feat: Helm-Chart Support External Secret Operator / feat: support for reload when secret changed

Author: tkcontiant

charts/ext-postgres-operator/Chart.yaml

@@ -8,5 +8,5 @@ description: |
 
 type: application
 
-version: 2.1.0
+version: 2.1.1
 appVersion: "2.0.0"

charts/ext-postgres-operator/templates/external-secret.yaml

@@ -0,0 +1,35 @@
+{{- if and (.Capabilities.APIVersions.Has "external-secrets.io/v1beta1") (.Values.ExternalSecret) }}
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ include "chart.fullname" . }}-external-secret
+  namespace: {{ if .Values.ExternalSecret.namespace }}{{ .Values.ExternalSecret.namespace }}{{ else }}{{ .Release.Namespace }}{{ end }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+spec:
+  refreshInterval: {{ .Values.ExternalSecret.refreshInterval | default "2s"}}
+  secretStoreRef:
+    kind: {{ .Values.ExternalSecret.secretStoreKind | default "SecretStore" }}
+    name: {{ .Values.ExternalSecret.secretStore | quote }}
+  target:
+    creationPolicy: Owner
+    deletionPolicy: Retain
+    name: {{ include "chart.fullname" . }}
+    template:
+      data:
+        POSTGRES_HOST: {{ .Values.postgres.host | quote }}
+        POSTGRES_USER: "{{ `{{ .username }}` }}"
+        POSTGRES_PASS: "{{ `{{ .password }}` }}"
+        POSTGRES_URI_ARGS: {{ .Values.postgres.uri_args | quote }}
+        POSTGRES_CLOUD_PROVIDER: {{ .Values.postgres.cloud_provider | quote }}
+        POSTGRES_DEFAULT_DATABASE: {{ .Values.postgres.default_database | quote }}
+  data:
+    - secretKey: username
+      remoteRef:
+        key: {{ .Values.ExternalSecret.remoteKey | quote }}
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: {{ .Values.ExternalSecret.remoteKey | quote }}
+        property: password
+{{- end }}

charts/ext-postgres-operator/templates/operator.yaml

@@ -7,6 +7,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   {{- with .Values.deploymentAnnotations }}
   annotations:
+    checksum/env_config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+    checksum/env_config: {{ include (print $.Template.BasePath "/external-secret.yaml") . | sha256sum }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:

charts/ext-postgres-operator/templates/secret.yaml

@@ -1,12 +1,12 @@
-{{- if (not .Values.existingSecret) }}
+{{- if and (not .Values.existingSecret) (not .Values.ExternalSecret) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
   annotations:
     "helm.sh/resource-policy": keep
   name: {{ include "chart.fullname" . }}
-  namespace: {{ .Release.namespace }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "chart.labels" . | nindent 4 }}
 type: Opaque

charts/ext-postgres-operator/templates/serviceaccount.yaml

@@ -9,4 +9,4 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   namespace: {{ .Release.Namespace }}
-
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}

charts/ext-postgres-operator/values.yaml

@@ -4,7 +4,7 @@
 
 replicaCount: 1
 
-revisionHistoryLimit: 10
+revisionHistoryLimit: 3
 
 image:
   repository: ghcr.io/movetokube/postgres-operator
@@ -27,12 +27,13 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
+  automount: true
 
 deploymentAnnotations: {}
 
 podAnnotations: {}
 
-# Additionnal labels to add to the pod.
+# Additional labels to add to the pod.
 podLabels: {}
 
 podSecurityContext:
@@ -45,8 +46,7 @@ securityContext:
     drop:
       - "ALL"
 
-resources:
-  {}
+resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -79,11 +79,11 @@ watchNamespace: ""
 # Define connection to postgres database server
 postgres:
   # postgres hostname
-  host: "localhost"
-  # postgres admin user and password
-  user: "admin"
-  password: "password"
-  # additional connection args to pg driver
+  host: "xxxxxxxxxx"
+  # postgres admin user and password ( ignored if existingSecret or ExternalSecret is set )
+  user: "XXXXXXXXXX"
+  password: "XXXXXXXXXX"
+  # additional connection args to pg driver (Example "sslmode=disable")
   uri_args: ""
   # postgres cloud provider, could be AWS, Azure, GCP or empty (default)
   cloud_provider: ""
@@ -98,10 +98,21 @@ volumeMounts: []
 
 # Existing secret where values to connect to Postgres are defined.
 # If not set a new secret will be created, filled with information under the postgres key above.
+# If ExternalSecret is set, existingSecret is ignored.
 existingSecret: ""
 
-# Additionnal environment variables to add to the pod (map of key / value)
-env: {}
+# Support for ExternalSecret Operator to fetch Postgres credentials from an external secret store.
+ExternalSecret: {}
+  # secretStore: "aws-secretsmanager-euc1"                   # (Mandatory) Name of the SecretStore or ClusterSecretStore to reference in the ExternalSecret
+  # remoteKey: "rds!db-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (Mandatory) Remote key in the external secret store where Postgres credentials are stored
+  # namespace: ""                                          # (Optional), defaults to release namespace
+  # secretStoreKind: ""                                    # (Optional), defaults to SecretStore / SecretStore or ClusterSecretStore
+  # refreshInterval: "2s"                                  # (Optional), defaults to SecretStore / SecretStore or ClusterSecretStore
+
+# Additional environment variables to add to the pod (map of key / value)
+env:
+  POSTGRES_INSTANCE: "XXXXXXXXXX"
+  # POSTGRES_CLOUD_PROVIDER: "AWS"
 
 nodeSelector: {}