CH-162 support for dynamic random secrets
filippomc committed Nov 6, 2024
1 parent b27916f commit d938c97
Showing 2 changed files with 11 additions and 5 deletions.
9 changes: 6 additions & 3 deletions deployment-configuration/helm/templates/auto-secrets.yaml
@@ -12,13 +12,16 @@ type: Opaque
{{- $secret := (lookup "v1" "Secret" .root.Values.namespace $secret_name) }}
{{- if $secret }}
# secret already exists

stringData:
{{- range $k, $v := .app.harness.secrets }}
{{- if $v }}
{{- if and $v (ne $v "?") }}
# Set secret value to value in values.yaml if specified
{{ $k }}: {{ $v }}
{{- else if not (hasKey $secret.data $k) }}
# Create a random secret value if not specified in values.yaml and is not already in the secret
{{- else if or (eq $v "?") (not (hasKey $secret.data $k)) }}
# Create a random secret value if not specified in values.yaml if:
# 1. it is not set and it is not already in the deployed secret (static random secret)
# 2. its value is ? (dynamic random secret)
{{ $k }}: {{ randAlphaNum 20 }}
{{- end}}
{{- end }}
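Review bot: the new `ne $v "?"` / `eq $v "?"` comparisons assume `$v` is a string, so a secret value written in values.yaml as a number or boolean (which the old `if $v` test tolerated) now aborts rendering with an incompatible-types error; comparing `(toString $v)` instead keeps the old behaviour for those values. Note also that a `?` secret gets a fresh `randAlphaNum 20` on every render, so workloads that read the Secret through environment variables keep the previous value until they are restarted, and the comment "Create a random secret value if not specified in values.yaml if:" should read "Create a random secret value if:" now that the two cases are enumerated below it.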
7 changes: 5 additions & 2 deletions docs/applications/secrets.md
@@ -20,13 +20,16 @@ harness:
secrets:
unsecureSecret: <value>
secureSecret:
random-secret: ""
random-static-secret: ""
random-dynamic-secret: ?
```
Secret values are initialized in three different ways:
* Set the secret's value (as in `unsecureSecret`). Do that only if you aware of what you are doing as the value may be pushed in the git(hub) repository.
* Leave the secret's value `null` (as in `secureSecret`) to configure manually later in the ci/cd pipeline.
* Use the "" (empty string) value (as in `random-secret`) to let cloudharness generate a random value for you.
* Use the "" (empty string) value (as in `random-static-secret`) to let CloudHarness generate a random value for you.
This secret won't be updated after being set by any of the CloudHarness automations, so has to be managed through `kubectl` directly.
* Use the `?` value (as in `random-dynamic-secret`) to get a new random value for every deployment upgrade

Secret editing/maintenance alternatives:
* CI/CD Codefresh support: all `null` and `<value>` secrets will be added to the codefresh deployment file(s) and can be set/overwritten through the codefresh variable configuration
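Review bot: the documented example `random-dynamic-secret: ?` is not a YAML string: a bare `?` followed by a line break is the explicit mapping-key indicator, so the value parses as a mapping with an empty key rather than as `"?"`, and the template's `eq $v "?"` check never matches. The example should quote it, `random-dynamic-secret: "?"`, and the same applies to the values.yaml snippet readers will copy; the new bullet also lacks a closing period, and the neighbouring "only if you aware of" is missing "are".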

0 comments on commit d938c97
