Consolidate secret under 1 class
@@ -1,99 +0,0 @@
|
||||
{{- define "ix.v1.common.class.certificate" -}}
|
||||
{{- $cert := .cert -}}
|
||||
{{- $root := .root -}}
|
||||
{{- $tlsCrtKey := "tls.crt" -}}
|
||||
{{- $tlsPrivateKey := "tls.key" -}}
|
||||
|
||||
{{- if not (hasKey $cert "id") -}} {{/* This is something that should not happen when using this library */}}
|
||||
{{- fail (printf "Certificate (%s) has no <id> key" $cert.nameOverride) -}}
|
||||
{{- end -}} {{/* It can only happen when consuing this function within this library */}}
|
||||
{{- $certID := (toString $cert.id) -}}
|
||||
|
||||
{{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) -}}
|
||||
{{/* Generate secret name here so we can pass it to persistence if needed */}}
|
||||
{{- $secretName := include "ix.v1.common.names.fullname" $root -}}
|
||||
{{- if $cert.nameOverride -}}
|
||||
{{- $secretName = (printf "%v-%v-%v-%v" $secretName $cert.nameOverride "ixcert" $certID) -}}
|
||||
{{- else -}}
|
||||
{{- $secretName = (printf "%v-%v-%v" $secretName "ixcert" $certID) -}}
|
||||
{{- end -}}
|
||||
{{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
|
||||
|
||||
{{- if (hasKey $cert "cert") -}}
|
||||
{{/* Create the dict */}}
|
||||
{{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
|
||||
|
||||
{{/* If cert is enabled */}}
|
||||
{{- if $cert.cert.enabled -}}
|
||||
{{/* And has a path... */}}
|
||||
{{- if $cert.cert.path -}}
|
||||
|
||||
{{/* Append mountPath and subPath */}}
|
||||
{{- $_ := set $persistenceDict "mountPath" (tpl $cert.cert.path $root) -}}
|
||||
{{- $_ := set $persistenceDict "subPath" $tlsCrtKey -}}
|
||||
|
||||
{{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.cert "readOnly") -}}
|
||||
{{- $_ := set $persistenceDict "readOnly" $cert.cert.readOnly -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append defaultMode. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.cert "defaultMode") -}}
|
||||
{{- $_ := set $persistenceDict "defaultMode" $cert.cert.defaultMode -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
|
||||
{{- $_ := set $root.Values.persistence (printf "ix-certificate-cert-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if (hasKey $cert "key") -}}
|
||||
{{/* Create the dict */}}
|
||||
{{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
|
||||
|
||||
{{/* If key is enabled */}}
|
||||
{{- if $cert.key.enabled -}}
|
||||
{{/* And has a path... */}}
|
||||
{{- if $cert.key.path -}}
|
||||
|
||||
{{/* Append mountPath and subPath */}}
|
||||
{{- $_ := set $persistenceDict "mountPath" (tpl $cert.key.path $root) -}}
|
||||
{{- $_ := set $persistenceDict "subPath" $tlsPrivateKey -}}
|
||||
|
||||
{{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.key "readOnly") -}}
|
||||
{{- $_ := set $persistenceDict "readOnly" $cert.key.readOnly -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append defaultMode if defined. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.key "defaultMode") -}}
|
||||
{{- $_ := set $persistenceDict "defaultMode" $cert.key.defaultMode -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
|
||||
{{- $_ := set $root.Values.persistence (printf "ix-certificate-key-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: {{ include "ix.v1.common.capabilities.secret.apiVersion" . }}
|
||||
kind: Secret
|
||||
type: {{ include "ix.v1.common.capabilities.secret.certificate.type" . }}
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
{{- $labels := (default dict (include "ix.v1.common.labels" $root | fromYaml)) -}}
|
||||
{{- with (include "ix.v1.common.util.labels.render" (dict "root" $root "labels" $labels) | trim) }}
|
||||
labels:
|
||||
{{- . | nindent 4 }}
|
||||
{{- end -}}
|
||||
{{- $annotations := (default dict (include "ix.v1.common.annotations" $root | fromYaml)) -}}
|
||||
{{- with (include "ix.v1.common.util.annotations.render" (dict "root" $root "annotations" $annotations) | trim) }}
|
||||
annotations:
|
||||
{{- . | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
{{ $tlsCrtKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }}
|
||||
{{ $tlsPrivateKey }}: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
@@ -1,59 +0,0 @@
|
||||
{{- define "ix.v1.common.class.imagePullSecret" -}}
|
||||
{{- $imgPullCreds := .imgPullCreds -}}
|
||||
{{- $root := .root -}}
|
||||
|
||||
{{- if not $imgPullCreds.name -}}
|
||||
{{- fail "<name> is required for Image Pull Secrets Credentials" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if not (mustRegexMatch "^[a-zA-Z0-9-]*$" $imgPullCreds.name) -}}
|
||||
{{- fail (printf "<name> (%s) can only container this alphanumerical characters (- a-z A-Z 0-9)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $secretName := include "ix.v1.common.imagePullSecrets.name" (dict "root" $root "name" $imgPullCreds.name) -}}
|
||||
{{- $registrySecret := dict -}}
|
||||
|
||||
{{- if not $imgPullCreds.contents -}}
|
||||
{{- fail (printf "<contents> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- with $imgPullCreds.contents -}}
|
||||
{{- if not .username -}}
|
||||
{{- fail (printf "<username> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
{{- if not .password -}}
|
||||
{{- fail (printf "<password> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
{{- if not .registry -}}
|
||||
{{- fail (printf "<registry> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
{{- if not .email -}}
|
||||
{{- fail (printf "<email> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Auth is b64encoded and then the whole secret is b64encoded */}}
|
||||
{{- $auth := printf "%s:%s" .username .password | b64enc -}}
|
||||
{{- $registry := (dict "username" .username "password" .password "email" .email "auth" $auth) -}}
|
||||
|
||||
{{- $_ := set $registrySecret "auths" dict -}}
|
||||
{{- $_ := set $registrySecret.auths (printf "%s" .registry) $registry }}
|
||||
---
|
||||
apiVersion: {{ include "ix.v1.common.capabilities.secret.apiVersion" $root }}
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
{{- $labels := include "ix.v1.common.labels" $root | fromYaml -}}
|
||||
{{- with (include "ix.v1.common.util.labels.render" (dict "root" $root "labels" $labels) | trim) }}
|
||||
labels:
|
||||
{{- . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- $annotations := include "ix.v1.common.annotations" $root | fromYaml -}}
|
||||
{{- with (include "ix.v1.common.util.annotations.render" (dict "root" $root "annotations" $annotations) | trim) }}
|
||||
annotations:
|
||||
{{- . | nindent 4 }}
|
||||
{{- end }}
|
||||
type: {{ include "ix.v1.common.capabilities.secret.imagePullSecret.type" $root }}
|
||||
data:
|
||||
.dockerconfigjson: {{ $registrySecret | toJson | b64enc }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
@@ -36,6 +36,7 @@ data:
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{/*
|
||||
TODO:
|
||||
Current "bugs", you can't disable per port portal,
|
||||
if port protocol is not HTTP or HTTPS,
|
||||
it will still create an HTTP portal.
|
||||
|
||||
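--- /dev/null
+++ b/library/common/1.0.0/templates/class/_secret.tpl
@@ -0,0 +1,39 @@
+{{- define "ix.v1.common.class.secret" -}}
+{{- $secretName := .secretName -}}
+{{- $data := .data -}}
+{{- $type := .type -}}
+{{- $root := .root -}}
+{{- $typeClass := "" -}}
+
+{{- if eq $type "certificate" -}}
+{{- $typeClass = (include "ix.v1.common.capabilities.secret.certificate.type" $root) -}}
+{{- else if eq $type "pullSecret" -}}
+{{- $typeClass = (include "ix.v1.common.capabilities.secret.imagePullSecret.type" $root) -}}
+{{- else -}}
+{{- $typeClass = "Opaque" -}}
+{{- end }}
+---
+apiVersion: {{ include "ix.v1.common.capabilities.secret.apiVersion" $root }}
+kind: Secret
+type: {{ $typeClass }}
+metadata:
+name: {{ $secretName }}
+{{- $labels := (default dict (include "ix.v1.common.labels" $root | fromYaml)) -}}
+{{- with (include "ix.v1.common.util.labels.render" (dict "root" $root "labels" $labels) | trim) }}
+labels:
+{{- . | nindent 4 }}
+{{- end -}}
+{{- $annotations := (default dict (include "ix.v1.common.annotations" $root | fromYaml)) -}}
+{{- with (include "ix.v1.common.util.annotations.render" (dict "root" $root "annotations" $annotations) | trim) }}
+annotations:
+{{- . | nindent 4 }}
+{{- end }}
+data:
+{{- if eq $type "pullSecret" }}
+.dockerconfigjson: {{ $data | toJson | b64enc }}
+{{- else if eq $type "certificate" -}}
+{{- range $k, $v := $data }}
+{{ $k }}: {{ $v | toString | b64enc }}
+{{- end -}}
+{{- end -}}
+{{- end -}}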
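Review bot: The `data:` block at the end of the new class only emits entries for `pullSecret` and `certificate`; for any other `$type`, including the `Opaque` default the class itself selects a few lines up, `$data` is silently dropped and the Secret renders with an empty `data:`. The certificate branch already base64-encodes an arbitrary map, so it can double as the fallback by replacing `{{- else if eq $type "certificate" -}}` with `{{- else -}}`. The class also has no guard on its required inputs, whereas both callers in this commit `fail` on missing fields; `{{- if not $secretName -}}{{- fail "<secretName> is required for ix.v1.common.class.secret" -}}{{- end -}}` after the variable assignments would surface a caller that omits it instead of rendering a nameless Secret. A short header comment stating the three accepted `type` values and the shape `data` must have for each would spare the next caller from reading the `data:` branches to find out.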
|
||||
@@ -1,11 +1,3 @@
|
||||
{{/*
|
||||
Call this from other templates to create a Secret/k8s.tls.
|
||||
Pass a "root" object and the "certID"
|
||||
(certID comes from Scale's GUI definitions)
|
||||
If you also pass a "key" when calling this spawner,
|
||||
instead of creating a secret it will return you the value
|
||||
of that key (if exists)
|
||||
*/}}
|
||||
{{- define "ix.v1.common.spawner.certificate" -}}
|
||||
{{- $root := . -}}
|
||||
|
||||
@@ -22,12 +14,91 @@ of that key (if exists)
|
||||
{{- $name := .name -}}
|
||||
{{- $cert := .cert -}}
|
||||
{{- $root := .root -}}
|
||||
{{- $tlsCrtKey := "tls.crt" -}}
|
||||
{{- $tlsPrivateKey := "tls.key" -}}
|
||||
|
||||
{{/* Default to $name if there is not a nameOverride given */}}
|
||||
{{- if not $cert.nameOverride -}}
|
||||
{{- $_ := set $cert "nameOverride" $name -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Create the secret */}}
|
||||
{{- include "ix.v1.common.class.certificate" (dict "cert" $cert "root" $root) -}}
|
||||
{{- if not (hasKey $cert "id") -}} {{/* This is something that should not happen when using this library */}}
|
||||
{{- fail (printf "Certificate (%s) has no <id> key" $cert.nameOverride) -}}
|
||||
{{- end -}} {{/* It can only happen when consuing this function within this library */}}
|
||||
{{- $certID := (toString $cert.id) -}}
|
||||
|
||||
{{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) -}}
|
||||
{{/* Generate secret name here so we can pass it to persistence if needed */}}
|
||||
{{- $secretName := include "ix.v1.common.names.fullname" $root -}}
|
||||
{{- if $cert.nameOverride -}}
|
||||
{{- $secretName = (printf "%v-%v-%v-%v" $secretName $cert.nameOverride "ixcert" $certID) -}}
|
||||
{{- else -}}
|
||||
{{- $secretName = (printf "%v-%v-%v" $secretName "ixcert" $certID) -}}
|
||||
{{- end -}}
|
||||
{{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
|
||||
|
||||
{{- if (hasKey $cert "cert") -}}
|
||||
{{/* Create the dict */}}
|
||||
{{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
|
||||
|
||||
{{/* If cert is enabled */}}
|
||||
{{- if $cert.cert.enabled -}}
|
||||
{{/* And has a path... */}}
|
||||
{{- if $cert.cert.path -}}
|
||||
|
||||
{{/* Append mountPath and subPath */}}
|
||||
{{- $_ := set $persistenceDict "mountPath" (tpl $cert.cert.path $root) -}}
|
||||
{{- $_ := set $persistenceDict "subPath" $tlsCrtKey -}}
|
||||
|
||||
{{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.cert "readOnly") -}}
|
||||
{{- $_ := set $persistenceDict "readOnly" $cert.cert.readOnly -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append defaultMode. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.cert "defaultMode") -}}
|
||||
{{- $_ := set $persistenceDict "defaultMode" $cert.cert.defaultMode -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
|
||||
{{- $_ := set $root.Values.persistence (printf "ix-certificate-cert-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if (hasKey $cert "key") -}}
|
||||
{{/* Create the dict */}}
|
||||
{{- $persistenceDict := (dict "enabled" true "type" "secret" "objectName" $secretName) -}}
|
||||
|
||||
{{/* If key is enabled */}}
|
||||
{{- if $cert.key.enabled -}}
|
||||
{{/* And has a path... */}}
|
||||
{{- if $cert.key.path -}}
|
||||
|
||||
{{/* Append mountPath and subPath */}}
|
||||
{{- $_ := set $persistenceDict "mountPath" (tpl $cert.key.path $root) -}}
|
||||
{{- $_ := set $persistenceDict "subPath" $tlsPrivateKey -}}
|
||||
|
||||
{{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.key "readOnly") -}}
|
||||
{{- $_ := set $persistenceDict "readOnly" $cert.key.readOnly -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append defaultMode if defined. Actual content validation will be done when volume(Mount) is created */}}
|
||||
{{- if (hasKey $cert.key "defaultMode") -}}
|
||||
{{- $_ := set $persistenceDict "defaultMode" $cert.key.defaultMode -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Append into persistence, so it will create the volume and volumeMount. randAlhaNum is to avoid dupes */}}
|
||||
{{- $_ := set $root.Values.persistence (printf "ix-certificate-key-%s-%s" $certID (randAlphaNum 5 | lower)) $persistenceDict -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- $certData := dict -}}
|
||||
{{- $_ := set $certData $tlsCrtKey (include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate")) -}}
|
||||
{{- $_ := set $certData $tlsPrivateKey (include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey")) -}}
|
||||
|
||||
{{/* Create the secret */}}
|
||||
{{- include "ix.v1.common.class.secret" (dict "root" $root "secretName" $secretName "data" $certData "type" "certificate") -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
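Review bot: The `{{- else -}}` branch of the `nameOverride` check (the `printf "%v-%v-%v" $secretName "ixcert" $certID` line) looks unreachable from this spawner: the lines just above default `$cert.nameOverride` to `$name` whenever it is unset, so the override is only absent when `$name` itself is empty; if an empty `$name` is meant to be supported, a `fail` on it would make that explicit, otherwise the else-branch can go. The persistence wiring for `cert` and `key` is duplicated line for line apart from the subPath key and the `ix-certificate-cert-`/`ix-certificate-key-` prefix; a small named template taking the sub-dict, the subPath and the prefix would halve the hunk. The comment `It can only happen when consuing this function within this library` should read `consuming`. The `ix.v1.common.spawner.certificate` define starts outside this hunk, and the header comment that described the spawner was removed in the previous hunk without a replacement, so nothing now documents that the template both registers persistence entries and emits the Secret.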
@@ -1,7 +1,46 @@
|
||||
{{- define "ix.v1.common.spawner.imagePullSecret" -}}
|
||||
{{- $root := . -}}
|
||||
{{- range $idx, $imgPullCreds := .Values.imagePullCredentials -}}
|
||||
{{- if $imgPullCreds.enabled -}}
|
||||
{{- include "ix.v1.common.class.imagePullSecret" (dict "root" $ "imgPullCreds" $imgPullCreds ) -}}
|
||||
|
||||
{{- if not $imgPullCreds.name -}}
|
||||
{{- fail "<name> is required for Image Pull Secrets Credentials" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if not (mustRegexMatch "^[a-zA-Z0-9-]*$" $imgPullCreds.name) -}}
|
||||
{{- fail (printf "<name> (%s) can only container this alphanumerical characters (- a-z A-Z 0-9)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $secretName := include "ix.v1.common.imagePullSecrets.name" (dict "root" $root "name" $imgPullCreds.name) -}}
|
||||
{{- $registrySecret := dict -}}
|
||||
|
||||
{{- if not $imgPullCreds.contents -}}
|
||||
{{- fail (printf "<contents> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- with $imgPullCreds.contents -}}
|
||||
{{- if not .username -}}
|
||||
{{- fail (printf "<username> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
{{- if not .password -}}
|
||||
{{- fail (printf "<password> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
{{- if not .registry -}}
|
||||
{{- fail (printf "<registry> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
{{- if not .email -}}
|
||||
{{- fail (printf "<email> is not defined in Image Pull Secrets Credential (%s)" $imgPullCreds.name) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Auth is b64encoded and then the whole secret is b64encoded */}}
|
||||
{{- $auth := printf "%s:%s" .username .password | b64enc -}}
|
||||
{{- $registry := (dict "username" .username "password" .password "email" .email "auth" $auth) -}}
|
||||
|
||||
{{- $_ := set $registrySecret "auths" dict -}}
|
||||
{{- $_ := set $registrySecret.auths (printf "%s" .registry) $registry -}}
|
||||
|
||||
{{- include "ix.v1.common.class.secret" (dict "root" $root "secretName" $secretName "data" $registrySecret "type" "pullSecret") -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
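Review bot: The name check `mustRegexMatch "^[a-zA-Z0-9-]*$"` accepts uppercase letters and a leading or trailing `-`, none of which is valid in a Kubernetes object name (lowercase alphanumerics and `-`, alphanumeric at both ends); unless `ix.v1.common.imagePullSecrets.name`, which is outside this hunk, lowercases and trims the value, `$secretName` can be rejected at apply time even though validation here passed. Tightening the pattern to `^[a-z0-9]([a-z0-9-]*[a-z0-9])?$` and correcting the message, which also has a typo (`can only container this alphanumerical characters` → `can only contain alphanumeric characters`), would fail at render time with a clearer error. Confirm against that helper first, since the message must describe what it actually accepts.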