Fix eyaml secret configuration (#112)

* handle properly eyaml keys

* Add warning message is unsecure solution is define

* fix issue when eyaml is not enable

* update changelog & Chart.yaml

* fix chart version

* fix chart version

Co-authored-by: Miroslav Hadzhiev <[email protected]>

CHANGELOG.md

@@ -5,6 +5,13 @@ numbering uses [semantic versioning](http://semver.org).
 
 NOTE: The change log until version `v0.2.4` is auto-generated.
 
+## [v5.19.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v5.19.0) (2022-05-27)
+
+- feat: deploy only necessary configuration regarding the solution (secret, keys defined in values.yaml, configmap )
+- feat deploy only the most secure configuration (secret > keys defined in values.yaml > configMap)
+- feat: generate a warning if configmap or keys are defined in values.yaml is used
+- feat: generate an error if keys are defined in values.yaml and if .Values.eyaml.public_key or .Values.eyaml.private_key is missing
+
 ## [v5.18.0](https://github.com/puppetlabs/puppetserver-helm-chart/tree/v5.18.0) (2022-05-20)
 
 - feat: add pod security policies

Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: puppetserver
-version: 5.18.0
+version: 5.19.0
 appVersion: 7.4.2
 description: Puppet automates the delivery and operation of software.
 keywords: ["puppet", "puppetserver", "automation", "iac", "infrastructure", "cm", "ci", "cd"]

templates/NOTES.txt

@@ -21,5 +21,12 @@ Control Repo: "{{.Values.puppetserver.puppeturl}}"
 Hieradata Repo: "{{.Values.hiera.hieradataurl}}"
 {{- end }}
 
+{{ if .Values.hiera.eyaml.existingMap -}}
+WARNING: you specified a ConfigMap for eyaml secret and it unsecure 
+{{- end }}
+{{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key) }}
+WARNING: you specified a eyaml keys inside the values.yaml and it unsecure 
+{{- end }}
+
 If you need to get your password for PuppetDB and PostgreSQL:
 $ printf $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "puppetdb.secret" . }} -o jsonpath="{.data.password}" | base64 --decode);echo

templates/_helpers.tpl

@@ -348,6 +348,20 @@ Create the name for the r10k.hiera.viaHttps secret.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Create the name for the hiera eyaml private key Secrets.
+*/}}
+{{- define "puppetserver.hiera.privateSecret" -}}
+  eyamlpriv-secret
+{{- end -}}
+
+{{/*
+Create the name for the hiera eyaml public cert Secrets.
+*/}}
+{{- define "puppetserver.hiera.publicSecret" -}}
+  eyamlpub-secret
+{{- end -}}
+
 {{/* *************************************************************************************
 The following definitions were more complex and necessary during part of this development.
 Now they are essentially just stubs but left here in case they might be needed again soon.
@@ -370,17 +384,3 @@ Create the name for the hiera eyaml key secret (private/public keys combined).
   {{- .Values.hiera.eyaml.existingSecret -}}
 {{- end -}}
 {{- end -}}
-
-{{/*
-Create the name for the hiera eyaml private key Secrets.
-*/}}
-{{- define "puppetserver.hiera.privateSecret" -}}
-  eyamlpriv-secret
-{{- end -}}
-
-{{/*
-Create the name for the hiera eyaml public cert Secrets.
-*/}}
-{{- define "puppetserver.hiera.publicSecret" -}}
-  eyamlpub-secret
-{{- end -}}

templates/private_key.pkcs7.pem.yaml

@@ -1,10 +1,12 @@
-{{- if and (.Values.hiera.eyaml.private_key) (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) }}
+{{- if and (.Values.hiera.eyaml.public_key) (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) (not .Values.hiera.eyaml.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name:  {{ include "puppetserver.hiera.privateSecret" . }}
   labels:
     {{- include "puppetserver.hiera.labels" . | nindent 4 }}
 data:
-  private_key.pkcs7.pem: {{ .Values.hiera.eyaml.private_key | nindent 4 | b64enc }}
+  private_key.pkcs7.pem: {{ required "A valid .Values.hiera.eyaml.private_key required!" .Values.hiera.eyaml.private_key | nindent 4 | b64enc }}
 {{- end }}
+
+

