feat: allow looking up values

trustification · Nov 25, 2024 · b32c8d5 · b32c8d5
1 parent b59e701
commit b32c8d5
Show file tree

Hide file tree

Showing 9 changed files with 83 additions and 28 deletions.
diff --git a/charts/trustify/templates/helpers/_oidc.tpl b/charts/trustify/templates/helpers/_oidc.tpl
@@ -17,8 +17,12 @@ Arguments: (dict)
 */}}
 {{- define "trustification.oidc.clientId" }}
 {{- $client := get .root.Values.oidc.clients .clientId -}}
+{{- if kindIs "map" $client.clientId }}
+{{- include "_trustify.valueFrom" (dict "root" .root "valueFrom" $client.clientId.valueFrom ) }}
+{{- else }}
 {{- $client.clientId | default .clientId }}
 {{- end }}
+{{- end }}
 
 {{/*
 Configuration required for setting up an OIDC client for making requests
@@ -60,8 +64,12 @@ Arguments (dict):
   * client - client object
 */}}
 {{- define "trustification.oidc.issuerUrl" }}
-{{- if .client.issuerUrl }}
+{{- if kindIs "map" .client.issuerUrl }}
+{{- include "_trustify.valueFrom" (dict "root" .root "valueFrom" .client.issuerUrl.valueFrom ) }}
+{{- else if .client.issuerUrl }}
 {{- .client.issuerUrl }}
+{{- else if kindIs "map" .root.Values.oidc.issuerUrl }}
+{{- include "_trustify.valueFrom" (dict "root" .root "valueFrom" .root.Values.oidc.issuerUrl.valueFrom ) }}
 {{- else if .root.Values.oidc.issuerUrl }}
 {{- .root.Values.oidc.issuerUrl }}
 {{- else -}}

diff --git a/charts/trustify/templates/helpers/_storage.tpl b/charts/trustify/templates/helpers/_storage.tpl
@@ -18,12 +18,12 @@ Arguments (dict):
 
 {{- include "_trustification.storage.common.envVars" ( set (deepCopy .) "storage" .storage ) }}
 
-{{- if .storage.filesystem }}
-{{- include "_trustification.storage.filesystem.envVars" ( set (deepCopy .) "storage" .storage.filesystem ) }}
-{{- else if .storage.s3 }}
-{{- include "_trustification.storage.s3.envVars" ( set (deepCopy .) "storage" .storage.s3 ) }}
+{{- if eq .storage.type "filesystem" }}
+{{- include "_trustification.storage.filesystem.envVars" . }}
+{{- else if eq .storage.type "s3" }}
+{{- include "_trustification.storage.s3.envVars" . }}
 {{- else }}
-{{- fail "Storage must either be set to .filesystem or .s3" }}
+{{- fail ".storage.type must either be set to 'filesystem' or 's3'" }}
 {{- end }}
 {{- end }}
 
@@ -62,7 +62,7 @@ Arguments (dict):
   value: "eu-west-1" # just a dummy value
 {{ else }}
 - name: TRUSTD_S3_REGION
-  value: "{{ .storage.region }}"
+  {{- include "trustification.common.envVarValue" .storage.region | nindent 2 }}
 {{ end }}
 
