Merge pull request #429 from percona/EVEREST-107-configmap-bug-2

EVEREST-107 | Secrets and ConfigMaps should not be updated during upgrades
percona · Nov 26, 2024 · f9a7eb8 · f9a7eb8
2 parents c159c55 + cf243a4
commit f9a7eb8
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 37 deletions.
diff --git a/charts/everest/README.md b/charts/everest/README.md
@@ -82,9 +82,11 @@ The following table shows the configurable parameters of the Percona Everest cha
 | server.apiRequestsRateLimit | int | `100` | Set the allowed number of requests per second. |
 | server.image | string | `"perconalab/everest"` | Image to use for the server container. |
 | server.initialAdminPassword | string | `""` | The initial password configured for the admin user. If unset, a random password is generated. It is strongly recommended to reset the admin password after installation. |
-| server.oidc | object | `{}` | OIDC configuration for Everest. The config specified here is applied during installation only. During upgrades, the existing config is preserved. To change the config after installation, you need to manually manage the `everest-settigs` ConfigMap. |
+| server.jwtKey | string | `""` | Key for signing JWT tokens. This needs to be an RSA private key. This is created during installation only. To update the key after installation, you need to manually update the `everest-jwt` Secret or use everestctl. |
+| server.oidc | object | `{}` | OIDC configuration for Everest. These settings are applied during installation only. To change the settings after installation, you need to manually update the `everest-settings` ConfigMap. |
+| server.rbac | object | `{"enabled":false,"policy":"g, admin, role:admin\n"}` | Settings for RBAC. These settings are applied during installation only. To change the settings after installation, you need to manually update the `everest-rbac` ConfigMap. |
 | server.rbac.enabled | bool | `false` | If set, enables RBAC for Everest. |
-| server.rbac.policy | string | `"g, admin, role:admin\n"` | RBAC policy configuration. Ignored if `rbac.enabled` is false. The policy specified here is applied during installation only. During upgrades, the existing policy is preserved. To change the policy after installation, you need to manually manage the `everest-rbac` ConfigMap. |
+| server.rbac.policy | string | `"g, admin, role:admin\n"` | RBAC policy configuration. Ignored if `rbac.enabled` is false. |
 | server.resources | object | `{"limits":{"cpu":"200m","memory":"500Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | Resources to allocate for the server container. |
 | telemetry | bool | `true` | If set, enabled sending telemetry information. |
 | upgrade.preflightChecks | bool | `true` | If set, run preliminary checks before upgrading. It is strongly recommended to enable this setting. |

