diff --git a/charts/hedgedoc/Chart.yaml b/charts/hedgedoc/Chart.yaml
index 0050258..db52ab6 100644
--- a/charts/hedgedoc/Chart.yaml
+++ b/charts/hedgedoc/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: hedgedoc-helm
description: Hedgedoc Helm Chart for Rahti platform
Link to the repo https://github.com/CSCfi/helm-charts
-version: 1.0.0
+version: 1.1.0
sources:
- https://github.com/CSCfi/helm-charts
dependencies:
diff --git a/charts/hedgedoc/README.md b/charts/hedgedoc/README.md
index d66dfbc..ccea3aa 100644
--- a/charts/hedgedoc/README.md
+++ b/charts/hedgedoc/README.md
@@ -31,10 +31,16 @@ helm upgrade --install hedgedoc . -f {custom_values.yaml}
| `hedgedoc.containerSecurityContext` | Set SecurityContext for the container | `allowPrivilegeEscalation: false`
`runAsUser:`
`runAsGroup:`
`capabilities:`
`drop:`
`- ALL`
`runAsNonRoot: true`
`seccompProfile:`
`type: RuntimeDefault` |
| `hedgedoc.pvc.storageSpace` | Storage space for the PersistentVolume | `5Gi` |
| `hedgedoc.service.type` | Set the Service type | `ClusterIP` |
+| `hedgedoc.random_pw_secret_key` | Key to store the password | `database-password` |
+| `hedgedoc.secret.database-name` | Name of the database | `postgres` |
+| `hedgedoc.secret.database-user` | Name of the postgres user | `postgres` |
+| `hedgedoc.secret.database-password` | Function that retrieve the generated password | `'{{- include "random_pw_reusable" . -}}'` |
### PostgreSQL parameters
-Since we are using the `bitnami/postgresql` Helm Chart as a dependency, you can take a look to the [PostgreSQL ArtifactHub](https://artifacthub.io/packages/helm/bitnami/postgresql/13.4.4) to check the different values
+Since we are using the `bitnami/postgresql` Helm Chart as a dependency, you can take a look to the [PostgreSQL ArtifactHub](https://artifacthub.io/packages/helm/bitnami/postgresql/13.4.4) to check the different values.
+
+The postgres database password is generated randomly and won't change if you upgrade the Chart.
## Cleanup
To delete all the resources, simply uninstall the Helm Chart:
diff --git a/charts/hedgedoc/templates/NOTES.txt b/charts/hedgedoc/templates/NOTES.txt
index 6da6d62..351d35c 100644
--- a/charts/hedgedoc/templates/NOTES.txt
+++ b/charts/hedgedoc/templates/NOTES.txt
@@ -6,3 +6,7 @@ Your HedgeDoc applications is now deployed. Wait a little bit the time that the
and then you could access it through this URL:
https://{{ .Values.hedgedoc.appname }}.{{ .Values.hedgedoc.domain }}
+
+The postgresql database password is generated automatically. To check its value, run this command:
+
+ echo PostgreSQL Password: $(oc get secret --namespace={{ .Release.Namespace }} postgres -o jsonpath="{.data.database-password}" | base64 -d)
diff --git a/charts/hedgedoc/templates/_helpers.tpl b/charts/hedgedoc/templates/_helpers.tpl
index 3a89b1b..5c277a0 100644
--- a/charts/hedgedoc/templates/_helpers.tpl
+++ b/charts/hedgedoc/templates/_helpers.tpl
@@ -61,9 +61,37 @@ Create the name of the service account to use
{{- end }}
{{- end }}
-{{/*
-Generate postgres database password
+{{/*
+Define a function that generate static password
*/}}
-{{- define "hedgedoc.postgresPassword" -}}
-database-password: {{ randAlphaNum 16 | quote }}
-{{- end }}
+{{- define "generate_static_password" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars") -}}
+{{- $_ := set .Release "tmp_vars" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "password" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{- $_ := set .Release.tmp_vars $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars $key -}}
+{{- end -}}
+
+{{/*
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
+*/}}
+{{- define "random_pw_reusable" -}}
+ {{- if .Release.IsUpgrade -}}
+ {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace "postgres").data -}}
+ {{- if $data -}}
+ {{- index $data .Values.hedgedoc.random_pw_secret_key | b64dec -}}
+ {{- end -}}
+ {{- else -}}
+ {{- if and (required "You must pass postgres (the name of a secret to retrieve password from on upgrade)" "postgres") (required "You must pass .Values.hedgedoc.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.hedgedoc.random_pw_secret_key) -}}
+ {{- (include "generate_static_password" .) -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
\ No newline at end of file
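Review bot: On upgrade, `random_pw_reusable` renders nothing when the `lookup` returns no data, because the `{{- if $data -}}` branch has no `else`; the Secret template then stores an empty `database-password`. That happens whenever the Secret is missing or the lookup is not served by the cluster (a client-side dry run of the upgrade, for instance; worth confirming for the Helm version in use). Reusing the stored value when the key is present and otherwise generating one, as sketched below, removes the empty case; if the database has already persisted the old password, calling `fail` in that branch may be the safer choice. The `required ... "postgres"` check is applied to a literal and can never fire. The same pattern is in the matomo and minio `_helpers.tpl` hunks.

```gotemplate
{{- define "random_pw_reusable" -}}
  {{- $pwKey := required "You must pass .Values.hedgedoc.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.hedgedoc.random_pw_secret_key -}}
  {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace "postgres").data -}}
  {{- if hasKey $data $pwKey -}}
    {{- /* Secret already exists: keep the stored password. */ -}}
    {{- index $data $pwKey | b64dec -}}
  {{- else -}}
    {{- /* First install, or nothing to read back: generate once per render. */ -}}
    {{- include "generate_static_password" . -}}
  {{- end -}}
{{- end -}}
```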
diff --git a/charts/hedgedoc/templates/secrets.yaml b/charts/hedgedoc/templates/secrets.yaml
index 2118200..d6fef85 100644
--- a/charts/hedgedoc/templates/secrets.yaml
+++ b/charts/hedgedoc/templates/secrets.yaml
@@ -1,11 +1,13 @@
apiVersion: v1
-stringData:
- database-name: postgres
- database-user: postgres
- {{- include "hedgedoc.postgresPassword" . | nindent 2 }}
kind: Secret
metadata:
labels:
app: postgresql
name: postgres
+{{- if .Values.hedgedoc.secret }}
+data:
+ {{- range $key, $val := .Values.hedgedoc.secret }}
+ "{{ $key }}": "{{ tpl $val $ | b64enc }}"
+ {{- end }}
+{{- end }}
type: Opaque
\ No newline at end of file
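Review bot: `tpl $val $` accepts only a string, so an unquoted numeric or boolean override under `hedgedoc.secret` (an all-digit password, say) will likely fail rendering with a type error rather than a clear message. A guard at the top of the `range` body such as `{{- if not (kindIs "string" $val) }}{{ fail (printf "hedgedoc.secret.%s must be a quoted string" $key) }}{{- end }}` makes the requirement explicit. Because every value in this map is evaluated as a template against the root context, a values file should be reviewed like code when it comes from someone other than the chart operator. The matomo `secrets.yaml` and minio `secret.yaml` hunks use the same loop.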
diff --git a/charts/hedgedoc/values.yaml b/charts/hedgedoc/values.yaml
index eb150b0..bed35f9 100644
--- a/charts/hedgedoc/values.yaml
+++ b/charts/hedgedoc/values.yaml
@@ -28,6 +28,11 @@ hedgedoc:
storageSpace: 5Gi
service:
type: ClusterIP
+ random_pw_secret_key: database-password
+ secret:
+ database-name: postgres
+ database-user: postgres
+ database-password: '{{- include "random_pw_reusable" . -}}'
# Parameters related to the deployment of PostgreSQL
postgresql:
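Review bot: `random_pw_secret_key` has to name the same key as the password entry under `secret`, but nothing next to these values says so; if the two diverge, the upgrade lookup in `random_pw_reusable` reads a key the Secret does not contain. A comment above the pair would do, for example `# Must match the key under "secret" that holds the generated password; it is read back on upgrade.` The matomo and minio `values.yaml` hunks have the same pairing. The `hedgedoc:` mapping starts above this hunk.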
diff --git a/charts/matomo/Chart.yaml b/charts/matomo/Chart.yaml
index 341d1af..0f84768 100644
--- a/charts/matomo/Chart.yaml
+++ b/charts/matomo/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
name: matomo-helm
description: Matomo Helm Chart for Rahti platform
Link to the repo https://github.com/CSCfi/helm-charts
-version: 1.0.0
+version: 1.1.0
sources:
- https://github.com/CSCfi/helm-charts
diff --git a/charts/matomo/README.md b/charts/matomo/README.md
index 6b6e74f..7802e79 100644
--- a/charts/matomo/README.md
+++ b/charts/matomo/README.md
@@ -24,8 +24,12 @@ helm upgrade --install matomo . -f {custom_values.yaml}
| `mariadb.service.type` | Set the Service type | `ClusterIP` |
| `mariadb.pvc.storageSize` | Storage size for the PersistentVolume | `5Gi` |
| `mariadb.pvc.storageClassName` | Storage Class Name for the PersistentVolume | `standard-csi` |
-| `mariadb.secret.databaseName` | Name of your database | `matomodb` |
-| `mariadb.secret.databaseUser` | Name of the database user | `matomouser` |
+| `mariadb.random_pw_secret_key` | Key to store the password | `database-password` |
+| `mariadb.random_root_pw_secret_key` | Key to store the root password | `database-root-password` |
+| `mariadb.secret.database-name` | Name of the database | `matomodb` |
+| `mariadb.secret.database-user` | Name of the database user | `matomouser` |
+| `mariadb.secret.database-password` | Function that retrieve the generated password | `'{{- include "random_mariadb_pw_reusable" . -}}'` |
+| `mariadb.secret.database-password` | Function that retrieve the generated root password | `'{{- include "random_mariadb_root_pw_reusable" . -}}'` |
| `mariadb.livenessProbe.enabled` | Enable or not `livenessProbe` | `true` |
| `mariadb.livenessProbe.initialDelaySeconds` | Set the `livenessProbe.initialDelaySeconds` | `30` |
| `mariadb.livenessProbe.timeoutSeconds` | Set the `livenessProbe.timeoutSeconds` | `1` |
@@ -36,18 +40,22 @@ helm upgrade --install matomo . -f {custom_values.yaml}
### Matomo parameters
-| Name | Description | Value |
-| ------------------------------------------------ | -------------------------------------------------------------------- | ----------------------- |
-| `matomo.image` | Name of the `matomo` image. | `bitnami/matomo:latest` |
-| `matomo.name` | Name of your app. | `matomo` |
-| `matomo.service.type` | Set the Service type | `ClusterIP` |
-| `matomo.route.tls.insecureEdgeTerminationPolicy` | Set the termination policy regarding insecure traffic for the route | `Redirect` |
-| `matomo.route.tls.termination` | Set the termination for the route | `edge` |
-| `matomo.secret.matomoUser` | Name of the database user | `matomouser` |
+| Name | Description | Value |
+| ------------------------------------------------ | -------------------------------------------------------------------- | ------------------------------------------------- |
+| `matomo.image` | Name of the `matomo` image. | `bitnami/matomo:latest` |
+| `matomo.name` | Name of your app. | `matomo` |
+| `matomo.service.type` | Set the Service type | `ClusterIP` |
+| `matomo.route.tls.insecureEdgeTerminationPolicy` | Set the termination policy regarding insecure traffic for the route | `Redirect` |
+| `matomo.route.tls.termination` | Set the termination for the route | `edge` |
+| `matomo.random_pw_secret_key` | Key to store the password | `matomo-password` |
+| `matomo.secret.matomo-username` | Name of the matomo user | `matomouser` |
+| `matomo.secret.matomo-password` | Function that retrieve the generated password | `'{{- include "random_matomo_pw_reusable" . -}}'` |
The password for the mariadb database and the root password are generated randomly. A function is created in the `_helpers.tpl` file.
It's the same behavior for the matomo user password.
+The passwords won't change if you upgrade the Chart.
+
Follow the instructions after deploying the Helm Chart to retrieve the passwords.
## Cleanup
diff --git a/charts/matomo/templates/_helpers.tpl b/charts/matomo/templates/_helpers.tpl
index 4799396..6d9510a 100644
--- a/charts/matomo/templates/_helpers.tpl
+++ b/charts/matomo/templates/_helpers.tpl
@@ -61,17 +61,110 @@ Create the name of the service account to use
{{- end }}
{{- end }}
-{{/*
-Generate mariadb passwords
+## MARIADB PASSWORD
+{{/*
+Define a function that generate static mariadb password
*/}}
-{{- define "matomo.mariadbPasswords" -}}
-database-password: {{ randAlphaNum 16 | quote }}
-database-root-password: {{ randAlphaNum 32 | quote }}
-{{- end }}
+{{- define "generate_static_mariadb_password" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars_mariadb") -}}
+{{- $_ := set .Release "tmp_vars_mariadb" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "mariadb_password" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars_mariadb $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{- $_ := set .Release.tmp_vars_mariadb $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars_mariadb $key -}}
+{{- end -}}
+
+{{/*
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
+*/}}
+{{- define "random_mariadb_pw_reusable" -}}
+ {{- if .Release.IsUpgrade -}}
+ {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.mariadb.name).data -}}
+ {{- if $data -}}
+ {{- index $data .Values.mariadb.random_pw_secret_key | b64dec -}}
+ {{- end -}}
+ {{- else -}}
+ {{- if and (required "You must pass .Values.mariadb.name (the name of a secret to retrieve password from on upgrade)" .Values.mariadb.name) (required "You must pass .Values.mariadb.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.mariadb.random_pw_secret_key) -}}
+ {{- (include "generate_static_mariadb_password" .) -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+## MARIADB ROOT PASSWORD
+{{/*
+Define a function that generate static mariadb root password
+*/}}
+{{- define "generate_static_mariadb_root_password" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars_mariadb_root") -}}
+{{- $_ := set .Release "tmp_vars_mariadb_root" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "mariadb_root_password" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars_mariadb_root $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{- $_ := set .Release.tmp_vars_mariadb_root $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars_mariadb_root $key -}}
+{{- end -}}
+
+{{/*
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
+*/}}
+{{- define "random_mariadb_root_pw_reusable" -}}
+ {{- if .Release.IsUpgrade -}}
+ {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.mariadb.name).data -}}
+ {{- if $data -}}
+ {{- index $data .Values.mariadb.random_root_pw_secret_key | b64dec -}}
+ {{- end -}}
+ {{- else -}}
+ {{- if and (required "You must pass .Values.mariadb.name (the name of a secret to retrieve password from on upgrade)" .Values.mariadb.name) (required "You must pass .Values.mariadb.random_root_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.mariadb.random_root_pw_secret_key) -}}
+ {{- (include "generate_static_mariadb_root_password" .) -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+## MATOMO PASSWORD
+{{/*
+Define a function that generate static matomo password
+*/}}
+{{- define "generate_static_matomo_password" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars_matomo") -}}
+{{- $_ := set .Release "tmp_vars_matomo" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "matomo_password" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars_matomo $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{- $_ := set .Release.tmp_vars_matomo $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars_matomo $key -}}
+{{- end -}}
{{/*
-Generate matomo password
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
*/}}
-{{- define "matomo.userPassword" -}}
-matomo-password: {{ randAlphaNum 16 | quote }}
-{{- end }}
\ No newline at end of file
+{{- define "random_matomo_pw_reusable" -}}
+ {{- if .Release.IsUpgrade -}}
+ {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.matomo.name).data -}}
+ {{- if $data -}}
+ {{- index $data .Values.matomo.random_pw_secret_key | b64dec -}}
+ {{- end -}}
+ {{- else -}}
+ {{- if and (required "You must pass .Values.matomo.name (the name of a secret to retrieve password from on upgrade)" .Values.matomo.name) (required "You must pass .Values.matomo.random_pw_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.matomo.random_pw_secret_key) -}}
+ {{- (include "generate_static_matomo_password" .) -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
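Review bot: `generate_static_mariadb_root_password` calls `randAlphaNum 20`, whereas the removed `matomo.mariadbPasswords` helper generated the root password with `randAlphaNum 32`, and nothing in the diff explains the shorter value. If the reduction is not deliberate, keep `randAlphaNum 32` for the root password. The minio `_helpers.tpl` hunk does the same to `accessKey` and `secretKey`, which were also 32 characters. The three generate/reuse pairs in this hunk differ only in the cache name and the values path, so a single helper taking those as arguments would keep them from drifting apart.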
diff --git a/charts/matomo/templates/secrets.yaml b/charts/matomo/templates/secrets.yaml
index 88b6520..a0f464c 100644
--- a/charts/matomo/templates/secrets.yaml
+++ b/charts/matomo/templates/secrets.yaml
@@ -7,17 +7,21 @@ metadata:
template.openshift.io/expose-root_password: '{.data[''database-root-password'']}'
template.openshift.io/expose-username: '{.data[''database-user'']}'
name: {{ .Values.mariadb.name }}
-stringData:
- database-name: {{ .Values.mariadb.secret.databaseName }}
- database-user: {{ .Values.mariadb.secret.databaseUser }}
- {{- include "matomo.mariadbPasswords" . | nindent 2 }}
+{{- if .Values.mariadb.secret }}
+data:
+ {{- range $key, $val := .Values.mariadb.secret }}
+ "{{ $key }}": "{{ tpl $val $ | b64enc }}"
+ {{- end }}
+{{- end }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.matomo.name }}
-stringData:
- matomo-username: {{ .Values.matomo.secret.matomoUser }}
- {{- include "matomo.userPassword" . | nindent 2 }}
-type: Opaque
\ No newline at end of file
+{{- if .Values.matomo.secret }}
+data:
+ {{- range $key, $val := .Values.matomo.secret }}
+ "{{ $key }}": "{{ tpl $val $ | b64enc }}"
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/matomo/values.yaml b/charts/matomo/values.yaml
index 98a2b09..52ad45b 100644
--- a/charts/matomo/values.yaml
+++ b/charts/matomo/values.yaml
@@ -10,9 +10,13 @@ mariadb:
pvc:
storageSize: 5Gi
storageClassName: standard-csi
+ random_pw_secret_key: database-password
+ random_root_pw_secret_key: database-root-password
secret:
- databaseName: matomodb
- databaseUser: matomouser
+ database-name: matomodb
+ database-user: matomouser
+ database-password: '{{- include "random_mariadb_pw_reusable" . -}}'
+ database-root-password: '{{- include "random_mariadb_root_pw_reusable" . -}}'
livenessProbe:
enabled: true
initialDelaySeconds: 30
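Review bot: Renaming `databaseName`/`databaseUser` to `database-name`/`database-user` silently breaks existing custom values files: the Secret template now ranges over every key in `mariadb.secret`, so an old override such as `mariadb.secret.databaseName` would be emitted as an extra Secret key while `database-name` keeps its default. The same applies to `matomo.secret.matomoUser` in the second hunk of this file. A guard in the template, e.g. `{{- if hasKey .Values.mariadb.secret "databaseName" }}{{ fail "mariadb.secret.databaseName was renamed to mariadb.secret.database-name" }}{{- end }}`, or an upgrade note in the README would surface it. The `mariadb:` mapping starts and ends outside this hunk.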
@@ -34,5 +38,7 @@ matomo:
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge
+ random_pw_secret_key: matomo-password
secret:
- matomoUser: matomouser
\ No newline at end of file
+ matomo-username: matomouser
+ matomo-password: '{{- include "random_matomo_pw_reusable" . -}}'
\ No newline at end of file
diff --git a/charts/minio/Chart.yaml b/charts/minio/Chart.yaml
index bec49cb..27144e9 100644
--- a/charts/minio/Chart.yaml
+++ b/charts/minio/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
name: minio-helm
description: Minio Helm Chart for Rahti platform
Link to the repo https://github.com/CSCfi/helm-charts
-version: 1.0.0
+version: 1.1.0
sources:
- https://github.com/CSCfi/helm-charts
diff --git a/charts/minio/README.md b/charts/minio/README.md
index f5042b7..5a4edbc 100644
--- a/charts/minio/README.md
+++ b/charts/minio/README.md
@@ -14,28 +14,34 @@ helm upgrade --install minio . -f {custom_values.yaml}
## Parameters
### minio parameters
-| Name | Description | Value |
-| ----------------------------------------------- | -------------------------------------------------------------------- | -------------------------------------------|
-| `minio.domainSuffix` | Set the `domainSuffix` for your minio app | `2.rahtiapp.fi` |
-| `minio.whiteList` | Set the access of your minio app | `0.0.0.0/0` |
-| `minio.clusterName` | Name for your minio cluster | `my-minio-cluster` |
-| `minio.image` | Name of the Minio image | `minio/minio:RELEASE.2023-12-14T18-51-57Z` |
-| `minio.resources.limits.cpu` | Set the limits cpu | `500m` |
-| `minio.resources.limits.memory` | Set the limits memory | `512Mi` |
-| `minio.resources.requests.cpu` | Set the requests memory | `200m` |
-| `minio.resources.requests.memory` | Set the requests memory | `256Mi` |
-| `minio.readinessProbe.enabled` | Enable or not the `readinessProbe` | `true` |
-| `minio.readinessProbe.httpGet.path` | Set the `httpGet` path for the `readinessProbe` | `/minio/health/ready` |
-| `minio.readinessProbe.httpGet.port` | Set the `httpGet` port for the `readinessProbe` | `9000` |
-| `minio.readinessProbe.httpGet.scheme` | Set the `httpGet` scheme for the `readinessProbe` | `HTTP` |
-| `minio.pvc.name` | Name for the PersistentVolumeClaim | `minio-pvc` |
-| `minio.pvc.storageSize` | Storage size for the PersistentVolumeClaim | `5Gi` |
-| `minio.pvc.storageClassName` | Storage Class Name for the PersistentVolumeClaim | `standard-csi` |
-| `minio.service.type` | Set the Service type | `ClusterIP` |
-| `minio.route.tls.termination` | Set the termination for the route | `edge` |
-| `minio.route.tls.insecureEdgeTerminationPolicy` | Set the termination policy regarding insecure traffic for the route | `Redirect` |
+| Name | Description | Value |
+| ----------------------------------------------- | -------------------------------------------------------------------- | --------------------------------------------------------|
+| `minio.domainSuffix` | Set the `domainSuffix` for your minio app | `2.rahtiapp.fi` |
+| `minio.whiteList` | Set the access of your minio app | `0.0.0.0/0` |
+| `minio.clusterName` | Name for your minio cluster | `my-minio-cluster` |
+| `minio.image` | Name of the Minio image | `minio/minio:RELEASE.2023-12-14T18-51-57Z` |
+| `minio.resources.limits.cpu` | Set the limits cpu | `500m` |
+| `minio.resources.limits.memory` | Set the limits memory | `512Mi` |
+| `minio.resources.requests.cpu` | Set the requests memory | `200m` |
+| `minio.resources.requests.memory` | Set the requests memory | `256Mi` |
+| `minio.readinessProbe.enabled` | Enable or not the `readinessProbe` | `true` |
+| `minio.readinessProbe.httpGet.path` | Set the `httpGet` path for the `readinessProbe` | `/minio/health/ready` |
+| `minio.readinessProbe.httpGet.port` | Set the `httpGet` port for the `readinessProbe` | `9000` |
+| `minio.readinessProbe.httpGet.scheme` | Set the `httpGet` scheme for the `readinessProbe` | `HTTP` |
+| `minio.random_accesskey_secret_key` | Key to store the accessKey | `accessKey` |
+| `minio.random_secretkey_secret_key` | Key to store the secretKey | `secretKey` |
+| `minio.secret.accessKey` | Function that retrieve the generated accessKey | `'{{- include "random_minio_accesskey_reusable" . -}}'` |
+| `minio.secret.secretKey` | Function that retrieve the generated secretKey | `'{{- include "random_minio_secretkey_reusable" . -}}'` |
+| `minio.pvc.name` | Name for the PersistentVolumeClaim | `minio-pvc` |
+| `minio.pvc.storageSize` | Storage size for the PersistentVolumeClaim | `5Gi` |
+| `minio.pvc.storageClassName` | Storage Class Name for the PersistentVolumeClaim | `standard-csi` |
+| `minio.service.type` | Set the Service type | `ClusterIP` |
+| `minio.route.tls.termination` | Set the termination for the route | `edge` |
+| `minio.route.tls.insecureEdgeTerminationPolicy` | Set the termination policy regarding insecure traffic for the route | `Redirect` |
-The secretKey and the accessKey for the minio console are generated randomly. A function is created in the `_helpers.tpl` file.
+The secretKey and the accessKey for the minio console are generated randomly. A function is created in the `_helpers.tpl` file.
+
+The secretKey and the accessKey won't change if you upgrade the Chart.
Follow the instructions after deploying the Helm Chart to retrieve the passwords.
diff --git a/charts/minio/templates/NOTES.txt b/charts/minio/templates/NOTES.txt
index 1a0a6bf..9d09897 100644
--- a/charts/minio/templates/NOTES.txt
+++ b/charts/minio/templates/NOTES.txt
@@ -11,5 +11,5 @@ Get the application console URL by running this command:
The password for the user is generated randomly.
To retrieve it, run this command:
- echo Minio access key: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.minio.clusterName }}-secret -o jsonpath="{.data.accessKey}" | base64 -d)
- echo Minio secret key: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.minio.clusterName }}-secret -o jsonpath="{.data.secretKey}" | base64 -d)
+ echo Minio access key: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.minio.clusterName }} -o jsonpath="{.data.accessKey}" | base64 -d)
+ echo Minio secret key: $(oc get secret --namespace={{ .Release.Namespace }} {{ .Values.minio.clusterName }} -o jsonpath="{.data.secretKey}" | base64 -d)
diff --git a/charts/minio/templates/_helpers.tpl b/charts/minio/templates/_helpers.tpl
index 3728b43..731dbe4 100644
--- a/charts/minio/templates/_helpers.tpl
+++ b/charts/minio/templates/_helpers.tpl
@@ -61,10 +61,74 @@ Create the name of the service account to use
{{- end }}
{{- end }}
+## MINIO ACCESSKEY
{{/*
-Generate default accessKey and secretKey
+Define a function that generate static minio accessKey
*/}}
-{{- define "minio.keys" -}}
-accessKey: {{ randAlphaNum 32 | quote }}
-secretKey: {{ randAlphaNum 32 | quote }}
-{{- end }}
\ No newline at end of file
+{{- define "generate_static_minio_accesskey" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars_minio_accesskey") -}}
+{{- $_ := set .Release "tmp_vars_minio_accesskey" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "minio_accesskey" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars_minio_accesskey $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{- $_ := set .Release.tmp_vars_minio_accesskey $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars_minio_accesskey $key -}}
+{{- end -}}
+
+{{/*
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
+*/}}
+{{- define "random_minio_accesskey_reusable" -}}
+ {{- if .Release.IsUpgrade -}}
+ {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.minio.clusterName).data -}}
+ {{- if $data -}}
+ {{- index $data .Values.minio.random_accesskey_secret_key | b64dec -}}
+ {{- end -}}
+ {{- else -}}
+ {{- if and (required "You must pass .Values.minio.clusterName (the name of a secret to retrieve password from on upgrade)" .Values.minio.clusterName) (required "You must pass .Values.minio.random_accesskey_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.minio.random_accesskey_secret_key) -}}
+ {{- (include "generate_static_minio_accesskey" .) -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+## MINIO SECRETKEY
+{{/*
+Define a function that generate static minio secretKey
+*/}}
+{{- define "generate_static_minio_secretkey" -}}
+{{- /* Create "tmp_vars" dict inside ".Release" to store various stuff. */ -}}
+{{- if not (index .Release "tmp_vars_minio_secretkey") -}}
+{{- $_ := set .Release "tmp_vars_minio_secretkey" dict -}}
+{{- end -}}
+{{- /* Some random ID of this password, in case there will be other random values alongside this instance. */ -}}
+{{- $key := printf "%s_%s" .Release.Name "minio_secretkey" -}}
+{{- /* If $key does not yet exist in .Release.tmp_vars, then... */ -}}
+{{- if not (index .Release.tmp_vars_minio_secretkey $key) -}}
+{{- /* ... store random password under the $key */ -}}
+{{- $_ := set .Release.tmp_vars_minio_secretkey $key (randAlphaNum 20) -}}
+{{- end -}}
+{{- /* Retrieve previously generated value. */ -}}
+{{- index .Release.tmp_vars_minio_secretkey $key -}}
+{{- end -}}
+
+{{/*
+Define a function that lookup the secret on upgrade. If install, it requires the name of secret to create and the key to store the password.
+*/}}
+{{- define "random_minio_secretkey_reusable" -}}
+ {{- if .Release.IsUpgrade -}}
+ {{- $data := default dict (lookup "v1" "Secret" .Release.Namespace .Values.minio.clusterName).data -}}
+ {{- if $data -}}
+ {{- index $data .Values.minio.random_secretkey_secret_key | b64dec -}}
+ {{- end -}}
+ {{- else -}}
+ {{- if and (required "You must pass .Values.minio.clusterName (the name of a secret to retrieve password from on upgrade)" .Values.minio.clusterName) (required "You must pass .Values.minio.random_secretkey_secret_key (the name of the key in the secret to retrieve password from on upgrade)" .Values.minio.random_secretkey_secret_key) -}}
+ {{- (include "generate_static_minio_secretkey" .) -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/minio/templates/deploymentconfig.yaml b/charts/minio/templates/deploymentconfig.yaml
index 6923f75..f184784 100644
--- a/charts/minio/templates/deploymentconfig.yaml
+++ b/charts/minio/templates/deploymentconfig.yaml
@@ -46,12 +46,12 @@ spec:
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
- name: {{ .Values.minio.clusterName }}-secret
+ name: {{ .Values.minio.clusterName }}
key: accessKey
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
- name: {{ .Values.minio.clusterName }}-secret
+ name: {{ .Values.minio.clusterName }}
key: secretKey
volumes:
- name: minio-vol
diff --git a/charts/minio/templates/secret.yaml b/charts/minio/templates/secret.yaml
index 2414043..d72c146 100644
--- a/charts/minio/templates/secret.yaml
+++ b/charts/minio/templates/secret.yaml
@@ -1,10 +1,13 @@
apiVersion: v1
kind: Secret
metadata:
- name: {{ .Values.minio.clusterName }}-secret
+ name: {{ .Values.minio.clusterName }}
labels:
app: {{ .Values.minio.clusterName }}
-type: Opaque # Unstructured secret
-stringData:
- {{- include "minio.keys" . | nindent 2 }}
+{{- if .Values.minio.secret }}
+data:
+ {{- range $key, $val := .Values.minio.secret }}
+ "{{ $key}}": "{{ tpl $val $ | b64enc }}"
+ {{- end }}
+{{- end }}
\ No newline at end of file
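Review bot: The Secret is renamed from `{{ .Values.minio.clusterName }}-secret` to `{{ .Values.minio.clusterName }}` in the same commit that makes the helpers read the credentials back from the Secret named `.Values.minio.clusterName` on upgrade. A release installed from the previous chart version has only the `-secret` object, so on its first upgrade the lookup should find nothing and both `accessKey` and `secretKey` would render empty. Keeping the old name, or having the helpers also look up `{{ .Values.minio.clusterName }}-secret` before giving up, avoids that. The hunk also drops `type: Opaque`; that is the default, but the hedgedoc Secret keeps it explicit.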
diff --git a/charts/minio/values.yaml b/charts/minio/values.yaml
index a866461..ea058e4 100644
--- a/charts/minio/values.yaml
+++ b/charts/minio/values.yaml
@@ -16,6 +16,11 @@ minio:
path: /minio/health/ready
port: 9000
scheme: HTTP
+ random_accesskey_secret_key: accessKey
+ random_secretkey_secret_key: secretKey
+ secret:
+ accessKey: '{{- include "random_minio_accesskey_reusable" . -}}'
+ secretKey: '{{- include "random_minio_secretkey_reusable" . -}}'
pvc:
name: minio-pvc
storageSize: 5Gi