 - name: TRUSTD_S3_BUCKET

diff --git a/charts/trustify/templates/helpers/_value.tpl b/charts/trustify/templates/helpers/_value.tpl
@@ -0,0 +1,22 @@
+{{/*
+Get value from a resource. Currenlty only from secrets.
+
+Arguments (dict):
+  * .root - .
+  * .valueFrom - The "valueFrom" object
+*/}}
+{{- define "_trustify.valueFrom" }}
+
+{{- if .valueFrom.secretKeyRef }}
+{{- $secret := lookup "v1" "Secret" .root.Release.Namespace .valueFrom.secretKeyRef.name }}
+{{- required "Key not present in Secret" (index $secret.data .valueFrom.secretKeyRef.key ) | b64dec }}
+
+{{- else if .valueFrom.configMapKeyRef }}
+{{- $config := lookup "v1" "ConfigMap" .root.Release.Namespace .valueFrom.configMapKeyRef.name }}
+{{- required "Key not present in ConfigMap" (index $config.data .valueFrom.configMapKeyRef.key ) }}
+
+{{- else }}
+{{- fail "valueFrom can only use .secretKeyRef or .configMapRef" }}
+{{- end }}
+
+{{- end }}
diff --git a/charts/trustify/values.schema.json b/charts/trustify/values.schema.json
@@ -502,9 +502,7 @@
       "additionalProperties": false,
       "properties": {
         "issuerUrl": {
-          "type": "string",
-          "format": "uri",
-          "description": "The URL to the issuer.\n"
+          "$ref": "#/definitions/ValueOrRef"
         },
         "insecure": {
           "type": "boolean",
@@ -537,7 +535,7 @@
       "type": "object",
       "properties": {
         "clientId": {
-          "type": "string"
+          "$ref": "#/definitions/ValueOrRef"
         },
         "issuerUrl": {
           "type": "string",
@@ -732,6 +730,12 @@
       ],
       "additionalProperties": false,
       "properties": {
+        "type": {
+          "type": "string",
+          "enum": [
+            "s3"
+          ]
+        },
         "accessKey": {
           "description": "The access key/username to the storage resource\n",
           "$ref": "#/definitions/ValueOrRef"
@@ -754,7 +758,7 @@
           ],
           "properties": {
             "region": {
-              "type": "string"
+              "$ref": "#/definitions/ValueOrRef"
             }
           }
         },

diff --git a/charts/trustify/values.schema.yaml b/charts/trustify/values.schema.yaml
@@ -401,10 +401,7 @@ definitions:
     additionalProperties: false
     properties:
       issuerUrl:
-        type: string
-        format: uri
-        description: |
-          The URL to the issuer.
+        $ref: "#/definitions/ValueOrRef"
 
       insecure:
         type: boolean
@@ -436,7 +433,7 @@ definitions:
     type: object
     properties:
       clientId:
-        type: string
+        $ref: "#/definitions/ValueOrRef"
       issuerUrl:
         type: string
         format: uri
@@ -573,6 +570,10 @@ definitions:
       - bucket
     additionalProperties: false
     properties:
+      type:
+        type: string
+        enum:
+          - s3
       accessKey:
         description: |
           The access key/username to the storage resource
@@ -591,7 +592,7 @@ definitions:
           - region
         properties:
           region:
-            type: string
+            $ref: "#/definitions/ValueOrRef"
       - type: object
         required:
           - endpoint

diff --git a/charts/trustify/values.yaml b/charts/trustify/values.yaml
@@ -14,9 +14,7 @@ ingress: {}
 
 tls: {}
 
-storage:
-  type: filesystem
-  size: 32Gi
+storage: {}
 
 database: {}
 
@@ -25,10 +23,8 @@ openshift:
 
 oidc:
   clients:
-    frontend:
-      clientId: frontend
+    frontend: {}
     cli:
-      clientId: cli
       clientSecret:
 
 serviceMonitor:

diff --git a/values-minikube.yaml b/values-minikube.yaml
@@ -2,6 +2,10 @@ appDomain: change-me
 
 tracing: { }
 
+storage:
+  type: filesystem
+  size: 32Gi
+
 database:
   host: infrastructure-postgresql
   port: "5432"

diff --git a/values-ocp-aws.yaml b/values-ocp-aws.yaml
@@ -8,7 +8,11 @@ authenticator:
 
 storage:
   type: s3
-  region: <region> # <2>
+  region:
+    valueFrom:
+      configMapKeyRef:
+        name: aws-storage
+        key: region
   bucket: trustify-jreimann
   accessKey:
     valueFrom:
@@ -84,12 +88,24 @@ modules:
     enabled: true
 
 oidc:
-  issuerUrl: <issuer-url> # <4>
+  issuerUrl:
+    valueFrom:
+      configMapKeyRef:
+        name: aws-oidc
+        key: issuer-url
   clients:
     frontend:
-      clientId: <client-id> # <5>
+      clientId:
+        valueFrom:
+          secretKeyRef:
+            name: oidc-frontend
+            key: client-id
     cli:
-      clientId: <client-id> # <6>
+      clientId:
+        valueFrom:
+          secretKeyRef:
+            name: oidc-cli
+            key: client-id
       clientSecret:
         valueFrom:
           secretKeyRef:

diff --git a/values-ocp-no-aws.yaml b/values-ocp-no-aws.yaml
@@ -3,6 +3,10 @@ appDomain: change-me
 ingress:
   className: openshift-default
 
+storage:
+  type: filesystem
+  size: 32Gi
+
 database:
   host: infrastructure-postgresql
   port: "5432"