From 4f4e7dce5d1973209e9b5362d10dfa83680f522e Mon Sep 17 00:00:00 2001
From: Jacob Payne
Date: Wed, 12 Aug 2020 13:47:38 -0700
Subject: [PATCH] use secrets for certs and passwords
---
.../outputs/elasticsearch/output.yaml | 34 ++++++-------
.../outputs/elasticsearch/secret.yaml | 14 ------
.../templates/outputs/kafka/output.yaml | 36 ++++++-------
.../templates/outputs/kafka/secret.yaml | 28 -----------
.../templates/outputs/splunk/output.yaml | 6 +--
.../templates/outputs/splunk/secret.yaml | 11 ----
.../rancher-logging/rancher-logging.patch | 50 ++++++++++++++-----
7 files changed, 76 insertions(+), 103 deletions(-)
delete mode 100644 packages/rancher-logging/overlay/templates/outputs/elasticsearch/secret.yaml
delete mode 100644 packages/rancher-logging/overlay/templates/outputs/kafka/secret.yaml
delete mode 100644 packages/rancher-logging/overlay/templates/outputs/splunk/secret.yaml
diff --git a/packages/rancher-logging/overlay/templates/outputs/elasticsearch/output.yaml b/packages/rancher-logging/overlay/templates/outputs/elasticsearch/output.yaml
index 4f034d249..2ab2cc920 100644
--- a/packages/rancher-logging/overlay/templates/outputs/elasticsearch/output.yaml
+++ b/packages/rancher-logging/overlay/templates/outputs/elasticsearch/output.yaml
@@ -12,32 +12,32 @@ spec:
 {{- if .Values.elasticsearch.user }}
 user: {{ .Values.elasticsearch.user }}
 {{- end}}
- {{- if .Values.elasticsearch.password }}
+{{- if .Values.elasticsearch.password.secret_name }}
 password:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-elasticsearch
- key: "password"
- {{- end}}
- {{- if .Values.elasticsearch.client_cert }}
+ name: {{ .Values.elasticsearch.password.secret_name }}
+ key: {{ .Values.elasticsearch.password.key }}
+{{- end}}
+{{- if .Values.elasticsearch.client_cert.secret_name }}
 client_cert:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-elasticsearch
- key: "client_cert"
- {{- end}}
- {{- if .Values.elasticsearch.client_key }}
+ name: {{ .Values.elasticsearch.client_cert.secret_name }}
+ key: {{ .Values.elasticsearch.client_cert.key }}
+{{- end}}
+{{- if .Values.elasticsearch.client_key.secret_name }}
 client_key:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-elasticsearch
- key: "client_key"
- {{- end}}
- {{- if .Values.elasticsearch.client_key_pass }}
+ name: {{ .Values.elasticsearch.client_key.secret_name }}
+ key: {{ .Values.elasticsearch.client_key.key }}
+{{- end}}
+{{- if .Values.elasticsearch.client_key_pass.secret_name }}
 client_key_pass:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-elasticsearch
- key: "client_key_pass"
- {{- end}}
- {{- end }}
+ name: {{ .Values.elasticsearch.client_key_pass.secret_name }}
+ key: {{ .Values.elasticsearch.client_key_pass.key }}
+{{- end}}
+{{- end }}
diff --git a/packages/rancher-logging/overlay/templates/outputs/elasticsearch/secret.yaml b/packages/rancher-logging/overlay/templates/outputs/elasticsearch/secret.yaml
deleted file mode 100644
index 3c04c8b6f..000000000
--- a/packages/rancher-logging/overlay/templates/outputs/elasticsearch/secret.yaml
+++ /dev/null
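Review bot: The new `name:`/`key:` lines in each secretKeyRef are emitted as bare template output, so an empty or number-like `key` value is retyped by YAML (an empty `key` renders as `key:` → null, which the Output validation will most likely reject); pipe both through `quote`, e.g. `name: {{ .Values.elasticsearch.password.secret_name | quote }}` and `key: {{ .Values.elasticsearch.password.key | quote }}`. The guards `{{- if .Values.elasticsearch.password.secret_name }}` also turn each credential from a scalar into a map, so an existing override that still sets `elasticsearch.password: "..."` now fails at render time with a field-on-string error instead of being silently ignored; that is presumably intended, but it should be stated in the values comments. secretKeyRef carries no namespace, so the referenced Secret must already exist in the namespace the Output is created in — a one-line comment above the first guard would save users a failed rollout. The enclosing block that the final `{{- end }}` closes starts outside the hunk.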
@@ -1,14 +0,0 @@
-{{- if .Values.elasticsearch.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-elasticsearch
- labels:
-{{ include "logging-operator.labels" . | indent 4 }}
-type: Opaque
-data:
- password: {{ .Values.elasticsearch.password | b64enc | quote }}
- client_cert: {{ .Values.elasticsearch.client_cert | b64enc | quote }}
- client_key: {{ .Values.elasticsearch.client_key | b64enc | quote }}
- client_key_pass: {{ .Values.elasticsearch.client_key_pass | b64enc | quote }}
-{{- end }}
diff --git a/packages/rancher-logging/overlay/templates/outputs/kafka/output.yaml b/packages/rancher-logging/overlay/templates/outputs/kafka/output.yaml
index f321fd420..e7d9f2ab6 100644
--- a/packages/rancher-logging/overlay/templates/outputs/kafka/output.yaml
+++ b/packages/rancher-logging/overlay/templates/outputs/kafka/output.yaml
@@ -12,46 +12,46 @@ spec:
 format:
 type: json
- {{- if .Values.kakfa.username }}
+ {{- if .Values.kakfa.username.secret_name }}
 username:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-kafka
- key: "username"
+ name: {{ .Values.kakfa.username.secret_name }}
+ key: {{ .Values.kakfa.username.key }}
 {{- end }}
- {{- if .Values.kakfa.password }}
+ {{- if .Values.kakfa.password.secret_name }}
 password:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-kafka
- key: "password"
+ name: {{ .Values.kakfa.password.secret_name }}
+ key: {{ .Values.kakfa.password.key }}
 {{- end }}
- {{- if .Values.kakfa.ssl_ca_cert }}
+ {{- if .Values.kakfa.ssl_ca_cert.secret_name }}
 ssl_ca_cert:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-kafka
- key: "ssl_ca_cert"
+ name: {{ .Values.kakfa.ssl_ca_cert.secret_name }}
+ key: {{ .Values.kakfa.ssl_ca_cert.key }}
 {{- end }}
- {{- if .Values.kakfa.ssl_client_cert }}
+ {{- if .Values.kakfa.ssl_client_cert.secret_name }}
 ssl_client_cert:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-kafka
- key: "ssl_client_cert"
+ name: {{ .Values.kakfa.ssl_client_cert.secret_name }}
+ key: {{ .Values.kakfa.ssl_client_cert.key }}
 {{- end }}
- {{- if .Values.kakfa.ssl_client_cert_chain }}
+ {{- if .Values.kakfa.ssl_client_cert_chain.secret_name }}
 ssl_client_cert_chain:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-kafka
- key: "ssl_client_cert_chain"
+ name: {{ .Values.kakfa.ssl_client_cert_chain.secret_name }}
+ key: {{ .Values.kakfa.ssl_client_cert_chain.key }}
 {{- end }}
- {{- if .Values.kakfa.ssl_client_cert_key }}
+ {{- if .Values.kakfa.ssl_client_cert_key.secret_name }}
 ssl_client_cert_key:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-kafka
- key: "ssl_client_cert_key"
+ name: {{ .Values.kakfa.ssl_client_cert_key.secret_name }}
+ key: {{ .Values.kakfa.ssl_client_cert_key.key }}
 {{- end }}
 {{- end }}
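Review bot: Every new guard and reference in this hunk reads `.Values.kakfa.*`, while the values added later in this commit define the block as `kafka:` and the deleted secret template read `.Values.kafka.*`, so `.Values.kakfa` resolves to nothing; with the old scalar guards that silently dropped the SASL username/password and all TLS material from the rendered Output, and with the new `.secret_name` field access Helm is likely to abort rendering with a nil-pointer error as soon as the Kafka output is enabled. Rename to `.Values.kafka` throughout, e.g. `{{- if .Values.kafka.username.secret_name }}`, `name: {{ .Values.kafka.username.secret_name | quote }}`, `key: {{ .Values.kafka.username.key | quote }}` for the first block and likewise for password and the four ssl_* blocks. Quoting the `name:`/`key:` outputs (`| quote`) also prevents an empty or number-like key from being retyped by YAML. The enclosing `{{- if ... enabled }}` block that the final `{{- end }}` closes starts outside the hunk.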
diff --git a/packages/rancher-logging/overlay/templates/outputs/kafka/secret.yaml b/packages/rancher-logging/overlay/templates/outputs/kafka/secret.yaml
deleted file mode 100644
index b26384ca8..000000000
--- a/packages/rancher-logging/overlay/templates/outputs/kafka/secret.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.kafka.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-kafka
- labels:
-{{ include "logging-operator.labels" . | indent 4 }}
-type: Opaque
-data:
-{{- if .Values.kafka.username }}
- username: {{ .Values.kafka.username }}
-{{- end }}
-{{- if .Values.kafka.password }}
- password: {{ .Values.kafka.password }}
-{{- end }}
-{{- if .Values.kafka.ssl_ca_cert }}
- ssl_ca_cert: {{ .Values.kafka.ssl_ca_cert }}
-{{- end }}
-{{- if .Values.kafka.ssl_client_cert }}
- ssl_client_cert: {{ .Values.kafka.ssl_client_cert }}
-{{- end }}
-{{- if .Values.kafka.ssl_client_cert_chain }}
- ssl_client_cert_chain: {{ .Values.kafka.ssl_client_cert_chain }}
-{{- end }}
-{{- if .Values.kafka.ssl_client_cert_key }}
- ssl_client_cert_key: {{ .Values.kafka.ssl_client_cert_key }}
-{{- end }}
-{{- end }}
diff --git a/packages/rancher-logging/overlay/templates/outputs/splunk/output.yaml b/packages/rancher-logging/overlay/templates/outputs/splunk/output.yaml
index 60bd0bff0..60d8a97a0 100644
--- a/packages/rancher-logging/overlay/templates/outputs/splunk/output.yaml
+++ b/packages/rancher-logging/overlay/templates/outputs/splunk/output.yaml
@@ -8,12 +8,12 @@ spec:
 hec_host: {{ .Values.splunk.host }}
 hec_port: {{ .Values.splunk.port }}
 protocol: {{ .Values.splunk.protocol }}
-{{- if .Values.splunk.index }}
+{{- if .Values.splunk.token.secret_name }}
 hec_token:
 valueFrom:
 secretKeyRef:
- name: {{ .Release.Name }}-splunk
- key: "hec_token"
+ name: {{ .Values.splunk.token.secret_name }}
+ key: {{ .Values.splunk.token.key }}
 {{- end }}
 {{- if .Values.splunk.index }}
 index: {{ .Values.splunk.index }}
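Review bot: `name: {{ .Values.splunk.token.secret_name }}` and `key: {{ .Values.splunk.token.key }}` in the splunk hunk are emitted unquoted; pipe both through `quote` so an empty or number-like key is not retyped by YAML into null or an integer. With the new guard, an install that enables the Splunk output but leaves `token.secret_name` empty renders an Output with no `hec_token` at all and only fails later at the collector, so if HEC is never usable without a token it is better to fail at render time, e.g. `name: {{ required "splunk.token.secret_name is required" .Values.splunk.token.secret_name | quote }}`. The Secret is resolved without a namespace, so presumably it must exist in the namespace the Output lands in — worth a comment above `hec_token:`. The enclosing block that the context `{{- end }}` belongs to starts outside the hunk.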
diff --git a/packages/rancher-logging/overlay/templates/outputs/splunk/secret.yaml b/packages/rancher-logging/overlay/templates/outputs/splunk/secret.yaml
deleted file mode 100644
index 42d203a1d..000000000
--- a/packages/rancher-logging/overlay/templates/outputs/splunk/secret.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- if .Values.splunk.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Release.Name }}-splunk
- labels:
-{{ include "logging-operator.labels" . | indent 4 }}
-type: Opaque
-data:
- hec_token: {{ .Values.splunk.token | b64enc | quote }}
-{{- end }}
diff --git a/packages/rancher-logging/rancher-logging.patch b/packages/rancher-logging/rancher-logging.patch
index 41d55d79e..c097cd0e9 100644
--- a/packages/rancher-logging/rancher-logging.patch
+++ b/packages/rancher-logging/rancher-logging.patch
@@ -31,7 +31,7 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
-@@ -76,4 +76,48 @@
+@@ -76,4 +76,70 @@
 monitoring:
 # Create a Prometheus Operator ServiceMonitor object
 serviceMonitor:
@@ -44,10 +44,22 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
 + index_name: fluentd
 + scheme: http
 + user: ""
-+ password: ""
-+ client_cert: ""
-+ client_key: ""
-+ client_key_pass: ""
++ password:
++ secret_name: ""
++ key: "password"
++ ca_file:
++ secret_name: ""
++ key: "ca_file"
++ client_cert:
++ secret_name: ""
++ key: "client_cert"
++ client_key:
++ secret_name: ""
++ key: "client_key"
++ client_key_pass:
++ secret_name: ""
++ key: "client_key_pass"
++
 +
 +kafka:
 + enabled: false
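Review bot: The new `ca_file:` entry (`secret_name: ""` / `key: "ca_file"`) has no consumer anywhere this commit shows: the elasticsearch output template patched earlier renders only password, client_cert, client_key and client_key_pass, so a CA configured here is silently ignored and users cannot pin server-certificate verification through values even though the key suggests they can. Either wire it into the Output with a `ca_file:` secretKeyRef block mirroring the `client_cert:` one, or drop the key until that exists. The new `secret_name` fields also deserve a comment saying what changed for operators, e.g. `# name of an existing Secret in the release namespace; the chart no longer creates it`, since the deleted secret templates used to generate these objects from values. Next to `scheme: http` it is worth noting that the referenced password is sent in cleartext until `scheme` is switched to https.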
@@ -55,12 +67,24 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
 + default_topic: "fluentd"
 + sasl_over_ssl: false
 + scram_mechanism: "PLAIN"
-+ username: ""
-+ password: ""
-+ ssl_ca_cert: ""
-+ ssl_client_cert: ""
-+ ssl_client_cert_chain: ""
-+ ssl_client_cert_key: ""
++ username:
++ secret_name: ""
++ key: "username"
++ password:
++ secret_name: ""
++ key: "password"
++ ssl_ca_cert:
++ secret_name: ""
++ key: "ssl_ca_cert"
++ ssl_client_cert:
++ secret_name: ""
++ key: "ssl_client_cert"
++ ssl_client_cert_chain:
++ secret_name: ""
++ key: "ssl_client_cert_chain"
++ ssl_client_cert_key:
++ secret_name: ""
++ key: "ssl_client_cert_key"
 +
 +splunk:
 + enabled: false
@@ -68,7 +92,9 @@ diff -x '*.tgz' -x '*.lock' -uNr packages/rancher-logging/charts-original/values
 + port: 8088
 + protocol: http
 + index: rancher
-+ token: ""
++ token:
++ secret_name: ""
++ key: "token"
 + client_cert: ""
 + client_key: ""
 + insecure_ssl: false
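Review bot: The SASL `username:`/`password:` Secret references added in the kafka hunk sit directly under the pre-existing defaults `sasl_over_ssl: false` and `scram_mechanism: "PLAIN"`, so with stock values the credentials pulled from the Secret are presumably handed to the brokers over an unencrypted connection; a comment above `username:` such as `# SASL credentials are only protected in transit when sasl_over_ssl is true and ssl_ca_cert is set` makes that trade-off visible, and defaulting `sasl_over_ssl` to `true` is worth considering. The same applies to the splunk hunk that follows, where `token:` now comes from a Secret while the default `protocol: http` sends it in cleartext. Both `secret_name` fields should also state that the Secret must pre-exist in the release namespace, since the chart no longer creates it.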