Charts: Use secrets for configs in chart

This updates the osh-infra charts to use a secret for their
configuration files instead of a configmap, allowing for the
storage of sensitive information

Change-Id: Ia32587162288df0b297c45fd43b55cef381cb064

elasticsearch/templates/configmap-etc.yaml

@@ -20,21 +20,17 @@ limitations under the License.
 {{- if and (.Values.conf.elasticsearch.repository.enabled) (empty .Values.conf.elasticsearch.config.path.repo) -}}
 {{- set .Values.conf.elasticsearch.config.path "repo" .Values.conf.elasticsearch.repository.location -}}
 {{- end -}}
-
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
   name: elasticsearch-etc
+type: Opaque
 data:
-  elasticsearch.yml: |
-{{ toYaml .Values.conf.elasticsearch.config | indent 4 }}
-  log4j2.properties: |
-{{- tuple .Values.conf.elasticsearch "etc/_log4j2.properties.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
-  action_file.yml: |
-{{ toYaml .Values.conf.curator.action_file | indent 4 }}
-  config.yml: |
-{{ toYaml .Values.conf.curator.config | indent 4 }}
+  elasticsearch.yml: {{ toYaml .Values.conf.elasticsearch.config | b64enc }}
+  action_file.yml: {{ toYaml .Values.conf.curator.action_file | b64enc }}
+  config.yml: {{ toYaml .Values.conf.curator.config | b64enc }}
 #NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.log4j2 "key" "log4j2.properties" "format" "Secret") | indent 2 }}
 {{- end }}

elasticsearch/templates/cron-job-curator.yaml

@@ -74,7 +74,7 @@ spec:
                 name: elasticsearch-bin
                 defaultMode: 0555
             - name: elasticsearch-etc
-              configMap:
-                name: elasticsearch-etc
+              secret:
+                secretName: elasticsearch-etc
                 defaultMode: 0444
 {{- end }}

elasticsearch/templates/deployment-client.yaml

@@ -234,8 +234,8 @@ spec:
             name: elasticsearch-bin
             defaultMode: 0555
         - name: elasticsearch-etc
-          configMap:
-            name: elasticsearch-etc
+          secret:
+            secretName: elasticsearch-etc
             defaultMode: 0444
         - name: storage
           emptyDir: {}

elasticsearch/templates/deployment-master.yaml

@@ -190,8 +190,8 @@ spec:
             name: elasticsearch-bin
             defaultMode: 0555
         - name: elasticsearch-etc
-          configMap:
-            name: elasticsearch-etc
+          secret:
+            secretName: elasticsearch-etc
             defaultMode: 0444
         - name: storage
           emptyDir: {}

elasticsearch/templates/etc/_log4j2.properties.tpl

@@ -1,37 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-appender.console.type = Console
-appender.console.name = console
-appender.console.layout.type = PatternLayout
-appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
-
-appender.rolling.type = RollingFile
-appender.rolling.name = rolling
-appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${hostName}.log
-appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${hostName}.log.%i
-appender.rolling.layout.type = PatternLayout
-appender.rolling.layout.pattern = [%d{DEFAULT}][%-5p][%-25c] %.10000m%n
-appender.rolling.policies.type = Policies
-appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
-appender.rolling.policies.size.size=100MB
-appender.rolling.strategy.type = DefaultRolloverStrategy
-appender.rolling.strategy.max = 5
-appender.rolling.strategy.fileIndex = min
-
-rootLogger.level = info
-rootLogger.appenderRef.console.ref = console
-rootLogger.appenderRef.rolling.ref = rolling

elasticsearch/templates/statefulset-data.yaml

@@ -187,8 +187,8 @@ spec:
             name: elasticsearch-bin
             defaultMode: 0555
         - name: elasticsearch-etc
-          configMap:
-            name: elasticsearch-etc
+          secret:
+            secretName: elasticsearch-etc
             defaultMode: 0444
         {{ if .Values.storage.filesystem_repository.enabled }}
         - name: snapshots

elasticsearch/values.yaml

@@ -271,6 +271,26 @@ conf:
           Require valid-user
       </Proxy>
     </VirtualHost>
+  log4j2: |
+    appender.console.type=Console
+    appender.console.name=console
+    appender.console.layout.type=PatternLayout
+    appender.console.layout.pattern="[%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n"
+    appender.rolling.type=RollingFile
+    appender.rolling.name=rolling
+    appender.rolling.fileName="${sys:es.logs.base_path}${sys:file.separator}${hostName}.log"
+    appender.rolling.filePattern="${sys:es.logs.base_path}${sys:file.separator}${hostName}.log.%i"
+    appender.rolling.layout.type=PatternLayout
+    appender.rolling.layout.pattern="[%d{DEFAULT}][%-5p][%-25c] %.10000m%n"
+    appender.rolling.policies.type=Policies
+    appender.rolling.policies.size.type=SizeBasedTriggeringPolicy
+    appender.rolling.policies.size.size=100MB
+    appender.rolling.strategy.type=DefaultRolloverStrategy
+    appender.rolling.strategy.max=5
+    appender.rolling.strategy.fileIndex=min
+    rootLogger.level=info
+    rootLogger.appenderRef.console.ref=console
+    rootLogger.appenderRef.rolling.ref=rolling
   init:
     max_map_count: 262144
   curator:
@@ -408,10 +428,6 @@ conf:
       type: fs
     env:
       java_opts: "-Xms256m -Xmx256m"
-  log4j2:
-    override:
-    prefix:
-    append:
   prometheus_elasticsearch_exporter:
     es:
       all: true

