Merge branch 'jan94_feature-allowEnrollmentJwtFromSecret' of github.com:openziti/helm-charts into jan94_feature-allowEnrollmentJwtFromSecret

Author: qrkourier

charts/ziti-router/README.md

@@ -267,6 +267,8 @@ identity:
 | edge.service.labels | object | `{}` | service labels |
 | edge.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer; default is ClusterIP, but you could use NodePort or LoadBalancer instead of an ingress controller |
 | enrollmentJwt | string | `nil` | enrollment one time token from the controller's management API |
+| enrollmentJwtFromSecret | bool | `false` | allow for using a secret to specify the enrollment token instead of using the enrollmentJwt field if enabled, setting the enrollment token on the enrollmentJwt field has no effect |
+| enrollmentJwtSecretName | string | `""` | set the enrollment jwt from a secret The enrollment token secret must be of the following format: apiVersion: v1 kind: Secret metadata:   name: myEnrollmentJwtSecret type: Opaque data:   enrollmentJwt: |
 | env | object | `{}` | assign key=value in pod environment |
 | execMountDir | string | `"/usr/local/bin"` | read-only mountpoint for executables (must be in image's executable search PATH) |
 | fabric.metrics.enabled | bool | `false` | configure fabric metrics in the router config |

charts/ziti-router/templates/deployment.yaml

@@ -59,7 +59,14 @@ spec:
             {{- end }}
           env:
             - name: ZITI_ENROLL_TOKEN
+              {{- if .Values.enrollmentJwtFromSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ required (printf "You must set an enrollmentJwtSecretName, when using enrollmentJwtFromSecret. Try setting --set enrollmentJwtSecretName=myEnrollmentJwtSecret") .Values.enrollmentJwtSecretName }}
+                  key: enrollmentJwt
+              {{- else }}
               value: {{ .Values.enrollmentJwt | quote }}
+              {{- end }}
             # must be true or enroll() will not be called
             - name: ZITI_BOOTSTRAP
               value: "true"

charts/ziti-router/values.yaml

@@ -249,6 +249,19 @@ csr:
 execMountDir:     /usr/local/bin
 # -- enrollment one time token from the controller's management API
 enrollmentJwt:
+# -- allow for using a secret to specify the enrollment token instead of using the enrollmentJwt field
+# if enabled, setting the enrollment token on the enrollmentJwt field has no effect
+enrollmentJwtFromSecret: false
+# -- set the enrollment jwt from a secret
+# The enrollment token secret must be of the following format:
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: myEnrollmentJwtSecret
+# type: Opaque
+# data:
+#   enrollmentJwt:
+enrollmentJwtSecretName: ""
 # -- read-only mountpoint for router identity secret specified in deployment for use by router run container
 identityMountDir: /etc/ziti/identity
 # -- writeable mountpoint where read-only config file is projected to allow router