-
-
Save pastukhov/9e894a71e5793cc56a5096a3dc199f5e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: batch/v1 | |
| kind: Job | |
| metadata: | |
| name: "{{.Release.Name}}-secrets-generator-pre-install-job" | |
| labels: | |
| heritage: {{.Release.Service | quote }} | |
| release: {{.Release.Name | quote }} | |
| chart: "{{.Chart.Name}}-{{.Chart.Version}}" | |
| annotations: | |
| "helm.sh/hook": pre-install,pre-upgrade | |
| "helm.sh/hook-weight": "-5" | |
| "helm.sh/hook-delete-policy": before-hook-creation | |
| spec: | |
| template: | |
| metadata: | |
| name: "{{.Release.Name}}-secrets-generator-pre-install-job" | |
| labels: | |
| heritage: {{.Release.Service | quote }} | |
| release: {{.Release.Name | quote }} | |
| chart: "{{.Chart.Name}}-{{.Chart.Version}}" | |
| spec: | |
| restartPolicy: Never | |
| serviceAccountName: {{.Release.Name}}-secrets-generator-sa | |
| containers: | |
| - name: secrets-generator | |
| image: "{{ .Values.graylog.secretsGenerator.image.repository }}:{{ .Values.graylog.secretsGenerator.image.tag }}" | |
| imagePullPolicy: {{ .Values.graylog.secretsGenerator.image.pullPolicy }} | |
| command: | |
| - /bin/bash | |
| - -ec | |
| - | | |
| kubectl -n {{ .Release.Namespace }} get secret {{ template "graylog.fullname" . }}-secrets > /dev/null 2>&1 && echo "{{ template "graylog.fullname" . }}-secrets exist" || echo "$SECRET" | kubectl -n {{ .Release.Namespace }} create -f - | |
| env: | |
| - name: SECRET | |
| value: | | |
| {{ tpl (.Files.Get "resources/secrets.yaml") . | indent 12 }} |
ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{.Release.Name}}-secrets-generator-sa
labels:
heritage: {{.Release.Service | quote }}
release: {{.Release.Name | quote }}
chart: "{{.Chart.Name}}-{{.Chart.Version}}"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-15"
"helm.sh/hook-delete-policy": before-hook-creation
namespace: {{ .Release.Namespace }}
RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{.Release.Name}}-secrets-generator-rolebinding
labels:
heritage: {{.Release.Service | quote }}
release: {{.Release.Name | quote }}
chart: "{{.Chart.Name}}-{{.Chart.Version}}"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-10"
"helm.sh/hook-delete-policy": before-hook-creation
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: {{.Release.Name}}-secrets-generator-sa
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{.Release.Name}}-secrets-generator-role
resources/secrets.yaml
{{- $graylogPasswordSecret := randAlphaNum 128 }}
{{- $graylogAdminPassword := randAlphaNum 64 }}
---
apiVersion: v1
kind: Secret
metadata:
annotations:
"helm.sh/resource-policy": keep
name: {{ template "graylog.fullname" . }}-secrets
labels:
configVersion: v1
app: {{ template "graylog.name" . }}
chart: {{ template "graylog.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
type: Opaque
data:
GRAYLOG_PASSWORD_SECRET: {{ $graylogPasswordSecret | b64enc | quote }}
GRAYLOG_ROOT_PASSWORD_SHA2: {{ $graylogAdminPassword | sha256sum | b64enc | quote }}
GRAYLOG_ADMIN_PASSWORD: {{ $graylogAdminPassword | b64enc | quote }}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
role