templates/public_key.pkcs7.pem.yaml

@@ -1,10 +1,12 @@
-{{- if and (.Values.hiera.eyaml.public_key) (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) }}
+{{- if and (.Values.hiera.eyaml.private_key) (not .Values.r10k.hiera.viaSsh.credentials.existingSecret) (not .Values.hiera.eyaml.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
   name:  {{ include "puppetserver.hiera.publicSecret" . }}
   labels:
     {{- include "puppetserver.hiera.labels" . | nindent 4 }}
 data:
-  public_key.pkcs7.pem: {{ .Values.hiera.eyaml.public_key | nindent 4 | b64enc }}
+  public_key.pkcs7.pem: {{ required "A valid .Values.hiera.eyaml.public_key required!" .Values.hiera.eyaml.public_key | nindent 4 | b64enc }}
 {{- end }}
+
+

templates/puppetserver-deployment-masters.yaml

@@ -81,11 +81,9 @@ spec:
               {{- end }}
               cp /etc/puppetlabs/puppet/configmap/site.pp /etc/puppetlabs/puppet/manifests/site.pp;
               chown puppet:puppet /etc/puppetlabs/puppet/manifests/site.pp;
-              {{- if or (.Values.hiera.eyaml.private_key) (.Values.hiera.eyaml.existingMap) }}
+              {{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key) (.Values.hiera.eyaml.existingMap) -}}
               cp /etc/puppetlabs/puppet/configmap/eyaml/*private_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/;
               chown puppet:puppet /etc/puppetlabs/puppet/eyaml/keys/*private_key.pkcs7.pem;
-              {{- end }}
-              {{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.existingMap) }}
               cp /etc/puppetlabs/puppet/configmap/eyaml/*public_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/;
               chown puppet:puppet /etc/puppetlabs/puppet/eyaml/keys/*public_key.pkcs7.pem;
               {{- end }}
@@ -133,16 +131,14 @@ spec:
             - name: manifests-volume
               mountPath: /etc/puppetlabs/puppet/configmap/site.pp
               subPath: site.pp
-            {{- if .Values.hiera.eyaml.existingMap }}
+            {{- if and (.Values.hiera.eyaml.existingMap) (not .Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingSecret) }}
             - name: eyaml-volume
               mountPath: /etc/puppetlabs/puppet/configmap/eyaml
             {{- end }}
-            {{- if and (.Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.existingMap)}}
+            {{- if and (or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key)) (not .Values.hiera.eyaml.existingSecret)}}
             - name: eyamlpub-volume
               mountPath: /etc/puppetlabs/puppet/configmap/eyaml/public_key.pkcs7.pem
               subPath: public_key.pkcs7.pem
-            {{- end }}
-            {{- if and (.Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingMap)}}
             - name: eyamlpriv-volume
               mountPath: /etc/puppetlabs/puppet/configmap/eyaml/private_key.pkcs7.pem
               subPath: private_key.pkcs7.pem
@@ -333,20 +329,17 @@ spec:
         - name: eyaml-volume
           secret:
             secretName: {{ .Values.hiera.eyaml.existingSecret }}
-        {{- else if .Values.hiera.eyaml.existingMap }}
-        - name: eyaml-volume
-          configMap:
-            name: {{ .Values.hiera.eyaml.existingMap }}
-        {{- end }}
-        {{- if and (.Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.existingMap) (not .Values.hiera.eyaml.existingSecret)}}
+        {{- else if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key) }}
         - name: eyamlpub-volume
           secret:
             secretName: {{ template "puppetserver.hiera.publicSecret" . }}
-        {{- end }}
-        {{- if and (.Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingMap) (not .Values.hiera.eyaml.existingSecret)}}
         - name: eyamlpriv-volume
           secret:
             secretName: {{ template "puppetserver.hiera.privateSecret" . }}
+        {{- else if .Values.hiera.eyaml.existingMap  }}
+        - name: eyaml-volume
+          configMap:
+            name: {{ .Values.hiera.eyaml.existingMap }}
         {{- end }}
         {{- if or (.Values.r10k.code.viaSsh.credentials.existingSecret) (and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value)) }}
         - name: r10k-code-ssh

