From 26bf8455dece6bf44f303ccb58046d872fc910be Mon Sep 17 00:00:00 2001
From: Dave Lahn
Date: Wed, 15 May 2024 09:40:59 +0100
Subject: [PATCH] feat: allow dsn to be configured optionally (#678)

---
docs/helm/hydra.md | 5 +++
docs/helm/keto.md | 20 +++++++++
docs/helm/kratos.md | 42 +++++++++++++++++++
hacks/manifests/dsn-secret.yaml | 6 +++
hacks/values/kratos.yaml | 23 +++++++++-
helm/charts/keto/templates/_helpers.tpl | 6 ++-
helm/charts/keto/templates/deployment.yaml | 4 ++
helm/charts/keto/templates/job-migration.yaml | 2 +
helm/charts/kratos/templates/_helpers.tpl | 2 +
.../kratos/templates/deployment-kratos.yaml | 4 ++
.../kratos/templates/job-migration.yaml | 2 +
.../kratos/templates/statefulset-mail.yaml | 2 +
12 files changed, 115 insertions(+), 3 deletions(-)
create mode 100644 hacks/manifests/dsn-secret.yaml

diff --git a/docs/helm/hydra.md b/docs/helm/hydra.md
index d3e69f335a..2f8df7c531 100644
--- a/docs/helm/hydra.md
+++ b/docs/helm/hydra.md
@@ -308,6 +308,11 @@ $ hydra token client \
 If you use need to construct DSN environment variable on the fly, you can leave
 `hydra.config.dsn` empty and provide custom DSN variable via `extraEnv`, e.g.:
+> **Note:** extraEnvs are defined separatly for individual objects (deployments,
+> statefulsets, jobs etc), and therefore you need to define the env for all
+> objects using it. Please refer to
+> [kratos values as an example](https://github.dev/ory/k8s/blob/master/helm/charts/kratos/values.yaml)
+
 ```yaml
 deployment:
 extraEnv:
diff --git a/docs/helm/keto.md b/docs/helm/keto.md
index 5c5c3732c8..2ccb57e66d 100644
--- a/docs/helm/keto.md
+++ b/docs/helm/keto.md
@@ -63,6 +63,26 @@ $ helm install \
 ory/keto
 ```
+### Set up DSN variable on runtime
+
+If you use need to construct DSN environment variable on the fly, you can leave
+`keto.config.dsn` empty and provide custom DSN variable via `extraEnv`, e.g.:
+
+> **Note:** extraEnvs are defined separatly for individual objects (deployments,
+> statefulsets, jobs etc), and therefore you need to define the env for all
+> objects using it. Please refer to
+> [kratos values as an example](https://github.dev/ory/k8s/blob/master/helm/charts/kratos/values.yaml)
+
+```yaml
+deployment:
+ extraEnv:
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: keto-dsn-secret
+ key: dsn
+```
+
 ## Configuration
 You can pass your
diff --git a/docs/helm/kratos.md b/docs/helm/kratos.md
index ed2c3d8030..606a9e80a7 100644
--- a/docs/helm/kratos.md
+++ b/docs/helm/kratos.md
@@ -137,6 +137,48 @@ Additionally, the following extra settings are available:
 - `ingress.public.enabled` (bool): If enabled, an ingress is created on public endpoint
 Check values.yaml for more configuration options.
+### Set up DSN variable on runtime
+
+If you use need to construct DSN environment variable on the fly, you can leave
+`kratos.config.dsn` empty and provide custom DSN variable via `extraEnv`, e.g.:
+
+> **Note:** extraEnvs are defined separatly for individual objects (deployments,
+> statefulsets, jobs etc), and therefore you need to define the env for all
+> objects using it. Please refer to
+> [kratos values as an example](https://github.dev/ory/k8s/blob/master/helm/charts/kratos/values.yaml)
+
+```yaml
+deployment:
+ extraEnv:
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: dsn-secret
+ key: dsn
+statefulSet:
+ extraEnv:
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: dsn-secret
+ key: dsn
+job:
+ extraEnv:
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: dsn-secret
+ key: dsn
+cronjob:
+ cleanup:
+ extraEnv:
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: dsn-secret
+ key: dsn
+```
+
 ### Custom Secrets
 ```
diff --git a/hacks/manifests/dsn-secret.yaml b/hacks/manifests/dsn-secret.yaml
new file mode 100644
index 0000000000..63ffdfcd14
--- /dev/null
+++ b/hacks/manifests/dsn-secret.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+data:
+ dsn: cG9zdGdyZXM6Ly9wb3N0Z3JlczpvcnlAcG9zdGdyZXNxbC5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsL29yeV9rcmF0b3M/c3NsbW9kZT1kaXNhYmxlJm1heF9jb25uX2xpZmV0aW1lPTEwcwo=
+kind: Secret
+metadata:
+ name: dsn-secret
diff --git a/hacks/values/kratos.yaml b/hacks/values/kratos.yaml
index d1280de1ec..15d811f0e6 100644
--- a/hacks/values/kratos.yaml
+++ b/hacks/values/kratos.yaml
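Review bot: The base64 on the `dsn:` line of hacks/manifests/dsn-secret.yaml decodes to the postgres URL with a trailing newline (it ends in `...max_conn_lifetime=10s\n`, the usual result of `echo` without `-n` piped into `base64`), so the value handed to the pods through the documented `secretKeyRef` carries a control character at the end of the query string and will presumably be rejected, or at best mis-parsed, when the DSN is parsed. Writing the fixture as `stringData:` avoids hand-encoding altogether: `stringData:` / `  dsn: "postgres://postgres:ory@postgresql.default.svc.cluster.local/ory_kratos?sslmode=disable&max_conn_lifetime=10s"`. The `postgres:ory` credential and `sslmode=disable` are the same values the removed `hacks/values/kratos.yaml` line carried, so they are acceptable for a hacks fixture, but a one-line comment such as `# Test-only DSN for the hacks/ dev cluster; never reuse these credentials or sslmode=disable elsewhere` would keep the manifest from being copied into a real deployment.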
@@ -73,7 +73,6 @@ kratos:
 config:
 # ciphers:
 # algorithm: aes
- dsn: "postgres://postgres:ory@postgresql.default.svc.cluster.local/ory_kratos?sslmode=disable&max_conn_lifetime=10s"
 selfservice:
 # default_browser_return_url: http://127.0.0.1:4455/
 default_browser_return_url: "http://{{ .Values.global.dnsDomain }}:4455/"
@@ -230,6 +229,11 @@ deployment:
 extraEnv:
 - name: FOO
 value: BAR
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: dsn-secret
+ key: dsn
 customLivenessProbe:
 failureThreshold: 5
 exec:
@@ -262,6 +266,12 @@ statefulSet:
 extraArgs:
 - --expose-metrics-port
 - "8080"
+ extraEnv:
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: dsn-secret
+ key: dsn
 podMetadata:
 labels:
 ory.sh/pod_label: kratos_courier
@@ -272,6 +282,11 @@ statefulSet:
 job:
 extraEnv:
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: dsn-secret
+ key: dsn
 - name: LOREM
 value: IPSUM
 extraInitContainers: |
@@ -328,6 +343,12 @@ cronjob:
 ory.sh/pod_annotation: kratos
 podSecurityContext:
 runAsNonRoot: true
+ extraEnv:
+ - name: DSN
+ valueFrom:
+ secretKeyRef:
+ name: dsn-secret
+ key: dsn
 serviceMonitor:
 enabled: true
diff --git a/helm/charts/keto/templates/_helpers.tpl b/helm/charts/keto/templates/_helpers.tpl
index dd33f1eefc..59aa6faba7 100644
--- a/helm/charts/keto/templates/_helpers.tpl
+++ b/helm/charts/keto/templates/_helpers.tpl
@@ -45,7 +45,9 @@ Create chart name and version as used by the chart label.
 Generate the dsn value
 */}}
 {{- define "keto.dsn" -}}
+{{ if .Values.keto.config.dsn }}
 {{- .Values.keto.config.dsn }}
+{{- end }}
 {{- end -}}
 {{/*
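Review bot: The new `{{ if .Values.keto.config.dsn }}` in the `keto.dsn` define is the only action in that helper without a left-trim marker, while `{{- .Values.keto.config.dsn }}` and `{{- end }}` both trim; the rendered value stays free of stray newlines only because the following actions happen to trim what the `if` emits, and every caller added in this patch depends on `include "keto.dsn"` being exactly empty when the value is unset. Writing it as `{{- if .Values.keto.config.dsn }}` matches the rest of the helper and removes that reliance on the neighbouring trim markers. The header comment still reads `Generate the dsn value`; since an empty result is now a meaningful signal, I would extend it to `Generate the dsn value. Renders to an empty string when keto.config.dsn is unset, which the deployment and migration-job templates use to skip the secret-backed DSN env var.`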
@@ -115,12 +117,12 @@ checksum/keto-secrets: {{ include (print $.Template.BasePath "/secrets.yaml") .
 {{- end }}
 {{/*
-Check the migration type value and fail if unexpected
+Check the migration type value and fail if unexpected
 */}}
 {{- define "keto.automigration.typeVerification" -}}
 {{- if and .Values.keto.automigration.enabled .Values.keto.automigration.type }}
 {{- if and (ne .Values.keto.automigration.type "initContainer") (ne .Values.keto.automigration.type "job") }}
 {{- fail "keto.automigration.type must be either 'initContainer' or 'job'" -}}
- {{- end }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/helm/charts/keto/templates/deployment.yaml b/helm/charts/keto/templates/deployment.yaml
index dfbf925642..e6cb374009 100644
--- a/helm/charts/keto/templates/deployment.yaml
+++ b/helm/charts/keto/templates/deployment.yaml
@@ -92,11 +92,13 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 env:
+ {{- if not (empty ( include "keto.dsn" . )) }}
 - name: DSN
 valueFrom:
 secretKeyRef:
 name: {{ include "keto.secretname" . }}
 key: dsn
+ {{- end }}
 {{- with $migrationExtraEnv }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
@@ -177,11 +179,13 @@ spec:
 resources:
 {{- toYaml $resources | nindent 12 }}
 env:
+ {{- if not (empty ( include "keto.dsn" . )) }}
 - name: DSN
 valueFrom:
 secretKeyRef:
 name: {{ include "keto.secretname" . }}
 key: dsn
+ {{- end }}
 {{- with .Values.deployment.extraEnv }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
diff --git a/helm/charts/keto/templates/job-migration.yaml b/helm/charts/keto/templates/job-migration.yaml
index 8b701c3b36..6446e5e700 100644
--- a/helm/charts/keto/templates/job-migration.yaml
+++ b/helm/charts/keto/templates/job-migration.yaml
@@ -75,11 +75,13 @@ spec:
 {{- toYaml . | nindent 10 }}
 {{- end }}
 env:
+ {{- if not (empty ( include "keto.dsn" . )) }}
 - name: DSN
 valueFrom:
 secretKeyRef:
 name: {{ include "keto.secretname" . }}
 key: dsn
+ {{- end }}
 {{- with $migrationExtraEnv }}
 {{- toYaml . | nindent 10 }}
 {{- end }}
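Review bot: In the second deployment.yaml hunk the `DSN` env var is now gated on `include "keto.dsn"`, i.e. on `keto.config.dsn` being set, even though the value is read from `{{ include "keto.secretname" . }}`; if that helper can resolve to a user-managed secret (the kratos docs in this same patch end on a "Custom Secrets" section), then an empty `config.dsn` is exactly the configuration such users run with, and this hunk, the migration init container above it and the migration job silently stop injecting `DSN` after the upgrade. If the chart has such an existing-secret option, the condition should stay true whenever the chart is not rendering its own secret, for example by combining the emptiness check with `or` against whatever value already selects the user-provided secret, applied in all three places. Failing that, a template comment above the new `{{- if` making the contract explicit, `{{- /* DSN comes from the chart secret only when keto.config.dsn is set; otherwise it must be supplied via extraEnv */ -}}`, would at least document the behaviour change. The enclosing container spec starts and ends outside the hunk.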
diff --git a/helm/charts/kratos/templates/_helpers.tpl b/helm/charts/kratos/templates/_helpers.tpl
index dc3f0eed86..cec82b906d 100644
--- a/helm/charts/kratos/templates/_helpers.tpl
+++ b/helm/charts/kratos/templates/_helpers.tpl
@@ -46,7 +46,9 @@ Create chart name and version as used by the chart label.
 Generate the dsn value
 */}}
 {{- define "kratos.dsn" -}}
+{{ if .Values.kratos.config.dsn }}
 {{- .Values.kratos.config.dsn }}
+{{- end }}
 {{- end -}}
 {{/*
diff --git a/helm/charts/kratos/templates/deployment-kratos.yaml b/helm/charts/kratos/templates/deployment-kratos.yaml
index 53f0912600..92d683995e 100644
--- a/helm/charts/kratos/templates/deployment-kratos.yaml
+++ b/helm/charts/kratos/templates/deployment-kratos.yaml
@@ -78,11 +78,13 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 env:
+ {{- if not (empty ( include "kratos.dsn" . )) }}
 - name: DSN
 valueFrom:
 secretKeyRef:
 name: {{ include "kratos.secretname" . }}
 key: dsn
+ {{- end }}
 {{- if $migrationExtraEnv }}
 {{- toYaml $migrationExtraEnv | nindent 12 }}
 {{- end }}
@@ -146,11 +148,13 @@ spec:
 {{- end }}
 {{- end }}
 env:
+ {{- if not (empty ( include "kratos.dsn" . )) }}
 - name: DSN
 valueFrom:
 secretKeyRef:
 name: {{ include "kratos.secretname" . }}
 key: dsn
+ {{- end }}
 - name: SECRETS_DEFAULT
 valueFrom:
 secretKeyRef:
diff --git a/helm/charts/kratos/templates/job-migration.yaml b/helm/charts/kratos/templates/job-migration.yaml
index bbd0fef98b..92fd2974bc 100644
--- a/helm/charts/kratos/templates/job-migration.yaml
+++ b/helm/charts/kratos/templates/job-migration.yaml
@@ -60,11 +60,13 @@ spec:
 args: ["migrate", "sql", "-e", "--yes", "--config", "/etc/config/kratos.yaml"]
 {{- end }}
 env:
+ {{- if not (empty ( include "kratos.dsn" . )) }}
 - name: DSN
 valueFrom:
 secretKeyRef:
 name: {{ include "kratos.secretname" . }}
 key: dsn
+ {{- end }}
 {{- if $migrationExtraEnv }}
 {{- toYaml $migrationExtraEnv | nindent 10 }}
 {{- end }}
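Review bot: The second deployment-kratos.yaml hunk repeats the three-call expression `not (empty ( include "kratos.dsn" . ))` that the migration init container hunk above it already uses, and the same text appears again in job-migration.yaml; a single `{{- $dsnFromSecret := not (empty (include "kratos.dsn" .)) }}` near the top of the template (outside this hunk) with `{{- if $dsnFromSecret }}` at both sites gives one place to adjust the rule and somewhere to hang a comment such as `{{- /* chart-secret DSN is only injected when kratos.config.dsn is set; otherwise DSN must come from extraEnv */ -}}`. Note also that `SECRETS_DEFAULT` on the lines directly below still reads from `{{ include "kratos.secretname" . }}` unconditionally, so leaving `kratos.config.dsn` empty does not remove the pod's dependency on the chart secret, which the docs added in this patch might say explicitly. If `kratos.config.dsn` is set and a user nevertheless follows the documented `extraEnv` example, the container ends up with two `DSN` entries and the kubelet's duplicate-name handling decides which wins; the `if` only avoids that in the documented empty-`config.dsn` case.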
diff --git a/helm/charts/kratos/templates/statefulset-mail.yaml b/helm/charts/kratos/templates/statefulset-mail.yaml
index bbebdb29f5..b62c5e7492 100644
--- a/helm/charts/kratos/templates/statefulset-mail.yaml
+++ b/helm/charts/kratos/templates/statefulset-mail.yaml
@@ -85,11 +85,13 @@ spec:
 value: {{ .Values.statefulSet.log.format }}
 - name: LOG_LEVEL
 value: {{ .Values.statefulSet.log.level }}
+ {{- if not (empty ( include "kratos.dsn" . )) }}
 - name: DSN
 valueFrom:
 secretKeyRef:
 name: {{ include "kratos.secretname" . }}
 key: dsn
+ {{- end }}
 - name: SECRETS_DEFAULT
 valueFrom:
 secretKeyRef: