Merge pull request #302 from bci-oss/feature/autogenerate-postgres-pw

Add autogenerate password secret for postgresql if not set

.github/workflows/helm-test.yml

@@ -1,5 +1,5 @@
-# Copyright (c) 2023 Robert Bosch Manufacturing Solutions GmbH
-# Copyright (c) 2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2024 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
 
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -85,12 +85,17 @@ jobs:
         with:
           name: aas-registry-e2e-test-report
           path: /opt/report.html
+
+      - name: Generate random password (This password is only a placeholder for the next step and will not used). The postgresPassword/password will be set via postgres-init.yaml.
+        id: generate-password
+        run: |
+          echo "PASSWORD=PLACEHOLDER_PW" >> $GITHUB_ENV       
           
       - name: Run helm upgrade
         run: |
           helm repo add bitnami https://charts.bitnami.com/bitnami
           helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
           helm install registry tractusx-dev/registry --version ${{ github.event.inputs.upgrade_from || '0.3.19' }}
           helm dependency update charts/registry
-          helm upgrade registry charts/registry
+          helm upgrade registry charts/registry --set global.postgresql.auth.postgresPassword=$PASSWORD --set global.postgresql.auth.password=$PASSWORD
         if: github.event_name != 'pull_request' || steps.list-changed.outputs.changed == 'true'

charts/registry/Chart.yaml

@@ -26,7 +26,7 @@ sources:
   - https://github.com/eclipse-tractusx/sldt-digital-twin-registry
 
 type: application
-version: 0.4.0
+version: 0.4.1
 appVersion: 0.3.23
 
 dependencies:

charts/registry/templates/registry/postgres-init.yaml

@@ -0,0 +1,60 @@
+# Copyright (c) 2024 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+###############################################################
+{{- if .Values.enablePostgres }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.postgresql.auth.existingSecret }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+type: Opaque
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.postgresql.auth.existingSecret) }}
+{{- $defaultSecret := (lookup "v1" "Secret" .Release.Namespace ( printf "%s-postgresql" .Release.Name )) }}
+# 1. Check if given secret exists
+{{ if $secret -}}
+data:
+  {{- $postgresPassword:= ( .Values.postgresql.auth.password | b64enc) | default ( index $secret.data "postgres-password" ) | quote }}
+  postgres-password: {{ $postgresPassword }}
+  {{- $password:= ( .Values.postgresql.auth.password | b64enc) | default ( index $secret.data "password" ) | quote }}
+  password: {{ $password }}
+  SPRING_DATASOURCE_PASSWORD: {{ $password }}
+  SPRING_DATASOURCE_URL: {{ printf "jdbc:postgresql://%s-postgresql:%v/%s" .Release.Name .Values.postgresql.service.ports.postgresql .Values.postgresql.auth.database | b64enc }}
+  SPRING_DATASOURCE_USERNAME: {{ .Values.postgresql.auth.username | b64enc }}
+# 2. Check if default postgresql secret (Release.Name-postgresql) exists
+{{ else if $defaultSecret -}}
+data:
+  {{- $postgresPassword:= ( .Values.postgresql.auth.password | b64enc) | default ( index $defaultSecret.data "postgres-password" ) | quote }}
+  postgres-password: {{ $postgresPassword }}
+  {{- $password:= ( .Values.postgresql.auth.password | b64enc) | default ( index $defaultSecret.data "password" ) | quote }}
+  password: {{ $password }}
+  SPRING_DATASOURCE_PASSWORD: {{ $password }}
+  SPRING_DATASOURCE_URL: {{ printf "jdbc:postgresql://%s-postgresql:%v/%s" .Release.Name .Values.postgresql.service.ports.postgresql .Values.postgresql.auth.database | b64enc }}
+  SPRING_DATASOURCE_USERNAME: {{ .Values.postgresql.auth.username | b64enc }}
+{{ else -}}
+# 3. If no secret exists, use provided value from values file or generate a random one if secret not exists.
+stringData:
+  {{- $password:= .Values.postgresql.auth.password | default ( randAlphaNum 32 ) | quote }}
+  postgres-password: {{ $password }}
+  password: {{ $password }}
+  SPRING_DATASOURCE_PASSWORD: {{ $password }}
+  SPRING_DATASOURCE_URL: {{ printf "jdbc:postgresql://%s-postgresql:%v/%s" .Release.Name .Values.postgresql.service.ports.postgresql .Values.postgresql.auth.database }}
+  SPRING_DATASOURCE_USERNAME: {{ .Values.postgresql.auth.username }}
+{{ end }}
+{{- end -}}

charts/registry/templates/registry/registry-deployment.yaml

@@ -70,6 +70,8 @@ spec:
           envFrom:
             - secretRef:
                 name: {{ include "dtr.fullname" . }}
+            - secretRef:
+                name: {{ .Values.postgresql.auth.existingSecret }}
           resources:
 {{ .Values.registry.resources | toYaml | indent 12 }}
       imagePullSecrets:

charts/registry/templates/registry/registry-secret.yaml

@@ -1,6 +1,6 @@
 ###############################################################
-# Copyright (c) 2021, 2023 Robert Bosch Manufacturing Solutions GmbH
-# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
+# Copyright (c) 2021, 2024 Robert Bosch Manufacturing Solutions GmbH
+# Copyright (c) 2021, 2024 Contributors to the Eclipse Foundation
 #
 # See the NOTICE file(s) distributed with this work for additional
 # information regarding copyright ownership.
@@ -24,11 +24,8 @@ metadata:
   name: {{ include "dtr.fullname" . }}
 type: Opaque
 data:
-  {{- if .Values.enablePostgres }}
-  SPRING_DATASOURCE_URL: {{ printf "jdbc:postgresql://%s-postgresql:%v/%s" .Release.Name .Values.postgresql.service.ports.postgresql .Values.postgresql.auth.database | b64enc }}
-  SPRING_DATASOURCE_USERNAME: {{ .Values.postgresql.auth.username | b64enc }}
-  SPRING_DATASOURCE_PASSWORD: {{ .Values.postgresql.auth.password | b64enc }}
-  {{- else }}
+  # If postgres enabled the environment values will be used from postgres-init.yaml
+  {{- if not .Values.enablePostgres }}
   SPRING_DATASOURCE_URL: {{ .Values.registry.dataSource.url | b64enc }}
   SPRING_DATASOURCE_USERNAME: {{ .Values.registry.dataSource.user | b64enc }}
   SPRING_DATASOURCE_PASSWORD: {{ .Values.registry.dataSource.password | b64enc }}

charts/registry/values.yaml

@@ -67,7 +67,7 @@ registry:
     ## In that case the postgresql auth parameters are used.
     url: jdbc:postgresql://database:5432
     user: default-user
-    password: ""
+    password:
   ingress:
     enabled: false
     tls: false
@@ -99,8 +99,11 @@ postgresql:
       postgresql: 5432
   auth:
     username: default-user
-    password: password
+    # if password is empty, the postgres password will be generated random via postgres-init
+    password:
     database: default-database
+    # -- Secret contains passwords for username postgres.
+    existingSecret: secret-dtr-postgres-init
 
 keycloak:
   postgresql: