Merge "Fluentd: Add support for arbitrary secret env variables"

2019-12-09 22:37:11 +00:00 · 2019-12-09 22:37:11 +00:00 · 3af64d1111
commit 3af64d1111
parent cecd63ef62 005ece16d4
5 changed files with 98 additions and 4 deletions
--- a/fluentd/templates/deployment-fluentd.yaml
+++ b/fluentd/templates/deployment-fluentd.yaml
@ -157,8 +157,11 @@ spec:
              value: {{ tuple "elasticsearch" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: KAFKA_BROKER
              value: {{ $kafkaBrokerURI }}
-{{- if .Values.pod.env.fluentd }}
-{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.fluentd | indent 12 }}
+{{- if .Values.pod.env.fluentd.vars }}
+{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.pod.env.fluentd.vars | indent 12 }}
+{{- end }}
+{{- if .Values.pod.env.fluentd.secrets }}
+{{ tuple $envAll .Values.pod.env.fluentd.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" | indent 12 }}
 {{- end }}
            - name: ELASTICSEARCH_USERNAME
              valueFrom:
@ -216,6 +219,12 @@ spec:
 {{- end }}
        - name: pod-etc-fluentd
          emptyDir: {}
+{{ if and (.Values.manifests.secret_fluentd_env) (.Values.pod.env.fluentd.secrets) }}
+        - name: {{ printf "%s-%s" $envAll.Release.Name "env-secret" | quote }}
+          secret:
+            secretName: {{ printf "%s-%s" $envAll.Release.Name "env-secret" | quote }}
+            defaultMode: 0444
+{{- end }}
        - name: fluentd-etc
          secret:
            secretName: {{ printf "%s-%s" $envAll.Release.Name "fluentd-etc" | quote }}
--- a/fluentd/templates/secret-fluentd.yaml
+++ b/fluentd/templates/secret-fluentd.yaml
@ -0,0 +1,29 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and (.Values.manifests.secret_fluentd_env) (.Values.pod.env.fluentd.secrets) }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-%s" $envAll.Release.Name "env-secret" | quote }}
+type: Opaque
+data:
+  {{ range $key, $value := .Values.pod.env.fluentd.secrets }}
+  {{$key | upper}}: {{ $value | b64enc }}
+  {{- end }}
+{{- end }}
--- a/fluentd/values.yaml
+++ b/fluentd/values.yaml
@ -407,7 +407,9 @@ network_policy:

 pod:
  env:
-    fluentd: null
+    fluentd:
+      vars: null
+      secrets: null
  tolerations:
    fluentd:
      enabled: false
@ -489,5 +491,6 @@ manifests:
      service_exporter: true
  network_policy: false
  secret_elasticsearch: true
+  secret_fluentd_env: true
  secret_kafka: false
  service_fluentd: true
--- a/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
+++ b/helm-toolkit/templates/utils/_to_k8s_env_secret_vars.tpl
@ -0,0 +1,48 @@
+{{/*
+Copyright 2019 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+  Returns yaml formatted to be used in k8s templates as container
+  env vars injected via secrets. This requires a secret-<chartname> template to
+  be defined in the chart that can be used to house the desired secret
+  variables. For reference, see the fluentd chart.
+values: |
+  test:
+    secrets:
+      foo: bar
+
+usage: |
+  {{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
+return: |
+  - name: foo
+    valueFrom:
+      secretKeyRef:
+        name: "my-release-name-env-secret"
+        key: foo
+*/}}
+
+{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
+{{- $context := index . 0 -}}
+{{- $secrets := index . 1 -}}
+{{ range $key, $config := $secrets -}}
+- name: {{ $key }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
+      key: {{ $key }}
+{{ end -}}
+{{- end -}}
--- a/tools/deployment/common/fluentd-daemonset.sh
+++ b/tools/deployment/common/fluentd-daemonset.sh
@ -31,11 +31,16 @@ monitoring:
  prometheus:
    enabled: true
 pod:
+  env:
+    fluentd:
+      vars:
+        MY_TEST_VAR: FOO
+      secrets:
+        MY_TEST_SECRET: BAR
  security_context:
    fluentd:
      pod:
        runAsUser: 0
-
 deployment:
  type: DaemonSet
 conf: