feat: use external secret for postgres (#33)

Co-authored-by: owlas <[email protected]>
lightdash · Jan 13, 2023 · 4f81889 · 4f81889
1 parent 87f5f20
commit 4f81889
Show file tree

Hide file tree

Showing 8 changed files with 64 additions and 90 deletions.
diff --git a/charts/lightdash/Chart.yaml b/charts/lightdash/Chart.yaml
@@ -6,13 +6,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.6.0
+version: 0.7.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: 0.331.0
+appVersion: 0.365.1
 
 maintainers:
   - name: owlas

diff --git a/charts/lightdash/README.md b/charts/lightdash/README.md
@@ -2,7 +2,7 @@
 
 A Helm chart to deploy lightdash on kubernetes
 
-![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.331.0](https://img.shields.io/badge/AppVersion-0.331.0-informational?style=flat-square)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.365.1](https://img.shields.io/badge/AppVersion-0.365.1-informational?style=flat-square)
 
 ## Prerequisites
 
@@ -67,18 +67,18 @@ If you don't want helm to manage this, you may wish to separately create a secre
 | configMap.TRUST_PROXY | string | `"false"` | Trust the reverse proxy when setting secure cookies (via the "X-Forwarded-Proto" header) |
 | externalDatabase.database | string | `"lightdash"` |  |
 | externalDatabase.existingSecret | string | `""` |  |
-| externalDatabase.existingSecretPasswordKey | string | `""` |  |
 | externalDatabase.host | string | `"localhost"` |  |
 | externalDatabase.password | string | `""` |  |
 | externalDatabase.port | int | `5432` |  |
+| externalDatabase.secretKeys.passwordKey | string | `"postgresql-password"` |  |
 | externalDatabase.user | string | `"lightdash"` |  |
 | extraContainers | list | `[]` |  |
 | fullnameOverride | string | `""` |  |
 | global.imageRegistry | string | `""` |  |
 | global.storageClass | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"lightdash/lightdash"` |  |
-| image.tag | string | `"0.316.0"` |  |
+| image.tag | string | `""` |  |
 | imagePullSecrets | list | `[]` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `""` |  |
@@ -96,7 +96,8 @@ If you don't want helm to manage this, you may wish to separately create a secre
 | podSecurityContext | object | `{}` |  |
 | postgresql.auth.database | string | `"lightdash"` |  |
 | postgresql.auth.existingSecret | string | `""` |  |
-| postgresql.auth.password | string | `"lightdash"` |  |
+| postgresql.auth.password | string | `""` |  |
+| postgresql.auth.secretKeys.userPasswordKey | string | `"password"` |  |
 | postgresql.auth.username | string | `"lightdash"` |  |
 | postgresql.commonAnnotations."helm.sh/hook" | string | `"pre-install,pre-upgrade"` |  |
 | postgresql.commonAnnotations."helm.sh/hook-weight" | string | `"-1"` |  |

diff --git a/charts/lightdash/templates/_helpers.tpl b/charts/lightdash/templates/_helpers.tpl
@@ -62,61 +62,51 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 
 
 {{/*
-Get the Postgresql credentials secret.
+Get the name of the postgresql credentials secret.
+If postgres is enabled, subchart creates it's own secret containing the password unless the user specifies an existingSecret
+If using an external database, the password will be stored in the lightdash secret unless the user specifies an existingSecret
 */}}
-{{- define "lightdash.postgresql.secretName" -}}
-{{- if and (.Values.postgresql.enabled) (not .Values.postgresql.auth.existingSecret) -}}
-    {{- printf "%s" (include "lightdash.postgresql.fullname" .) -}}
-{{- else if and (.Values.postgresql.enabled) (.Values.postgresql.auth.existingSecret) -}}
-    {{- printf "%s" .Values.postgresql.auth.existingSecret -}}
-{{- else }}
+{{- define "lightdash.database.secretName" -}}
+{{- if .Values.postgresql.enabled -}}
+    {{- if .Values.postgresql.auth.existingSecret -}}
+        {{ .Values.postgresql.auth.existingSecret -}}
+    {{- else -}}
+        {{- include "lightdash.postgresql.fullname" . -}}
+    {{- end -}}
+{{- else -}}
     {{- if .Values.externalDatabase.existingSecret -}}
-        {{- printf "%s" .Values.externalDatabase.existingSecret -}}
+        {{ .Values.externalDatabase.existingSecret -}}
     {{- else -}}
-        {{ printf "%s-%s" .Release.Name "externaldb" }}
+        {{- printf "%s-externaldb" (include "lightdash.fullname" .) -}}
     {{- end -}}
 {{- end -}}
 {{- end -}}
 
+{{- define "lightdash.database.secret.passwordKey" -}}
+{{- if .Values.postgresql.enabled -}}
+  {{- ternary "password" .Values.postgresql.auth.secretKeys.userPasswordKey (eq "" .Values.postgresql.auth.existingSecret) -}}
+{{- else -}}
+  {{- .Values.externalDatabase.secretKeys.passwordKey -}}
+{{- end -}}
+{{- end -}}
 
 {{/*
-Add environment variables to configure database values
+Configuration for postgres credentials
 */}}
 {{- define "lightdash.database.host" -}}
 {{- ternary (include "lightdash.postgresql.fullname" .) .Values.externalDatabase.host .Values.postgresql.enabled -}}
 {{- end -}}
 
-{{/*
-Add environment variables to configure database values
-*/}}
 {{- define "lightdash.database.user" -}}
 {{- ternary .Values.postgresql.auth.username .Values.externalDatabase.user .Values.postgresql.enabled -}}
 {{- end -}}
 
-{{/*
-Add environment variables to configure database values
-*/}}
 {{- define "lightdash.database.name" -}}
 {{- ternary .Values.postgresql.auth.database .Values.externalDatabase.database .Values.postgresql.enabled -}}
 {{- end -}}
 
-{{/*
-Add environment variables to configure database values
-*/}}
-{{- define "lightdash.database.existingsecret.key" -}}
-{{- if .Values.postgresql.enabled -}}
-    {{- printf "%s" "postgresql-password" -}}
-{{- else -}}
-    {{- if .Values.externalDatabase.existingSecret -}}
-        {{- if .Values.externalDatabase.existingSecretPasswordKey -}}
-            {{- printf "%s" .Values.externalDatabase.existingSecretPasswordKey -}}
-        {{- else -}}
-            {{- printf "%s" "postgresql-password" -}}
-        {{- end -}}
-    {{- else -}}
-        {{- printf "%s" "postgresql-password" -}}
-    {{- end -}}
-{{- end -}}
+{{- define "lightdash.database.password" -}}
+{{- ternary .Values.postgresql.auth.password .Values.externalDatabase.password .Values.postgresql.enabled -}}
 {{- end -}}
 
 {{/*
@@ -126,16 +116,6 @@ Add environment variables to configure database values
 {{- ternary "5432" .Values.externalDatabase.port .Values.postgresql.enabled -}}
 {{- end -}}
 
-{{/*
-Add environment variables to configure database values
-*/}}
-{{- define "lightdash.database.url" -}}
-{{- $host := (include "lightdash.database.host" .) -}}
-{{- $dbName := (include "lightdash.database.name" .) -}}
-{{- $port := (include "lightdash.database.port" . ) -}}
-{{- printf "jdbc:postgresql://%s:%s/%s" $host $port $dbName -}}
-{{- end -}}
-
 {{/*
  Create the name of the service account to use
  */}}
@@ -147,6 +127,7 @@ Add environment variables to configure database values
 {{- end -}}
 {{- end -}}
 
+
 {{/*
  Create the name of the backend configuration
  */}}

diff --git a/charts/lightdash/templates/configmap.yaml b/charts/lightdash/templates/configmap.yaml
@@ -6,15 +6,11 @@ metadata:
   labels:
     {{- include "lightdash.labels" . | nindent 4 }}
 data:
-  # -- The hostname of the PostgreSQL database
-  PGHOST: {{ include "lightdash.database.host" . }}
-  # -- The username for the lightdash account in the PostgreSQL database
   PGUSER: {{ include "lightdash.database.user" . }}
-  # -- The database port of the PostgreSQL database
+  PGHOST: {{ include "lightdash.database.host" . }}
   PGPORT: {{ include "lightdash.database.port" . | quote }}
-  # -- The name of the PostgreSQL database
   PGDATABASE: {{ include "lightdash.database.name" . }}
   HEADLESS_BROWSER_HOST: {{ include "lightdash.headlessBrowser.host" . }}
   HEADLESS_BROWSER_PORT: {{ include "lightdash.headlessBrowser.port" .  | quote }}
   {{- toYaml .Values.configMap | nindent 2 }}
-{{- end }}
+{{- end }}
diff --git a/charts/lightdash/templates/deployment.yaml b/charts/lightdash/templates/deployment.yaml
@@ -36,28 +36,18 @@ spec:
           command: {{ .Values.image.command }}
           args: {{ .Values.image.args }}
           env:
-            {{- if .Values.postgresql.enabled }}
             - name: PGPASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ template "lightdash.fullname" $ }}
-                  key: PGPASSWORD
-            {{- else }}
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "lightdash.postgresql.secretName" . }}
-                  key: {{ include "lightdash.database.existingsecret.key" . }}
-            {{- end }}
+                  name: {{ (include "lightdash.database.secretName" .) }}
+                  key: {{ (include "lightdash.database.secret.passwordKey" .) }}
           envFrom:
-          {{- if $.Values.configMap }}
             - configMapRef:
                 name: {{ template "lightdash.fullname" $ }}
-          {{- end }}
-          {{- if $.Values.secrets }}
+            {{ if .Values.secrets }}
             - secretRef:
                 name: {{ template "lightdash.fullname" $ }}
-          {{- end }}
+            {{ end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

