Refactoring secrets and common service variables (#63)

Element84 · Aug 10, 2023 · 0b5b8d2 · 0b5b8d2
1 parent 7b5eff7
commit 0b5b8d2
Show file tree

Hide file tree

Showing 55 changed files with 1,284 additions and 511 deletions.
diff --git a/charts/minio/templates/minio-deployment.yaml b/charts/minio/templates/minio-deployment.yaml
@@ -6,7 +6,7 @@ metadata:
     {{- include "minio.labels" . | nindent 6 }}
   name: minio
 spec:
-  replicas: {{ .Values.minio.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
       {{- include "minio.labels" . | nindent 6 }}
@@ -21,27 +21,27 @@ spec:
         - command:
             - bash
             - -c
-            - mkdir -p "$${1}/{{ .Values.minio.service.bucketName }}" && exec minio server --console-address ":9001" "$${1}"
+            - mkdir -p "$${1}/{{ .Values.service.bucketName }}" && exec minio server --console-address ":9001" "$${1}"
             - --
             - /tmp/minio
           env:
             - name: MINIO_ROOT_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: minio-secret
-                  key: swoop_secret_access_key
+                  name: {{ .Values.service.secretAccessKeySecret.name }}
+                  key: {{ .Values.service.secretAccessKeySecret.key }}
             - name: MINIO_ROOT_USER
               valueFrom:
                 secretKeyRef:
-                  name: minio-secret
-                  key: swoop_access_key_id
+                  name: {{ .Values.service.accessKeyIdSecret.name }}
+                  key: {{ .Values.service.accessKeyIdSecret.key }}
             - name: SWOOP_BUCKET_NAME
-              value: {{ .Values.minio.service.bucketName }}
-          image: "{{ .Values.minio.image.repository }}:{{ .Values.minio.image.tag }}"
-          name: {{ .Values.minio.deployment.name }}
+              value: {{ .Values.service.bucketName }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          name: {{ .Values.deployment.name }}
           ports:
-            - containerPort: {{ .Values.minio.container.port }}
-            - containerPort: {{ .Values.minio.container.servicePort }}
+            - containerPort: {{ .Values.container.port }}
+            - containerPort: {{ .Values.container.servicePort }}
           resources: {}
       restartPolicy: Always
 status: {}
diff --git a/charts/minio/templates/minio-secret.yaml b/charts/minio/templates/minio-secret.yaml
@@ -1,8 +1,10 @@
+{{- if .Values.service.createSecret -}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: minio-secret
 type: Opaque
 data:
-  swoop_access_key_id: {{ .Values.minio.service.accessKeyId }}
-  swoop_secret_access_key: {{ .Values.minio.service.secretAccessKey }}
+  access_key_id: {{ .Values.service.accessKeyId }}
+  secret_access_key: {{ .Values.service.secretAccessKey }}
+{{- end }}
diff --git a/charts/minio/templates/minio-service.yaml b/charts/minio/templates/minio-service.yaml
@@ -4,16 +4,16 @@ metadata:
   creationTimestamp: null
   labels:
     {{- include "minio.labels" . | nindent 6 }}
-  name: {{ .Values.minio.service.name }}
+  name: {{ .Values.service.name }}
 spec:
-  type: {{ .Values.minio.service.type }}
+  type: {{ .Values.service.type }}
   ports:
-    - name: "{{ .Values.minio.service.targetPort }}"
-      port: {{ .Values.minio.service.port }}
-      targetPort: {{ .Values.minio.service.targetPort }}
-    - name: "{{ .Values.minio.service.serviceTargetPort }}"
-      port: {{ .Values.minio.service.servicePort }}
-      targetPort: {{ .Values.minio.service.serviceTargetPort }}
+    - name: "{{ .Values.service.targetPort }}"
+      port: {{ .Values.service.port }}
+      targetPort: {{ .Values.service.targetPort }}
+    - name: "{{ .Values.service.serviceTargetPort }}"
+      port: {{ .Values.service.servicePort }}
+      targetPort: {{ .Values.service.serviceTargetPort }}
   selector:
     {{- include "minio.labels" . | nindent 6 }}
 status:

diff --git a/charts/minio/values.yaml b/charts/minio/values.yaml
@@ -5,23 +5,30 @@
 nameOverride: ""
 fullnameOverride: ""
 