diff --git a/charts/everest/templates/everest-server/accounts.secret.yaml b/charts/everest/templates/everest-server/accounts.secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Release.IsInstall }}
 {{- $secretName := (printf "everest-accounts") -}}
 {{- $secret := (lookup "v1" "Secret" (include "everest.namespace" .) $secretName ) -}}
 apiVersion: v1
@@ -13,11 +14,11 @@ metadata:
     {{ $key }}: "{{ $value }}"
   {{- end }}
   {{- end }}
+    helm.sh/resource-policy: keep
 data:
   {{- if not $secret }}
   users.yaml: {{ tpl (.Files.Get "everest-admin.yaml.tpl") . | b64enc }}
   {{- else }}
-  {{- range $key, $value := $secret.data }}
-  {{ $key }}: {{ $value }}
-  {{- end }}
+  users.yaml: {{ index $secret.data "users.yaml" }}
   {{- end }}
+{{- end }}
diff --git a/charts/everest/templates/everest-server/jwt.secret.yaml b/charts/everest/templates/everest-server/jwt.secret.yaml
@@ -1,15 +1,11 @@
-{{- $secretName := (printf "everest-jwt") -}}
-{{- $secret := (lookup "v1" "Secret" (include "everest.namespace" .) $secretName ) -}}
+{{- if .Release.IsInstall }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ $secretName }}
+  name: "everest-jwt"
   namespace: {{ include  "everest.namespace" . }}
+  annotations:
+    helm.sh/resource-policy: keep
 data:
-  {{- if not $secret }}
-  id_rsa: {{ genPrivateKey "rsa" | b64enc  }}
-  {{- else }}
-  {{- range $key, $value := $secret.data }}
-  {{ $key }}: {{ $value }}
-  {{- end }}
-  {{- end }}
+  id_rsa: {{ .Values.server.jwtKey | default (genPrivateKey "rsa") | b64enc  }}
+{{- end }}
diff --git a/charts/everest/templates/everest-server/rbac.configmap.yaml b/charts/everest/templates/everest-server/rbac.configmap.yaml
@@ -1,17 +1,13 @@
-{{- $cmName := (printf "everest-rbac") -}}
-{{- $cm := (lookup "v1" "ConfigMap" (include "everest.namespace" .) $cmName ) -}}
+{{- if .Release.IsInstall }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $cmName }}
+  name: "everest-rbac"
   namespace: {{ include  "everest.namespace" . }}
+  annotations:
+    helm.sh/resource-policy: keep
 data:
-  {{- if or (not $cm) .Release.IsInstall }}
   enabled: {{ .Values.server.rbac.enabled | default "false" | quote }}
   policy.csv: |
     {{- .Values.server.rbac.policy | nindent 4 }}
-  {{- else }}
-  {{- range $key, $value := $cm.data }}
-  {{ $key }}: {{ $value }}
-  {{- end }}
-  {{- end }}
+{{- end }}
diff --git a/charts/everest/templates/everest-server/settings.configmap.yaml b/charts/everest/templates/everest-server/settings.configmap.yaml
@@ -1,19 +1,15 @@
-{{- $cmName := (printf "everest-settings") -}}
-{{- $cm := (lookup "v1" "ConfigMap" (include "everest.namespace" .) $cmName ) -}}
+{{- if .Release.IsInstall }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ $cmName }}
+  name: "everest-settings"
   namespace: {{ include  "everest.namespace" . }}
+  annotations:
+    helm.sh/resource-policy: keep
 data:
-  {{- if or (not $cm) .Release.IsInstall }}
   {{- if .Values.server.oidc }}
   oidc.config: |
     {{- toYaml .Values.server.oidc | nindent 4 }}
   {{- end }}
-  {{- else }}
-  {{- range $key, $value := $cm.data }}
-  {{ $key }}: {{ $value }}
-  {{- end }}
-  {{- end }}
+{{- end }}
 
diff --git a/charts/everest/values.yaml b/charts/everest/values.yaml
@@ -17,17 +17,22 @@ server:
     requests:
       cpu: 100m
       memory: 20Mi
+  # -- Key for signing JWT tokens. This needs to be an RSA private key.
+  # This is created during installation only.
+  # To update the key after installation, you need to manually update the `everest-jwt` Secret or use everestctl.
+  jwtKey: ""
+  # -- Settings for RBAC.
+  # These settings are applied during installation only.
+  # To change the settings after installation, you need to manually update the `everest-rbac` ConfigMap.
   rbac:
     # -- If set, enables RBAC for Everest.
     enabled: false
     # -- RBAC policy configuration. Ignored if `rbac.enabled` is false.
-    # The policy specified here is applied during installation only. During upgrades, the existing policy is preserved.
-    # To change the policy after installation, you need to manually manage the `everest-rbac` ConfigMap.
     policy: |
       g, admin, role:admin
   # -- OIDC configuration for Everest.
-  # The config specified here is applied during installation only. During upgrades, the existing config is preserved.
-  # To change the config after installation, you need to manually manage the `everest-settigs` ConfigMap.
+  # These settings are applied during installation only.
+  # To change the settings after installation, you need to manually update the `everest-settings` ConfigMap.
   oidc: {}
   # issuerUrl: ""
   # clientId: ""