Merge pull request #277 from openziti/jan94-allowCustomAdminSecret

Jan94 allow custom admin secret
openziti · Nov 15, 2024 · 59be920 · 59be920
2 parents 6f1907d + 0cd96e0
commit 59be920
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 6 deletions.
diff --git a/charts/ziti-controller/Chart.yaml b/charts/ziti-controller/Chart.yaml
@@ -16,4 +16,4 @@ dependencies:
 description: Host an OpenZiti controller in Kubernetes
 name: ziti-controller
 type: application
-version: 1.1.2
+version: 1.1.3
diff --git a/charts/ziti-controller/README.md b/charts/ziti-controller/README.md
@@ -2,7 +2,7 @@
 
 # ziti-controller
 
-![Version: 1.1.2](https://img.shields.io/badge/Version-1.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.15](https://img.shields.io/badge/AppVersion-1.1.15-informational?style=flat-square)
+![Version: 1.1.3](https://img.shields.io/badge/Version-1.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.1.15](https://img.shields.io/badge/AppVersion-1.1.15-informational?style=flat-square)
 
 Host an OpenZiti controller in Kubernetes
 
@@ -237,6 +237,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
 | ctrlPlane.service.enabled | bool | `true` | create a separate cluster service for the ctrl plane; enabling this requires you to also set the host and port for a separate ctrl plane TLS listener |
 | ctrlPlane.service.type | string | `"ClusterIP"` | expose the service as a ClusterIP, NodePort, or LoadBalancer |
 | ctrlPlaneCasBundle.namespaceSelector | object | `{}` | namespaces where trust-manager will create the Bundle resource containing Ziti's trusted CA certs (default: empty means all namespaces) |
+| customAdminSecretName | string | `""` | set the admin user and password from a custom secret The custom admin secret must be of the following format: apiVersion: v1 kind: Secret metadata:   name: myCustomAdminSecret type: Opaque data:   admin-user:   admin-password: |
 | dbFile | string | `"ctrl.db"` | name of the BoltDB file |
 | edgeSignerPki.admin_client_cert.duration | string | `"8760h"` | admin client certificate duration as Go time.Duration |
 | edgeSignerPki.admin_client_cert.renewBefore | string | `"720h"` | renew admin client certificate before expiry as Go time.Duration |
@@ -334,6 +335,7 @@ For more information, please check [here](https://openziti.io/docs/learn/core-co
 | trust-manager.crds.enabled | bool | `false` | CRDs must be applied in advance of installing the parent chart |
 | trust-manager.enabled | bool | `false` | install the trust-manager subchart |
 | trustDomain | string | `""` | permanent SPIFFE ID to use for this controller's trust domain (default: random, fixed for the life of the chart release) |
+| useCustomAdminSecret | bool | `false` | allow for using a custom admin secret, which has to be created beforehand if enabled, the admin secret will not be generated by this Helm chart |
 | webBindingPki.altServerCerts | list | `[]` |  |
 | webBindingPki.enabled | bool | `true` | generate a separate PKI root of trust for web bindings, i.e., client, management, and prometheus APIs |
 

diff --git a/charts/ziti-controller/templates/deployment.yaml b/charts/ziti-controller/templates/deployment.yaml
@@ -41,12 +41,20 @@ spec:
             - name: ZITI_ADMIN_USER
               valueFrom:
                 secretKeyRef:
-                  name:  {{ include "ziti-controller.fullname" . }}-admin-secret
+                {{- if .Values.useCustomAdminSecret }}
+                  name:  {{ .Values.customAdminSecretName }}
+                {{- else }}
+                  name: {{ include "ziti-controller.fullname" . }}-admin-secret
+                {{- end }}
                   key: admin-user
             - name: ZITI_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name:  {{ include "ziti-controller.fullname" . }}-admin-secret
+                {{- if .Values.useCustomAdminSecret }}
+                  name:  {{ .Values.customAdminSecretName }}
+                {{- else }}
+                  name: {{ include "ziti-controller.fullname" . }}-admin-secret
+                {{- end }}
                   key: admin-password
             - name: ZITI_TRUST_DOMAIN
               valueFrom:
@@ -146,12 +154,20 @@ spec:
             - name: ZITI_ADMIN_USER
               valueFrom:
                 secretKeyRef:
-                  name:  {{ include "ziti-controller.fullname" . }}-admin-secret
+                {{- if .Values.useCustomAdminSecret }}
+                  name:  {{ .Values.customAdminSecretName }}
+                {{- else }}
+                  name: {{ include "ziti-controller.fullname" . }}-admin-secret
+                {{- end }}
                   key: admin-user
             - name: ZITI_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name:  {{ include "ziti-controller.fullname" . }}-admin-secret
+                {{- if .Values.useCustomAdminSecret }}
+                  name:  {{ .Values.customAdminSecretName }}
+                {{- else }}
+                  name: {{ include "ziti-controller.fullname" . }}-admin-secret
+                {{- end }}
                   key: admin-password
             - name: ZITI_TRUST_DOMAIN
               valueFrom:

diff --git a/charts/ziti-controller/templates/secrets.yaml b/charts/ziti-controller/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.useCustomAdminSecret }}
 ---
 apiVersion: v1
 kind: Secret
@@ -18,6 +19,7 @@ data:
   # set the secret values..
   admin-password: {{ $adminPassword | quote }}
   admin-user: {{ $adminUser | quote }}
+{{- end }}
 
 ---
 apiVersion: v1

diff --git a/charts/ziti-controller/values.yaml b/charts/ziti-controller/values.yaml
@@ -130,6 +130,23 @@ envSecrets: {}
 #        name: some-secret
 #        key: some_secret_key
 
+
+# -- allow for using a custom admin secret, which has to be created beforehand
+# if enabled, the admin secret will not be generated by this Helm chart
+useCustomAdminSecret: false
+
+# -- set the admin user and password from a custom secret
+# The custom admin secret must be of the following format:
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: myCustomAdminSecret
+# type: Opaque
+# data:
+#   admin-user:
+#   admin-password:
+customAdminSecretName: ""
+
 prometheus:
   # -- cluster service target port on the container
   containerPort: 9090