Helm chart: allow using existing secrets for oncall secrets, slack, and telegram (#718)

* chart: allow to use oncall env from existing secret * chart: slack credentials from existing secret * chart: telegram token from existing secret * chart: fix mirage cipher IV length * chart: restore mirage cipher IV default and remove it from secret * chart: add keys for existing oncall secret * chart: add keys for existing slack secret * chart: add keys for existing telegram secret * chart: change key existingSecretName to existingSecret Co-authored-by: Ildar Iskhakov <Ildar.iskhakov@grafana.com>
2022-11-20 11:22:14 +07:00 · 2022-11-20 11:22:14 +07:00 · cb551d4bd5
commit cb551d4bd5
parent 671c3a74b9
3 changed files with 83 additions and 9 deletions
--- a/helm/oncall/templates/_env.tpl
+++ b/helm/oncall/templates/_env.tpl
@ -4,15 +4,15 @@
 - name: SECRET_KEY
  valueFrom:
    secretKeyRef:
-      name: {{ template "oncall.fullname" . }}
-      key: SECRET_KEY
+      name: {{ template "snippet.oncall.secret.name" . }}
+      key: {{ template "snippet.oncall.secret.secretKey" . }}
 - name: MIRAGE_SECRET_KEY
  valueFrom:
    secretKeyRef:
-      name: {{ template "oncall.fullname" . }}
-      key: MIRAGE_SECRET_KEY
+      name: {{ template "snippet.oncall.secret.name" . }}
+      key: {{ template "snippet.oncall.secret.mirageSecretKey" . }}
 - name: MIRAGE_CIPHER_IV
-  value: "1234567890abcdef"
+  value: "{{ .Values.oncall.mirageCipherIV | default "1234567890abcdef" }}"
 - name: DJANGO_SETTINGS_MODULE
  value: "settings.helm"
 - name: AMIXR_DJANGO_ADMIN_PATH
@ -25,18 +25,60 @@
  value: {{ .Values.broker.type | default "rabbitmq" }}
 {{- end -}}

