Merge pull request #25 from CSCfi/random-pass-update

Update generated random password
CSCfi · Mar 11, 2024 · 508796a · 508796a
2 parents 640741e + 8907406
commit 508796a
Show file tree

Hide file tree

Showing 18 changed files with 312 additions and 78 deletions.
diff --git a/charts/hedgedoc/Chart.yaml b/charts/hedgedoc/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: hedgedoc-helm
 description: Hedgedoc Helm Chart for Rahti platform
   Link to the repo https://github.com/CSCfi/helm-charts
-version: 1.0.0
+version: 1.1.0
 sources:
 - https://github.com/CSCfi/helm-charts
 dependencies:

diff --git a/charts/hedgedoc/README.md b/charts/hedgedoc/README.md
@@ -31,10 +31,16 @@ helm upgrade --install hedgedoc . -f {custom_values.yaml}
 | `hedgedoc.containerSecurityContext`    | Set SecurityContext for the container                   | `allowPrivilegeEscalation: false`<br>`runAsUser:`<br>`runAsGroup:`<br>`capabilities:`<br>&nbsp;&nbsp;`drop:`<br>&nbsp;&nbsp;`- ALL`<br>`runAsNonRoot: true`<br>`seccompProfile:`<br>&nbsp;&nbsp;`type: RuntimeDefault` |
 | `hedgedoc.pvc.storageSpace`            | Storage space for the PersistentVolume                  | `5Gi`                             |
 | `hedgedoc.service.type`                | Set the Service type                                    | `ClusterIP`                       |
+| `hedgedoc.random_pw_secret_key`        | Key to store the password                               | `database-password`               |
+| `hedgedoc.secret.database-name`        | Name of the database                                    | `postgres`                        |
+| `hedgedoc.secret.database-user`        | Name of the postgres user                               | `postgres`                        |
+| `hedgedoc.secret.database-password`    | Function that retrieve the generated password           | `'{{- include "random_pw_reusable" . -}}'` |
 
 ### PostgreSQL parameters
 
-Since we are using the `bitnami/postgresql` Helm Chart as a dependency, you can take a look to the [PostgreSQL ArtifactHub](https://artifacthub.io/packages/helm/bitnami/postgresql/13.4.4) to check the different values
+Since we are using the `bitnami/postgresql` Helm Chart as a dependency, you can take a look to the [PostgreSQL ArtifactHub](https://artifacthub.io/packages/helm/bitnami/postgresql/13.4.4) to check the different values.
+
+The postgres database password is generated randomly and won't change if you upgrade the Chart.
 
 ## Cleanup
 To delete all the resources, simply uninstall the Helm Chart:

diff --git a/charts/hedgedoc/templates/NOTES.txt b/charts/hedgedoc/templates/NOTES.txt
@@ -6,3 +6,7 @@ Your HedgeDoc applications is now deployed. Wait a little bit the time that the
 and then you could access it through this URL:
 
