Merge pull request #172 from burigolucas/crc-openshift-v4.17.0

🔒make gitlab credentials idempotent 🔒
rht-labs · Nov 21, 2024 · a53a57d · a53a57d
2 parents 689113d + ef609bc
commit a53a57d
Show file tree

Hide file tree

Showing 11 changed files with 210 additions and 111 deletions.
diff --git a/tooling/charts/tl500-base/Chart.yaml b/tooling/charts/tl500-base/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: tl500-base
 description: A Helm chart for Kubernetes
 type: application
-version: 0.0.1
+version: 0.0.2
 appVersion: 0.0.1
 maintainers:
   - name: eformat

diff --git a/tooling/charts/tl500-base/templates/_helpers.tpl b/tooling/charts/tl500-base/templates/_helpers.tpl
@@ -92,17 +92,49 @@
 {{- end -}}
 
 {{- define "gitlab.root_password" -}}
-{{- print (randAlphaNum 10) -}}
+{{- $secretName := (printf "%v-credentials" .Values.gitlab.app_name) -}}
+{{- $password := default (randAlphaNum 10) .Values.gitlab.credentials.root_password }}
+{{- if not .Values.gitlab.credentials.root_password }}
+{{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace $secretName) }}
+{{- if $existingSecret }}
+{{- $password = index $existingSecret.data "root_password" | b64dec }}
+{{- end -}}
+{{- end -}}
+{{- print $password -}}
 {{- end -}}
 
 {{- define "gitlab.postgres.user" -}}
-{{- print (randAlphaNum 10) -}}
+{{- $secretName := (printf "%v-credentials" .Values.gitlab.app_name) -}}
+{{- $username := default (randAlphaNum 10) .Values.gitlab.credentials.postgres_user }}
+{{- if not .Values.gitlab.credentials.postgres_user }}
+{{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace $secretName) }}
+{{- if $existingSecret }}
+{{- $username = index $existingSecret.data "postgres_user" | b64dec }}
+{{- end -}}
+{{- end -}}
+{{- print $username -}}
 {{- end -}}
 
 {{- define "gitlab.postgres.password" -}}
-{{- print (randAlphaNum 10) -}}
+{{- $secretName := (printf "%v-credentials" .Values.gitlab.app_name) -}}
+{{- $password := default (randAlphaNum 10) .Values.gitlab.credentials.postgres_password }}
+{{- if not .Values.gitlab.credentials.postgres_password }}
+{{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace $secretName) }}
+{{- if $existingSecret }}
+{{- $password = index $existingSecret.data "postgres_password" | b64dec }}
+{{- end -}}
+{{- end -}}
+{{- print $password -}}
 {{- end -}}
 
 {{- define "gitlab.postgres.admin_password" -}}
-{{- print (randAlphaNum 10) -}}
+{{- $secretName := (printf "%v-credentials" .Values.gitlab.app_name) -}}
+{{- $password := default (randAlphaNum 10) .Values.gitlab.credentials.postgres_admin_password }}
+{{- if not .Values.gitlab.credentials.postgres_admin_password }}
+{{- $existingSecret := (lookup "v1" "Secret" .Values.gitlab.namespace $secretName) }}
+{{- if $existingSecret }}
+{{- $password = index $existingSecret.data "postgres_admin_password" | b64dec }}
+{{- end -}}
+{{- end -}}
+{{- print $password -}}
 {{- end -}}
diff --git a/tooling/charts/tl500-base/templates/gitlab/anyuid-scc.yaml b/tooling/charts/tl500-base/templates/gitlab/anyuid-scc.yaml
@@ -2,13 +2,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:openshift:scc:anyuid
+  name: system:openshift:scc:anyuid-{{ .Values.gitlab.app_name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:openshift:scc:anyuid
 subjects:
 - kind: ServiceAccount
-  name: {{ .Values.gitlab_app_name }}-user
+  name: {{ .Values.gitlab.app_name }}-user
   namespace: {{ .Values.gitlab.namespace }}
 {{- end }}