From f394f88cb6dd60528b7364b253c8c345a904035e Mon Sep 17 00:00:00 2001
From: NEwa-05
Date: Wed, 12 Apr 2023 11:18:05 +0200
Subject: [PATCH] Registry token
---
 traefikee/Chart.yaml | 2 +-
 traefikee/templates/NOTES.txt | 16 ++++++++++++
 traefikee/templates/_helpers.tpl | 33 ++++++++++++++++++------
 traefikee/templates/stateful-sets.yaml | 20 +++++++++------
 traefikee/tests/controller_test.yaml | 35 ++++++++++++++++++++++++++
 traefikee/values.yaml | 10 ++++++--
 6 files changed, 99 insertions(+), 17 deletions(-)
 create mode 100644 traefikee/templates/NOTES.txt
diff --git a/traefikee/Chart.yaml b/traefikee/Chart.yaml
index b240978..ffb0dbd 100644
--- a/traefikee/Chart.yaml
+++ b/traefikee/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: traefikee
-version: 1.8.0
+version: 1.9.0
 appVersion: v2.9.1
 # Because of https://github.com/helm/helm/issues/3810 the pre-release version suffix has to be define.
 # This allows the installation on Kubernetes cluster with a pre-release version (e.g. v1.19.9-gke.1900)
diff --git a/traefikee/templates/NOTES.txt b/traefikee/templates/NOTES.txt
new file mode 100644
index 0000000..55b035f
--- /dev/null
+++ b/traefikee/templates/NOTES.txt
@@ -0,0 +1,16 @@
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+ $ helm status {{ .Release.Name }}
+ $ helm get all {{ .Release.Name }}
+
+{{ if not (empty (.Values.registry).tokenSecret) }}
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! WARNING: please note registry.tokenSecret was introduced to ease deployments on non-production environment. !!
+!! On production this can cause security issues and you may prefer specifying registry.tokenSecretRef !!
+!! instead ! !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+{{ end }}
diff --git a/traefikee/templates/_helpers.tpl b/traefikee/templates/_helpers.tpl
index 4d73436..ffef241 100644
--- a/traefikee/templates/_helpers.tpl
+++ b/traefikee/templates/_helpers.tpl
@@ -58,14 +58,33 @@ release: {{ .Values.cluster }}
 {{- end }}
 
 {{/*
-Generates registry token.
+Generates or load registry token.
 */}}
 {{- define "traefikee-helm-chart.registry-token" -}}
-{{- $tokenSecret := (lookup "v1" "Secret" .Release.Namespace (print .Values.cluster "-registry-token")) | default dict }}
-{{- $tokenSecretData := (get $tokenSecret "data") | default dict }}
-{{- $tokenStr := (get $tokenSecretData "token" | b64dec ) | default "" }}
-{{- if eq $tokenStr "" }}
-{{- $tokenStr = randAlphaNum 10 }}
-{{- end }}
+{{/* tokenSecretRef is provided, load it */}}
+ {{- $tokenStr := "" }}
+ {{- if eq (.Values.registry).manualTokenSecret true }}
+ {{- if not (empty (.Values.registry).tokenSecretRef) }}
+ {{- $tokenNS := .Release.Namespace }}
+ {{- if not (empty (.Values.registry.tokenSecretRef).namespace) }}
+ {{- $tokenNS := .Values.registry.tokenSecretRef.namespace }}
+ {{- end }}
+
+ {{- if empty (.Values.registry.tokenSecretRef).name }}
+ {{- fail "ERROR: registry.tokenSecretRef needs at least secret name to be specified !"}}
+ {{- end }}
+
+ {{- $tokenSecret := (lookup "v1" "Secret" $tokenNS (.Values.registry.tokenSecretRef).name) }}
+ {{- $tokenSecretData := (get $tokenSecret "data") | default dict }}
+ {{- $tokenStr = (get $tokenSecretData "token" | b64dec ) | default "" }}
+ {{- if eq $tokenStr "" }}
+ {{- fail (printf "ERROR: failed to lookup token from secret %s/%s" $tokenNS (.Values.registry.tokenSecretRef.name))}}
+ {{- end }}
+ {{- end }}
+ {{- else if not (empty (.Values.registry).tokenSecret) }}
+ {{- $tokenStr = (.Values.registry).tokenSecret | default dict }}
+ {{- else }} {{/* generate a random string */}}
+ {{- $tokenStr = randAlphaNum 10 }}
+ {{- end }}
 {{- printf "%s" $tokenStr | nospace | b64enc }}
 {{- end }}
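Review bot: The `tokenSecretRef.namespace` override on the new `if not (empty (.Values.registry.tokenSecretRef).namespace)` branch never takes effect, because `{{- $tokenNS := .Values.registry.tokenSecretRef.namespace }}` uses `:=`, which declares a fresh variable scoped to that `if` block; the outer `$tokenNS` keeps `.Release.Namespace` for both the `lookup` and the failure message, and the fix is `=`, as this same hunk already does for `$tokenStr`. A second gap: when `manualTokenSecret` is true and `tokenSecretRef` is unset the helper silently yields an empty token, whereas before this change `manualTokenSecret: true` alone meant the user had pre-created `<cluster>-registry-token`, so defaulting the name to that value keeps those installs working. Third, removing the `lookup` of the existing `<cluster>-registry-token` Secret means the default branch now draws a fresh `randAlphaNum 10` on every `helm upgrade`, which the checksum annotation turns into a rollout of both StatefulSets — presumably unintended, so restore that lookup ahead of the random fallback. Be aware that `lookup` returns nothing under `helm template` or `--dry-run`, so the `fail` on an empty result makes offline rendering impossible whenever `manualTokenSecret` is set.
```gotemplate
{{- define "traefikee-helm-chart.registry-token" -}}
  {{- $tokenStr := "" }}
  {{- $defaultName := printf "%s-registry-token" .Values.cluster }}
  {{- if eq (.Values.registry).manualTokenSecret true }}
    {{- $tokenNS := .Release.Namespace }}
    {{- $tokenName := $defaultName }} {{/* pre-1.9 contract: the user pre-creates <cluster>-registry-token */}}
    {{- $ref := (.Values.registry).tokenSecretRef | default dict }}
    {{- if not (empty $ref) }}
      {{- if empty (get $ref "name") }}
        {{- fail "ERROR: registry.tokenSecretRef needs at least secret name to be specified !" }}
      {{- end }}
      {{- $tokenName = get $ref "name" }}
      {{- if not (empty (get $ref "namespace")) }}
        {{- $tokenNS = get $ref "namespace" }} {{/* `=`, not `:=`: a `:=` here is scoped to this if-block and leaves the outer value untouched */}}
      {{- end }}
    {{- end }}
    {{- $data := (get ((lookup "v1" "Secret" $tokenNS $tokenName) | default dict) "data") | default dict }}
    {{- $tokenStr = (get $data "token" | b64dec) | default "" }}
    {{- if eq $tokenStr "" }}
      {{- fail (printf "ERROR: failed to lookup token from secret %s/%s" $tokenNS $tokenName) }}
    {{- end }}
  {{- else if not (empty (.Values.registry).tokenSecret) }}
    {{- $tokenStr = (.Values.registry).tokenSecret }}
  {{- else }}
    {{/* reuse the token a previous release stored so an upgrade does not rotate it and roll every pod */}}
    {{- $data := (get ((lookup "v1" "Secret" .Release.Namespace $defaultName) | default dict) "data") | default dict }}
    {{- $tokenStr = (get $data "token" | b64dec) | default "" }}
    {{- if eq $tokenStr "" }}
      {{- $tokenStr = randAlphaNum 10 }}
    {{- end }}
  {{- end }}
  {{- printf "%s" $tokenStr | nospace | b64enc }}
{{- end }}
```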
diff --git a/traefikee/templates/stateful-sets.yaml b/traefikee/templates/stateful-sets.yaml
index 2728934..2d15883 100644
--- a/traefikee/templates/stateful-sets.yaml
+++ b/traefikee/templates/stateful-sets.yaml
@@ -1,5 +1,9 @@
 {{- $tokenStr := include "traefikee-helm-chart.registry-token" . }}
-{{- if empty (.Values.registry).manualTokenSecret }}
+{{- $tokenShaSum := $tokenStr | sha256sum }}
+{{- $tokenRefName := (printf "%s-registry-token" .Values.cluster) }}
+
+{{- if or (empty (.Values.registry).manualTokenSecret) (eq (.Values.registry).manualTokenSecret false)}}
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,6 +14,8 @@ metadata:
 type: Opaque
 data:
 token: {{ $tokenStr }}
+{{ else }}
+ {{- $tokenRefName = .Values.registry.tokenSecretRef.name }}
 {{- end }}
 
 ---
@@ -40,7 +46,7 @@ spec:
 annotations:
 # This ensures that the registry pods will be rollout,
 # if the token for the plugin registry has changed since last deployment.
- checksum/config: {{ $tokenStr | sha256sum }}
+ checksum/config: {{ $tokenShaSum }}
 {{- with (.Values.registry).podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -88,7 +94,7 @@ spec:
 - name: PLUGIN_REGISTRY_TOKEN
 valueFrom:
 secretKeyRef:
- name: {{ .Values.cluster }}-registry-token
+ name: {{ $tokenRefName }}
 key: token
 securityContext:
 readOnlyRootFilesystem: true
@@ -170,10 +176,10 @@ spec:
 template:
 metadata:
 annotations:
- # This ensures that the controller pods will be rollout,
+ # This ensures that the registry pods will be rollout,
 # if the token for the plugin registry has changed since last deployment.
- checksum/config: {{ $tokenStr | sha256sum }}
- {{- with .Values.controller.podAnnotations }}
+ checksum/config: {{ $tokenShaSum }}
+ {{- with (.Values.controller).podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
 labels:
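Review bot: `{{- $tokenRefName = .Values.registry.tokenSecretRef.name }}` in the new `else` branch is reached for any `manualTokenSecret` that is neither empty nor literally `false`, including the previously documented `manualTokenSecret: true` with no `tokenSecretRef`; there `.tokenSecretRef.name` dereferences a nil value and the render errors, so installs that pre-created `<cluster>-registry-token` under the old contract break on this upgrade. Keep the old name as the fallback with a nil-safe access: `{{- $tokenRefName = ((.Values.registry).tokenSecretRef | default dict).name | default $tokenRefName }}`. The predicate `or (empty …) (eq … false)` also disagrees with the helper's `eq … true`, so a string value such as `"true"` takes the manual branch here but the random-token branch in the helper, leaving the pods pointing at a Secret nothing creates; testing plain truthiness, `{{- if not (.Values.registry).manualTokenSecret }}`, in both places avoids the split. Note that `secretKeyRef` has no namespace field, so a `tokenSecretRef.namespace` other than the release namespace renders fine yet produces pods that cannot start.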
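Review bot: `checksum/config: {{ $tokenShaSum }}` places an unsalted SHA-256 of the token (its base64 form) into a pod annotation that anyone with `get pods` can read, and with `tokenSecretRef` that exposure now extends to a Secret the chart does not own; whether that matters depends on what the plugin-registry token protects, but a 10-character `randAlphaNum` value is a small enough space that the hash is brute-forceable offline. For the externally managed case the rollout trigger could instead be the Secret's `metadata.resourceVersion`, which the helper's `lookup` already returns and which reveals nothing about the value, and for the generated token a longer value (`randAlphaNum 32`) raises the cost of that attack — the test regex on `data.token` would need to follow. At minimum add a comment above this line: `# NOTE: this is a hash of the registry token itself; anyone who can read pod annotations can attempt to recover the token offline`.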
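Review bot: The comment change in the `@@ -170,10 +176,10 @@` hunk is wrong for this block: it sits in the StatefulSet that reads `.Values.controller.podAnnotations`, so it describes the controller, not the registry, and the old text was right; restore it as `# This ensures that the controller pods will be rolled out,` (fixing the grammar while here). Guarding `.Values.controller` with parentheses on the `with` line is fine, but the `env` hunk further down still uses `.Values.controller.env` unguarded; keep the two consistent.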
@@ -225,7 +231,7 @@ spec:
 - name: PLUGIN_REGISTRY_TOKEN
 valueFrom:
 secretKeyRef:
- name: {{ .Values.cluster }}-registry-token
+ name: {{ $tokenRefName }}
 key: token
 {{- with .Values.controller.env }}
 {{- toYaml . | nindent 12 }}
diff --git a/traefikee/tests/controller_test.yaml b/traefikee/tests/controller_test.yaml
index c91af56..5e7a3e7 100644
--- a/traefikee/tests/controller_test.yaml
+++ b/traefikee/tests/controller_test.yaml
@@ -225,3 +225,38 @@ tests:
 - equal:
 path: spec.template.spec.imagePullSecrets[0].name
 value: regcred
+ - it: should generate a default token secret
+ documentIndex: 0
+ asserts:
+ - isKind:
+ of: Secret
+ - hasDocuments:
+ count: 3
+ - matchRegex:
+ path: data.token
+ pattern: "[a-zA-Z0-9]{14}[=]{2}"
+ - it: should use generated token secret or specified token
+ documentIndex: 1
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name
+ value: "default-registry-token"
+ - it: should fail because of missing secret name
+ set:
+ registry:
+ manualTokenSecret: true
+ tokenSecretRef:
+ namespace: test
+ asserts:
+ - failedTemplate:
+ errorMessage: "registry.tokenSecretRef needs at least secret name to be specified !"
+ - it: should fail because the secret can't be look up
+ set:
+ registry:
+ manualTokenSecret: true
+ tokenSecretRef:
+ name: test
+ asserts:
+ - failedTemplate:
+ errorMessage: "failed to lookup token from secret NAMESPACE/test"
+ - it: should fail
diff --git a/traefikee/values.yaml b/traefikee/values.yaml
index de3f006..382108b 100644
--- a/traefikee/values.yaml
+++ b/traefikee/values.yaml
@@ -40,7 +40,6 @@ registry:
 values:
 - registry
 topologyKey: "kubernetes.io/hostname"
-
 # serviceLabels:
 # foo: bar
 # serviceAnnotations:
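Review bot: The trailing `- it: should fail` in the tests hunk has no `set` and no `asserts`; it is a dangling stub that should be completed or removed before merge. The `matchRegex` pattern `"[a-zA-Z0-9]{14}[=]{2}"` is unanchored, so a longer or oddly padded value still matches; `"^[a-zA-Z0-9]{14}={2}$"` pins the 16-character base64 form of a 10-byte token. Nothing exercises `registry.tokenSecret` or `tokenSecretRef.namespace` even though the second test's title promises a "specified token" case, and a namespace case asserting `failed to lookup token from secret test/test` would presumably have caught that the helper's `:=` discards the namespace override. The `should fail because the secret can't be look up` case also documents that any render without a live cluster — `helm template`, `--dry-run`, CI — fails once `manualTokenSecret` is set, which deserves a sentence in values.yaml.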
@@ -53,7 +52,14 @@ registry:
 # foo: bar
 # podAnnotations:
 # foo: bar
-# manualTokenSecret: true
+## Needed if you setup the registry token manually before deploying TraefikEE
+# manualTokenSecret: true
+# tokenSecretRef:
+# name: secret
+# namespace: othernamespace
+## Set the registry token directly in Values
+# tokenSecret: "NJ00yx60K+Wm1yufuBM6fLq3fVKcv44RvBsVGiH40+U="
+
 
 controller:
 replicas: 1
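Review bot: The example `# tokenSecret: "NJ00yx60K+Wm1yufuBM6fLq3fVKcv44RvBsVGiH40+U="` looks like a real 32-byte credential; users copy sample values verbatim and secret scanners will flag it, so use an obvious placeholder such as `# tokenSecret: "<plugin-registry-token>"`. The comment block should also say what the chart does with each option: `tokenSecret` is written into the generated `<cluster>-registry-token` Secret and is recoverable from the release's stored values (`helm get values`), and `tokenSecretRef.namespace` only affects the render-time `lookup` — the pods reference the Secret by name in the release namespace, so it must exist there for them to start. Setting `manualTokenSecret` also makes `helm template` and `--dry-run` fail, because `lookup` returns nothing without a cluster and the helper then aborts.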