Helm-Toolkit: Move sensitive config data to secrets.

This PS updates helm toolkit, and effected charts in
openstack-helm-infra to use Secrets rather than configmaps for
application configuration, as they in many cases contain sensitive data.

Change-Id: Idd17812437465368e92c9fec0d5b634bbf6dc23a
Signed-off-by: Pete Birley <pete@port.direct>

.zuul.yaml

@@ -32,6 +32,7 @@
               - ^doc/.*$
               - ^releasenotes/.*$
         - openstack-helm-infra-kubernetes-keystone-auth:
+            voting: false
             irrelevant-files:
               - ^.*\.rst$
               - ^doc/.*$
@@ -55,6 +56,7 @@
               - ^doc/.*$
               - ^releasenotes/.*$
         - openstack-helm-infra-kubernetes-keystone-auth:
+            voting: false
             irrelevant-files:
               - ^.*\.rst$
               - ^doc/.*$

helm-toolkit/templates/manifests/_job-bootstrap.yaml

@@ -92,8 +92,8 @@ spec:
         - name: etc-service
           emptyDir: {}
         - name: bootstrap-conf
-          configMap:
+          secret:
-            name: {{ $configMapEtc | quote }}
+            secretName: {{ $configMapEtc | quote }}
             defaultMode: 0444
 {{- if $podVols }}
 {{ $podVols | toYaml | indent 8 }}

helm-toolkit/templates/manifests/_job-db-drop-mysql.yaml.tpl

@@ -118,8 +118,8 @@ spec:
         - name: etc-service
           emptyDir: {}
         - name: db-drop-conf
-          configMap:
+          secret:
-            name: {{ $configMapEtc | quote }}
+            secretName: {{ $configMapEtc | quote }}
             defaultMode: 0444
 {{- end -}}
 {{- end -}}

helm-toolkit/templates/manifests/_job-db-init-mysql.yaml.tpl

@@ -115,8 +115,8 @@ spec:
         - name: etc-service
           emptyDir: {}
         - name: db-init-conf
-          configMap:
+          secret:
-            name: {{ $configMapEtc | quote }}
+            secretName: {{ $configMapEtc | quote }}
             defaultMode: 0444
 {{- end -}}
 {{- end -}}

helm-toolkit/templates/manifests/_job-db-sync.yaml.tpl

@@ -88,8 +88,8 @@ spec:
         - name: etc-service
           emptyDir: {}
         - name: db-sync-conf
-          configMap:
+          secret:
-            name: {{ $configMapEtc | quote }}
+            secretName: {{ $configMapEtc | quote }}
             defaultMode: 0444
 {{- if $podVols }}
 {{ $podVols | toYaml | indent 8 }}

helm-toolkit/templates/snippets/_values_template_renderer.tpl

@@ -67,13 +67,23 @@ return: |
 {{- $envAll := index . "envAll" -}}
 {{- $template := index . "template" -}}
 {{- $key := index . "key" -}}
+{{- $format := index . "format" | default "configMap" -}}
 {{- with $envAll -}}
 {{- $templateRendered := tpl ( $template | toYaml ) . }}
+{{- if eq $format "Secret" }}
 {{- if hasPrefix "|\n" $templateRendered }}
-{{ $key }}: {{ $templateRendered }}
+{{ $key }}: {{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | b64enc }}
+{{- else }}
+{{ $key }}: {{ $templateRendered | b64enc }}
+{{- end -}}
+{{- else }}
+{{- if hasPrefix "|\n" $templateRendered }}
+{{ $key }}: |
+{{ regexReplaceAllLiteral "\n  " ( $templateRendered | trimPrefix "|\n" | trimPrefix "  " ) "\n" | indent 2 }}
 {{- else }}
 {{ $key }}: |
 {{ $templateRendered | indent 2 }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
+{{- end -}}

ldap/templates/configmap-etc.yaml

@@ -13,15 +13,16 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
+
 {{- if .Values.manifests.configmap_etc }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
   name: ldap-etc
+type: Opaque
 data:
 {{- if .Values.bootstrap.enabled }}
-  sample_data.ldif: |
+  sample_data.ldif: {{ .Values.data.sample | b64enc }}
-{{ .Values.data.sample | indent 4 }}
 {{- end }}
 {{- end }}