🔒make gitlab credentials idempotent 🔒

rht-labs · Nov 12, 2024 · 1058eaf · 1058eaf
1 parent 689113d
commit 1058eaf
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 7 deletions.
diff --git a/tooling/charts/tl500-base/Chart.yaml b/tooling/charts/tl500-base/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: tl500-base
 description: A Helm chart for Kubernetes
 type: application
-version: 0.0.1
+version: 0.0.2
 appVersion: 0.0.1
 maintainers:
   - name: eformat

diff --git a/tooling/charts/tl500-base/templates/_helpers.tpl b/tooling/charts/tl500-base/templates/_helpers.tpl
@@ -92,17 +92,45 @@
 {{- end -}}
 
 {{- define "gitlab.root_password" -}}
-{{- print (randAlphaNum 10) -}}
+{{- $password := default (randAlphaNum 10) .Values.gitlab.credentials.root_password }}
+{{- if not .Values.gitlab.credentials.root_password }}
+{{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace "gitlab-credentials") }}
+{{- if $existingSecret }}
+{{- $password = index $existingSecret.data "root_password" | b64dec }}
+{{- end -}}
+{{- end -}}
+{{- print $password -}}
 {{- end -}}
 
 {{- define "gitlab.postgres.user" -}}
-{{- print (randAlphaNum 10) -}}
+{{- $username := default (randAlphaNum 10) .Values.gitlab.credentials.postgres_user }}
+{{- if not .Values.gitlab.credentials.postgres_user }}
+{{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace "gitlab-credentials") }}
+{{- if $existingSecret }}
+{{- $username = index $existingSecret.data "postgres_user" | b64dec }}
+{{- end -}}
+{{- end -}}
+{{- print $username -}}
 {{- end -}}
 
 {{- define "gitlab.postgres.password" -}}
-{{- print (randAlphaNum 10) -}}
+{{- $password := default (randAlphaNum 10) .Values.gitlab.credentials.postgres_password }}
+{{- if not .Values.gitlab.credentials.postgres_password }}
+{{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace "gitlab-credentials") }}
+{{- if $existingSecret }}
+{{- $password = index $existingSecret.data "postgres_password" | b64dec }}
+{{- end -}}
+{{- end -}}
+{{- print $password -}}
 {{- end -}}
 
 {{- define "gitlab.postgres.admin_password" -}}
-{{- print (randAlphaNum 10) -}}
+{{- $password := default (randAlphaNum 10) .Values.gitlab.credentials.postgres_admin_password }}
+{{- if not .Values.gitlab.credentials.postgres_admin_password }}
+{{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace "gitlab-credentials") }}
+{{- if $existingSecret }}
+{{- $password = index $existingSecret.data "postgres_admin_password" | b64dec }}
+{{- end -}}
+{{- end -}}
+{{- print $password -}}
 {{- end -}}
diff --git a/tooling/charts/tl500-base/templates/gitlab/deployments.yaml b/tooling/charts/tl500-base/templates/gitlab/deployments.yaml
@@ -1,4 +1,5 @@
 {{- if .Values.gitlab -}}
+{{ $root_pass := include "gitlab.root_password" . }}
 {{ $db_user := include "gitlab.postgres.user" . }}
 {{ $db_pass := include "gitlab.postgres.password" . }}
 {{ $db_admin_pass := include "gitlab.postgres.admin_password" . }}
@@ -72,7 +73,7 @@ spec:
         env:
         - name: GITLAB_OMNIBUS_CONFIG
           value:
-            root_pass='{{ $.Values.gitlab.root_password | default "kJ4e9qLkm4pOhQnbn7nE" }}';
+            root_pass='{{ $root_pass }}';
             external_url "https://{{ $.Values.gitlab_app_name }}.{{ include "tl500.app_domain" . }}";
             nginx['listen_port']=80;
             nginx['listen_https']=false;

diff --git a/tooling/charts/tl500-base/templates/gitlab/secrets.yaml b/tooling/charts/tl500-base/templates/gitlab/secrets.yaml
@@ -1,4 +1,24 @@
+{{- if .Values.gitlab -}}
+{{ $root_pass := include "gitlab.root_password" . }}
+{{ $db_user := include "gitlab.postgres.user" . }}
+{{ $db_pass := include "gitlab.postgres.password" . }}
+{{ $db_admin_pass := include "gitlab.postgres.admin_password" . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitlab-credentials
+  namespace: "{{ $.Values.gitlab.namespace }}"
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+  root_password: {{ $root_pass | b64enc | quote }}
+  postgres_user: {{ $db_user | b64enc | quote }}
+  postgres_password: {{ $db_pass | b64enc | quote }}
+  postgres_admin_password: {{ $db_admin_pass | b64enc | quote }}
 {{- if .Values.gitlab.cacert }}
+---
 apiVersion: v1
 data:
   ca-cert.crt: "{{ .Values.gitlab.cacert }}"
@@ -8,3 +28,4 @@ metadata:
   namespace: "{{ $.Values.gitlab.namespace }}"
 type: Opaque
 {{- end }}
+{{- end }}
diff --git a/tooling/charts/tl500-base/values.yaml b/tooling/charts/tl500-base/values.yaml
@@ -105,7 +105,11 @@ minio:
 
 gitlab:
   namespace: tl500-gitlab
-  root_password: 7aydhn160bOrrsGEbnd172rE
+  credentials:
+    root_password: ''
+    postgres_user: ''
+    postgres_password: ''
+    postgres_admin_password: ''
   imagestreams:
     - name: "gitlab-ce"
       tag_name: "gitlab-12.8.7"