feat: Allow specifying API Key via reference to an external Secret #72
Merged

initial
ekampf committed Dec 15, 2023
commit a27c44ff0414e6a7fb73814a59ca546ed5d7110d
20 changes: 20 additions & 0 deletions deploy/twingate-operator/templates/_helpers.tpl
@@ -60,3 +60,23 @@ Create the name of the service account to use
{{- default "twingate-operator" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{/*
Get the Secret object name
*/}}
{{- define "twingate-operator.secretName" -}}
{{- if .Values.twingateOperator.existingAPIKeySecret -}}
{{- printf "%s" (tpl .Values.twingateOperator.existingAPIKeySecret.name $) -}}
{{- else -}}
{{- default (include "twingate-operator.fullname" .) -}}
{{- end -}}

{{/*
Get the Secret object apikey key
*/}}
{{- define "twingate-operator.secretApiKey" -}}
{{- if .Values.twingateOperator.existingAPIKeySecret -}}
{{- printf "%s" (tpl .Values.twingateOperator.existingAPIKeySecret.key $) -}}
{{- else -}}
{{- printf "TWINGATE_API_KEY" -}}
{{- end -}}
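Review bot: Both new `define` blocks in this hunk are missing their closing `{{- end -}}`. `twingate-operator.secretName` opens with `{{- define "twingate-operator.secretName" -}}` and the only `{{- end -}}` that follows closes the inner `if`/`else`; `twingate-operator.secretApiKey` has the same shape, so the template file will fail to parse when the chart is rendered. Each block needs a second `{{- end -}}` after the one that closes the `if`. Separately, in the else branch `{{- default (include "twingate-operator.fullname" .) -}}` passes `default` a single argument, which is just a roundabout way of writing `{{- include "twingate-operator.fullname" . -}}`.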
9 changes: 5 additions & 4 deletions deploy/twingate-operator/templates/deployment.yaml
@@ -44,11 +44,12 @@ spec:
- "--verbose"
- "--liveness=http://0.0.0.0:8080/healthz"
- "--log-format={{ $logFormat }}"
envFrom:
- secretRef:
name: {{ include "twingate-operator.fullname" . }}
optional: false
env:
- name: TWINGATE_API_KEY
valueFrom:
secretKeyRef:
name: {{ include "twingate-operator.secretName" }}
key: {{ include "twingate-operator.secretApiKey" }}
- name: TWINGATE_NETWORK
value: {{ required "Network name required" .Values.twingateOperator.network }}
- name: TWINGATE_HOST
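Review bot: `{{ include "twingate-operator.secretName" }}` and `{{ include "twingate-operator.secretApiKey" }}` are called without the context argument; `include` takes a template name and a context, and both helpers read `.Values`, which is only reachable through that context. They should be `{{ include "twingate-operator.secretName" . }}` and `{{ include "twingate-operator.secretApiKey" . }}`. The move from `envFrom`/`secretRef` to a single `secretKeyRef` is a good change from a least-exposure standpoint: only the one key is injected into the container rather than every key in the Secret, which matters when the referenced Secret is shared with other workloads.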
6 changes: 4 additions & 2 deletions deploy/twingate-operator/templates/secrets.yaml
@@ -1,9 +1,11 @@
{{- if not .Values.twingateOperator.existingAPIKeySecret -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "twingate-operator.fullname" . }}
name: {{ include "twingate-operator.secretName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "twingate-operator.labels" . | nindent 4 }}
data:
TWINGATE_API_KEY: {{ required "API Key required" .Values.twingateOperator.apiKey | b64enc }}
{{ include "twingate-operator.secretApiKey" }}: {{ required "API Key required" .Values.twingateOperator.apiKey | b64enc }}
{{- end -}}
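Review bot: The map key on the `data:` line, `{{ include "twingate-operator.secretApiKey" }}`, also lacks the `.` context argument and should be `{{ include "twingate-operator.secretApiKey" . }}`; the `name:` line above it already passes the context correctly. The `if not .Values.twingateOperator.existingAPIKeySecret` guard is the right shape: when an external Secret is referenced the chart stops creating and managing its own, so the plaintext `apiKey` value never has to appear in values or in Helm release history in that mode, and the `required "API Key required"` check is only reachable in the inline branch where it belongs.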
36 changes: 35 additions & 1 deletion deploy/twingate-operator/values.schema.json
@@ -47,9 +47,43 @@
"type": "object",
"default": {},
"title": "The twingateOperator Schema",
"required": ["apiKey", "network", "remoteNetworkId"],
"oneOf": [
{
"required": ["apiKey", "network", "remoteNetworkId"]
},
{
"required": ["existingSecret", "network", "remoteNetworkId"]
}
],
"properties": {
"apiKey": { "type": "string" },
"existingAPIKeySecret": {
"type": "object",
"title": "An existing secret with the API Key to be used by the operator. If this is specified, the apiKey field will be ignored.",
Member


I don't think this is correct. When I pass in both twingateOperator.existingAPIKeySecret.name and twingateOperator.apiKey the apiKey is not ignored. It throws an error

helm template --debug -f values.yaml --set twingateOperator.existingAPIKeySecret.name=mysecret --set twingateOperator.existingAPIKeySecret.key=mykey --set twingateOperator.apiKey=test --set twingateOperator.network=test --set twingateOperator.remoteNetworkId=test .

Error: values don't meet the specifications of the schema(s) in the following chart(s):
twingate-operator:
- twingateOperator: Must validate one and only one schema (oneOf)

Contributor Author


You're right. I learned how to use oneOf :)
will update

"required": ["name", "key"],
"properties": {
"name": {
"type": "string",
"default": "",
"title": "The name of the Secret object",
"examples": [
"twingate-operator"
]
},
"key": {
"type": "string",
"default": "",
"title": "The key for the API Key value in the Secret object",
"examples": [
"TWINGATE_API_KEY"
]
}
},
"examples": [{
"name": "twingate-operator",
"key": "apiKey"
}]
},
"network": { "type": "string" },
"remoteNetworkId": { "type": "string" },
"logFormat": {
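Review bot: The second `oneOf` branch requires a property named `existingSecret`, but the property declared below it and consumed by the templates is `existingAPIKeySecret`, so that branch can never be satisfied and a values file that sets only `existingAPIKeySecret` fails validation. It should read `"required": ["existingAPIKeySecret", "network", "remoteNetworkId"]`. Once that is fixed, `oneOf` will reject values that set both `apiKey` and `existingAPIKeySecret`, which contradicts the `title` text ("the apiKey field will be ignored"); either reword the title to say the two are mutually exclusive, or use `anyOf` if ignoring `apiKey` is the intended behaviour. Since `network` and `remoteNetworkId` are required in both branches, they could also move to a top-level `required` list so the `oneOf` expresses only the `apiKey`/`existingAPIKeySecret` choice.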
3 changes: 3 additions & 0 deletions deploy/twingate-operator/values.yaml
@@ -4,6 +4,9 @@

twingateOperator: {}
Member

@twingate-blee twingate-blee Dec 18, 2023


Since apiKey, network, and remoteNetworkId are required, should we have those uncommented so people don't think they are optional?

Also maybe add a comment to either use apiKey or existingAPIKeySecret.

When not passing either there is an error

twingate-operator:
- twingateOperator: Must validate one and only one schema (oneOf)
- twingateOperator: apiKey is required

Should that be changed to "apiKey or existingAPIKeySecret.name is required"?

Contributor Author


I don't control that error information; it comes from schema validation...

Contributor Author


Re uncommenting: I want people to explicitly have to uncomment and put values there rather than run with default values, which will seem like it's working.

# apiKey: "<api key>"
# existingAPIKeySecret:
# name: my-secret
# key: TWINGATE_API_KEY
# network: "<network slug>"
# remoteNetworkId: "<remote network id>"
# logFormat: "plain|full|json"
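Review bot: The commented example lists `apiKey` and `existingAPIKeySecret` one after the other without saying they are alternatives, which is exactly the situation that produces the `Must validate one and only one schema (oneOf)` error quoted in the thread. A one-line comment above them, for example `# Provide exactly one of apiKey or existingAPIKeySecret`, would make the choice visible at the point where users edit the file. The example key here (`TWINGATE_API_KEY`) also differs from the schema's example (`"key": "apiKey"`); aligning the two avoids suggesting that the external Secret must use a particular key name.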