templates/puppetserver-statefulset-compilers.yaml

@@ -72,11 +72,9 @@ spec:
               {{- end }}
               cp /etc/puppetlabs/puppet/configmap/site.pp /etc/puppetlabs/puppet/manifests/site.pp;
               chown puppet:puppet /etc/puppetlabs/puppet/manifests/site.pp;
-              {{- if or (.Values.hiera.eyaml.private_key) (.Values.hiera.eyaml.existingMap) }}
+              {{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key) (.Values.hiera.eyaml.existingMap) -}}
               cp /etc/puppetlabs/puppet/configmap/eyaml/*private_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/;
               chown puppet:puppet /etc/puppetlabs/puppet/eyaml/keys/*private_key.pkcs7.pem;
-              {{- end }}
-              {{- if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.existingMap) }}
               cp /etc/puppetlabs/puppet/configmap/eyaml/*public_key.pkcs7.pem /etc/puppetlabs/puppet/eyaml/keys/;
               chown puppet:puppet /etc/puppetlabs/puppet/eyaml/keys/*public_key.pkcs7.pem;
               {{- end }}
@@ -119,16 +117,14 @@ spec:
             - name: manifests-volume
               mountPath: /etc/puppetlabs/puppet/configmap/site.pp
               subPath: site.pp
-            {{- if .Values.hiera.eyaml.existingMap }}
+            {{- if and (.Values.hiera.eyaml.existingMap) (not .Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingSecret) }}
             - name: eyaml-volume
               mountPath: /etc/puppetlabs/puppet/configmap/eyaml
             {{- end }}
-            {{- if and (.Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.existingMap)}}
+            {{- if and (or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key)) (not .Values.hiera.eyaml.existingSecret)}}
             - name: eyamlpub-volume
               mountPath: /etc/puppetlabs/puppet/configmap/eyaml/public_key.pkcs7.pem
               subPath: public_key.pkcs7.pem
-            {{- end }}
-            {{- if and (.Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingMap)}}
             - name: eyamlpriv-volume
               mountPath: /etc/puppetlabs/puppet/configmap/eyaml/private_key.pkcs7.pem
               subPath: private_key.pkcs7.pem
@@ -288,20 +284,17 @@ spec:
         - name: eyaml-volume
           secret:
             secretName: {{ .Values.hiera.eyaml.existingSecret }}
-        {{- else if .Values.hiera.eyaml.existingMap }}
-        - name: eyaml-volume
-          configMap:
-            name: {{ .Values.hiera.eyaml.existingMap }}
-        {{- end }}
-        {{- if and (.Values.hiera.eyaml.public_key) (not .Values.hiera.eyaml.existingMap) (not .Values.hiera.eyaml.existingSecret)}}
+        {{- else if or (.Values.hiera.eyaml.public_key) (.Values.hiera.eyaml.private_key) }}
         - name: eyamlpub-volume
           secret:
             secretName: {{ template "puppetserver.hiera.publicSecret" . }}
-        {{- end }}
-        {{- if and (.Values.hiera.eyaml.private_key) (not .Values.hiera.eyaml.existingMap) (not .Values.hiera.eyaml.existingSecret)}}
         - name: eyamlpriv-volume
           secret:
             secretName: {{ template "puppetserver.hiera.privateSecret" . }}
+        {{- else if .Values.hiera.eyaml.existingMap }}
+        - name: eyaml-volume
+          configMap:
+            name: {{ .Values.hiera.eyaml.existingMap }}
         {{- end }}
         {{- if or (.Values.r10k.code.viaSsh.credentials.existingSecret) (and (.Values.r10k.code.viaSsh.credentials.ssh.value) (.Values.r10k.code.viaSsh.credentials.known_hosts.value)) }}
         - name: r10k-code-ssh