+{{- define "snippet.oncall.secret.name" -}}
+{{- if .Values.oncall.secrets.existingSecret -}}
+{{ .Values.oncall.secrets.existingSecret }}
+{{- else -}}
+{{ template "oncall.fullname" . }}
+{{- end -}}
+{{- end -}}
+
+{{- define "snippet.oncall.secret.secretKey" -}}
+{{- if .Values.oncall.secrets.existingSecret -}}
+{{ required "oncall.secrets.secretKey is required if oncall.secret.existingSecret is not empty" .Values.oncall.secrets.secretKey }}
+{{- else -}}
+SECRET_KEY
+{{- end -}}
+{{- end -}}
+
+{{- define "snippet.oncall.secret.mirageSecretKey" -}}
+{{- if .Values.oncall.secrets.existingSecret -}}
+{{ required "oncall.secrets.mirageSecretKey is required if oncall.secret.existingSecret is not empty" .Values.oncall.secrets.mirageSecretKey }}
+{{- else -}}
+MIRAGE_SECRET_KEY
+{{- end -}}
+{{- end -}}
+
 {{- define "snippet.oncall.slack.env" -}}
 {{- if .Values.oncall.slack.enabled -}}
 - name: FEATURE_SLACK_INTEGRATION_ENABLED
  value: {{ .Values.oncall.slack.enabled | toString | title | quote }}
 - name: SLACK_SLASH_COMMAND_NAME
  value: "/{{ .Values.oncall.slack.commandName | default "oncall" }}"
+{{- if .Values.oncall.slack.existingSecret }}
+- name: SLACK_CLIENT_OAUTH_ID
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.oncall.slack.existingSecret }}
+      key: {{ required "oncall.slack.clientIdKey is required if oncall.slack.existingSecret is not empty" .Values.oncall.slack.clientIdKey }}
+- name: SLACK_CLIENT_OAUTH_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.oncall.slack.existingSecret }}
+      key: {{ required "oncall.slack.clientSecretKey is required if oncall.slack.existingSecret is not empty" .Values.oncall.slack.clientSecretKey }}
+- name: SLACK_SIGNING_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.oncall.slack.existingSecret }}
+      key: {{ required "oncall.slack.signingSecretKey is required if oncall.slack.existingSecret is not empty" .Values.oncall.slack.signingSecretKey }}
+{{- else }}
 - name: SLACK_CLIENT_OAUTH_ID
  value: {{ .Values.oncall.slack.clientId | default "" | quote }}
 - name: SLACK_CLIENT_OAUTH_SECRET
  value: {{ .Values.oncall.slack.clientSecret | default "" | quote }}
 - name: SLACK_SIGNING_SECRET
  value: {{ .Values.oncall.slack.signingSecret | default "" | quote }}
+{{- end }}
 - name: SLACK_INSTALL_RETURN_REDIRECT_HOST
  value: {{ .Values.oncall.slack.redirectHost | default (printf "https://%s" .Values.base_url) | quote }}
 {{- else -}}
@ -51,8 +93,16 @@
  value: {{ .Values.oncall.telegram.enabled | toString | title | quote }}
 - name: TELEGRAM_WEBHOOK_HOST
  value: {{ .Values.oncall.telegram.webhookUrl | default "" | quote }}
+{{- if .Values.oncall.telegram.existingSecret }}
+- name: TELEGRAM_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.oncall.telegram.existingSecret }}
+      key: {{ required "oncall.telegram.tokenKey is required if oncall.telegram.existingSecret is not empty" .Values.oncall.telegram.tokenKey }}
+{{- else }}
 - name: TELEGRAM_TOKEN
  value: {{ .Values.oncall.telegram.token | default "" | quote }}
+{{- end }}
 {{- else -}}
 - name: FEATURE_TELEGRAM_INTEGRATION_ENABLED
  value: {{ .Values.oncall.telegram.enabled | toString | title | quote }}
--- a/helm/oncall/templates/secrets.yaml
+++ b/helm/oncall/templates/secrets.yaml
@ -1,3 +1,4 @@
+{{- if not .Values.oncall.secrets.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@ -6,10 +7,9 @@ metadata:
    {{- include "oncall.labels" . | nindent 4 }}
 type: Opaque
 data:
-  SECRET_KEY: {{ randAlphaNum 40 | b64enc | quote }}
-  MIRAGE_SECRET_KEY: {{ randAlphaNum 40 | b64enc | quote }}
-  MIRAGE_CIPHER_IV: {{ randAlphaNum 40 | b64enc | quote }}
-
+  {{ template "snippet.oncall.secret.secretKey" . }}: {{ randAlphaNum 40 | b64enc | quote }}
+  {{ template "snippet.oncall.secret.mirageSecretKey" . }}: {{ randAlphaNum 40 | b64enc | quote }}
+{{- end }}
 ---
 {{ if and (not .Values.mariadb.enabled) (eq .Values.database.type "mysql") -}}
 apiVersion: v1
--- a/helm/oncall/values.yaml
+++ b/helm/oncall/values.yaml
@ -68,6 +68,17 @@ celery:
    #   memory: 128Mi

 oncall:
+  # Override default MIRAGE_CIPHER_IV (must be 16 bytes long)
+  # For existing installation, this should not be changed.
+  # mirageCipherIV: 1234567890abcdef
+  # oncall secrets
+  secrets:
+    # Use existing secret. (secretKey and mirageSecretKey is required)
+    existingSecret: ""
+    # the key in the secret containing secret key
+    secretKey: ""
+    # the key in the secret containing mirage secret key
+    mirageSecretKey: ""
  # slack configures the Grafana Oncall Slack ChatOps integration.
  slack:
    # enabled enable the Slack ChatOps integration for the Oncall Engine.
@ -84,12 +95,25 @@ oncall:
    # requests comming from Slack.
    # api.slack.com/apps/<yourApp> -> Basic Information -> App Credentials -> Signing Secret
    signingSecret: ~
+    # Use existing secret for clientId, clientSecret and signingSecret.
+    # clientIdKey, clientSecretKey and signingSecretKey are required
+    existingSecret: ""
+    # the key in the secret containing OAuth2 client ID
+    clientIdKey: ""
+    # the key in the secret containing OAuth2 client secret
+    clientSecretKey: ""
+    # the key in the secret containing the Slack app signature secret
+    signingSecretKey: ""
    # OnCall external URL
    redirectHost: ~
  telegram:
    enabled: false
    token: ~
    webhookUrl: ~
+    # Use exsting secret. (tokenKey is required)
+    existingSecret: ""
+    # the key in the secret containing Telegram token
+    tokenKey: ""
  smtp:
    enabled: false
    host: ~