Merge pull request #27 from naimadswdn/master

Improve existingSecret feature. Password can be provided from values.…
Enapter · Jun 17, 2021 · b4979e0 · b4979e0
2 parents eaf0675 + b106068
commit b4979e0
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 48 deletions.
diff --git a/keydb/README.md b/keydb/README.md
@@ -30,61 +30,63 @@ helm install keydb enapter/keydb
 
 The following table lists the configurable parameters of the KeyDB chart and their default values.
 
-| Parameter                       | Description                                                 | Default                                   |
-|:--------------------------------|:------------------------------------------------------------|:------------------------------------------|
-| `image`                         | KeyDB docker image                                          | `eqalpha/keydb:x86_64_v6.0.16`            |
-| `imagePullPolicy`               | K8s imagePullPolicy                                         | `IfNotPresent`                            |
-| `nodes`                         | Number of KeyDB master pods                                 | `3`                                       |
-| `password`                      | If enabled KeyDB servers are password-protected             | `""`                                      |
-| `existingSecret`                | If enabled exporter password is taken from existing secret  | `""`                                      |
-| `port`                          | KeyDB service port clients connect to                       | `6379`                                    |
-| `threads`                       | KeyDB server-threads per node                               | `2`                                       |
-| `appendonly`                    | KeyDB appendonly setting                                    | `"no"`                                    |
-| `configExtraArgs`               | Additional configuration arguments for KeyDB                | `{}`                                      |
-| `podAnnotations`                | KeyDB pods annotations                                      | `{}`                                      |
-| `tolerations`                   | KeyDB tolerations setting                                   | `{}`                                      |
-| `additionalAffinities`          | Additional affinities for StatefulSet                       | `{}`                                      |
-| `extraInitContainers`           | Additional init containers for StatefulSet                  | `[]`                                      |
-| `extraContainers`               | Additional sidecar containers for StatefulSet               | `[]`                                      |
-| `extraVolumes`                  | Additional volumes for init and sidecar containers          | `[]`                                      |
-| `livenessProbe`                 | LivenessProbe for KeyDB pods                                | Look values.yaml                          |
-| `readinessProbe`                | ReadinessProbe for KeyDB pods                               | Look values.yaml                          |
-| `startupProbe`                  | StartupProbe for KeyDB pods                                 | Look values.yaml                          |
-| `persistentVolume.enabled`      | Should PVC be created via volumeClaimTemplates              | `true`                                    |
-| `persistentVolume.accessModes`  | Volume access modes                                         | `[ReadWriteOnce]`                         |
-| `persistentVolume.size`         | Size of the volume                                          | `1Gi`                                     |
-| `persistentVolume.storageClass` | StorageClassName for volume                                 | ``                                        |
-| `resources`                     | Resources for KeyDB containers                              | `{}`                                      |
-| `securityContext`               | SecurityContext for KeyDB pods                              | `{}`                                      |
-| `service.annotations`           | Service annotations                                         | `{}`                                      |
-| `loadBalancer.enabled`          | Create LoadBalancer service                                 | `false`                                   |
-| `loadBalancer.annotations`      | Annotations for LB                                          | `{}`                                      |
-| `loadBalancer.extraSpec`        | Additional spec for LB                                      | `{}`                                      |
-| `serviceMonitor.enabled`        | Prometheus operator ServiceMonitor                          | `false`                                   |
-| `serviceMonitor.labels`         | Additional labels for ServiceMonitor                        | `{}`                                      |
-| `serviceMonitor.annotations`    | Additional annotations for ServiceMonitor                   | `{}`                                      |
-| `serviceMonitor.interval`       | ServiceMonitor scrape interval                              | `30s`                                     |
-| `serviceMonitor.scrapeTimeout`  | ServiceMonitor scrape timeout                               | `nil`                                     |
-| `exporter.enabled`              | Prometheus Exporter sidecar contaner                        | `false`                                   |
-| `exporter.image`                | Exporter Image                                              | `oliver006/redis_exporter:v1.12.1-alpine` |
-| `exporter.pullPolicy`           | Exporter imagePullPolicy                                    | `IfNotPresent`                            |
-| `exporter.port`                 | `prometheus.io/port`                                        | `9121`                                    |
-| `exporter.scrapePath`           | `prometheus.io/path`                                        | `/metrics`                                |
-| `exporter.livenessProbe`        | LivenessProbe for sidecar Prometheus exporter               | Look values.yaml                          |
-| `exporter.readinessProbe`       | ReadinessProbe for sidecar Prometheus exporter              | Look values.yaml                          |
-| `exporter.startupProbe`         | StartupProbe for sidecar Prometheus exporter                | Look values.yaml                          |
-| `exporter.resources`            | Resources for sidecar Prometheus container                  | `{}`                                      |
-| `exporter.extraArgs`            | Additional arguments for exporter                           | `{}`                                      |
+| Parameter                       | Description                                             | Default                                   |
+|:--------------------------------|:---------------------------------------------------|:------------------------------------------|
+| `image`                         | KeyDB docker image                                 | `eqalpha/keydb:x86_64_v6.0.16`            |
+| `imagePullPolicy`               | K8s imagePullPolicy                                | `IfNotPresent`                            |
+| `nodes`                         | Number of KeyDB master pods                        | `3`                                       |
+| `password`                      | If enabled KeyDB servers are password-protected    | `""`                                      |
+| `existingSecret`                | If enabled password is taken from secret           | `""`                                      |
+| `port`                          | KeyDB service port clients connect to              | `6379`                                    |
+| `threads`                       | KeyDB server-threads per node                      | `2`                                       |
+| `appendonly`                    | KeyDB appendonly setting                           | `"no"`                                    |
+| `configExtraArgs`               | Additional configuration arguments for KeyDB       | `{}`                                      |
+| `podAnnotations`                | KeyDB pods annotations                             | `{}`                                      |
+| `tolerations`                   | KeyDB tolerations setting                          | `{}`                                      |
+| `additionalAffinities`          | Additional affinities for StatefulSet              | `{}`                                      |
+| `extraInitContainers`           | Additional init containers for StatefulSet         | `[]`                                      |
+| `extraContainers`               | Additional sidecar containers for StatefulSet      | `[]`                                      |
+| `extraVolumes`                  | Additional volumes for init and sidecar containers | `[]`                                      |
+| `livenessProbe`                 | LivenessProbe for KeyDB pods                       | Look values.yaml                          |
+| `readinessProbe`                | ReadinessProbe for KeyDB pods                      | Look values.yaml                          |
+| `startupProbe`                  | StartupProbe for KeyDB pods                        | Look values.yaml                          |
+| `persistentVolume.enabled`      | Should PVC be created via volumeClaimTemplates     | `true`                                    |
+| `persistentVolume.accessModes`  | Volume access modes                                | `[ReadWriteOnce]`                         |
+| `persistentVolume.size`         | Size of the volume                                 | `1Gi`                                     |
+| `persistentVolume.storageClass` | StorageClassName for volume                        | ``                                        |
+| `resources`                     | Resources for KeyDB containers                     | `{}`                                      |
+| `securityContext`               | SecurityContext for KeyDB pods                     | `{}`                                      |
+| `service.annotations`           | Service annotations                                | `{}`                                      |
+| `loadBalancer.enabled`          | Create LoadBalancer service                        | `false`                                   |
+| `loadBalancer.annotations`      | Annotations for LB                                 | `{}`                                      |
+| `loadBalancer.extraSpec`        | Additional spec for LB                             | `{}`                                      |
+| `serviceMonitor.enabled`        | Prometheus operator ServiceMonitor                 | `false`                                   |
+| `serviceMonitor.labels`         | Additional labels for ServiceMonitor               | `{}`                                      |
+| `serviceMonitor.annotations`    | Additional annotations for ServiceMonitor          | `{}`                                      |
+| `serviceMonitor.interval`       | ServiceMonitor scrape interval                     | `30s`                                     |
+| `serviceMonitor.scrapeTimeout`  | ServiceMonitor scrape timeout                      | `nil`                                     |
+| `exporter.enabled`              | Prometheus Exporter sidecar contaner               | `false`                                   |
+| `exporter.image`                | Exporter Image                                     | `oliver006/redis_exporter:v1.12.1-alpine` |
+| `exporter.pullPolicy`           | Exporter imagePullPolicy                           | `IfNotPresent`                            |
+| `exporter.port`                 | `prometheus.io/port`                               | `9121`                                    |
+| `exporter.scrapePath`           | `prometheus.io/path`                               | `/metrics`                                |
+| `exporter.livenessProbe`        | LivenessProbe for sidecar Prometheus exporter      | Look values.yaml                          |
+| `exporter.readinessProbe`       | ReadinessProbe for sidecar Prometheus exporter     | Look values.yaml                          |
+| `exporter.startupProbe`         | StartupProbe for sidecar Prometheus exporter       | Look values.yaml                          |
+| `exporter.resources`            | Resources for sidecar Prometheus container         | `{}`                                      |
+| `exporter.extraArgs`            | Additional arguments for exporter                  | `{}`                                      |
 
