Merge pull request #539 from paynejacob/logging-secrets

use secrets for certs and passwords
2020-08-14 10:20:47 -07:00 · 2020-08-14 10:20:47 -07:00 · 444367b353
parent abde68fd7a 4f4e7dce5d
commit 444367b353
7 changed files with 76 additions and 103 deletions
--- a/packages/rancher-logging/overlay/templates/outputs/elasticsearch/output.yaml
+++ b/packages/rancher-logging/overlay/templates/outputs/elasticsearch/output.yaml
@ -12,32 +12,32 @@ spec:
  {{- if .Values.elasticsearch.user }}
 user: {{ .Values.elasticsearch.user }}
  {{- end}}
-  {{- if .Values.elasticsearch.password }}
+{{- if .Values.elasticsearch.password.secret_name }}
 password:
  valueFrom:
    secretKeyRef:
-      name: {{ .Release.Name }}-elasticsearch
-      key: "password"
-  {{- end}}
-  {{- if .Values.elasticsearch.client_cert }}
+      name: {{ .Values.elasticsearch.password.secret_name }}
+      key: {{ .Values.elasticsearch.password.key }}
+{{- end}}
+{{- if .Values.elasticsearch.client_cert.secret_name }}
 client_cert:
  valueFrom:
    secretKeyRef:
-      name: {{ .Release.Name }}-elasticsearch
-      key: "client_cert"
-  {{- end}}
-  {{- if .Values.elasticsearch.client_key }}
+      name: {{ .Values.elasticsearch.client_cert.secret_name }}
+      key: {{ .Values.elasticsearch.client_cert.key }}
+{{- end}}
+{{- if .Values.elasticsearch.client_key.secret_name }}
 client_key:
  valueFrom:
    secretKeyRef:
-      name: {{ .Release.Name }}-elasticsearch
-      key: "client_key"
-  {{- end}}
-  {{- if .Values.elasticsearch.client_key_pass }}
+      name: {{ .Values.elasticsearch.client_key.secret_name }}
+      key: {{ .Values.elasticsearch.client_key.key }}
+{{- end}}
+{{- if .Values.elasticsearch.client_key_pass.secret_name }}
 client_key_pass:
  valueFrom:
    secretKeyRef:
-      name: {{ .Release.Name }}-elasticsearch
-      key: "client_key_pass"
-  {{- end}}
-  {{- end }}
+      name: {{ .Values.elasticsearch.client_key_pass.secret_name }}
+      key: {{ .Values.elasticsearch.client_key_pass.key }}
+{{- end}}
+{{- end }}
--- a/packages/rancher-logging/overlay/templates/outputs/elasticsearch/secret.yaml
+++ b/packages/rancher-logging/overlay/templates/outputs/elasticsearch/secret.yaml
@ -1,14 +0,0 @@
-{{- if .Values.elasticsearch.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-elasticsearch
-  labels:
-{{ include "logging-operator.labels" . | indent 4 }}
-type: Opaque
-data:
-  password: {{ .Values.elasticsearch.password | b64enc | quote }}
-  client_cert: {{ .Values.elasticsearch.client_cert | b64enc | quote }}
-  client_key: {{ .Values.elasticsearch.client_key | b64enc | quote }}
-  client_key_pass: {{ .Values.elasticsearch.client_key_pass | b64enc | quote }}
-{{- end }}
--- a/packages/rancher-logging/overlay/templates/outputs/kafka/output.yaml
+++ b/packages/rancher-logging/overlay/templates/outputs/kafka/output.yaml
@ -12,46 +12,46 @@ spec:
    format:
      type: json

-  {{- if .Values.kakfa.username }}
+  {{- if .Values.kakfa.username.secret_name }}
    username:
      valueFrom:
        secretKeyRef:
-          name: {{ .Release.Name }}-kafka
-          key: "username"
+          name: {{ .Values.kakfa.username.secret_name }}
+          key: {{ .Values.kakfa.username.key }}
  {{- end }}
-  {{- if .Values.kakfa.password }}
+  {{- if .Values.kakfa.password.secret_name }}
    password:
      valueFrom:
        secretKeyRef:
-          name: {{ .Release.Name }}-kafka
-          key: "password"
+          name: {{ .Values.kakfa.password.secret_name }}
+          key: {{ .Values.kakfa.password.key }}
  {{- end }}
-  {{- if .Values.kakfa.ssl_ca_cert }}
+  {{- if .Values.kakfa.ssl_ca_cert.secret_name }}
    ssl_ca_cert:
      valueFrom:
        secretKeyRef:
-          name: {{ .Release.Name }}-kafka
-          key: "ssl_ca_cert"
+          name: {{ .Values.kakfa.ssl_ca_cert.secret_name }}
+          key: {{ .Values.kakfa.ssl_ca_cert.key }}
  {{- end }}
-  {{- if .Values.kakfa.ssl_client_cert }}
+  {{- if .Values.kakfa.ssl_client_cert.secret_name }}
    ssl_client_cert:
      valueFrom:
        secretKeyRef:
-          name: {{ .Release.Name }}-kafka
-          key: "ssl_client_cert"
+          name: {{ .Values.kakfa.ssl_client_cert.secret_name }}
+          key: {{ .Values.kakfa.ssl_client_cert.key }}
  {{- end }}
-  {{- if .Values.kakfa.ssl_client_cert_chain }}
+  {{- if .Values.kakfa.ssl_client_cert_chain.secret_name }}
    ssl_client_cert_chain:
      valueFrom:
        secretKeyRef:
-          name: {{ .Release.Name }}-kafka