 https://{{ .Values.hedgedoc.appname }}.{{ .Values.hedgedoc.domain }}
+
+The postgresql database password is generated automatically. To check its value, run this command:
+
+  echo PostgreSQL Password: $(oc get secret --namespace={{ .Release.Namespace }} postgres -o jsonpath="{.data.database-password}" | base64 -d)
diff --git a/charts/hedgedoc/templates/_helpers.tpl b/charts/hedgedoc/templates/_helpers.tpl
@@ -61,9 +61,37 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
-{{/* 
-Generate postgres database password
+{{/*
+Define a function that generate static password
 */}}
-{{- define "hedgedoc.postgresPassword" -}}
-database-password: {{ randAlphaNum 16 | quote }}
-{{- end }}
+{{- define "generate_static_password" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars") -}}
+{{-   $_ := set .Release "tmp_vars" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "password" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{-   $_ := set .Release.tmp_vars $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars $key -}}
+{{- end -}}
+
+{{/*
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
+*/}}
+{{- define "random_pw_reusable" -}}
+  {{- if .Release.IsUpgrade -}}
+    {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace "postgres").data -}}
+    {{- if $data -}}
+      {{- index $data .Values.hedgedoc.random_pw_secret_key | b64dec -}}
+    {{- end -}}
+  {{- else -}}
+    {{- if and (required "You must pass postgres (the name of a secret to retrieve password from on upgrade)" "postgres") (required "You must pass .Values.hedgedoc.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.hedgedoc.random_pw_secret_key) -}}
+      {{- (include "generate_static_password" .) -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/hedgedoc/templates/secrets.yaml b/charts/hedgedoc/templates/secrets.yaml
@@ -1,11 +1,13 @@
 apiVersion: v1
-stringData:
-  database-name: postgres
-  database-user: postgres
-  {{- include "hedgedoc.postgresPassword" . | nindent 2 }}
 kind: Secret
 metadata:
   labels:
     app: postgresql
   name: postgres
+{{- if .Values.hedgedoc.secret }}
+data:
+  {{- range $key, $val := .Values.hedgedoc.secret }}
+    "{{ $key }}": "{{ tpl $val $ | b64enc }}"
+  {{- end }}
+{{- end }}
 type: Opaque
diff --git a/charts/hedgedoc/values.yaml b/charts/hedgedoc/values.yaml
@@ -28,6 +28,11 @@ hedgedoc:
     storageSpace: 5Gi
   service:
     type: ClusterIP
+  random_pw_secret_key: database-password
+  secret:
+    database-name: postgres
+    database-user: postgres
+    database-password: '{{- include "random_pw_reusable" . -}}'
 
 # Parameters related to the deployment of PostgreSQL
 postgresql:

diff --git a/charts/matomo/Chart.yaml b/charts/matomo/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
 name: matomo-helm
 description: Matomo Helm Chart for Rahti platform
   Link to the repo https://github.com/CSCfi/helm-charts
-version: 1.0.0
+version: 1.1.0
 sources:
 - https://github.com/CSCfi/helm-charts
diff --git a/charts/matomo/README.md b/charts/matomo/README.md
@@ -24,8 +24,12 @@ helm upgrade --install matomo . -f {custom_values.yaml}
 | `mariadb.service.type`                       | Set the Service type                                         | `ClusterIP`                                                     |
 | `mariadb.pvc.storageSize`                    | Storage size for the PersistentVolume                        | `5Gi`                                                           |
 | `mariadb.pvc.storageClassName`               | Storage Class Name for the PersistentVolume                  | `standard-csi`                                                  |
-| `mariadb.secret.databaseName`                | Name of your database                                        | `matomodb`                                                      |
-| `mariadb.secret.databaseUser`                | Name of the database user                                    | `matomouser`                                                    |
+| `mariadb.random_pw_secret_key`               | Key to store the password                                    | `database-password`                                             |
+| `mariadb.random_root_pw_secret_key`          | Key to store the root password                               | `database-root-password`                                        |
+| `mariadb.secret.database-name`               | Name of the database                                         | `matomodb`                                                      |
+| `mariadb.secret.database-user`               | Name of the database user                                    | `matomouser`                                                    |
+| `mariadb.secret.database-password`           | Function that retrieve the generated password                | `'{{- include "random_mariadb_pw_reusable" . -}}'`              |
+| `mariadb.secret.database-password`           | Function that retrieve the generated root password           | `'{{- include "random_mariadb_root_pw_reusable" . -}}'`         |
 | `mariadb.livenessProbe.enabled`              | Enable or not `livenessProbe`                                | `true`                                                          |
 | `mariadb.livenessProbe.initialDelaySeconds`  | Set the `livenessProbe.initialDelaySeconds`                  | `30`                                                            |
 | `mariadb.livenessProbe.timeoutSeconds`       | Set the `livenessProbe.timeoutSeconds`                       | `1`                                                             |
@@ -36,18 +40,22 @@ helm upgrade --install matomo . -f {custom_values.yaml}
 
