xebialabs · vpugar-digital · Mar 16, 2023
diff --git a/Chart.yaml b/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: v10.3
+appVersion: v23.1
 description: A Helm chart for XL Release
 name: digitalai-release-ocp
-version: 22.0
+version: "23.1"
 
 dependencies:
 

diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -31,3 +31,141 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Remove Nginx regex from NOTES.txt.
+*/}}
+{{- define "path.fullname" -}}
+{{- $ingressclass := index .Values "ingress" "annotations" "kubernetes.io/ingress.class" }}
+{{- if and .Values.ingress.Enabled }}
+{{- if contains $ingressclass "nginx" }}
+{{- $name := ( split "(" .Values.ingress.path)._0 -}}
+{{- printf "%s" $name -}}/
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "render-value" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "render.value" -}}
+  {{- if kindIs "string" .value -}}
+    {{- tpl .value .context -}}
+  {{- else -}}
+    {{- tpl (.value | toYaml) .context }}
+  {{- end -}}
+{{- end -}}
+
+{{- define "render.value-secret" -}}
+  {{- if .value -}}
+    {{- if kindIs "string" .value -}}
+valueFrom:
+    secretKeyRef:
+        name: {{ .defaultName }}
+        key: {{ .defaultKey }}
+    {{- else -}}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end -}}
+  {{- else -}}
+    {{- if .default -}}
+valueFrom:
+    secretKeyRef:
+        name: {{ .defaultName }}
+        key: {{ .defaultKey }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{- define "render.value-if-not-secret" -}}
+    {{- if .value -}}
+        {{- if kindIs "string" .value -}}
+            {{ .key }}: {{ .value | b64enc | quote }}
+        {{- end -}}
+    {{- else -}}
+      {{- if .default -}}
+        {{ .key }}: {{ .default | b64enc | quote }}
+      {{- end -}}
+    {{- end -}}
+{{- end -}}
+
+{{/*
+Compile all warnings into a single message, and call fail.
+*/}}
+{{- define "release.validateValues" -}}
+{{- $messages := list -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "xlrLicense" "value" .Values.xlrLicense ) ) -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "RepositoryKeystore" "value" .Values.RepositoryKeystore ) ) -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "KeystorePassphrase" "value" .Values.KeystorePassphrase ) ) -}}
+{{- if .Values.UseExistingDB.Enabled -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "UseExistingDB.XLR_DB_USER" "value" .Values.UseExistingDB.XLR_DB_USER ) ) -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "UseExistingDB.XLR_DB_PASS" "value" .Values.UseExistingDB.XLR_DB_PASS ) ) -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "UseExistingDB.XLR_REPORT_DB_USER" "value" .Values.UseExistingDB.XLR_REPORT_DB_USER ) ) -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "UseExistingDB.XLR_REPORT_DB_PASS" "value" .Values.UseExistingDB.XLR_REPORT_DB_PASS ) ) -}}
+{{- end -}}
+{{- if .Values.UseExistingMQ.Enabled -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "UseExistingMQ.XLR_TASK_QUEUE_USERNAME" "value" .Values.UseExistingMQ.XLR_TASK_QUEUE_USERNAME ) ) -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "UseExistingMQ.XLR_TASK_QUEUE_PASSWORD" "value" .Values.UseExistingMQ.XLR_TASK_QUEUE_PASSWORD ) ) -}}
+{{- end -}}
+{{- if .Values.oidc.external -}}
+{{- $messages = append $messages (include "release.validateValues.mandatory" (dict "name" "oidc.clientSecret" "value" .Values.oidc.clientSecret ) ) -}}
+{{- end -}}
+{{- if .Values.AdminPassword -}}
+{{- $messages = append $messages (include "validate.existing.secret" (dict "value" .Values.AdminPassword "context" $) ) -}}
+{{- end -}}
+
+
+{{- $messages = without $messages "" -}}
+{{- $message := join "\n" $messages -}}
+
+{{- if and $message .Values.K8sSetup.validateValues -}}
+{{-   printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
+{{- end -}}
+
+{{- end -}}
+
+
+{{/*
+Validate values of Release - KeystorePassphrase
+*/}}
+{{- define "release.validateValues.mandatory" -}}
+{{- if not .value -}}
+release: {{ .name }}
+    The `{{ .name }}` is empty. It is mandatory to set.
+{{- end -}}
+{{- end -}}
+
+{{- define "validate.existing.secret" -}}
+  {{- if .value -}}
+    {{- if not (kindIs "string" .value) -}}
+      {{- if .value.valueFrom.secretKeyRef.name }}
+        {{- $exists := include "secrets.exists" (dict "secret" .value.valueFrom.secretKeyRef.name "context" .context) -}}
+        {{- if not $exists -}}
+            secret: {{ .value.valueFrom.secretKeyRef.name }}
+                The `{{ .value.valueFrom.secretKeyRef.name }}` does not exist.
+        {{- end -}}
+      {{- else -}}
+          secret: unknown
+              The `{{ .value }}` is not reference to secret.