-          key: "ssl_client_cert_chain"
+          name: {{ .Values.kakfa.ssl_client_cert_chain.secret_name }}
+          key: {{ .Values.kakfa.ssl_client_cert_chain.key }}
  {{- end }}
-  {{- if .Values.kakfa.ssl_client_cert_key }}
+  {{- if .Values.kakfa.ssl_client_cert_key.secret_name }}
    ssl_client_cert_key:
      valueFrom:
        secretKeyRef:
-          name: {{ .Release.Name }}-kafka
-          key: "ssl_client_cert_key"
+          name: {{ .Values.kakfa.ssl_client_cert_key.secret_name }}
+          key: {{ .Values.kakfa.ssl_client_cert_key.key }}
  {{- end }}
 {{- end }}
--- a/packages/rancher-logging/overlay/templates/outputs/kafka/secret.yaml
+++ b/packages/rancher-logging/overlay/templates/outputs/kafka/secret.yaml
@ -1,28 +0,0 @@
-{{- if .Values.kafka.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-kafka
-  labels:
-{{ include "logging-operator.labels" . | indent 4 }}
-type: Opaque
-data:
-{{- if .Values.kafka.username }}
-  username: {{ .Values.kafka.username }}
-{{- end }}
-{{- if .Values.kafka.password }}
-  password: {{ .Values.kafka.password }}
-{{- end }}
-{{- if .Values.kafka.ssl_ca_cert }}
-  ssl_ca_cert: {{ .Values.kafka.ssl_ca_cert }}
-{{- end }}
-{{- if .Values.kafka.ssl_client_cert }}
-  ssl_client_cert: {{ .Values.kafka.ssl_client_cert }}
-{{- end }}
-{{- if .Values.kafka.ssl_client_cert_chain }}
-  ssl_client_cert_chain: {{ .Values.kafka.ssl_client_cert_chain }}
-{{- end }}
-{{- if .Values.kafka.ssl_client_cert_key }}
-  ssl_client_cert_key: {{ .Values.kafka.ssl_client_cert_key }}
-{{- end }}
-{{- end }}
--- a/packages/rancher-logging/overlay/templates/outputs/splunk/output.yaml
+++ b/packages/rancher-logging/overlay/templates/outputs/splunk/output.yaml
@ -8,12 +8,12 @@ spec:
    hec_host: {{ .Values.splunk.host }}
    hec_port: {{ .Values.splunk.port }}
    protocol: {{ .Values.splunk.protocol }}
-{{- if .Values.splunk.index }}
+{{- if .Values.splunk.token.secret_name }}
    hec_token:
      valueFrom:
        secretKeyRef:
-          name: {{ .Release.Name }}-splunk
-          key: "hec_token"
+          name: {{ .Values.splunk.token.secret_name }}
+          key: {{ .Values.splunk.token.key }}
  {{- end }}
 {{- if .Values.splunk.index }}
    index: {{ .Values.splunk.index }}
--- a/packages/rancher-logging/overlay/templates/outputs/splunk/secret.yaml
+++ b/packages/rancher-logging/overlay/templates/outputs/splunk/secret.yaml
@ -1,11 +0,0 @@
-{{- if .Values.splunk.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-splunk
-  labels:
-{{ include "logging-operator.labels" . | indent 4 }}
-type: Opaque
-data:
-  hec_token: {{ .Values.splunk.token | b64enc | quote }}
-{{- end }}
--- a/packages/rancher-logging/rancher-logging.patch
+++ b/packages/rancher-logging/rancher-logging.patch
@ -31,7 +31,7 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
-@@ -76,4 +76,48 @@
+@@ -76,4 +76,70 @@
 monitoring:
   # Create a Prometheus Operator ServiceMonitor object
   serviceMonitor:
@ -44,10 +44,22 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
 +  index_name: fluentd
 +  scheme: http
 +  user: ""
-+  password: ""
-+  client_cert: ""
-+  client_key: ""
-+  client_key_pass: ""
+  password:
+    secret_name: ""
+    key: "password"
+  ca_file:
+    secret_name: ""
+    key: "ca_file"
+  client_cert:
+    secret_name: ""
+    key: "client_cert"
+  client_key:
+    secret_name: ""
+    key: "client_key"
+  client_key_pass:
+    secret_name: ""
+    key: "client_key_pass"
+
 +
 +kafka:
 +  enabled: false
@ -55,12 +67,24 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
 +  default_topic: "fluentd"
 +  sasl_over_ssl: false
 +  scram_mechanism: "PLAIN"
-+  username: ""
-+  password: ""
-+  ssl_ca_cert: ""
-+  ssl_client_cert: ""
-+  ssl_client_cert_chain: ""
-+  ssl_client_cert_key: ""
+  username:
+    secret_name: ""
+    key: "username"
+  password:
+    secret_name: ""
+    key: "password"
+  ssl_ca_cert:
+    secret_name: ""
+    key: "ssl_ca_cert"
+  ssl_client_cert:
+    secret_name: ""
+    key: "ssl_client_cert"
+  ssl_client_cert_chain:
+    secret_name: ""
+    key: "ssl_client_cert_chain"
+  ssl_client_cert_key:
+    secret_name: ""
+    key: "ssl_client_cert_key"
 +
 +splunk:
 +  enabled: false
@ -68,7 +92,9 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
 +  port: 8088
 +  protocol: http
 +  index: rancher
-+  token: ""
+  token:
+    secret_name: ""
+    key: "token"
 +  client_cert: ""
 +  client_key: ""
 +  insecure_ssl: false