{{/*
生成 Secret 的名称。
调用:
{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
参数:
- existingSecret: 字符串或对象(可选)。用户定义的已存在的 Secret。可以是 Secret 名称字符串,也可以是包含 name 字段的对象。
- defaultNameSuffix: 字符串(可选)。追加到默认 Secret 名称之后的后缀,用于在同一部署中区分多个 Secret。
- context: 字典(必须)。父级上下文信息。
*/}}
{{- define "common.secrets.name" -}}
{{- /* Resolve the Secret name: the chart fullname (optionally suffixed), unless the caller points at an existing Secret. */ -}}
{{- $secretName := include "common.names.fullname" .context -}}
{{- with .defaultNameSuffix -}}
{{- /* Keep the generated name within the 63-character Kubernetes name limit and never let it end in "-". */ -}}
{{- $secretName = printf "%s-%s" $secretName . | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- if .existingSecret -}}
{{- /* existingSecret is either a bare name string or an object; a non-empty "name" field on the object wins. The user-supplied name is used verbatim, without truncation. */ -}}
{{- if typeIs "string" .existingSecret -}}
{{- $secretName = .existingSecret -}}
{{- else if .existingSecret.name -}}
{{- $secretName = .existingSecret.name -}}
{{- end -}}
{{- end -}}
{{- printf "%s" $secretName -}}
{{- end -}}
{{/*
生成 Secret 的键名。
调用:
{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
参数:
- existingSecret: 字符串或对象(可选)。用户定义的已存在的 Secret。可以是 Secret 名称字符串,也可以是包含 keyMapping 字段的对象;keyMapping 用于把本 chart 使用的键名映射为已存在 Secret 中实际的键名。
- key: 字符串(必须)。键名。
*/}}
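{{- define "common.secrets.key" -}}
{{- /* Resolve the key to read from a Secret: the chart's own key, or the user's mapping of it when existingSecret is an object carrying keyMapping. */ -}}
{{- $key := .key -}}
{{- if .existingSecret -}}
{{- if not (typeIs "string" .existingSecret) -}}
{{- with .existingSecret.keyMapping -}}
{{- /* Only honor the mapping when it actually covers this key. An unmapped key makes `index` return nil, which printf would render as the literal "%!s(<nil>)" and the Secret lookup would then silently miss; fall back to the chart key instead. */ -}}
{{- $mappedKey := index . $.key -}}
{{- if $mappedKey -}}
{{- $key = $mappedKey -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}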
{{/*
生成 Secret 的密码信息(或从已创建的信息中获取)。
调用:
{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }}
参数:
- secret - String - Required - Name of the 'Secret' resource where the password is stored.
- key - String - Required - Name of the key in the secret.
- providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick the first parameter with a defined value.
- length - int - Optional - Default to 10. Length of the generated random password.
- strong - Boolean - Optional - Whether to add symbols to the generated random password.
- chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
- context - Context - Required - Parent context.
- failOnNew - Boolean - Optional - Default to true. If set to false, skip errors when adding new keys to existing secrets.
- skipB64enc - Boolean - Optional - Default to false. If set to true, the secret will not be base64 encoded.
- skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
- honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret.
The order in which this function returns a secret password:
1. Password provided via the values.yaml if honorProvidedValues = true
(If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
2. Already existing 'Secret' resource
(If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function, then the value of this existing secret password will be returned)
3. Password provided via the values.yaml if honorProvidedValues = false
(If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned)
4. Randomly generated secret password
(A new random secret password with the length specified in the 'length' parameter will be generated and returned)
*/}}
{{- define "common.secrets.passwords.manage" -}}
{{- /*
Resolve the password stored under .key in the Secret named .secret.
Precedence: values.yaml (only if honorProvidedValues) -> Secret already in the cluster -> values.yaml -> freshly generated random password.
The result is base64-encoded unless skipB64enc is set, and double-quoted unless skipQuote is set.
*/ -}}

{{- $password := "" }}
{{- $subchart := "" }}
{{- $chartName := default "" .chartName }}
{{- /* .length is optional; a generated password falls back to 10 characters. */ -}}
{{- $passwordLength := default 10 .length }}
{{- /* First entry of .providedValues that resolves to a value under the parent context; the key itself is kept for the validation error below. */ -}}
{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
{{- /* lookup reads the live cluster. NOTE: during `helm template` and --dry-run it returns nothing, so the existing-Secret branch is skipped and a new random password is produced on every such render. */ -}}
{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
{{- if $secretData }}
{{- if hasKey $secretData .key }}
{{- /* Stored Secret data is base64; decode here and re-encode on output (unless skipB64enc). */ -}}
{{- $password = index $secretData .key | b64dec }}
{{- else if not (eq .failOnNew false) }}
{{- /* failOnNew defaults to true: a Secret that exists but lacks this key is an error rather than a silent regeneration. */ -}}
{{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
{{- end -}}
{{- end }}

{{- /* honorProvidedValues lets a value from values.yaml take precedence over what is already stored in the cluster. */ -}}
{{- if and $providedPasswordValue .honorProvidedValues }}
{{- $password = $providedPasswordValue | toString }}
{{- end }}

{{- if not $password }}
{{- if $providedPasswordValue }}
{{- $password = $providedPasswordValue | toString }}
{{- else }}
{{- /* .context.Values.enabled presumably marks a subchart render; the chart name is then attached to the validation error. */ -}}
{{- if .context.Values.enabled }}
{{- $subchart = $chartName }}
{{- end -}}

{{- /* Neither a stored nor a provided value: unless failOnNew is false, report the empty-password validation error through the helper defined elsewhere in the library. */ -}}
{{- if not (eq .failOnNew false) }}
{{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
{{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
{{- $passwordValidationErrors := list $requiredPasswordError -}}
{{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
{{- end }}

{{- if .strong }}
{{- /* "Strong" password: $subStr pins one lowercase letter, one digit and one uppercase letter joined by "_" (5 characters). The random part has every non-word character replaced by "@" and its first 5 characters dropped so the total stays $passwordLength; the concatenation is then shuffled. */ -}}
{{- /* NOTE(review): for a length below 5, `substr 5 $passwordLength` ends before it starts and looks like it would fail to render; at exactly 5 the password is only the fixed-pattern $subStr. Confirm before relying on short strong passwords. */ -}}
{{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
{{- $password = randAscii $passwordLength }}
{{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
{{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
{{- else }}
{{- /* Default: alphanumeric characters only. */ -}}
{{- $password = randAlphaNum $passwordLength }}
{{- end }}
{{- end -}}
{{- end -}}
{{- /* With skipB64enc the plaintext password is emitted directly into the rendered manifest. */ -}}
{{- if not .skipB64enc }}
{{- $password = $password | b64enc }}
{{- end -}}
{{- if .skipQuote -}}
{{- printf "%s" $password -}}
{{- else -}}
{{- printf "%s" $password | quote -}}
{{- end -}}
{{- end -}}
{{/*
从已存在的 Secret 中获取键对应的值,如果不存在则返回默认值。
调用:
{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }}
参数:
- secret: 字符串(必须)。存储密码的 Secret 的名字。
- key: 字符串(必须)。Secret 中键的名字。
- defaultValue: 字符串(必须)。当 Secret 中不存在该键时使用的默认值(如 .Values.myValue),返回前会进行 base64 编码。
- context: 上下文(必须)。父级上下文信息。
*/}}
{{- define "common.secrets.lookup" -}}
{{- /* Return the base64-encoded value of .key from the existing Secret .secret, or the base64-encoded .defaultValue when the Secret or the key is absent. Emits nothing when neither is available. */ -}}
{{- $namespace := include "common.names.namespace" .context -}}
{{- $existingData := (lookup "v1" "Secret" $namespace .secret).data -}}
{{- $encodedValue := "" -}}
{{- if and $existingData (hasKey $existingData .key) -}}
{{- /* Secret data is already base64; it is passed through untouched. */ -}}
{{- $encodedValue = index $existingData .key -}}
{{- else if .defaultValue -}}
{{- /* NOTE: lookup returns nothing during `helm template` and --dry-run, so the default is always taken there. */ -}}
{{- $encodedValue = b64enc (toString .defaultValue) -}}
{{- end -}}
{{- with $encodedValue -}}
{{- printf "%s" . -}}
{{- end -}}
{{- end -}}
{{/*
检测是否已存在同名的 Secret(存在时输出 true,否则不输出任何内容)。
调用:
{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
参数:
- secret: 字符串(必须)。用于存放密码的 Secret 的名字。
- context: 上下文(必须)。父级上下文信息。
*/}}
{{- define "common.secrets.exists" -}}
{{- /* Emit "true" when a Secret named .secret exists in the release namespace; emit nothing otherwise. */ -}}
{{- /* NOTE: lookup reads the live cluster and returns an empty object under `helm template` and --dry-run, so the output is always empty there. */ -}}
{{- $namespace := include "common.names.namespace" .context -}}
{{- with (lookup "v1" "Secret" $namespace .secret) -}}
{{- true -}}
{{- end -}}
{{- end -}}