Merge pull request #3 from enix/frozen_password

Frozen password
enix · Apr 20, 2020 · e2a9773 · e2a9773
2 parents 5a78aa1 + bd1726e
commit e2a9773
Show file tree

Hide file tree

Showing 9 changed files with 80 additions and 23 deletions.
diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v2
 appVersion: "v2.8.0"
 description: NetBox is an open source web application designed to help manage and document computer networks.
 name: netbox
-version: 1.1.0
+version: 1.2.0
 icon: https://github.com/netbox-community/netbox/raw/develop/docs/netbox_logo.svg?sanitize=true
 home: https://netbox.readthedocs.io/en/stable/
 sources:

diff --git a/charts/netbox/README.md b/charts/netbox/README.md
@@ -61,6 +61,7 @@ The command removes all the Kubernetes components associated with the chart and
 | emailServer | string | `nil` | Email server used by Netbox |
 | emailTimeout | int | `10` | Timeout in email communications |
 | emailUsername | string | `""` | Username to use on email server |
+| existingEnvSecret | string | `nil` | Provide secret environment variable. Should contain all netbox's expected secret env vars |
 | extraContainers | list | `[]` |  |
 | extraEnvs | object | `{}` |  |
 | extraInitContainers | list | `[]` |  |
@@ -73,7 +74,7 @@ The command removes all the Kubernetes components associated with the chart and
 | fullnameOverride | string | `""` | String to fully override netbox.fullname template with a string |
 | image.pullPolicy | string | `"IfNotPresent"` | Netbox image pull policy |
 | image.repository | string | `"netboxcommunity/netbox"` | Netbox image |
-| image.tag | string | `"v2.7.12"` | Netbox image version |
+| image.tag | string | `nil` | Netbox image version |
 | ingress.annotations | object | `{}` | Ingress annotations |
 | ingress.enabled | bool | `false` | Enable ingress controller resource |
 | ingress.hosts | list | `["netbox.local"]` | Ingress Hosts |
@@ -91,7 +92,11 @@ The command removes all the Kubernetes components associated with the chart and
 | nginxImage.repository | string | `"nginx"` | Nginx image |
 | nginxImage.tag | string | `"1.17.9-alpine"` | Nginx image version |
 | nodeSelector | object | `{}` | nodeSelector configuration on Netbox Pod |
-| persistence.enabled | bool | `true` | Enable persistency (Deployment mode) |
+| persistence.accessModes | list | `["ReadWriteOnce"]` | Persistent Volume Access Modes. Only for statefulSet Mode |
+| persistence.customVolumeClaims | string | `nil` | Entirely customize VolumeClaims. Only for statefulSet Mode |
+| persistence.enabled | bool | `true` | Enable statefulSet persistency |
+| persistence.size | string | `"5G"` | Size of data volume. Only for statefulSet Mode |
+| persistence.storageClassName | string | `nil` | Storage class of backing PVC. Only for statefulSet Mode |
 | postgresql.enabled | bool | `true` | Enable the postgresql sub-chart |
 | postgresql.host | string | `nil` | Host of the postgresql server to use |
 | postgresql.postgresqlDatabase | string | `"netbox"` | Postgresql database name |
@@ -101,22 +106,24 @@ The command removes all the Kubernetes components associated with the chart and
 | redis.cluster.enabled | bool | `false` | Enable the redis sub-chart cluster-mode |
 | redis.enabled | bool | `true` | Enable the redis sub-chart |
 | redis.host | string | `nil` | Host of the redis server |
+| redis.master.persistence.enabled | bool | `false` |  |
 | resources | object | `{}` | resources configuration on Netbox Pod |
 | restartPolicy | string | `"Always"` | Pods restart policy |
 | secretKey | string | `nil` | Netbox django secret key (use long random string) |
 | service.port | int | `80` | Port to use to access Netbox |
 | service.type | string | `"ClusterIP"` | Kubernetes Service type |
-| statefulSet.persistence.accessModes | list | `["ReadWriteOnce"]` | Persistent Volume Access Modes |
-| statefulSet.persistence.enabled | bool | `true` | Enable statefulSet persistency |
-| statefulSet.persistence.size | string | `"5G"` | Size of data volume |
-| statefulSet.persistence.storageClassName | string | `nil` | Storage class of backing PVC |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `nil` | Name of the service account to use. Default is derived from fullname template |
 | statefulSet.replicaCount | int | `1` | Number of Netbox Pods to run (StatefulSet mode) |
-| statefulSet.updateStrategy | object | `{"type":"RollingUpdate"}` | Update strategy policy |
+| superuser.apiToken | string | `nil` | API access token of the Netbox superuser to create on first launch |
 | superuser.email | string | `"[email protected]"` | Email of the Netbox superuser to create on first launch |
 | superuser.name | string | `"admin"` | Username of the Netbox superuser to create on first launch |
 | superuser.password | string | `nil` | Password of the Netbox superuser to create on first launch |
-| superuser.token | string | `nil` | API access token of the Netbox superuser to create on first launch |
+| superuserExistingSecret | string | `nil` | Use custom secret for initial superuser credentials. Should contain appropriate environment variable name (eg: SUPERUSER_PASSWORD) |
+| superuserSkip | bool | `false` | Don't create superuser on startup. |
 | tolerations | list | `[]` | tolerations to add on Netbox Pod |
+| updateStrategy | object | `{"type":"RollingUpdate"}` | Update strategy policy |
 