 ## Using existingSecret
 
-When definining existingSecret (by default is "") password for Prometheus exporter is taken from that secret name, instead of being exposed as environemnt variable. \
+When definining existingSecret (by default is "") password value is ignored. Password is taken from that secret, instead of being provided as plain text under values.yaml file. \
 Secret key must be *password*. \
 Example of of such secret: 
 ```bash
 kubectl create secret generic keydb-password --from-literal=password=KEYDB_PASSWORD
 ```
 Definition of existingSecret in that case:
 ```yaml
+password: ""
 existingSecret: keydb-password
 ```
+It is important to use only one way of providing passwords: via plain text under values.yaml or using already existing secret.
diff --git a/keydb/templates/secret-utils.yaml b/keydb/templates/secret-utils.yaml
@@ -26,7 +26,10 @@ stringData:
         --port "$port" \
         --protected-mode no \
         --server-threads {{ .Values.threads | int }} \
-{{- if .Values.password }}
+{{- if .Values.existingSecret }}
+        --masterauth $REDIS_PASSWORD \
+        --requirepass $REDIS_PASSWORD \
+{{- else if .Values.password }}
         --masterauth {{ .Values.password }} \
         --requirepass {{ .Values.password }} \
 {{- end }}

diff --git a/keydb/templates/sts.yaml b/keydb/templates/sts.yaml
@@ -54,6 +54,14 @@ spec:
         imagePullPolicy: {{ .Values.imagePullPolicy }}
         command:
         - /utils/server.sh
+        {{- if .Values.existingSecret }}
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.existingSecret }}
+              key: password
+        {{- end }}
         ports:
         - name: keydb
           containerPort: 6379
@@ -89,7 +97,7 @@ spec:
         env:
         - name: REDIS_ADDR
           value: redis://localhost:6379
-        {{- if and .Values.password .Values.existingSecret }}
+        {{- if .Values.existingSecret }}
         - name: REDIS_PASSWORD
           valueFrom:
             secretKeyRef: