From edee1b0da17a088950c47764f5131a0518c2ac46 Mon Sep 17 00:00:00 2001 From: Aron Kaufmann <100943793+AronKa-SAG@users.noreply.github.com> Date: Fri, 14 Jun 2024 16:23:51 +0200 Subject: [PATCH] Add possibility to read metering truststore Password by secretKeyRef (#90) * added possibility for secretKeyRef for metering truststorePassword added new values to values.yaml * upped chart version added new version to readme * added extraVolumes and extraVolumeMounts to kibana * added custom logging configuration to kibana * updated readme --- apigateway/helm/Chart.yaml | 2 +- apigateway/helm/README.md | 12 ++++++++ apigateway/helm/README.md.gotmpl | 1 + apigateway/helm/templates/kibana.yaml | 29 +++++++++++++++++-- apigateway/helm/values.yaml | 40 +++++++++++++++++++++++++++ common/helm/templates/_metering.tpl | 8 ++++++ 6 files changed, 89 insertions(+), 3 deletions(-) diff --git a/apigateway/helm/Chart.yaml b/apigateway/helm/Chart.yaml index fdbfccc..67fb9de 100644 --- a/apigateway/helm/Chart.yaml +++ b/apigateway/helm/Chart.yaml @@ -33,7 +33,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.2.4 +version: 1.2.5 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/apigateway/helm/README.md b/apigateway/helm/README.md index 1b72d46..2fdff3c 100644 --- a/apigateway/helm/README.md +++ b/apigateway/helm/README.md 
@@ -165,6 +165,7 @@ Sub-folder `examples` contains some *values* examples for more use-cases. To use | `1.2.2` | Option in `values.yaml` to create a ServiceMonitor added. | | `1.2.3` | Job template added to create house keeping (cron) jobs. | | `1.2.4` | Added Kibana extra container configuration, set by Values.kibana.extraContainers.
Added ServiceMonitor matchLabel for a specific service. The service is set by .Values.serviceMonitor.serviceName defaulting to API Gateways runtime service. | +| `1.2.5` | Added possibility to read metering truststore password by secretKeyRef.
Added custom logging configuration for Kibana. | ## Values 
@@ -314,9 +315,16 @@ Sub-folder `examples` contains some *values* examples for more use-cases. To use | kibana.allowAnonymousStatus | bool | `true` | Enable anonymous access to /api/status. | | kibana.annotations | object | `{}` | Annotations for Kibana | | kibana.count | int | `1` | | +| kibana.customLogging | object | `{"appenders":{},"enabled":false,"loggers":[],"root":{}}` | Custom logging configuration for kibana container. | +| kibana.customLogging.appenders | object | `{}` | Define appenders for custom logging config. Example for logging to file: file: type: file fileName: /usr/share/kibana/logs/kibana.log layout: type: pattern | +| kibana.customLogging.enabled | bool | `false` | Enable custom logging configuration. | +| kibana.customLogging.loggers | list | `[]` | Define loggers other than root logger. Example for custom server logger: - name: server appenders: [console] level: warn | +| kibana.customLogging.root | object | `{}` | Define which appenders are used by root logger. Example for logging to file additionally to default/console: appenders: [file, default] level: warn | | kibana.extraContainers | list | `[]` | The definition of extra containers for kibana. | | kibana.extraInitContainers | list | `[]` | The definition of extra initContainers for kibana. | | kibana.extraLabels | object | `{}` | Additional labels to be added to kibana pod labels. | +| kibana.extraVolumeMounts | list | `[]` | The definition of extra volumeMounts for kibana. | +| kibana.extraVolumes | list | `[]` | The definition of extra volumes for kibana. | | kibana.image | string | `nil` | The image that should be used. By default ECK will use the official Elasticsearch images. Overwrite this to use an image from an internal registry or any custom images. Make sure that the image corresponds to the version field. | | kibana.livenessProbe | object | `{}` | Configure Kibana's livenessProbe. | | kibana.podSecurityContext | object | `{}` | The pod securityContext for kibana pod. | 
@@ -353,6 +361,10 @@ Sub-folder `examples` contains some *values* examples for more use-cases. To use | metering.serverUrl | string | `"https://metering.softwareag.cloud/api/measurements"` | The URL of the metering aggregator server REST API. | | metering.trustStoreFile | string | `nil` | The absolute path to the metering client truststore that is used for HTTPS connections. Add this value in any of the following cases: *If you use the Software AG Metering Server on premises (via HTTPS) and the certificates in the truststore do not match the certificates configured in Software AG Runtime (CTP). *If you use a metering proxy that terminates the SSL connection to the Metering Server in Software AG Cloud. | | metering.trustStorePassword | string | `nil` | The password for the metering client truststore. Configure this property only if you use a truststore. | +| metering.truststorePasswordFromSecret | object | `{"enabled":false,"secretKey":"","secretName":""}` | Configuration for secretKeyRef containing the password for the metering client truststore. Configure this property only if you use a truststore. Mutually exclusive with providing the password directly over metering.trustStorePassword. | +| metering.truststorePasswordFromSecret.enabled | bool | `false` | enable secretKeyRef instead of providing password directly | +| metering.truststorePasswordFromSecret.secretKey | string | `""` | Key containing the truststore password in the referenced secret | +| metering.truststorePasswordFromSecret.secretName | string | `""` | Name of the referenced secret | | nameOverride | string | `""` | Overwrites Chart name of release name in workload name. As default, the workload name is release name + '-' + Chart name. The workload name is at the end release name + '-' + value of `nameOverride`. | | nodeSelector | object | `{}` | | | podAnnotations | object | `{}` | | diff --git a/apigateway/helm/README.md.gotmpl b/apigateway/helm/README.md.gotmpl index 553117c..1fd15fe 100644 
--- a/apigateway/helm/README.md.gotmpl +++ b/apigateway/helm/README.md.gotmpl @@ -166,5 +166,6 @@ Sub-folder `examples` contains some *values* examples for more use-cases. To use | `1.2.2` | Option in `values.yaml` to create a ServiceMonitor added. | | `1.2.3` | Job template added to create house keeping (cron) jobs. | | `1.2.4` | Added Kibana extra container configuration, set by Values.kibana.extraContainers.
Added ServiceMonitor matchLabel for a specific service. The service is set by .Values.serviceMonitor.serviceName defaulting to API Gateways runtime service. | +| `1.2.5` | Added possibility to read metering truststore password by secretKeyRef.
Added custom logging configuration for Kibana. | {{ template "chart.valuesSection" . }} diff --git a/apigateway/helm/templates/kibana.yaml b/apigateway/helm/templates/kibana.yaml index 9e6eabb..5b3ecb2 100644 --- a/apigateway/helm/templates/kibana.yaml +++ b/apigateway/helm/templates/kibana.yaml @@ -50,6 +50,21 @@ spec: {{- else }} elasticsearch.ssl.verificationMode: none {{- end }} + {{- if .Values.kibana.customLogging.enabled }} + logging: + {{- if .Values.kibana.customLogging.appenders }} + appenders: + {{- toYaml .Values.kibana.customLogging.appenders | nindent 8 }} + {{- end }} + {{- if .Values.kibana.customLogging.root }} + root: + {{- toYaml .Values.kibana.customLogging.root | nindent 8 }} + {{- end }} + {{- if .Values.kibana.customLogging.loggers }} + loggers: + {{- toYaml .Values.kibana.customLogging.loggers | nindent 8 }} + {{- end }} + {{- end }} http: tls: selfSignedCertificate: @@ -83,14 +98,19 @@ spec: initContainers: {{- toYaml .Values.kibana.extraInitContainers | nindent 8 }} {{- end }} - {{- if .Values.kibana.tls.enabled }} + {{- if or ( .Values.kibana.tls.enabled ) ( .Values.kibana.extraVolumes ) }} volumes: + {{- if .Values.kibana.tls.enabled }} - name: elasticsearch-certs secret: secretName: {{ .Values.kibana.tls.secretName }} items: - key: {{ .Values.kibana.tls.trustStoreName }} path: truststore.p12 + {{- end }} + {{- if .Values.kibana.extraVolumes }} + {{- toYaml .Values.kibana.extraVolumes | nindent 8 }} + {{- end }} {{- end }} containers: - name: kibana 
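Review bot: In the first hunk, when `customLogging.enabled` is true but `appenders`, `root` and `loggers` are all left at their empty defaults, a bare `logging:` key with a null value is rendered into the Kibana config; guard the outer condition on content as well, e.g. `{{- if and .Values.kibana.customLogging.enabled (or .Values.kibana.customLogging.appenders .Values.kibana.customLogging.root .Values.kibana.customLogging.loggers) }}`. The three sub-maps go through `toYaml` unvalidated, so any other `logging.*` key a user puts under `customLogging` is silently dropped rather than rejected; a comment above the block, `# only appenders/root/loggers are passed through; other logging.* keys in values are ignored`, would make that explicit. The mapping these keys belong to (presumably the ECK `config` stanza) begins above this hunk.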
@@ -124,12 +144,17 @@ spec: livenessProbe: {{- toYaml .Values.kibana.livenessProbe | nindent 12 }} {{- end }} - {{- if .Values.kibana.tls.enabled }} + {{- if or ( .Values.kibana.tls.enabled ) ( .Values.kibana.extraVolumeMounts ) }} volumeMounts: + {{- if .Values.kibana.tls.enabled }} - name: elasticsearch-certs mountPath: /usr/share/kibana/config/elasticsearch-certs/truststore.p12 subPath: truststore.p12 readOnly: true + {{- end }} + {{- if .Values.kibana.extraVolumeMounts }} + {{- toYaml .Values.kibana.extraVolumeMounts | nindent 12 }} + {{- end }} {{- end }} {{- if .Values.kibana.extraContainers }} {{- toYaml .Values.kibana.extraContainers | nindent 8 }} diff --git a/apigateway/helm/values.yaml b/apigateway/helm/values.yaml index 2c3e7da..fdeac77 100644 --- a/apigateway/helm/values.yaml +++ b/apigateway/helm/values.yaml @@ -492,6 +492,16 @@ metering: # -- The password for the metering client truststore. # Configure this property only if you use a truststore. trustStorePassword: + # -- Configuration for secretKeyRef containing the password for the metering client truststore. + # Configure this property only if you use a truststore. + # Mutually exclusive with providing the password directly over metering.trustStorePassword. + truststorePasswordFromSecret: + # -- enable secretKeyRef instead of providing password directly + enabled: false + # -- Name of the referenced secret + secretName: "" + # -- Key containing the truststore password in the referenced secret + secretKey: "" elasticsearch: 
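Review bot: In the values.yaml hunk the new key `truststorePasswordFromSecret` breaks the naming of its siblings `trustStoreFile` and `trustStorePassword` (capital S), which invites typos that Helm will not catch; `trustStorePasswordFromSecret` would match the existing convention, though renaming now is a breaking change if the chart is already released. The comment's "Mutually exclusive" is stronger than what the template does: when `enabled` is true the plain value is simply ignored, so I would say `# When enabled is true, metering.trustStorePassword is ignored.`. It is also worth stating why this option exists, since the plain `trustStorePassword` path ends up as a clear-text `value:` in the pod spec env, readable by anyone who can get pods; e.g. `# Preferred over trustStorePassword, which is rendered as clear text into the pod spec.`.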
@@ -635,6 +645,36 @@ kibana: # -- The securityContext for kibana container. securityContext: {} + # -- Custom logging configuration for kibana container. + customLogging: + # -- Enable custom logging configuration. + enabled: false + # -- Define appenders for custom logging config. + # Example for logging to file: + # file: + # type: file + # fileName: /usr/share/kibana/logs/kibana.log + # layout: + # type: pattern + appenders: {} + # -- Define which appenders are used by root logger. + # Example for logging to file additionally to default/console: + # appenders: [file, default] + # level: warn + root: {} + # -- Define loggers other than root logger. + # Example for custom server logger: + # - name: server + # appenders: [console] + # level: warn + loggers: [] + + # -- The definition of extra volumes for kibana. + extraVolumes: [] + + # -- The definition of extra volumeMounts for kibana. + extraVolumeMounts: [] + # -- The definition of extra containers for kibana. extraContainers: [] diff --git a/common/helm/templates/_metering.tpl b/common/helm/templates/_metering.tpl index 20ea229..33264fa 100644 --- a/common/helm/templates/_metering.tpl +++ b/common/helm/templates/_metering.tpl @@ -27,7 +27,15 @@ Usage: value: "{{ .Values.metering.logLevel }}" - name: "METERING_TRUSTSTORE_FILE" value: "{{ .Values.metering.trustStoreFile }}" +{{- if .Values.metering.truststorePasswordFromSecret.enabled -}} +- name: "METERING_TRUSTSTORE_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ .Values.metering.truststorePasswordFromSecret.secretName }} + key: {{ .Values.metering.truststorePasswordFromSecret.secretKey }} +{{- else -}} - name: "METERING_TRUSTSTORE_PASSWORD" value: "{{ .Values.metering.trustStorePassword }}" {{- end -}} +{{- end -}} {{- end }} \ No newline at end of file
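Review bot: In the _metering.tpl hunk, `{{- if … -}}` and `{{- else -}}` trim whitespace on both sides, so in the rendered env list `- name: "METERING_TRUSTSTORE_PASSWORD"` is glued onto the end of the preceding `value: "…"` line in either branch and the YAML no longer parses; unless something in the surrounding define compensates for this, the trailing `-` should go (`{{- if .Values.metering.truststorePasswordFromSecret.enabled }}` and `{{- else }}`) so only the leading newline is trimmed, as the existing `{{- end }}` line does. `secretName` and `secretKey` are rendered unquoted with `""` defaults, so enabling the option without setting them yields `name:`/`key:` with null values and a pod rejected at admission with an unhelpful error; wrapping both in `required` and `quote` turns that into a clear `helm install` failure and also protects values that YAML would otherwise retype. The enclosing define and the outer condition closed by the existing `{{- end -}}` start above this hunk.
```yaml
- name: "METERING_TRUSTSTORE_FILE"
  value: "{{ .Values.metering.trustStoreFile }}"
{{- if .Values.metering.truststorePasswordFromSecret.enabled }}
- name: "METERING_TRUSTSTORE_PASSWORD"
  valueFrom:
    secretKeyRef:
      name: {{ required "metering.truststorePasswordFromSecret.secretName must be set when enabled" .Values.metering.truststorePasswordFromSecret.secretName | quote }}
      key: {{ required "metering.truststorePasswordFromSecret.secretKey must be set when enabled" .Values.metering.truststorePasswordFromSecret.secretKey | quote }}
{{- else }}
- name: "METERING_TRUSTSTORE_PASSWORD"
  value: "{{ .Values.metering.trustStorePassword }}"
{{- end }}
# … unchanged: closing {{- end -}} / {{- end }} of the enclosing block and define …
```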