Merge pull request #25 from directus-labs/secrets-in-secrets

Secrets in k8s secrets
directus-labs · Jul 31, 2024 · 70f602e · 70f602e
2 parents 5298929 + 0e0f50e
commit 70f602e
Show file tree

Hide file tree

Showing 6 changed files with 98 additions and 40 deletions.
diff --git a/charts/directus/CHANGELOG.md b/charts/directus/CHANGELOG.md
@@ -0,0 +1,18 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/)
+
+## [1.0.0] - 2024-07-31
+
+**Breaking change**
+
+Reworked environment variable setting and injection.
+
+### Added
+
+- Move sensetive values to the `secret` k8s resource
+- Move not-sensetive variables to the `configmap` k8s resource
+- Inject variables from `configmap` and `secrets` to the application pods
diff --git a/charts/directus/Chart.yaml b/charts/directus/Chart.yaml
@@ -15,19 +15,19 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.4.0
+version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "10"
+appVersion: "10.13.1"
 
 dependencies:
 - name: mariadb
   version: "~18.0.2"
   repository: "https://charts.bitnami.com/bitnami"
-  condition: mariadb.enabled
+  condition: mariadb.enableInstallation
 - name: redis
   version: "~19.6.4"
   repository: "https://charts.bitnami.com/bitnami"

diff --git a/charts/directus/templates/configmap.yaml b/charts/directus/templates/configmap.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "directus.fullname" . }}-configmap
+  labels:
+    app.kubernetes.io/name: {{ include "directus.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "directus.chart" . }}
+data:
+  DB_CLIENT: "mysql"
+  DB_HOST: {{- if .Values.mariadb.mariadbURL }} "{{ .Values.mariadb.mariadbURL }}" {{- else }} "{{ .Release.Name }}-mariadb.{{ .Release.Namespace }}.svc.cluster.local" {{- end }}
+  DB_PORT: "3306"
+  DB_DATABASE: "{{ .Values.mariadb.auth.database }}"
+  DB_USER: "{{ .Values.mariadb.auth.username }}"
+  ADMIN_EMAIL: "{{ .Values.adminEmail }}"
diff --git a/charts/directus/templates/deployment.yaml b/charts/directus/templates/deployment.yaml
@@ -33,7 +33,30 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          envFrom:
+            - configMapRef:
+                name: {{ include "directus.fullname" . }}-configmap
           env:
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mariadb.auth.existingSecret }}
+                  key: mariadb-password
+            - name: ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mariadb.auth.existingSecret }}
+                  key: ADMIN_PASSWORD
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mariadb.auth.existingSecret }}
+                  key: SECRET
+            - name: KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.mariadb.auth.existingSecret }}
+                  key: KEY
             {{- if .Values.ingress.enabled }}
             - name: PUBLIC_URL
               value: http{{ if .Values.ingress.tls }}s{{ end }}://{{(index .Values.ingress.hosts 0).host }}
@@ -66,4 +89,4 @@ spec:
       {{- with .Values.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}
diff --git a/charts/directus/templates/secrets.yaml b/charts/directus/templates/secrets.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.mariadb.auth.createSecrets }}
+{{- $dbPassword := randAlphaNum 10 | nospace -}}
+{{- $adminPassword := randAlphaNum 10 | nospace -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.mariadb.auth.existingSecret }}
+  labels:
+    app.kubernetes.io/name: {{ include "directus.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "directus.chart" . }}
+  annotations:
+    helm.sh/resource-policy: keep
+    helm.sh/hook: "pre-install"
+    helm.sh/hook-delete-policy: "before-hook-creation"
+type: Opaque
+data:
+  ADMIN_PASSWORD: {{ $adminPassword | b64enc | quote }}
+  SECRET: {{ randAlphaNum 10 | b64enc | quote }}
+  KEY: {{ randAlphaNum 10 | b64enc | quote }}
+  mariadb-root-password: {{ randAlphaNum 10 | b64enc | quote }}
+  mariadb-password: {{ $dbPassword | b64enc | quote }}
+  mariadb-replication-password: {{ randAlphaNum 10 | b64enc | quote }}
+{{- end }}
diff --git a/charts/directus/values.yaml b/charts/directus/values.yaml
@@ -14,6 +14,8 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+adminEmail: "admin@example.com"
+
 serviceAccount:
   # Specifies whether a service account should be created
   create: true
@@ -56,32 +58,8 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-# ToDo: move secret values to the k8s secrets and make them random
-# DB_HOST: MUST be {helm-release-name}-mariadb.default.svc.cluster.local
-# DB_DATABASE MUST be set to the same value as mariadb.auth.database
-# DB_USER MUST be set to the same value as mariadb.auth.username
-# DB_PASSWORD MUST be set to the same value as mariadb.auth.password
-extraEnvVars:
-  - name: DB_CLIENT
-    value: "mysql"
-  - name: DB_HOST
-    value: "directus-mariadb.default.svc.cluster.local"
-  - name: DB_PORT
-    value: "3306"
-  - name: DB_DATABASE
-    value: "directus"
-  - name: DB_USER
-    value: "directus"
-  - name: DB_PASSWORD
-    value: "directus_password"
-  - name: ADMIN_EMAIL
-    value: "admin@example.com"
-  - name: ADMIN_PASSWORD
-    value: "secret_password"
-  - name: SECRET
-    value: "ZkksLHP8T9bYAEVXcJEu"
-  - name: KEY
-    value: "HBdzQQGb4npHNdHRtAH7"
+extraEnvVars: []
+
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -109,19 +87,17 @@ tolerations: []
 affinity: {}
 
 mariadb:
-  enabled: true
+  # The switch to switch off the installation of the mariadb, the rest of the settings are being used during the installation
+  enableInstallation: true
   auth:
-    ## MariaDB root password
-    ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-the-root-password-on-first-run
-    ##
-    rootPassword: "super_root_password"
-    ## MariaDB custom user and database
-    ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-on-first-run
-    ## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-user-on-first-run
-    ##
+    # If you want to use your own mariadb secret, set `createSecrets` to false and 
+    createSecrets: true
+    # The secret has to contain the keys  `mariadb-root-password`, `mariadb-replication-password`, `mariadb-password`, `ADMIN_PASSWORD`, `KEY`, `SECRET`
+    existingSecret: "directus-secret"
     database: directus
     username: "directus"
-    password: "directus_password"
+  # Set the URL to the mariadb instance, otherwise leave it empty to use one that installed in the cluster
+  mariadbURL: ""
 
 redis:
   enabled: true