $type := default "generic" $secret.type }}
250 {{- $externalSecret := tpl (default "" $secret.externalSecret) $global }}
251 {{- if not $externalSecret }}
253 {{ include "common.secret._header" (dict "global" $global "name" $name "annotations" $annotations) }}
255 {{- if eq $type "generic" }}
257 {{- range $curFilePath := $secret.filePaths }}
258 {{ tpl ($global.Files.Glob $curFilePath).AsSecrets $global | indent 2 }}
260 {{- if $secret.filePath }}
261 {{ tpl ($global.Files.Glob $secret.filePath).AsSecrets $global | indent 2 }}
263 {{- else if eq $type "genericKV" }}
265 {{- if $secret.envs }}
266 {{- range $secretEnv := $secret.envs }}
267 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
268 {{ $secretEnv.name }}: {{ include "common.secret._value" $valueDesc }}
271 {{- else if eq $type "password" }}
272 {{- $secretEnv := (dict "policy" (default "generate" $secret.policy) "name" "password" "value" $secret.password) }}
273 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
275 password: {{ include "common.secret._value" $valueDesc }}
276 {{- else if eq $type "basicAuth" }}
278 {{- $secretEnv := (dict "policy" "required" "name" "login" "value" $secret.login) }}
279 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
280 login: {{ include "common.secret._value" $valueDesc }}
281 {{- $secretEnv := (dict "policy" (default "generate" $secret.passwordPolicy) "name" "password" "value" $secret.password) }}
282 {{- $valueDesc := (dict "global" $global "secretName" $name "secretEnv" $secretEnv) }}
283 password: {{ include "common.secret._value" $valueDesc }}