-minio:
-  image:
-    repository: quay.io/minio/minio
-    tag: latest
-  container:
-    port: 9000
-    servicePort: 9001
-  service:
-    type: ClusterIP
-    port: 9000
-    targetPort: 9000
-    servicePort: 9001
-    serviceTargetPort: 9001
-    name: minio
-    bucketName: swoop
-    accessKeyId: bWluaW8=
-    secretAccessKey: cGFzc3dvcmQ=
-  deployment:
-    name: minio
-  replicaCount: 1
+image:
+  repository: quay.io/minio/minio
+  tag: latest
+container:
+  port: 9000
+  servicePort: 9001
+service:
+  type: ClusterIP
+  port: 9000
+  targetPort: 9000
+  servicePort: 9001
+  serviceTargetPort: 9001
+  name: minio
+  bucketName: swoop
+  createSecret: true
+  accessKeyIdSecret:
+    name: minio-secret
+    key: access_key_id
+  secretAccessKeySecret:
+    name: minio-secret
+    key: secret_access_key
+  accessKeyId: bWluaW8=
+  secretAccessKey: cGFzc3dvcmQ=
+  endpoint: http://minio.default:9000
+deployment:
+  name: minio
+replicaCount: 1
diff --git a/charts/postgres/templates/postgres-claim0-persistentvolumeclaim.yaml b/charts/postgres/templates/postgres-claim0-persistentvolumeclaim.yaml
@@ -6,10 +6,10 @@ metadata:
     {{- include "postgres.labels" . | nindent 6 }}
   name: postgres-claim0
 spec:
-  storageClassName: {{ .Values.postgres.storage.storageClassName }}
+  storageClassName: {{ .Values.storage.storageClassName }}
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: {{ .Values.postgres.storage.size }}
+      storage: {{ .Values.storage.size }}
 status: {}
diff --git a/charts/postgres/templates/postgres-deployment.yaml b/charts/postgres/templates/postgres-deployment.yaml
@@ -6,7 +6,7 @@ metadata:
     {{- include "postgres.labels" . | nindent 6 }}
   name: postgres
 spec:
-  replicas: {{ .Values.postgres.replicaCount }}
+  replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
       {{- include "postgres.labels" . | nindent 6 }}
@@ -21,43 +21,43 @@ spec:
       containers:
         - env:
             - name: POSTGRES_HOST_AUTH_METHOD
-              value: {{ .Values.postgres.service.authMethod }}
+              value: {{ .Values.service.authMethod }}
             - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: postgres-secret
-                  key: pg_password
+                  name: {{ .Values.service.passwordSecret.name }}
+                  key: {{ .Values.service.passwordSecret.key }}
             - name: POSTGRES_USER
               valueFrom:
                 secretKeyRef:
-                  name: postgres-secret
-                  key: pg_user
-            - name: POSTGRES_PORT
-              value: "{{ .Values.postgres.service.port }}"
-            - name: PGDATABASE
-              value: {{ .Values.postgres.service.dbName }}
-            - name: PGPORT
-              value: "{{ .Values.postgres.service.port }}"
-            - name: PGAUTHMETHOD
-              value: {{ .Values.postgres.service.authMethod }}
+                  name: {{ .Values.service.userNameSecret.name }}
+                  key: {{ .Values.service.userNameSecret.key }}
             - name: PGPASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: postgres-secret
-                  key: pg_password
+                  name: {{ .Values.service.passwordSecret.name }}
+                  key: {{ .Values.service.passwordSecret.key }}
             - name: PGUSER
               valueFrom:
                 secretKeyRef:
-                  name: postgres-secret
-                  key: pg_user
+                  name: {{ .Values.service.userNameSecret.name }}
+                  key: {{ .Values.service.userNameSecret.key }}
+            - name: POSTGRES_PORT
+              value: "{{ .Values.service.port }}"
+            - name: PGDATABASE
+              value: {{ .Values.service.dbName }}
+            - name: PGPORT
+              value: "{{ .Values.service.port }}"
+            - name: PGAUTHMETHOD
+              value: {{ .Values.service.authMethod }}
             - name: PGSSLMODE
-              value: {{ .Values.postgres.service.sslMode }}
+              value: {{ .Values.service.sslMode }}
             - name: SWOOP_DB_SCHEMA_VERSION_TABLE
-              value: {{ .Values.postgres.service.schemaVersionTable }}
-          image: "{{ .Values.postgres.image.repository }}:{{ .Values.postgres.image.tag }}"
-          name: {{ .Values.postgres.deployment.name }}
+              value: {{ .Values.service.schemaVersionTable }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          name: {{ .Values.deployment.name }}
           ports:
-            - containerPort: {{ .Values.postgres.container.port }}
+            - containerPort: {{ .Values.container.port }}
           resources: {}
           volumeMounts:
             - mountPath: /swoop

diff --git a/charts/postgres/templates/postgres-secret.yaml b/charts/postgres/templates/postgres-secret.yaml
@@ -1,8 +1,10 @@
+{{- if .Values.service.createDBAdminSecret -}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: postgres-secret
 type: Opaque
 data:
-  pg_user: {{ .Values.postgres.service.dbUser }}
-  pg_password: {{ .Values.postgres.service.dbPassword }}
+  username: {{ .Values.service.dbUser }}
+  password: {{ .Values.service.dbPassword }}
+{{- end }}
diff --git a/charts/postgres/templates/postgres-service.yaml b/charts/postgres/templates/postgres-service.yaml
@@ -4,13 +4,13 @@ metadata:
   creationTimestamp: null
   labels:
     {{- include "postgres.labels" . | nindent 6 }}
-  name: {{ .Values.postgres.service.name }}
+  name: {{ .Values.service.name }}
 spec:
-  type: {{ .Values.postgres.service.type }}
+  type: {{ .Values.service.type }}
   ports:
-    - name: "{{ .Values.postgres.service.targetPort }}"
-      port: {{ .Values.postgres.service.port }}
-      targetPort: {{ .Values.postgres.service.targetPort }}
+    - name: "{{ .Values.service.targetPort }}"
+      port: {{ .Values.service.port }}
+      targetPort: {{ .Values.service.targetPort }}
   selector:
     {{- include "postgres.labels" . | nindent 6 }}
 status:

