-
Notifications
You must be signed in to change notification settings - Fork 177
/
web-secrets.yaml
142 lines (142 loc) · 9.54 KB
/
web-secrets.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
{{- if .Values.web.enabled }}
{{- if .Values.secrets.create }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "concourse.web.fullname" . }}
labels:
app: {{ template "concourse.web.fullname" . }}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
{{- if .Values.secrets.annotations }}
annotations:
{{ toYaml .Values.secrets.annotations | indent 4 }}
{{- end }}
type: Opaque
data:
host-key: {{ .Values.secrets.hostKey | b64enc | quote }}
session-signing-key: {{ .Values.secrets.sessionSigningKey | b64enc | quote }}
worker-key-pub: {{ .Values.secrets.workerKeyPub | b64enc | quote }}
{{- if .Values.concourse.web.clientConfig.enabled }}
client-id: {{ template "concourse.secret.required" dict "key" "clientId" "is" "concourse.web.clientConfig.enabled" "root" . }}
client-secret: {{ template "concourse.secret.required" dict "key" "clientSecret" "is" "concourse.web.clientConfig.enabled" "root" . }}
{{- end }}
{{- if .Values.concourse.web.tsa.clientConfig.enabled }}
tsa-client-id: {{ template "concourse.secret.required" dict "key" "tsaClientId" "is" "concourse.web.tsa.clientConfig.enabled" "root" . }}
tsa-client-secret: {{ template "concourse.secret.required" dict "key" "tsaClientSecret" "is" "concourse.web.tsa.clientConfig.enabled" "root" . }}
{{- end }}
{{- if not .Values.postgresql.enabled }}
postgresql-user: {{ template "concourse.secret.required" dict "key" "postgresUser" "isnt" "postgresql.enabled" "root" . }}
postgresql-password: {{ template "concourse.secret.required" dict "key" "postgresPassword" "isnt" "postgresql.enabled" "root" . }}
postgresql-ca-cert: {{ default "" .Values.secrets.postgresCaCert | b64enc | quote }}
postgresql-client-cert: {{ default "" .Values.secrets.postgresClientCert | b64enc | quote }}
postgresql-client-key: {{ default "" .Values.secrets.postgresClientKey | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.encryption.enabled }}
encryption-key: {{ template "concourse.secret.required" dict "key" "encryptionKey" "is" "concourse.encryption.enabled" "root" . }}
old-encryption-key: {{ default "" .Values.secrets.oldEncryptionKey | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.localAuth.enabled }}
local-users: {{ .Values.secrets.localUsers | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.auth.cf.enabled }}
cf-client-id: {{ template "concourse.secret.required" dict "key" "cfClientId" "is" "concourse.web.auth.cf.enabled" "root" . }}
cf-client-secret: {{ template "concourse.secret.required" dict "key" "cfClientSecret" "is" "concourse.web.auth.cf.enabled" "root" . }}
cf-ca-cert: {{ default "" .Values.secrets.cfCaCert | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.auth.bitbucketCloud.enabled }}
bitbucket-cloud-client-id: {{ template "concourse.secret.required" dict "key" "bitbucketCloudClientId" "is" "concourse.web.auth.bitbucketCloud.enabled" "root" . }}
bitbucket-cloud-client-secret: {{ template "concourse.secret.required" dict "key" "bitbucketCloudClientSecret" "is" "concourse.web.auth.bitbucketCloud.enabled" "root" . }}
{{- end }}
{{- if .Values.concourse.web.auth.github.enabled }}
github-client-id: {{ template "concourse.secret.required" dict "key" "githubClientId" "is" "concourse.web.auth.github.enabled" "root" . }}
github-client-secret: {{ template "concourse.secret.required" dict "key" "githubClientSecret" "is" "concourse.web.auth.github.enabled" "root" . }}
github-ca-cert: {{ default "" .Values.secrets.githubCaCert | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.auth.gitlab.enabled }}
gitlab-client-id: {{ template "concourse.secret.required" dict "key" "gitlabClientId" "is" "concourse.web.auth.gitlab.enabled" "root" . }}
gitlab-client-secret: {{ template "concourse.secret.required" dict "key" "gitlabClientSecret" "is" "concourse.web.auth.gitlab.enabled" "root" . }}
{{- end }}
{{- if .Values.concourse.web.auth.ldap.enabled }}
ldap-ca-cert: {{ default "" .Values.secrets.ldapCaCert | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.auth.saml.enabled }}
{{- if not .Values.concourse.web.auth.saml.insecureSkipVerify }}
saml-ca-cert: {{ default "" .Values.secrets.samlCaCert | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.concourse.web.auth.oauth.enabled }}
oauth-client-id: {{ template "concourse.secret.required" dict "key" "oauthClientId" "is" "concourse.web.auth.oauth.enabled" "root" . }}
oauth-client-secret: {{ template "concourse.secret.required" dict "key" "oauthClientSecret" "is" "concourse.web.auth.oauth.enabled" "root" . }}
oauth-ca-cert: {{ default "" .Values.secrets.oauthCaCert | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.auth.oidc.enabled }}