fluent-logging/templates/configmap-etc.yaml

@@ -18,18 +18,15 @@ limitations under the License.
 {{- $envAll := . }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
   name: fluent-logging-etc
+type: Opaque
 data:
-  fluent-bit.conf: |
-{{ include "fluent_logging.utils.to_fluentbit_conf" .Values.conf.fluentbit | indent 4 }}
-  parsers.conf: |
-{{ include "fluent_logging.utils.to_fluentbit_conf" .Values.conf.parsers | indent 4 }}
-  fluent.conf: |
-{{ include "fluent_logging.utils.to_fluentd_conf" .Values.conf.td_agent | indent 4 }}
+  fluent-bit.conf: {{ include "fluent_logging.utils.to_fluentbit_conf" .Values.conf.fluentbit | b64enc }}
+  parsers.conf: {{ include "fluent_logging.utils.to_fluentbit_conf" .Values.conf.parsers | b64enc }}
+  fluent.conf: {{ include "fluent_logging.utils.to_fluentd_conf" .Values.conf.td_agent | b64enc }}
 {{ range $template, $fields := .Values.conf.templates }}
-  {{ $template }}.json: |
-{{ toJson $fields | indent 4 }}
+  {{ $template }}.json: {{ toJson $fields | b64enc }}
 {{ end }}
 {{- end }}

fluent-logging/templates/daemonset-fluent-bit.yaml

@@ -148,8 +148,8 @@ spec:
             name: fluent-logging-bin
             defaultMode: 0555
         - name: fluent-logging-etc
-          configMap:
-            name: fluent-logging-etc
+          secret:
+            secretName: fluent-logging-etc
             defaultMode: 0444
 {{ if $mounts_fluentbit.volumes }}{{ toYaml $mounts_fluentbit.volumes | indent 8 }}{{ end }}
 {{- end }}

fluent-logging/templates/deployment-fluentd.yaml

@@ -150,8 +150,8 @@ spec:
         - name: pod-etc-fluentd
           emptyDir: {}
         - name: fluent-logging-etc
-          configMap:
-            name: fluent-logging-etc
+          secret:
+            secretName: fluent-logging-etc
             defaultMode: 0444
         - name: fluent-logging-bin
           configMap:

fluent-logging/templates/job-elasticsearch-template.yaml

@@ -78,8 +78,8 @@ spec:
             name: fluent-logging-bin
             defaultMode: 0555
         - name: fluent-logging-etc
-          configMap:
-            name: fluent-logging-etc
-            defaultMode: 0666
+          secret:
+            secretName: fluent-logging-etc
+            defaultMode: 0444
 {{ if $mounts_elasticsearch_template.volumes }}{{ toYaml $mounts_elasticsearch_template.volumes | indent 8 }}{{ end }}
 {{- end }}

grafana/templates/configmap-etc.yaml

@@ -30,21 +30,18 @@ limitations under the License.
 {{- end -}}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
   name: grafana-etc
+type: Opaque
 data:
-  datasources.yaml: |
-{{- include "grafana.utils.generate_datasources" (dict "envAll" $envAll "datasources" .Values.conf.provisioning.datasources) | indent 4 }}
-  dashboards.yaml: |
-{{ toYaml .Values.conf.provisioning.dashboards | indent 4 }}
-  grafana.ini: |
-{{ include "helm-toolkit.utils.to_ini" .Values.conf.grafana | indent 4 }}
+  datasources.yaml: {{ include "grafana.utils.generate_datasources" (dict "envAll" $envAll "datasources" .Values.conf.provisioning.datasources) | b64enc }}
+  dashboards.yaml: {{ toYaml .Values.conf.provisioning.dashboards | b64enc }}
+  grafana.ini: {{ include "helm-toolkit.utils.to_ini" .Values.conf.grafana | b64enc }}
 {{ if not (empty .Values.conf.ldap) }}
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ldap.template "key" "ldap.toml") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.ldap.template "key" "ldap.toml" "format" "Secret") | indent 2 }}
 {{ end }}
 {{ range $key, $value := .Values.conf.dashboards }}
-  {{$key}}.json: |
-{{ toJson $value | indent 4 }}
+  {{$key}}.json: {{ toJson $value | b64enc }}
 {{ end }}
 {{- end }}

