feat: allow dsn to be configured optionally (#678)

ory · May 15, 2024 · 26bf845 · 26bf845
1 parent 2232c29
commit 26bf845
Show file tree

Hide file tree

Showing 12 changed files with 115 additions and 3 deletions.
diff --git a/docs/helm/hydra.md b/docs/helm/hydra.md
@@ -308,6 +308,11 @@ $ hydra token client \
 If you use need to construct DSN environment variable on the fly, you can leave
 `hydra.config.dsn` empty and provide custom DSN variable via `extraEnv`, e.g.:
 
+> **Note:** extraEnvs are defined separatly for individual objects (deployments,
+> statefulsets, jobs etc), and therefore you need to define the env for all
+> objects using it. Please refer to
+> [kratos values as an example](https://github.dev/ory/k8s/blob/master/helm/charts/kratos/values.yaml)
+
 ```yaml
 deployment:
   extraEnv:

diff --git a/docs/helm/keto.md b/docs/helm/keto.md
@@ -63,6 +63,26 @@ $ helm install \
     ory/keto
 ```
 
+### Set up DSN variable on runtime
+
+If you use need to construct DSN environment variable on the fly, you can leave
+`keto.config.dsn` empty and provide custom DSN variable via `extraEnv`, e.g.:
+
+> **Note:** extraEnvs are defined separatly for individual objects (deployments,
+> statefulsets, jobs etc), and therefore you need to define the env for all
+> objects using it. Please refer to
+> [kratos values as an example](https://github.dev/ory/k8s/blob/master/helm/charts/kratos/values.yaml)
+
+```yaml
+deployment:
+  extraEnv:
+    - name: DSN
+      valueFrom:
+        secretKeyRef:
+          name: keto-dsn-secret
+          key: dsn
+```
+
 ## Configuration
 
 You can pass your

diff --git a/docs/helm/kratos.md b/docs/helm/kratos.md
@@ -137,6 +137,48 @@ Additionally, the following extra settings are available:
 - `ingress.public.enabled` (bool): If enabled, an ingress is created on public
   endpoint Check values.yaml for more configuration options.
 
+### Set up DSN variable on runtime
+
+If you use need to construct DSN environment variable on the fly, you can leave
+`kratos.config.dsn` empty and provide custom DSN variable via `extraEnv`, e.g.:
+
+> **Note:** extraEnvs are defined separatly for individual objects (deployments,
+> statefulsets, jobs etc), and therefore you need to define the env for all
+> objects using it. Please refer to
+> [kratos values as an example](https://github.dev/ory/k8s/blob/master/helm/charts/kratos/values.yaml)
+
+```yaml
+deployment:
+  extraEnv:
+    - name: DSN
+      valueFrom:
+        secretKeyRef:
+          name: dsn-secret
+          key: dsn
+statefulSet:
+  extraEnv:
+    - name: DSN
+      valueFrom:
+        secretKeyRef:
+          name: dsn-secret
+          key: dsn
+job:
+  extraEnv:
+    - name: DSN
+      valueFrom:
+        secretKeyRef:
+          name: dsn-secret
+          key: dsn
+cronjob:
+  cleanup:
+    extraEnv:
+      - name: DSN
+        valueFrom:
+          secretKeyRef:
+            name: dsn-secret
+            key: dsn
+```
+
 ### Custom Secrets
 
 ```

diff --git a/hacks/manifests/dsn-secret.yaml b/hacks/manifests/dsn-secret.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+data:
+  dsn: cG9zdGdyZXM6Ly9wb3N0Z3JlczpvcnlAcG9zdGdyZXNxbC5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsL29yeV9rcmF0b3M/c3NsbW9kZT1kaXNhYmxlJm1heF9jb25uX2xpZmV0aW1lPTEwcwo=
+kind: Secret
+metadata:
+  name: dsn-secret
diff --git a/hacks/values/kratos.yaml b/hacks/values/kratos.yaml
@@ -73,7 +73,6 @@ kratos:
   config:
     # ciphers:
     #   algorithm: aes
-    dsn: "postgres://postgres:ory@postgresql.default.svc.cluster.local/ory_kratos?sslmode=disable&max_conn_lifetime=10s"
     selfservice:
       #      default_browser_return_url: http://127.0.0.1:4455/
       default_browser_return_url: "http://{{ .Values.global.dnsDomain }}:4455/"
@@ -230,6 +229,11 @@ deployment:
   extraEnv:
     - name: FOO
       value: BAR
+    - name: DSN
+      valueFrom:
+        secretKeyRef:
+          name: dsn-secret
+          key: dsn
   customLivenessProbe:
     failureThreshold: 5
     exec:
@@ -262,6 +266,12 @@ statefulSet:
   extraArgs:
     - --expose-metrics-port
     - "8080"
+  extraEnv:
+    - name: DSN
+      valueFrom:
+        secretKeyRef:
+          name: dsn-secret
+          key: dsn
   podMetadata:
     labels:
       ory.sh/pod_label: kratos_courier
@@ -272,6 +282,11 @@ statefulSet:
 
 job:
   extraEnv:
+    - name: DSN
+      valueFrom:
+        secretKeyRef:
+          name: dsn-secret
+          key: dsn
     - name: LOREM
       value: IPSUM
   extraInitContainers: |
@@ -328,6 +343,12 @@ cronjob:
         ory.sh/pod_annotation: kratos
     podSecurityContext:
       runAsNonRoot: true
+    extraEnv:
+      - name: DSN
+        valueFrom:
+          secretKeyRef:
+            name: dsn-secret
+            key: dsn
 
 serviceMonitor:
   enabled: true

diff --git a/helm/charts/keto/templates/_helpers.tpl b/helm/charts/keto/templates/_helpers.tpl
@@ -45,7 +45,9 @@ Create chart name and version as used by the chart label.
 Generate the dsn value
 */}}
 {{- define "keto.dsn" -}}
+{{ if .Values.keto.config.dsn }}
 {{- .Values.keto.config.dsn }}
+{{- end }}
 {{- end -}}
 
 {{/*
@@ -115,12 +117,12 @@ checksum/keto-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") .
 {{- end }}
 
 {{/*
-Check the migration type value and fail if unexpected 
+Check the migration type value and fail if unexpected
 */}}
 {{- define "keto.automigration.typeVerification" -}}
 {{- if and .Values.keto.automigration.enabled  .Values.keto.automigration.type }}
   {{- if and (ne .Values.keto.automigration.type "initContainer") (ne .Values.keto.automigration.type "job") }}
     {{- fail "keto.automigration.type must be either 'initContainer' or 'job'" -}}
-  {{- end }}  
+  {{- end }}
 {{- end }}
 {{- end }}
diff --git a/helm/charts/keto/templates/deployment.yaml b/helm/charts/keto/templates/deployment.yaml
@@ -92,11 +92,13 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
+            {{- if not (empty ( include "keto.dsn" . )) }}
             - name: DSN
               valueFrom:
                 secretKeyRef:
                   name: {{ include "keto.secretname" . }}
                   key: dsn
+            {{- end }}
             {{- with $migrationExtraEnv }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -177,11 +179,13 @@ spec:
           resources:
             {{- toYaml $resources | nindent 12 }}
           env:
+            {{- if not (empty ( include "keto.dsn" . )) }}
             - name: DSN
               valueFrom:
                 secretKeyRef:
                   name: {{ include "keto.secretname" . }}
                   key: dsn
+            {{- end }}
             {{- with .Values.deployment.extraEnv }}
               {{- toYaml . | nindent 12 }}
             {{- end }}

diff --git a/helm/charts/keto/templates/job-migration.yaml b/helm/charts/keto/templates/job-migration.yaml
@@ -75,11 +75,13 @@ spec:
           {{- toYaml . | nindent 10 }}
         {{- end }}
         env:
+          {{- if not (empty ( include "keto.dsn" . )) }}
           - name: DSN
             valueFrom:
               secretKeyRef:
                 name: {{ include "keto.secretname" . }}
                 key: dsn
+          {{- end }}
           {{- with $migrationExtraEnv }}
             {{- toYaml . | nindent 10 }}
           {{- end }}

diff --git a/helm/charts/kratos/templates/_helpers.tpl b/helm/charts/kratos/templates/_helpers.tpl
@@ -46,7 +46,9 @@ Create chart name and version as used by the chart label.
 Generate the dsn value
 */}}
 {{- define "kratos.dsn" -}}
+{{ if .Values.kratos.config.dsn }}
 {{- .Values.kratos.config.dsn }}
+{{- end }}
 {{- end -}}
 
 {{/*

diff --git a/helm/charts/kratos/templates/deployment-kratos.yaml b/helm/charts/kratos/templates/deployment-kratos.yaml
@@ -78,11 +78,13 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           env:
+            {{- if not (empty ( include "kratos.dsn" . )) }}
             - name: DSN
               valueFrom:
                 secretKeyRef:
                   name: {{ include "kratos.secretname" . }}
                   key: dsn
+            {{- end }}
           {{- if $migrationExtraEnv }}
             {{- toYaml $migrationExtraEnv | nindent 12 }}
           {{- end }}
@@ -146,11 +148,13 @@ spec:
             {{- end }}
             {{- end }}
           env:
+            {{- if not (empty ( include "kratos.dsn" . )) }}
             - name: DSN
               valueFrom:
                 secretKeyRef:
                   name: {{ include "kratos.secretname" . }}
                   key: dsn
+            {{- end }}
             - name: SECRETS_DEFAULT
               valueFrom:
                 secretKeyRef:

diff --git a/helm/charts/kratos/templates/job-migration.yaml b/helm/charts/kratos/templates/job-migration.yaml
@@ -60,11 +60,13 @@ spec:
         args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/kratos.yaml"]
         {{- end }}
         env:
+          {{- if not (empty ( include "kratos.dsn" . )) }}
           - name: DSN
             valueFrom:
               secretKeyRef:
                 name: {{ include "kratos.secretname" . }}
                 key: dsn
+          {{- end }}
           {{- if $migrationExtraEnv }}
             {{- toYaml $migrationExtraEnv | nindent 10 }}
           {{- end }}

diff --git a/helm/charts/kratos/templates/statefulset-mail.yaml b/helm/charts/kratos/templates/statefulset-mail.yaml
@@ -85,11 +85,13 @@ spec:
               value: {{ .Values.statefulSet.log.format }}
             - name: LOG_LEVEL
               value: {{ .Values.statefulSet.log.level }}
+            {{- if not (empty ( include "kratos.dsn" . )) }}
             - name: DSN
               valueFrom:
                 secretKeyRef:
                   name: {{ include "kratos.secretname" . }}
                   key: dsn
+            {{- end }}
             - name: SECRETS_DEFAULT
               valueFrom:
                 secretKeyRef: