From 6a3c73a09d19fa43b6e64f1d5f20177f7c38586a Mon Sep 17 00:00:00 2001
From: Axel Lender
Date: Wed, 11 Jun 2025 12:56:33 +0200
Subject: [PATCH] feat(helmfile): Add templating support for Cassandra external secrets

Signed-off-by: Axel Lender
---
 docs/external-secrets.md                      | 18 ++++++++++++++++++
 .../values-cassandra.yaml.gotmpl              |  9 ++++++++-
 .../default/external_secrets.yaml.gotmpl      |  5 +++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/docs/external-secrets.md b/docs/external-secrets.md
index c3bf46bb..ffc18895 100644
--- a/docs/external-secrets.md
+++ b/docs/external-secrets.md
@@ -11,6 +11,7 @@ This document covers how to utilise external secrets and special requirements.
 * [General](#general)
 * [Components](#components)
   * [MinIO](#minio)
+  * [Cassandra](#cassandra)
 
 # General
 
@@ -38,3 +39,20 @@ stringData:
 ```
 
 Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them.
+## Cassandra
+
+Cassandra is pre-populated with information regarding Dovecot with a `cql` script. The openDesk default `initDB` setting is configured as follows:
+
+```yaml
+  initUserData.cql: >
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
+    CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
+    CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
+    ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
+    GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
+```
+
+This has to be adapted into a secret that also holds a `cql` script and is named in `initDBSecret`.
diff --git a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
index a1fd9ae8..69554caf 100644
--- a/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
+++ b/helmfile/apps/services-external/values-cassandra.yaml.gotmpl
@@ -20,7 +20,10 @@ containerSecurityContext:
 dbUser:
   user: "root"
   password: {{ .Values.secrets.cassandra.rootPassword | quote }}
-
+  existingSecret:
+    name: {{ .Values.externalSecrets.cassandra.existingSecret.name | quote }}
+    keyMapping:
+      cassandra-password: {{ .Values.externalSecrets.cassandra.existingSecret.passwordKey | quote }}
 global:
   imagePullSecrets: {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
 
@@ -35,6 +38,7 @@ ingress:
   annotations: {{ .Values.annotations.cassandra.ingress | toYaml | nindent 6 }}
 
 
+{{- if not .Values.externalSecrets.cassandra.initDBSecret }}
 initDB:
   initUserData.cql: >
     CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
@@ -45,6 +49,9 @@ initDB:
     CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
     ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
     GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
+{{- end }}
+
+initDBSecret: {{ .Values.externalSecrets.cassandra.initDBSecret | quote }}
 
 # Will print a warning if unset but is automatically calculated:
 jvm:
diff --git a/helmfile/environments/default/external_secrets.yaml.gotmpl b/helmfile/environments/default/external_secrets.yaml.gotmpl
index 8e4581c7..9bc55232 100644
--- a/helmfile/environments/default/external_secrets.yaml.gotmpl
+++ b/helmfile/environments/default/external_secrets.yaml.gotmpl
@@ -21,4 +21,9 @@ externalSecrets:
       name: ~
       passwordKey: ~
       usernameKey: ~
+  cassandra:
+    initDBSecret: ~
+    existingSecret:
+      name: ~
+      passwordKey: ~
 ...
\ No newline at end of file
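Review bot: `password: {{ .Values.secrets.cassandra.rootPassword | quote }}` is still rendered unconditionally right above the new `existingSecret` block, so the inline root password keeps travelling through the release values even when an external Secret is meant to supply it, and with the default `existingSecret.name: ~` the chart receives an `existingSecret` entry whose `name` is empty. The `initDB` block later in this file is guarded with `{{- if not … }}`, and this block should follow the same pattern so the two credential sources are mutually exclusive; this assumes the chart treats `password` as the fallback when no `existingSecret` is given, which is worth confirming against the chart's values documentation. Rewritten `dbUser` block:
```yaml
dbUser:
  user: "root"
{{- if .Values.externalSecrets.cassandra.existingSecret.name }}
  existingSecret:
    name: {{ .Values.externalSecrets.cassandra.existingSecret.name | quote }}
    keyMapping:
      cassandra-password: {{ .Values.externalSecrets.cassandra.existingSecret.passwordKey | quote }}
{{- else }}
  password: {{ .Values.secrets.cassandra.rootPassword | quote }}
{{- end }}
# … unchanged: global / imagePullSecrets …
```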
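Review bot: The `{{- if not .Values.externalSecrets.cassandra.initDBSecret }}` opened here is only closed by the `{{- end }}` in the next hunk, and nothing in the file says why the inline script is conditional; a template comment above the guard would help, e.g. `{{- /* The inline initDB embeds the Dovecot role passwords in the rendered values; it is skipped when externalSecrets.cassandra.initDBSecret names a Secret that ships the cql script instead. */}}`. In the next hunk, `initDBSecret: {{ .Values.externalSecrets.cassandra.initDBSecret | quote }}` is emitted even when the value is `~`, which appears to rely on `quote` rendering nothing for a nil input so the key stays null; either note that in a comment or wrap the line in `{{- if .Values.externalSecrets.cassandra.initDBSecret }} … {{- end }}` to mirror the guard above, so an explicit empty string cannot produce both the inline script and an `initDBSecret: ""` entry.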
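Review bot: The new `cassandra` defaults carry no hint of what each key refers to, and `initDBSecret` in particular is not a credential key like its siblings but the name of a Secret that must contain the init cql script (per docs/external-secrets.md in this patch). A one-line comment above `initDBSecret: ~` would save the reader a lookup, e.g. `# Name of an existing Secret holding the init cql script; when set, the inline initDB block is not rendered`. The `existingSecret` block also has no `usernameKey`, unlike the block directly above it; if that is intentional because the values template only maps the password, a short comment saying so would keep it from being read as an omission.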