 ### Matomo parameters
 
-| Name                                             | Description                                                          | Value                   |
-| ------------------------------------------------ | -------------------------------------------------------------------- | ----------------------- |
-| `matomo.image`                                   | Name of the `matomo` image.                                          | `bitnami/matomo:latest` |
-| `matomo.name`                                    | Name of your app.                                                    | `matomo`                |
-| `matomo.service.type`                            | Set the Service type                                                 | `ClusterIP`             |
-| `matomo.route.tls.insecureEdgeTerminationPolicy` | Set the termination policy regarding insecure traffic for the route  | `Redirect`              |
-| `matomo.route.tls.termination`                   | Set the termination for the route                                    | `edge`                  |
-| `matomo.secret.matomoUser`                       | Name of the database user                                            | `matomouser`            |
+| Name                                             | Description                                                          | Value                                             |
+| ------------------------------------------------ | -------------------------------------------------------------------- | ------------------------------------------------- |
+| `matomo.image`                                   | Name of the `matomo` image.                                          | `bitnami/matomo:latest`                           |
+| `matomo.name`                                    | Name of your app.                                                    | `matomo`                                          |
+| `matomo.service.type`                            | Set the Service type                                                 | `ClusterIP`                                       |
+| `matomo.route.tls.insecureEdgeTerminationPolicy` | Set the termination policy regarding insecure traffic for the route  | `Redirect`                                        |
+| `matomo.route.tls.termination`                   | Set the termination for the route                                    | `edge`                                            |
+| `matomo.random_pw_secret_key`                    | Key to store the password                                            | `matomo-password`                                 |
+| `matomo.secret.matomo-username`                  | Name of the matomo user                                              | `matomouser`                                      |
+| `matomo.secret.matomo-password`                  | Function that retrieve the generated password                        | `'{{- include "random_matomo_pw_reusable" . -}}'` |
 
 The password for the mariadb database and the root password are generated randomly. A function is created in the `_helpers.tpl` file.  
 It's the same behavior for the matomo user password.
 
+The passwords won't change if you upgrade the Chart.
+
 Follow the instructions after deploying the Helm Chart to retrieve the passwords.
 
 ## Cleanup

diff --git a/charts/matomo/templates/_helpers.tpl b/charts/matomo/templates/_helpers.tpl
@@ -61,17 +61,110 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
-{{/* 
-Generate mariadb passwords
+## MARIADB PASSWORD
+{{/*
+Define a function that generate static mariadb password
 */}}
-{{- define "matomo.mariadbPasswords" -}}
-database-password: {{ randAlphaNum 16 | quote }}
-database-root-password: {{ randAlphaNum 32 | quote }}
-{{- end }}
+{{- define "generate_static_mariadb_password" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars_mariadb") -}}
+{{-   $_ := set .Release "tmp_vars_mariadb" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "mariadb_password" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars_mariadb $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{-   $_ := set .Release.tmp_vars_mariadb $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars_mariadb $key -}}
+{{- end -}}
+
+{{/*
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
+*/}}
+{{- define "random_mariadb_pw_reusable" -}}
+  {{- if .Release.IsUpgrade -}}
+    {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.mariadb.name).data -}}
+    {{- if $data -}}
+      {{- index $data .Values.mariadb.random_pw_secret_key | b64dec -}}
+    {{- end -}}
+  {{- else -}}
+    {{- if and (required "You must pass .Values.mariadb.name (the name of a secret to retrieve password from on upgrade)" .Values.mariadb.name) (required "You must pass .Values.mariadb.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.mariadb.random_pw_secret_key) -}}
+      {{- (include "generate_static_mariadb_password" .) -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+## MARIADB ROOT PASSWORD
+{{/*
+Define a function that generate static mariadb root password
+*/}}
+{{- define "generate_static_mariadb_root_password" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars_mariadb_root") -}}
+{{-   $_ := set .Release "tmp_vars_mariadb_root" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "mariadb_root_password" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars_mariadb_root $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{-   $_ := set .Release.tmp_vars_mariadb_root $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars_mariadb_root $key -}}
+{{- end -}}
+
+{{/*
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
+*/}}
+{{- define "random_mariadb_root_pw_reusable" -}}
+  {{- if .Release.IsUpgrade -}}
+    {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.mariadb.name).data -}}
+    {{- if $data -}}
+      {{- index $data .Values.mariadb.random_root_pw_secret_key | b64dec -}}
+    {{- end -}}
+  {{- else -}}
+    {{- if and (required "You must pass .Values.mariadb.name (the name of a secret to retrieve password from on upgrade)" .Values.mariadb.name) (required "You must pass .Values.mariadb.random_root_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.mariadb.random_root_pw_secret_key) -}}
+      {{- (include "generate_static_mariadb_root_password" .) -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+## MATOMO PASSWORD
+{{/*
+Define a function that generate static matomo password
+*/}}
+{{- define "generate_static_matomo_password" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars_matomo") -}}
+{{-   $_ := set .Release "tmp_vars_matomo" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "matomo_password" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars_matomo $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{-   $_ := set .Release.tmp_vars_matomo $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars_matomo $key -}}
+{{- end -}}
 
