Fluentd: Add support for arbitrary secret env variables

This adds a helm-toolkit util for consuming arbitrary secret env variables via pod env variables. It also updates the Fluentd chart to add a release secret that is used to house the secret env variables defined in the chart's values.yaml. This can be used as an example to expand to other charts where this functionality is desired Change-Id: I9ef606840af92e54b2204e637c58442085e2c748 Signed-off-by: Steve Wilkerson <sw5822@att.com>
2019-12-09 11:44:30 -06:00 · 2019-12-09 11:44:30 -06:00 · 005ece16d4
commit 005ece16d4
parent 385803eef2
5 changed files with 98 additions and 4 deletions
--- a/fluentd/templates/deployment-fluentd.yaml
+++ b/fluentd/templates/deployment-fluentd.yaml
@ -157,8 +157,11 @@ spec:
              value: {{ tuple "elasticsearch" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: KAFKA_BROKER
              value: {{ $kafkaBrokerURI }}
-{{- if .Values.pod.env.fluentd }}
-{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.fluentd | indent 12 }}
+{{- if .Values.pod.env.fluentd.vars }}
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.fluentd.vars | indent 12 }}
+{{- end }}
+{{- if .Values.pod.env.fluentd.secrets }}
+{{ tuple $envAll .Values.pod.env.fluentd.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" | indent 12 }}
 {{- end }}
            - name: ELASTICSEARCH_USERNAME
              valueFrom:
@ -216,6 +219,12 @@ spec:
 {{- end }}
        - name: pod-etc-fluentd
          emptyDir: {}
+{{ if and (.Values.manifests.secret_fluentd_env) (.Values.pod.env.fluentd.secrets) }}
+        - name: {{ printf "%s-%s" $envAll.Release.Name "env-secret" | quote }}
+          secret:
+            secretName: {{ printf "%s-%s" $envAll.Release.Name "env-secret" | quote }}
+            defaultMode: 0444
+{{- end }}
        - name: fluentd-etc
          secret:
            secretName: {{ printf "%s-%s" $envAll.Release.Name "fluentd-etc" | quote }}
--- a/fluentd/templates/secret-fluentd.yaml
+++ b/fluentd/templates/secret-fluentd.yaml
@ -0,0 +1,29 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and (.Values.manifests.secret_fluentd_env) (.Values.pod.env.fluentd.secrets) }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "env-secret" | quote }}
+type: Opaque
+data:
+  {{ range $key, $value := .Values.pod.env.fluentd.secrets }}
+  {{$key | upper}}: {{ $value | b64enc }}
+  {{- end }}
+{{- end }}
--- a/fluentd/values.yaml
+++ b/fluentd/values.yaml
@ -407,7 +407,9 @@ network_policy:

 pod:
  env:
-    fluentd: null
+    fluentd:
+      vars: null
+      secrets: null
  tolerations:
    fluentd:
      enabled: false
@ -489,5 +491,6 @@ manifests:
      service_exporter: true
  network_policy: false
  secret_elasticsearch: true
+  secret_fluentd_env: true
  secret_kafka: false
  service_fluentd: true
--- a/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
+++ b/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@ -0,0 +1,48 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
--- a/tools/deployment/common/fluentd-daemonset.sh
+++ b/tools/deployment/common/fluentd-daemonset.sh
@ -31,11 +31,16 @@ monitoring:
  prometheus:
    enabled: true
 pod:
+  env:
+    fluentd:
+      vars:
+        MY_TEST_VAR: FOO
+      secrets:
+        MY_TEST_SECRET: BAR
  security_context:
    fluentd:
      pod:
        runAsUser: 0
-
 deployment:
  type: DaemonSet
 conf: