From 6186fb6675d57235c22b88d9b3b2215d4c06b082 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Mon, 20 Aug 2018 13:19:58 -0500
Subject: [PATCH] Helm-Toolkit: Move sensitive config data to secrets.

This PS updates helm toolkit, and effected charts in openstack-helm-infra to use Secrets rather than configmaps for application configuration, as they in many cases contain sensitive data.

Change-Id: Idd17812437465368e92c9fec0d5b634bbf6dc23a
Signed-off-by: Pete Birley
---
 .zuul.yaml | 2 ++
 .../templates/manifests/_job-bootstrap.yaml | 4 ++--
 .../manifests/_job-db-drop-mysql.yaml.tpl | 4 ++--
 .../manifests/_job-db-init-mysql.yaml.tpl | 4 ++--
 .../templates/manifests/_job-db-sync.yaml.tpl | 4 ++--
 .../snippets/_values_template_renderer.tpl | 14 ++++++++++++--
 ldap/templates/configmap-etc.yaml | 7 ++++---
 7 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/.zuul.yaml b/.zuul.yaml
index 30304a0bc..f10492134 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -32,6 +32,7 @@
 - ^doc/.*$
 - ^releasenotes/.*$
 - openstack-helm-infra-kubernetes-keystone-auth:
+ voting: false
 irrelevant-files:
 - ^.*\.rst$
 - ^doc/.*$
@@ -55,6 +56,7 @@
 - ^doc/.*$
 - ^releasenotes/.*$
 - openstack-helm-infra-kubernetes-keystone-auth:
+ voting: false
 irrelevant-files:
 - ^.*\.rst$
 - ^doc/.*$
diff --git a/helm-toolkit/templates/manifests/_job-bootstrap.yaml b/helm-toolkit/templates/manifests/_job-bootstrap.yaml
index a3276d528..8afc50ee6 100644
--- a/helm-toolkit/templates/manifests/_job-bootstrap.yaml
+++ b/helm-toolkit/templates/manifests/_job-bootstrap.yaml
@@ -92,8 +92,8 @@ spec:
 - name: etc-service
 emptyDir: {}
 - name: bootstrap-conf
- configMap:
- name: {{ $configMapEtc | quote }}
+ secret:
+ secretName: {{ $configMapEtc | quote }}
 defaultMode: 0444
 {{- if $podVols }}
 {{ $podVols | toYaml | indent 8 }}
diff --git a/helm-toolkit/templates/manifests/_job-db-drop-mysql.yaml.tpl b/helm-toolkit/templates/manifests/_job-db-drop-mysql.yaml.tpl
index 27b347a60..e813c328d 100644
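Review bot: Flipping openstack-helm-infra-kubernetes-keystone-auth to `voting: false` in both job lists (this hunk and the one at old line 55) is unrelated to moving configuration into Secrets, and the commit message does not mention it. If the job is being demoted because it fails with this change, the message should say so; otherwise the CI change belongs in its own commit so it can be reverted independently.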
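Review bot: The `bootstrap-conf` volume now mounts a Secret but keeps `defaultMode: 0444`, so the configuration the commit message calls sensitive is readable by every user inside the container; a tighter `defaultMode: 0440` (with the pod's `fsGroup` set so the application user can still read it) is the usual pairing for credential-bearing files. The same block is repeated in _job-db-drop-mysql.yaml.tpl, _job-db-init-mysql.yaml.tpl and _job-db-sync.yaml.tpl. `$configMapEtc` is assigned above the hunk and now names a Secret; until it is renamed, a comment on the mount such as `# $configMapEtc is the name of the chart's etc Secret (may hold credentials)` would stop readers assuming a ConfigMap. Consumers whose etc manifest still renders a ConfigMap under that name will fail at pod start with a missing-Secret error, so this toolkit change and the chart changes have to land together.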
--- a/helm-toolkit/templates/manifests/_job-db-drop-mysql.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-drop-mysql.yaml.tpl
@@ -118,8 +118,8 @@ spec:
 - name: etc-service
 emptyDir: {}
 - name: db-drop-conf
- configMap:
- name: {{ $configMapEtc | quote }}
+ secret:
+ secretName: {{ $configMapEtc | quote }}
 defaultMode: 0444
 {{- end -}}
 {{- end -}}
diff --git a/helm-toolkit/templates/manifests/_job-db-init-mysql.yaml.tpl b/helm-toolkit/templates/manifests/_job-db-init-mysql.yaml.tpl
index 8e7e436f8..dea58646e 100644
--- a/helm-toolkit/templates/manifests/_job-db-init-mysql.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-init-mysql.yaml.tpl
@@ -115,8 +115,8 @@ spec:
 - name: etc-service
 emptyDir: {}
 - name: db-init-conf
- configMap:
- name: {{ $configMapEtc | quote }}
+ secret:
+ secretName: {{ $configMapEtc | quote }}
 defaultMode: 0444
 {{- end -}}
 {{- end -}}
diff --git a/helm-toolkit/templates/manifests/_job-db-sync.yaml.tpl b/helm-toolkit/templates/manifests/_job-db-sync.yaml.tpl
index df64ecf21..134e99bd8 100644
--- a/helm-toolkit/templates/manifests/_job-db-sync.yaml.tpl
+++ b/helm-toolkit/templates/manifests/_job-db-sync.yaml.tpl
@@ -88,8 +88,8 @@ spec:
 - name: etc-service
 emptyDir: {}
 - name: db-sync-conf
- configMap:
- name: {{ $configMapEtc | quote }}
+ secret:
+ secretName: {{ $configMapEtc | quote }}
 defaultMode: 0444
 {{- if $podVols }}
 {{ $podVols | toYaml | indent 8 }}
diff --git a/helm-toolkit/templates/snippets/_values_template_renderer.tpl b/helm-toolkit/templates/snippets/_values_template_renderer.tpl
index 67f099dfd..88a279def 100644
--- a/helm-toolkit/templates/snippets/_values_template_renderer.tpl
+++ b/helm-toolkit/templates/snippets/_values_template_renderer.tpl
@@ -67,13 +67,23 @@ return: |
 {{- $envAll := index . "envAll" -}}
 {{- $template := index . "template" -}}
 {{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
 {{- with $envAll -}}
 {{- $templateRendered := tpl ( $template | toYaml ) . }}
-{{- if hasPrefix "|\n" $templateRendered }}
-{{ $key }}: {{ $templateRendered }}
+{{- if eq $format "Secret" }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
 {{- else }}
 {{ $key }}: |
 {{ $templateRendered | indent 2 }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}
diff --git a/ldap/templates/configmap-etc.yaml b/ldap/templates/configmap-etc.yaml
index e724e6d71..3fa7c37d8 100644
--- a/ldap/templates/configmap-etc.yaml
+++ b/ldap/templates/configmap-etc.yaml
@@ -13,15 +13,16 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
+
 {{- if .Values.manifests.configmap_etc }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
 name: ldap-etc
+type: Opaque
 data:
 {{- if .Values.bootstrap.enabled }}
- sample_data.ldif: |
-{{ .Values.data.sample | indent 4 }}
+ sample_data.ldif: {{ .Values.data.sample | b64enc }}
 {{- end }}
 {{- end }}
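Review bot: An unrecognised `format` value falls through to the ConfigMap branch, and the two accepted spellings differ in case (`configMap` as the default, `Secret` in the `eq`), so a caller passing `secret` or `ConfigMap` silently gets the plain block form where base64 was intended and only learns of it when the API server rejects the Secret's `data:`. Fail at render time instead: change the outer `{{- else }}` (the one following the Secret branch's `{{- end -}}`) to `{{- else if eq $format "configMap" }}` and add `{{- else }}{{ fail (printf "values_template_renderer: unsupported format %q" $format) }}` right after the ConfigMap branch's inner `{{- end -}}`, before the `{{- end -}}` that closes the outer `if`. The new `format` key is also absent from the template's usage/values header, which sits above line 67 outside this hunk; add a line there such as `format: Secret  # optional, default configMap; base64-encodes the rendered value for a Secret's data block`.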
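Review bot: The file name `configmap-etc.yaml` and the `.Values.manifests.configmap_etc` gate no longer match the `kind: Secret` this template emits, so the chart's values and file layout now misdescribe the object; renaming both to `secret-etc`/`secret_etc` would keep them honest. The diff does not include the ldap pod template that mounts `ldap-etc`; if that volume is still declared with `configMap:`, bootstrap pods will fail to start because no ConfigMap of that name exists any more, so it is worth confirming the mount was switched to `secret:`/`secretName:` in the same change. A comment above `kind: Secret` such as `# rendered as a Secret: sample_data.ldif may carry directory entries and credentials` would explain the choice of type to the next reader.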