diff --git a/charts/postgres/templates/postgres-storage-class.yaml b/charts/postgres/templates/postgres-storage-class.yaml
@@ -1,11 +1,11 @@
-{{- if .Values.postgres.storage.retainPersistentVolume -}}
+{{- if .Values.storage.retainPersistentVolume -}}
 apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
   labels:
     {{- include "postgres.labels" . | nindent 6 }}
   name: postgres-retain
-provisioner: {{ .Values.postgres.storage.provisioner }}
+provisioner: {{ .Values.storage.provisioner }}
 reclaimPolicy: Retain
-volumeBindingMode: {{ .Values.postgres.storage.volumeBindingMode }}
+volumeBindingMode: {{ .Values.storage.volumeBindingMode }}
 {{- end }}
diff --git a/charts/postgres/values.yaml b/charts/postgres/values.yaml
@@ -11,29 +11,36 @@ local-path-provisioner:
     provisionerName: filmdrop.io/local-path-provisioner
     name: local-path-class
 
-postgres:
-  image:
-    repository: quay.io/element84/swoop-db
-    tag: latest
-  container:
-    port: 5432
-  service:
-    type: ClusterIP
-    port: 5432
-    targetPort: 5432
-    name: postgres
-    dbName: swoop
-    authMethod: trust
-    dbUser: cG9zdGdyZXM=
-    dbPassword: cGFzc3dvcmQ=
-    sslMode: disable
-    schemaVersionTable: swoop.schema_version
-  storage:
-    size: 1Gi
-    volumeBindingMode: WaitForFirstConsumer
-    provisioner: filmdrop.io/local-path-provisioner
-    retainPersistentVolume: true
-    storageClassName: postgres-retain
-  deployment:
-    name: postgres
-  replicaCount: 1
+image:
+  repository: quay.io/element84/swoop-db
+  tag: latest
+container:
+  port: 5432
+service:
+  type: ClusterIP
+  port: 5432
+  targetPort: 5432
+  name: postgres
+  dbName: swoop
+  dbHost: postgres.default
+  authMethod: trust
+  createDBAdminSecret: true
+  userNameSecret:
+    name: postgres-secret
+    key: username
+  passwordSecret:
+    name: postgres-secret
+    key: password
+  dbUser: cG9zdGdyZXM=
+  dbPassword: cGFzc3dvcmQ=
+  sslMode: disable
+  schemaVersionTable: swoop.schema_version
+storage:
+  size: 1Gi
+  volumeBindingMode: WaitForFirstConsumer
+  provisioner: filmdrop.io/local-path-provisioner
+  retainPersistentVolume: true
+  storageClassName: postgres-retain
+deployment:
+  name: postgres
+replicaCount: 1
diff --git a/charts/swoop-api/templates/db-migration-crds.yaml b/charts/swoop-api/templates/db-migration-crds.yaml
@@ -1,14 +1,32 @@
-{{- if .Values.postgres.migration.enabled }}
+{{- $migrationEnabled := .Values.postgres.migration.enabled -}}
+{{- $migrationServiceAccount := .Values.service.serviceAccount -}}
+{{- if (hasKey .Values "global")  }}
+  {{- if (hasKey .Values.global "postgres")  }}
+    {{- if (hasKey .Values.global.postgres "migration")  }}
+      {{- if (hasKey .Values.global.postgres.migration "enabled")  }}
+        {{- $migrationEnabled = .Values.global.postgres.migration.enabled -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+  {{- if (hasKey .Values.global "swoop")  }}
+    {{- if (hasKey .Values.global.swoop "api")  }}
+      {{- if (hasKey .Values.global.swoop.api "serviceAccount")  }}
+        {{- $migrationServiceAccount = .Values.global.swoop.api.serviceAccount -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- if $migrationEnabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ .Values.swoopApi.serviceAccount }}
-  namespace: {{ .Values.swoopApi.namespace }}
+  name: {{ $migrationServiceAccount }}
+  namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ .Values.swoopApi.serviceAccount }}-migration-reader
+  name: {{ $migrationServiceAccount }}-migration-reader
 rules:
 rules:
 - apiGroups:
@@ -58,13 +76,13 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ .Values.swoopApi.serviceAccount }}-migration-reader
+  name: {{ $migrationServiceAccount }}-migration-reader
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.swoopApi.serviceAccount }}
+  name: {{ $migrationServiceAccount }}
 roleRef:
   kind: Role
-  name: {{ .Values.swoopApi.serviceAccount }}-migration-reader
+  name: {{ $migrationServiceAccount }}-migration-reader
   apiGroup: rbac.authorization.k8s.io
 apiVersion: rbac.authorization.k8s.io/v1
 {{- end }}