From d938c9779450b689df03306ea22f8e15b618cfff Mon Sep 17 00:00:00 2001
From: Filippo Ledda
Date: Wed, 6 Nov 2024 12:09:04 +0100
Subject: [PATCH] CH-162 support for dynamic random secrets
---
 .../helm/templates/auto-secrets.yaml | 9 ++++++---
 docs/applications/secrets.md | 7 +++++--
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/deployment-configuration/helm/templates/auto-secrets.yaml b/deployment-configuration/helm/templates/auto-secrets.yaml
index 27851ad9e..3dd6427fb 100644
--- a/deployment-configuration/helm/templates/auto-secrets.yaml
+++ b/deployment-configuration/helm/templates/auto-secrets.yaml
@@ -12,13 +12,16 @@ type: Opaque
 {{- $secret := (lookup "v1" "Secret" .root.Values.namespace $secret_name) }}
 {{- if $secret }}
 # secret already exists
+ stringData:
 {{- range $k, $v := .app.harness.secrets }}
- {{- if $v }}
+ {{- if and $v (ne $v "?") }}
 # Set secret value to value in values.yaml if specified
 {{ $k }}: {{ $v }}
- {{- else if not (hasKey $secret.data $k) }}
- # Create a random secret value if not specified in values.yaml and is not already in the secret
+ {{- else if or (eq $v "?") (not (hasKey $secret.data $k)) }}
+ # Create a random secret value if not specified in values.yaml if:
+ # 1. it is not set and it is not already in the deployed secret (static random secret)
+ # 2. its value is ? (dynamic random secret)
 {{ $k }}: {{ randAlphaNum 20 }}
 {{- end}}
 {{- end }}
diff --git a/docs/applications/secrets.md b/docs/applications/secrets.md
index dfd72256d..5cac227ad 100644
--- a/docs/applications/secrets.md
+++ b/docs/applications/secrets.md
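Review bot: The `?` case on the new `else if` line regenerates the value on every `helm upgrade`, but nothing in this template makes consumers pick the new value up: pods that read the secret through environment variables keep the previous value until they are restarted, and anything outside the cluster that was initialised from the old value silently drifts. Suggest stating this next to the new comment, e.g. `# NOTE: a "?" value changes on every upgrade; consuming workloads must be restarted (e.g. via a checksum annotation) to see it`, and confirming the consuming charts do so. Two smaller points: `eq $v "?"` is now also evaluated for the `null` (manually managed) secrets, so it is worth checking that `eq` with a nil `$v` does not abort rendering on the Helm version in use (`and (kindIs "string" $v) (eq $v "?")` avoids the question); and since a bare `?` is a YAML indicator character, the values example should probably be written as `"?"` unless the parser has been verified to yield the string. The enclosing `if $secret` block and its `else` branch continue outside the hunk.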
@@ -20,13 +20,16 @@ harness:
 secrets:
 unsecureSecret:
 secureSecret:
- random-secret: ""
+ random-static-secret: ""
+ random-dynamic-secret: ?
 ```
 Secret values are initialized in three different ways:
 * Set the secret's value (as in `unsecureSecret`). Do that only if you aware of what you are doing as the value may be pushed in the git(hub) repository.
 * Leave the secret's value `null` (as in `secureSecret`) to configure manually later in the ci/cd pipeline.
-* Use the "" (empty string) value (as in `random-secret`) to let cloudharness generate a random value for you.
+* Use the "" (empty string) value (as in `random-static-secret`) to let CloudHarness generate a random value for you.
+ This secret won't be updated after being set by any of the CloudHarness automations, so has to be managed through `kubectl` directly.
+* Use the `?` value (as in `random-dynamic-secret`) to get a new random value for every deployment upgrade
 Secret editing/maintenance alternatives:
 * CI/CD Codefresh support: all `null` and `` secrets will be added to the codefresh deployment file(s) and can be set/overwritten through the codefresh variable configuration