feat(helmfile): Add templating support for Cassandra external secrets

Signed-off-by: Axel Lender <lender@b1-systems.de>

docs/external-secrets.md

@@ -11,6 +11,7 @@ This document covers how to utilise external secrets and special requirements.
 * [General](#general)
 * [Components](#components)
   * [MinIO](#minio)
+  * [Cassandra](#cassandra)
 <!-- TOC -->
 
 # General
@@ -38,3 +39,20 @@ stringData:
 ```
 
 Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them.
+## Cassandra
+
+Cassandra is pre-populated with information regarding Dovecot with a `cql` script. The openDesk default `initDB` setting is configured as follows:
+
+```yaml
+  initUserData.cql: >
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
+```
+
+This has to be adapted into a secret that also holds a `cql` script and is named in `initDBSecret`.

helmfile/apps/services-external/values-cassandra.yaml.gotmpl

@@ -20,7 +20,10 @@ containerSecurityContext:
 dbUser:
   user: "root"
   password: {{ .Values.secrets.cassandra.rootPassword | quote }}
-
+  existingSecret:
+    name: {{ .Values.externalSecrets.cassandra.existingSecret.name | quote }}
+    keyMapping:
+      cassandra-password: {{ .Values.externalSecrets.cassandra.existingSecret.passwordKey | quote }}
 global:
   imagePullSecrets:
     {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
@@ -35,6 +38,7 @@ ingress:
   annotations:
     {{ .Values.annotations.cassandra.ingress | toYaml | nindent 6 }}
 
+{{- if not .Values.externalSecrets.cassandra.initDBSecret }}
 initDB:
   initUserData.cql: >
     CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
@@ -45,6 +49,9 @@ initDB:
     CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
     ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
     GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
+{{- end }}
+
+initDBSecret: {{ .Values.externalSecrets.cassandra.initDBSecret | quote }}
 
 # Will print a warning if unset but is automatically calculated:
 jvm:

helmfile/environments/default/external_secrets.yaml.gotmpl

@@ -21,4 +21,9 @@ externalSecrets:
       name: ~
       passwordKey: ~
       usernameKey: ~
+  cassandra:
+    initDBSecret: ~
+    existingSecret:
+      name: ~
+      passwordKey: ~
 ...