feat(helmfile): Add templating support for Cassandra external secrets

Signed-off-by: Axel Lender <lender@b1-systems.de>
Axel Lender
2025-06-11 12:56:33 +02:00
parent 42773e62eb
commit 6a3c73a09d
3 changed files with 31 additions and 1 deletions

View File

@@ -11,6 +11,7 @@ This document covers how to utilise external secrets and special requirements.
* [General](#general) * [General](#general)
* [Components](#components) * [Components](#components)
* [MinIO](#minio) * [MinIO](#minio)
* [Cassandra](#cassandra)
<!-- TOC --> <!-- TOC -->
# General # General
@@ -38,3 +39,20 @@ stringData:
``` ```
Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them. Further we need the credentials introduced at MinIO in various other components that didn't implement the special format from MinIO. Hence we have to create key-value-pairs of the passwords for them.
## Cassandra
Cassandra is pre-populated with information regarding Dovecot with a `cql` script. The openDesk default `initDB` setting is configured as follows:
```yaml
initUserData.cql: >
CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.username | quote }};
ALTER ROLE {{ .Values.databases.dovecotDictmap.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotDictmapUser "''" | squote }} AND LOGIN = true;
GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotDictmap.name | quote }} TO {{ .Values.databases.dovecotDictmap.username | quote }};
CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotACL.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
```
This has to be adapted into a secret that also holds a `cql` script and is named in `initDBSecret`.
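Review bot: the new section documents only `initDBSecret`, but the same commit also introduces `externalSecrets.cassandra.existingSecret.name` and `passwordKey` for the root password (the `dbUser.existingSecret` block in the values template); add a sentence naming that option and the secret key the root password is read from, otherwise readers have to discover it from the template. For the `initDBSecret` paragraph itself, "a secret that also holds a `cql` script" should say which data key the chart expects (the default script is stored under `initUserData.cql`), and it should state that the inline `initDB` block is dropped entirely once `initDBSecret` is set, so the external script must recreate both keyspaces and both roles with the passwords Dovecot is configured to use, applying the same `'` to `''` escaping the default does with `regexReplaceAll "'" ... "''" | squote`; a password containing an unescaped single quote would otherwise break the `ALTER ROLE` statement.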

View File

@@ -20,7 +20,10 @@ containerSecurityContext:
dbUser: dbUser:
user: "root" user: "root"
password: {{ .Values.secrets.cassandra.rootPassword | quote }} password: {{ .Values.secrets.cassandra.rootPassword | quote }}
existingSecret:
name: {{ .Values.externalSecrets.cassandra.existingSecret.name | quote }}
keyMapping:
cassandra-password: {{ .Values.externalSecrets.cassandra.existingSecret.passwordKey | quote }}
global: global:
imagePullSecrets: imagePullSecrets:
{{ .Values.global.imagePullSecrets | toYaml | nindent 4 }} {{ .Values.global.imagePullSecrets | toYaml | nindent 4 }}
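Review bot: `dbUser.password` and `dbUser.existingSecret` are now both rendered unconditionally, so when an operator sets `externalSecrets.cassandra.existingSecret.name` the inline root password from `.Values.secrets.cassandra.rootPassword` is still emitted into the rendered values (and with it into the Helm release data). Mirror the `{{- if not .Values.externalSecrets.cassandra.initDBSecret }}` guard used for `initDB` below: render `password:` only when no existing secret is configured and the `existingSecret` block only when one is. Note also that with the default `name: ~` this hunk renders `name: ""` and `cassandra-password: ""`; that is only safe if the upstream chart treats an empty `existingSecret.name` as unset, which is worth confirming against the chart's secret helper before merging.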
@@ -35,6 +38,7 @@ ingress:
annotations: annotations:
{{ .Values.annotations.cassandra.ingress | toYaml | nindent 6 }} {{ .Values.annotations.cassandra.ingress | toYaml | nindent 6 }}
{{- if not .Values.externalSecrets.cassandra.initDBSecret }}
initDB: initDB:
initUserData.cql: > initUserData.cql: >
CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 }; CREATE KEYSPACE IF NOT EXISTS {{ .Values.databases.dovecotDictmap.name | quote }} WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 1 };
@@ -45,6 +49,9 @@ initDB:
CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }}; CREATE ROLE IF NOT EXISTS {{ .Values.databases.dovecotACL.username | quote }};
ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true; ALTER ROLE {{ .Values.databases.dovecotACL.username | quote }} WITH PASSWORD = {{ regexReplaceAll "'" .Values.secrets.cassandra.dovecotACLUser "''" | squote }} AND LOGIN = true;
GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }}; GRANT ALL ON KEYSPACE {{ .Values.databases.dovecotACL.name | quote }} TO {{ .Values.databases.dovecotACL.username | quote }};
{{- end }}
initDBSecret: {{ .Values.externalSecrets.cassandra.initDBSecret | quote }}
# Will print a warning if unset but is automatically calculated: # Will print a warning if unset but is automatically calculated:
jvm: jvm:
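Review bot: the `{{- if not ... }}` / `{{- end }}` pair removes the whole inline `initDB` block as soon as `initDBSecret` is set, which means the `dovecotDictmap` and `dovecotACL` keyspaces, roles and role passwords from `.Values.secrets.cassandra.*` are no longer applied at all; add a template comment next to `{{- end }}` stating that an external `initDBSecret` must carry equivalent `CREATE KEYSPACE`, `CREATE ROLE`, `ALTER ROLE ... WITH PASSWORD` and `GRANT` statements, since a mismatch only shows up later as Dovecot failing to authenticate. `initDBSecret: {{ ... | quote }}` renders `initDBSecret: ""` with the default `~`, which relies on the chart ignoring an empty string; the `if not` test treats nil and empty string the same way, so at least the two sides of the switch stay consistent.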

View File

@@ -21,4 +21,9 @@ externalSecrets:
name: ~ name: ~
passwordKey: ~ passwordKey: ~
usernameKey: ~ usernameKey: ~
cassandra:
initDBSecret: ~
existingSecret:
name: ~
passwordKey: ~
... ...
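Review bot: the new `cassandra` block has no `usernameKey`, unlike the preceding block (`name`, `passwordKey`, `usernameKey`), and the values template keeps `user: "root"` hardcoded while mapping only `cassandra-password`; if that is intentional, add a comment here saying the root username is not configurable through the external secret. Also document what `initDBSecret` must contain (the name of a Secret whose data keys are CQL script files, e.g. `initUserData.cql`) so the defaults file stays self-describing.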