 {{/*
-Generate matomo password
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
 */}}
-{{- define "matomo.userPassword" -}}
-matomo-password: {{ randAlphaNum 16 | quote }}
-{{- end }}
+{{- define "random_matomo_pw_reusable" -}}
+  {{- if .Release.IsUpgrade -}}
+    {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.matomo.name).data -}}
+    {{- if $data -}}
+      {{- index $data .Values.matomo.random_pw_secret_key | b64dec -}}
+    {{- end -}}
+  {{- else -}}
+    {{- if and (required "You must pass .Values.matomo.name (the name of a secret to retrieve password from on upgrade)" .Values.matomo.name) (required "You must pass .Values.matomo.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.matomo.random_pw_secret_key) -}}
+      {{- (include "generate_static_matomo_password" .) -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/matomo/templates/secrets.yaml b/charts/matomo/templates/secrets.yaml
@@ -7,17 +7,21 @@ metadata:
     template.openshift.io/expose-root_password: '{.data[''database-root-password'']}'
     template.openshift.io/expose-username: '{.data[''database-user'']}'
   name: {{ .Values.mariadb.name }}
-stringData:
-  database-name: {{ .Values.mariadb.secret.databaseName }}
-  database-user: {{ .Values.mariadb.secret.databaseUser }}
-  {{- include "matomo.mariadbPasswords" . | nindent 2 }}
+{{- if .Values.mariadb.secret }}
+data:
+  {{- range $key, $val := .Values.mariadb.secret }}
+    "{{ $key }}": "{{ tpl $val $ | b64enc }}"
+  {{- end }}
+{{- end }}
 
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Values.matomo.name }}
-stringData:
-  matomo-username: {{ .Values.matomo.secret.matomoUser }}
-  {{- include "matomo.userPassword" . | nindent 2 }}
-type: Opaque
+{{- if .Values.matomo.secret }}
+data:
+  {{- range $key, $val := .Values.matomo.secret }}
+    "{{ $key }}": "{{ tpl $val $ | b64enc }}"
+  {{- end }}
+{{- end }}
diff --git a/charts/matomo/values.yaml b/charts/matomo/values.yaml
@@ -10,9 +10,13 @@ mariadb:
   pvc:
     storageSize: 5Gi
     storageClassName: standard-csi
+  random_pw_secret_key: database-password
+  random_root_pw_secret_key: database-root-password
   secret:
-    databaseName: matomodb
-    databaseUser: matomouser
+    database-name: matomodb
+    database-user: matomouser
+    database-password: '{{- include "random_mariadb_pw_reusable" . -}}'
+    database-root-password: '{{- include "random_mariadb_root_pw_reusable" . -}}'
   livenessProbe:
     enabled: true
     initialDelaySeconds: 30
@@ -34,5 +38,7 @@ matomo:
     tls:
       insecureEdgeTerminationPolicy: Redirect
       termination: edge
+  random_pw_secret_key: matomo-password
   secret:
-    matomoUser: matomouser
+    matomo-username: matomouser
+    matomo-password: '{{- include "random_matomo_pw_reusable" . -}}'
diff --git a/charts/minio/Chart.yaml b/charts/minio/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
 name: minio-helm
 description: Minio Helm Chart for Rahti platform
   Link to the repo https://github.com/CSCfi/helm-charts
-version: 1.0.0
+version: 1.1.0
 sources:
 - https://github.com/CSCfi/helm-charts