grafana/templates/deployment.yaml

@@ -115,8 +115,8 @@ spec:
             name: grafana-bin
             defaultMode: 0555
         - name: grafana-etc
-          configMap:
-            name: grafana-etc
+          secret:
+            secretName: grafana-etc
             defaultMode: 0444
         - name: data
           emptyDir: {}

kibana/templates/configmap-etc.yaml

@@ -18,12 +18,12 @@ limitations under the License.
 {{- $envAll := . }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
   name: kibana-etc
+type: Opaque
 data:
-  kibana.yml: |
-{{ toYaml .Values.conf.kibana | indent 4 }}
+  kibana.yml: {{ toYaml .Values.conf.kibana | b64enc }}
 #NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
 {{- end }}

kibana/templates/deployment.yaml

@@ -127,7 +127,7 @@ spec:
             name: kibana-bin
             defaultMode: 0555
         - name: kibana-etc
-          configMap:
-            name: kibana-etc
+          secret:
+            secretName: kibana-etc
             defaultMode: 0444
 {{- end }}

nagios/templates/configmap-etc.yaml

@@ -14,25 +14,27 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{ define "configmap_etc._nagios_objects" }}
+{{- tuple "contact" $.Values.conf.nagios.contacts | include "nagios.utils.object_definition" }}
+{{- tuple "contactgroup" $.Values.conf.nagios.contactgroups | include "nagios.utils.object_definition" }}
+{{- tuple "host" $.Values.conf.nagios.hosts | include "nagios.utils.object_definition" }}
+{{- tuple "hostgroup" $.Values.conf.nagios.host_groups | include "nagios.utils.object_definition" }}
+{{- tuple "command" $.Values.conf.nagios.commands | include "nagios.utils.object_definition" }}
+{{- tuple "service" $.Values.conf.nagios.services | include "nagios.utils.object_definition" }}
+{{- end }}
+
 {{- if .Values.manifests.configmap_etc }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
   name: nagios-etc
+type: Opaque
 data:
-  cgi.cfg: |+
-{{ include "nagios.utils.to_nagios_conf" .Values.conf.nagios.cgi | indent 4 }}
-  nagios.cfg: |+
-{{ include "nagios.utils.to_nagios_conf" .Values.conf.nagios.nagios | indent 4 }}
-  nagios_objects.cfg: |+
-{{- tuple "contact" .Values.conf.nagios.contacts | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "contactgroup" .Values.conf.nagios.contactgroups | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "host" .Values.conf.nagios.hosts | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "hostgroup" .Values.conf.nagios.host_groups | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "command" .Values.conf.nagios.commands | include "nagios.utils.object_definition" | indent 4 }}
-{{- tuple "service" .Values.conf.nagios.services | include "nagios.utils.object_definition" | indent 4 }}
+  cgi.cfg: {{ include "nagios.utils.to_nagios_conf" .Values.conf.nagios.cgi | b64enc }}
+  nagios.cfg: {{ include "nagios.utils.to_nagios_conf" .Values.conf.nagios.nagios | b64enc }}
+  nagios_objects.cfg: {{ include "configmap_etc._nagios_objects" $ | b64enc }}
 #NOTE(portdirect): this must be last, to work round helm ~2.7 bug.
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
 {{- end }}

nagios/templates/deployment.yaml

@@ -162,8 +162,8 @@ spec:
               readOnly: true
       volumes:
         - name: nagios-etc
-          configMap:
-            name: nagios-etc
+          secret:
+            secretName: nagios-etc
             defaultMode: 0444
         - name: pod-etc-apache
           emptyDir: {}

prometheus/templates/configmap-etc.yaml

@@ -38,16 +38,15 @@ limitations under the License.
 
 ---
 apiVersion: v1
-kind: ConfigMap
+kind: Secret
 metadata:
   name: prometheus-etc
+type: Opaque
 data:
-  prometheus.yml: |+
-{{ toYaml .Values.conf.prometheus.scrape_configs | indent 4 }}
+  prometheus.yml: {{ toYaml .Values.conf.prometheus.scrape_configs | b64enc }}
 {{ range $key, $value := .Values.conf.prometheus.rules }}
-  {{ $key }}.rules: |
-{{ toYaml $value | indent 4 }}
+  {{ $key }}.rules: {{ toYaml $value | b64enc }}
 {{ end }}
 #NOTE(srwilkers): this must be last, to work round helm ~2.7 bug.
-{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf") | indent 2 }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.httpd "key" "httpd.conf" "format" "Secret") | indent 2 }}
 {{- end }}

prometheus/templates/statefulset.yaml

@@ -189,8 +189,9 @@ spec:
         - name: rulesprometheus
           emptyDir: {}
         - name: prometheus-etc
-          configMap:
-            name: prometheus-etc
+          secret:
+            secretName: prometheus-etc
+            defaultMode: 0444
         - name: prometheus-bin
           configMap:
             name: prometheus-bin