oidc-client-id: {{ template "concourse.secret.required" dict "key" "oidcClientId" "is" "concourse.web.auth.oidc.enabled" "root" . }}
oidc-client-secret: {{ template "concourse.secret.required" dict "key" "oidcClientSecret" "is" "concourse.web.auth.oidc.enabled" "root" . }}
oidc-ca-cert: {{ default "" .Values.secrets.oidcCaCert | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.auth.microsoft.enabled }}
microsoft-client-id: {{ template "concourse.secret.required" dict "key" "microsoftClientId" "is" "concourse.web.auth.microsoft.enabled" "root" . }}
microsoft-client-secret: {{ template "concourse.secret.required" dict "key" "microsoftClientSecret" "is" "concourse.web.auth.microsoft.enabled" "root" . }}
{{- end }}
{{- if .Values.concourse.web.tls.enabled }}
{{- if not .Values.concourse.web.letsEncrypt.enabled }}
web-tls-cert: {{ template "concourse.secret.required" dict "key" "webTlsCert" "is" "concourse.web.tls.enabled" "root" . }}
web-tls-key: {{ template "concourse.secret.required" dict "key" "webTlsKey" "is" "concourse.web.tls.enabled" "root" . }}
{{- if .Values.secrets.webTlsCaCert }}
web-tls-ca-cert: {{ template "concourse.secret.required" dict "key" "webTlsCaCert" "is" "concourse.web.tls.enabled" "root" . }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.concourse.web.vault.enabled }}
vault-ca-cert: {{ default "" .Values.secrets.vaultCaCert | b64enc | quote }}
vault-client-token: {{ default "" .Values.secrets.vaultClientToken | b64enc | quote }}
vault-client-cert: {{ default "" .Values.secrets.vaultClientCert | b64enc | quote }}
vault-client-key: {{ default "" .Values.secrets.vaultClientKey | b64enc | quote }}
vault-client-auth-param: {{ default "" .Values.secrets.vaultAuthParam | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.credhub.enabled }}
credhub-ca-cert: {{ default "" .Values.secrets.credhubCaCert | b64enc | quote }}
{{- if eq .Values.concourse.web.credhub.authenticationMode "secrets" }}
credhub-client-id: {{ template "concourse.secret.required" dict "key" "credhubClientId" "is" "authenticationMode set to 'secrets' with concourse.web.credhub.enabled" "root" . }}
credhub-client-secret: {{ template "concourse.secret.required" dict "key" "credhubClientSecret" "is" "authenticationMode set to 'secrets' with concourse.web.credhub.enabled" "root" . }}
{{- else if eq .Values.concourse.web.credhub.authenticationMode "mtls" }}
credhub-client-cert: {{ template "concourse.secret.required" dict "key" "credhubClientCert" "is" "authenticationMode set to 'mtls' with concourse.web.credhub.enabled" "root" . }}
credhub-client-key: {{ template "concourse.secret.required" dict "key" "credhubClientKey" "is" "authenticationMode set to 'mtls' with concourse.web.credhub.enabled" "root" . }}
{{- else }}
{{- required (printf "value %s is not recognized as an option for concourse.web.credhub.authenticationMode" .Values.concourse.web.credhub.authenticationMode) "" }}
{{- end }}
{{- end }}
{{- if .Values.concourse.web.conjur.enabled }}
conjur-account: {{ template "concourse.secret.required" dict "key" "conjurAccount" "is" "concourse.web.auth.conjur.enabled" "root" . }}
conjur-authn-login: {{ template "concourse.secret.required" dict "key" "conjurAuthnLogin" "is" "concourse.web.auth.conjur.enabled" "root" . }}
conjur-authn-api-key: {{ default "" .Values.secrets.conjurAuthnApiKey | b64enc | quote }}
conjur-authn-token-file: {{ default "" .Values.secrets.conjurAuthnTokenFile | b64enc | quote }}
conjur-ca-cert: {{ default "" .Values.secrets.conjurCACert | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.awsSsm.enabled }}
aws-ssm-access-key: {{ default "" .Values.secrets.awsSsmAccessKey | b64enc | quote }}
aws-ssm-secret-key: {{ default "" .Values.secrets.awsSsmSecretKey | b64enc | quote }}
{{- if .Values.secrets.awsSsmSessionToken }}
aws-ssm-session-token: {{ .Values.secrets.awsSsmSessionToken | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.concourse.web.awsSecretsManager.enabled }}
aws-secretsmanager-access-key: {{ default "" .Values.secrets.awsSecretsmanagerAccessKey | b64enc | quote }}
aws-secretsmanager-secret-key: {{ default "" .Values.secrets.awsSecretsmanagerSecretKey | b64enc | quote }}
{{- if .Values.secrets.awsSecretsmanagerSessionToken }}
aws-secretsmanager-session-token: {{ .Values.secrets.awsSecretsmanagerSessionToken | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.concourse.web.influxdb.enabled }}
influxdb-password: {{ default "" .Values.secrets.influxdbPassword | b64enc | quote }}
{{- end }}
{{- if .Values.concourse.web.syslog.enabled }}
syslog-ca-cert: {{ default "" .Values.secrets.syslogCaCert | b64enc | quote }}
{{- end }}
{{- range .Values.secrets.teamAuthorizedKeys}}
{{ .team }}-team-authorized-key: {{ .key | b64enc | quote }}
{{- end}}
{{- end }}
{{- end }}