Registry token

traefikee/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: traefikee
-version: 1.8.0
+version: 1.9.0
 appVersion: v2.9.1
 # Because of https://github.com/helm/helm/issues/3810 the pre-release version suffix has to be define.
 # This allows the installation on Kubernetes cluster with a pre-release version (e.g. v1.19.9-gke.1900)

traefikee/templates/NOTES.txt

@@ -0,0 +1,16 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+  $ helm status {{ .Release.Name }}
+  $ helm get all {{ .Release.Name }}
+
+{{ if not (empty (.Values.registry).tokenSecret) }}
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! WARNING: please note registry.tokenSecret was introduced to ease deployments on non-production environment. !!
+!!          On production this can cause security issues and you may prefer specifying registry.tokenSecretRef !!
+!!          instead !                                                                                          !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+{{ end }}

traefikee/templates/_helpers.tpl

@@ -58,14 +58,33 @@ release: {{ .Values.cluster }}
 {{- end }}
 
 {{/*
-Generates registry token.
+Generates or load registry token.
 */}}
 {{- define "traefikee-helm-chart.registry-token" -}}
-{{- $tokenSecret := (lookup "v1" "Secret" .Release.Namespace (print .Values.cluster "-registry-token")) | default dict }}
-{{- $tokenSecretData := (get $tokenSecret "data") | default dict }}
-{{- $tokenStr := (get $tokenSecretData "token" | b64dec ) | default "" }}
-{{- if eq $tokenStr "" }}
-{{- $tokenStr = randAlphaNum 10 }}
-{{- end }}
+{{/* tokenSecretRef is provided, load it */}}
+  {{- $tokenStr := "" }}
+  {{- if eq (.Values.registry).manualTokenSecret true }}
+    {{- if not (empty (.Values.registry).tokenSecretRef) }}
+      {{- $tokenNS := .Release.Namespace }}
+      {{- if not (empty (.Values.registry.tokenSecretRef).namespace) }}
+        {{- $tokenNS := .Values.registry.tokenSecretRef.namespace }}
+      {{- end }}
+
+      {{- if empty (.Values.registry.tokenSecretRef).name }}
+        {{- fail "ERROR: registry.tokenSecretRef needs at least secret name to be specified !"}}
+      {{- end }}
+
+      {{- $tokenSecret := (lookup "v1" "Secret" $tokenNS (.Values.registry.tokenSecretRef).name) }}
+      {{- $tokenSecretData := (get $tokenSecret "data") | default dict }}
+      {{- $tokenStr = (get $tokenSecretData "token" | b64dec ) | default "" }}
+      {{- if eq $tokenStr "" }}
+        {{- fail (printf "ERROR: failed to lookup token from secret %s/%s" $tokenNS (.Values.registry.tokenSecretRef.name))}}
+      {{- end }}
+    {{- end }}
+  {{- else if not (empty (.Values.registry).tokenSecret) }}
+    {{- $tokenStr = (.Values.registry).tokenSecret | default dict }}
+  {{- else }} {{/* generate a random string */}}
+    {{- $tokenStr = randAlphaNum 10 }}
+  {{- end }}
 {{- printf "%s" $tokenStr | nospace | b64enc }}
 {{- end }}

traefikee/templates/stateful-sets.yaml

@@ -1,5 +1,9 @@
 {{- $tokenStr := include "traefikee-helm-chart.registry-token" . }}
-{{- if empty (.Values.registry).manualTokenSecret }}
+{{- $tokenShaSum := $tokenStr | sha256sum }}
+{{- $tokenRefName := (printf "%s-registry-token" .Values.cluster) }}
+
+{{- if or (empty (.Values.registry).manualTokenSecret) (eq (.Values.registry).manualTokenSecret false)}}
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,6 +14,8 @@ metadata:
 type: Opaque
 data:
   token: {{ $tokenStr }}
+{{ else }}
+  {{- $tokenRefName = .Values.registry.tokenSecretRef.name }}
 {{- end }}
 
 ---
@@ -40,7 +46,7 @@ spec:
       annotations:
         # This ensures that the registry pods will be rollout,
         # if the token for the plugin registry has changed since last deployment.
-        checksum/config: {{ $tokenStr | sha256sum }}
+        checksum/config: {{ $tokenShaSum }}
         {{- with (.Values.registry).podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -88,7 +94,7 @@ spec:
             - name: PLUGIN_REGISTRY_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.cluster }}-registry-token
+                  name: {{ $tokenRefName }}
                   key: token
           securityContext:
             readOnlyRootFilesystem: true
@@ -170,10 +176,10 @@ spec:
   template:
     metadata:
       annotations:
-        # This ensures that the controller pods will be rollout,
+        # This ensures that the registry pods will be rollout,
         # if the token for the plugin registry has changed since last deployment.
-        checksum/config: {{ $tokenStr | sha256sum }}
-        {{- with .Values.controller.podAnnotations }}
+        checksum/config: {{ $tokenShaSum }}
+        {{- with (.Values.controller).podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
@@ -225,7 +231,7 @@ spec:
             - name: PLUGIN_REGISTRY_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.cluster }}-registry-token
+                  name: {{ $tokenRefName }}
                   key: token
           {{- with .Values.controller.env }}
             {{- toYaml . | nindent 12 }}

traefikee/tests/controller_test.yaml

@@ -225,3 +225,38 @@ tests:
       - equal:
           path: spec.template.spec.imagePullSecrets[0].name
           value: regcred
+  - it: should generate a default token secret
+    documentIndex: 0
+    asserts:
+      - isKind:
+          of: Secret
+      - hasDocuments:
+          count: 3
+      - matchRegex:
+          path: data.token
+          pattern: "[a-zA-Z0-9]{14}[=]{2}"
+  - it: should use generated token secret or specified token
+    documentIndex: 1
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name
+          value: "default-registry-token"
+  - it: should fail because of missing secret name
+    set:
+      registry:
+        manualTokenSecret: true
+        tokenSecretRef:
+          namespace: test
+    asserts:
+      - failedTemplate:
+          errorMessage: "registry.tokenSecretRef needs at least secret name to be specified !"
+  - it: should fail because the secret can't be look up
+    set:
+      registry:
+        manualTokenSecret: true
+        tokenSecretRef:
+          name: test
+    asserts:
+      - failedTemplate:
+          errorMessage: "failed to lookup token from secret NAMESPACE/test"
+  - it: should fail

traefikee/values.yaml

@@ -40,7 +40,6 @@ registry:
                   values:
                     - registry
             topologyKey: "kubernetes.io/hostname"
-
 #   serviceLabels:
 #     foo: bar
 #   serviceAnnotations:
@@ -53,7 +52,14 @@ registry:
 #     foo: bar
 #   podAnnotations:
 #     foo: bar
-#   manualTokenSecret: true
+## Needed if you setup the registry token manually before deploying TraefikEE
+#  manualTokenSecret: true
+#  tokenSecretRef:
+#    name: secret
+#    namespace: othernamespace
+## Set the registry token directly in Values
+#  tokenSecret: "NJ00yx60K+Wm1yufuBM6fLq3fVKcv44RvBsVGiH40+U="
+
 
 controller:
   replicas: 1