diff --git a/charts/lightdash/templates/external-db.yaml b/charts/lightdash/templates/external-db.yaml
@@ -1,11 +1,15 @@
-{{- if not .Values.postgresql.enabled }}
+{{- if not .Values.postgresql.enabled -}}
+{{- if not .Values.externalDatabase.existingSecret -}}
+# The user is using an external database and has not provided a secret with the credentials.
+# This creates a secret with the password provided in the values.yaml
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "lightdash.postgresql.secretName" . }}
+  name: {{ include "lightdash.database.secretName" . }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-weight: "-1"
 data:
-  postgresql-password: {{ .Values.externalDatabase.password | b64enc }}
+  {{ include "lightdash.database.secret.passwordKey" . }}: {{ (include "lightdash.database.password") | b64enc}}
+{{- end }}
 {{- end }}
diff --git a/charts/lightdash/templates/secrets.yaml b/charts/lightdash/templates/secrets.yaml
@@ -1,15 +1,13 @@
-{{- if .Values.secrets }}
+{{- if .Values.secrets -}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ template "lightdash.fullname" . }}
   labels:
     {{- include "lightdash.labels" . | nindent 4 }}
 type: Opaque
-stringData:
-  PGPASSWORD: {{ .Values.postgresql.auth.password }}
 data:
 {{- range $key, $value := .Values.secrets }}
   {{ $key }}: {{ default "MISSING" $value | b64enc | quote }}
-{{- end }}
-{{- end}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/lightdash/values.yaml b/charts/lightdash/values.yaml
@@ -38,7 +38,7 @@ replicaCount: 1
 image:
   repository: lightdash/lightdash
   pullPolicy: IfNotPresent
-  tag: 0.316.0
+  tag: ""
 
 imagePullSecrets: []
 
@@ -139,12 +139,12 @@ browserless-chrome:
 
 ## PostgreSQL chart configuration
 ## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml
-## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
-## @param postgresql.postgresqlUsername Lightdash Postgresql username
-## @param postgresql.postgresqlPassword Lightdash Postgresql password
-## @param postgresql.postgresqlDatabase Lightdash Postgresql database
-## @param postgresql.existingSecret Name of an existing secret containing the PostgreSQL password ('postgresql-password' key)
-## @param postgresql.containerSecurityContext.runAsNonRoot Ensures the container will run with a non-root user
+## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart (i.e. deploy postgres in k8s)
+## @param postgresql.auth.username Lightdash Postgresql username (creates non-admin user)
+## @param postgresql.auth.password Lightdash Postgresql password (creates non-admin user)
+## @param postgresql.auth.database Lightdash Postgresql database (creates new database)
+## @param postgresql.auth.existingSecret An existing secret to use for the postgres password
+## @param postgresql.auth.secretKeys.userPasswordKey Key  in the existingSecret to use for the postgres password
 ## @param postgresql.commonAnnotations.helm.sh/hook It will determine when the hook should be rendered
 ## @param postgresql.commonAnnotations.helm.sh/hook-weight The order in which the hooks are executed. If weight is lower, it has higher priority
 ##
@@ -153,11 +153,11 @@ postgresql:
   ## with Postgres 10 helm chart, user "postgres" has superuser privileges (fixing lightdash uuid)
   auth:
     username: lightdash
-    password: lightdash
+    password: ""
     database: lightdash
-    ## This secret is used in case of postgresql.enabled=true and we would like to specify password for newly created postgresql instance
-    ##
     existingSecret: ""
+    secretKeys:
+      userPasswordKey: "password"
   commonAnnotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-weight: "-1"
@@ -166,8 +166,8 @@ postgresql:
 ## @param externalDatabase.host Database host
 ## @param externalDatabase.user non-root Username for Lightdash Database
 ## @param externalDatabase.password Database password
-## @param externalDatabase.existingSecret Name of an existing secret resource containing the DB password
-## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the DB password
+## @param externalDatabase.existingSecret Name of an existing secret resource containing the DB password. If not set a secret will be created from the value in externalDatabase.password
+## @param externalDatabase.secretKeys.passwordKey (only used when externalDatabase.existingSecret is set) Key in the existing secret resource containing the DB password
 ## @param externalDatabase.database Database name
 ## @param externalDatabase.port Database port number
 ##
@@ -176,14 +176,18 @@ externalDatabase:
   user: lightdash
   password: ""
   existingSecret: ""
-  existingSecretPasswordKey: ""
+  secretKeys:
+    passwordKey: "postgresql-password"
   database: lightdash
   port: 5432
 
 ## @param additional sidecar containers for the lightdash image
 extraContainers: []
 
 ## Create service account for workload identity
+## @param serviceAccount.create create a service account for workload identity
+## @param serviceAccount.name name for the created service account
+## @param serviceAccount.annotations
 serviceAccount:
   create: true
   name: ""