Skip to content

Instantly share code, notes, and snippets.

@pastukhov pastukhov/Job
Created Oct 9, 2018

Embed
What would you like to do?
---
apiVersion: batch/v1
kind: Job
metadata:
name: "{{.Release.Name}}-secrets-generator-pre-install-job"
labels:
heritage: {{.Release.Service | quote }}
release: {{.Release.Name | quote }}
chart: "{{.Chart.Name}}-{{.Chart.Version}}"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
template:
metadata:
name: "{{.Release.Name}}-secrets-generator-pre-install-job"
labels:
heritage: {{.Release.Service | quote }}
release: {{.Release.Name | quote }}
chart: "{{.Chart.Name}}-{{.Chart.Version}}"
spec:
restartPolicy: Never
serviceAccountName: {{.Release.Name}}-secrets-generator-sa
containers:
- name: secrets-generator
image: "{{ .Values.graylog.secretsGenerator.image.repository }}:{{ .Values.graylog.secretsGenerator.image.tag }}"
imagePullPolicy: {{ .Values.graylog.secretsGenerator.image.pullPolicy }}
command:
- /bin/bash
- -ec
- |
kubectl -n {{ .Release.Namespace }} get secret {{ template "graylog.fullname" . }}-secrets > /dev/null 2>&1 && echo "{{ template "graylog.fullname" . }}-secrets exist" || echo "$SECRET" | kubectl -n {{ .Release.Namespace }} create -f -
env:
- name: SECRET
value: |
{{ tpl (.Files.Get "resources/secrets.yaml") . | indent 12 }}
@pastukhov

This comment has been minimized.

Copy link
Owner Author

commented Oct 9, 2018

role

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: {{.Release.Name}}-secrets-generator-role
  labels:
    heritage: {{.Release.Service | quote }}
    release: {{.Release.Name | quote }}
    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-15"
    "helm.sh/hook-delete-policy": before-hook-creation
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "create"]
@pastukhov

This comment has been minimized.

Copy link
Owner Author

commented Oct 9, 2018

ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{.Release.Name}}-secrets-generator-sa
  labels:
    heritage: {{.Release.Service | quote }}
    release: {{.Release.Name | quote }}
    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-15"
    "helm.sh/hook-delete-policy": before-hook-creation
  namespace: {{ .Release.Namespace }}

@pastukhov

This comment has been minimized.

Copy link
Owner Author

commented Oct 9, 2018

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{.Release.Name}}-secrets-generator-rolebinding
  labels:
    heritage: {{.Release.Service | quote }}
    release: {{.Release.Name | quote }}
    chart: "{{.Chart.Name}}-{{.Chart.Version}}"
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-10"
    "helm.sh/hook-delete-policy": before-hook-creation
  namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
  name: {{.Release.Name}}-secrets-generator-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{.Release.Name}}-secrets-generator-role

@pastukhov

This comment has been minimized.

Copy link
Owner Author

commented Oct 9, 2018

resources/secrets.yaml

{{- $graylogPasswordSecret := randAlphaNum 128 }}
{{- $graylogAdminPassword := randAlphaNum 64 }}
---
apiVersion: v1
kind: Secret
metadata:
  annotations:
    "helm.sh/resource-policy": keep
  name: {{ template "graylog.fullname" . }}-secrets
  labels:
    configVersion: v1
    app: {{ template "graylog.name" . }}
    chart: {{ template "graylog.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  GRAYLOG_PASSWORD_SECRET: {{ $graylogPasswordSecret | b64enc | quote }}
  GRAYLOG_ROOT_PASSWORD_SHA2: {{ $graylogAdminPassword | sha256sum | b64enc | quote }}
  GRAYLOG_ADMIN_PASSWORD: {{ $graylogAdminPassword | b64enc | quote }}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.