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end }}
+
+{{/*
+Returns whether a previous generated secret already exists
+
+Usage:
+{{ include "secrets.exists" (dict "secret" "secret-name" "context" $) }}
+
+Params:
+  - secret - String - Required - Name of the 'Secret' resource where the password is stored.
+  - context - Context - Required - Parent context.
+*/}}
+{{- define "secrets.exists" -}}
+{{- $secret := (lookup "v1" "Secret" .context.Release.Namespace .secret) -}}
+{{- if $secret -}}
+  {{- true -}}
+{{- end -}}
+{{- end -}}
diff --git a/templates/configuration-management.yaml b/templates/configuration-management.yaml
@@ -11,11 +11,26 @@ data:
     {{- range $.Values.release.configurationManagement.configuration.resetFiles }}
     rm -fv /opt/xebialabs/xl-release-server/conf/{{ . }};
     {{- end }}
-    echo "Finished reset of the conf files"; 
-    mkdir /opt/xebialabs/xl-release-server/xlr-configuration-management/; 
+    echo "Finished reset of the conf files";
+    mkdir /opt/xebialabs/xl-release-server/xlr-configuration-management/;
     ORIGINAL_PWD=$(pwd);
-    cd /opt/xebialabs/xl-release-server/xlr-configuration-management/; 
-    cp /opt/xebialabs/xlr-configuration-management/* .; chmod +x *.sh; 
+    cd /opt/xebialabs/xl-release-server/xlr-configuration-management/;
+    cp /opt/xebialabs/xlr-configuration-management/* .; chmod +x *.sh;
+
+    if [ -z "$OIDC_CLIENT_ID" ]; then
+      echo "Not generating xl-release.conf.template as no OIDC configuration"
+    else;
+      if [[ ${OP_GENERATE_XL_CONFIG,,} != "true" ]]; then
+          echo "Not generating xl-release.conf.template as OP_GENERATE_XL_CONFIG != 'true'"
+          cp ${APP_HOME}/default-conf/op-xl-release.conf.template > ${APP_HOME}/default-conf/xl-release.conf.template
+      elif [ -e ${APP_HOME}/default-conf/op-xl-release.conf.template ]; then
+          echo "Generate configuration file default-conf/xl-release.conf.template from environment parameters"
+          sed -e "s#\${OIDC_CLIENT_ID}#${OIDC_CLIENT_ID}#g" \
+              -e "s#\${OIDC_CLIENT_SECRET}#${OIDC_CLIENT_SECRET}#g" \
+              ${APP_HOME}/default-conf/op-xl-release.conf.template > ${APP_HOME}/default-conf/xl-release.conf.template
+      fi
+    fi
+
     [ -x ./op-configuration-management.sh ] && ./op-configuration-management.sh;
     cd $ORIGINAL_PWD;
     echo "Finished release configuration management";

diff --git a/templates/oidc.yaml b/templates/oidc.yaml
@@ -8,7 +8,7 @@ metadata:
     chart: {{ template "xl-release.chart" . }}
     release: {{ .Release.Name }}
 data:
-  xl-release.conf.template: |
+  op-xl-release.conf.template: |
     xl {
       cluster {
         # mode: "default", "hot-standby", "full"
@@ -63,8 +63,8 @@ data:
             providers {
                 oidc {
                     {{- if .Values.oidc.external }}
-                    clientId={{ .Values.oidc.clientId | quote }}
-                    clientSecret={{ .Values.oidc.clientSecret | quote }}
+                    clientId=${OIDC_CLIENT_ID}
+                    clientSecret=${OIDC_CLIENT_SECRET}
                     {{- if .Values.oidc.clientAuthMethod }}
                     clientAuthMethod={{ .Values.oidc.clientAuthMethod | quote }}
                     {{- end }}
@@ -75,14 +75,14 @@ data:
                         {{- if .Values.oidc.clientAuthJwt.keyStore.enable }}
                         keyStore {
                             path={{ default "" .Values.oidc.clientAuthJwt.keyStore.path | quote }}
-                            password={{ default "" .Values.oidc.clientAuthJwt.keyStore.password | quote }}
+                            password=${OIDC_CLIENT_AUTH_JWT_KEYSTORE_PASSWORD}
                             type={{ default "" .Values.oidc.clientAuthJwt.keyStore.type | quote }}
                         }
                         {{- end }}
                         {{- if .Values.oidc.clientAuthJwt.key.enable }}
                         key {
                             alias={{ default "" .Values.oidc.clientAuthJwt.key.alias | quote }}
-                            password={{ default "" .Values.oidc.clientAuthJwt.key.password | quote }}
+                            password=${OIDC_CLIENT_AUTH_JWT_KEY_PASSWORD}
                         }
                         {{- end }}
                     }
@@ -115,7 +115,7 @@ data:
                         audience={{ default "" .Values.oidc.accessToken.audience | quote }}
                         keyRetrievalUri={{ default "" .Values.oidc.accessToken.keyRetrievalUri | quote }}
                         jwsAlg={{ default "" .Values.oidc.accessToken.jwsAlg | quote }}
-                        secretKey={{ default "" .Values.oidc.accessToken.secretKey | quote }}
+                        secretKey=${OIDC_ACCESS_TOKEN_SECRET_KEY}
                         }
                     {{- end }}
                     {{- if .Values.oidc.proxyHost }}

diff --git a/templates/secrets.yaml b/templates/secrets.yaml
@@ -9,27 +9,29 @@ metadata:
     heritage: {{ .Release.Service }}
 type: Opaque
 data:
-  {{ if .Values.AdminPassword }}
-  release-password:  {{ .Values.AdminPassword | b64enc | quote }}
-  {{ else }}
-  release-password: {{ randAlphaNum 10 | b64enc | quote }}
-  {{ end }}
-  {{ if .Values.xlrLicense }}
-  xlr-License: {{ .Values.xlrLicense | b64enc | quote }}
-  {{ end }}
-  {{ if .Values.RepositoryKeystore }}
-  repositoryKeystore: {{ .Values.RepositoryKeystore | b64enc | quote }}
-  {{ end }}
-  {{ if .Values.KeystorePassphrase }}
-  keystorePassphrase: {{ .Values.KeystorePassphrase | b64enc | quote }}
-  {{ end }}
-  {{ if .Values.UseExistingDB.Enabled }}
-  databaseUsername: {{ .Values.UseExistingDB.XLR_DB_USER | b64enc | quote }}
-  databasePassword: {{ .Values.UseExistingDB.XLR_DB_PASS | b64enc | quote }}
-  reportDatabaseUsername: {{ .Values.UseExistingDB.XLR_REPORT_DB_USER | b64enc | quote }}
-  reportDatabasePassword: {{ .Values.UseExistingDB.XLR_REPORT_DB_PASS | b64enc | quote }}
-  {{ end }}
-  {{ if .Values.UseExistingMQ.Enabled }}
-  rabbitmqUsername: {{ .Values.UseExistingMQ.XLR_TASK_QUEUE_USERNAME | b64enc | quote }}
-  rabbitmqPassword: {{ .Values.UseExistingMQ.XLR_TASK_QUEUE_PASSWORD | b64enc | quote }}
-  {{ end }}
+  {{- include "render.value-if-not-secret" (dict "key" "release-password" "value" .Values.AdminPassword "default" (randAlphaNum 10) ) | nindent 2 -}}
+  {{- include "render.value-if-not-secret" (dict "key" "xlr-License" "value" .Values.xlrLicense) | nindent 2 -}}
+  {{- include "render.value-if-not-secret" (dict "key" "repositoryKeystore" "value" .Values.RepositoryKeystore) | nindent 2 -}}
+  {{- include "render.value-if-not-secret" (dict "key" "keystorePassphrase" "value" .Values.KeystorePassphrase) | nindent 2 -}}
+  {{- if .Values.UseExistingDB.Enabled -}}
+  {{- include "render.value-if-not-secret" (dict "key" "databaseUsername" "value" .Values.UseExistingDB.XLR_DB_USER) | nindent 2 -}}
+  {{- include "render.value-if-not-secret" (dict "key" "databasePassword" "value" .Values.UseExistingDB.XLR_DB_PASS) | nindent 2 -}}
+  {{- include "render.value-if-not-secret" (dict "key" "reportDatabaseUsername" "value" .Values.UseExistingDB.XLR_REPORT_DB_USER) | nindent 2 -}}
+  {{- include "render.value-if-not-secret" (dict "key" "reportDatabasePassword" "value" .Values.UseExistingDB.XLR_REPORT_DB_PASS) | nindent 2 -}}
+  {{- end -}}
+  {{- if .Values.UseExistingMQ.Enabled -}}
+  {{- include "render.value-if-not-secret" (dict "key" "rabbitmqUsername" "value" .Values.UseExistingMQ.XLR_TASK_QUEUE_USERNAME) | nindent 2 -}}
+  {{- include "render.value-if-not-secret" (dict "key" "rabbitmqPassword" "value" .Values.UseExistingMQ.XLR_TASK_QUEUE_PASSWORD) | nindent 2 -}}
+  {{- end -}}
+  {{- if .Values.oidc.external -}}
+  {{- include "render.value-if-not-secret" (dict "key" "oidcClientId" "value" .Values.oidc.clientId) | nindent 2 -}}
+  {{- include "render.value-if-not-secret" (dict "key" "oidcClientSecret" "value" .Values.oidc.clientSecret) | nindent 2 -}}
+  {{- if .Values.oidc.clientAuthJwt.enable -}}
+  {{- include "render.value-if-not-secret" (dict "key" "oidcClientAuthJwtKeyStorePassword" "value" .Values.oidc.clientAuthJwt.keyStore.password) | nindent 2 -}}
+  {{- include "render.value-if-not-secret" (dict "key" "oidcClientAuthJwtKeyPassword" "value" .Values.oidc.clientAuthJwt.key.password) | nindent 2 -}}
+  {{- end -}}
+  {{- if .Values.oidc.accessToken.enable -}}
+  {{- include "render.value-if-not-secret" (dict "key" "oidcAccessTokenSecretKey" "value" .Values.oidc.accessToken.secretKey) | nindent 2 -}}
+  {{- end -}}
+  {{- end -}}
+