 ## License
 

diff --git a/charts/netbox/templates/NOTES.txt b/charts/netbox/templates/NOTES.txt
@@ -19,3 +19,14 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080:80
 {{- end }}
+
+--------------------------------
+To get the admin password, run the following command:
+```
+# Username (default: admin)
+kubectl -n {{ .Release.Namespace }} get secret {{ include "netbox.superuser.secretName" . }} -o jsonpath='{ .data.SUPERUSER_NAME }' | base64 -d; echo
+# Password (default: <random>)
+kubectl -n {{ .Release.Namespace }} get secret {{ include "netbox.superuser.secretName" . }} -o jsonpath='{ .data.SUPERUSER_PASSWORD }' | base64 -d; echo
+```
+WARNING:
+If you want to change the superuser's password: use the WebUI, reset it via helm-values won't work.
diff --git a/charts/netbox/templates/_helpers.tpl b/charts/netbox/templates/_helpers.tpl
@@ -71,6 +71,10 @@ Create the name of the service account to use
 {{ include "netbox.fullname" . }}-env
 {{- end -}}
 
+{{- define "netbox.superuser.secretName" -}}
+{{ include "netbox.fullname" . }}-superuser
+{{- end -}}
+
 {{- define "netbox.nginxConfigName" -}}
 {{ include "netbox.fullname" . }}-nginx
 {{- end -}}

diff --git a/charts/netbox/templates/_netbox.tpl b/charts/netbox/templates/_netbox.tpl
@@ -38,6 +38,15 @@ template:
           {{- else }}
             name: {{ include "netbox.env.secretName" . | quote }}
           {{- end }}
+        {{- if not .Values.superuserSkip }}
+        - secretRef:
+          {{- if .Values.superuserExistingSecret }}
+            name: {{ .Values.superuserExistingSecret |quote }}
+          {{- else }}
+            name: {{ include "netbox.superuser.secretName" . | quote }}
+          {{- end }}
+            optional: true
+        {{- end }}
 {{- if or (or .Values.postgresql.enabled .Values.redis.enabled) .Values.redis.existingSecret }}
         env:
 {{- if or .Values.postgresql.enabled .Values.postgresql.existingSecret}}
@@ -97,6 +106,9 @@ template:
           mountPath: /etc/netbox-nginx/
         - name: netbox-static-files
           mountPath: /opt/netbox/netbox/static
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
       {{- range $container := .Values.extraContainers }}
       - {{ $container | toYaml | indent 8 | trim }}
       {{- end }}

diff --git a/charts/netbox/templates/env-configmap.yaml b/charts/netbox/templates/env-configmap.yaml
@@ -21,8 +21,7 @@ data:
   EMAIL_PORT: '{{ .Values.emailPort }}'
   EMAIL_SERVER: '{{ .Values.emailServer }}'
   EMAIL_TIMEOUT: '{{ .Values.emailTimeout }}'
-  SUPERUSER_NAME: '{{ .Values.superuser.name }}'
-  SUPERUSER_EMAIL: '{{ .Values.superuser.email }}'
+  SKIP_SUPERUSER: {{ .Values.superuserSkip | ternary "true" "false"  | quote }}
 {{- range $key, $value := .Values.extraEnvs }}
   {{ $key }}: '{{ $value }}'
 {{- end }}
diff --git a/charts/netbox/templates/env-secret.yaml b/charts/netbox/templates/env-secret.yaml
@@ -24,16 +24,6 @@ data:
 {{- with .Values.emailPassword }}
   EMAIL_PASSWORD: {{ . | b64enc | quote }}
 {{- end }}
-{{- if .Values.superuser.password }}
-  SUPERUSER_PASSWORD: {{ .Values.superuser.password | b64enc | quote }}
-{{- else }}
-  SUPERUSER_PASSWORD: {{ randAscii 10 | trimall "'" | b64enc | quote }}
-{{- end }}
-{{- if .Values.superuser.token }}
-  SUPERUSER_TOKEN: {{ .Values.superuser.token | b64enc | quote }}
-{{- else }}
-  SUPERUSER_TOKEN: {{ randAscii 40 | trimall "'" | b64enc | quote }}
-{{- end }}
 {{- range $key, $value := .Values.extraSecretEnvs }}
   {{ $key }}: {{ $value | b64enc | quote }}
 {{- end }}

diff --git a/charts/netbox/templates/superuser-secret.yaml b/charts/netbox/templates/superuser-secret.yaml
@@ -0,0 +1,23 @@
+{{- if not .Values.superuserSkip }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "netbox.superuser.secretName" . }}
+  labels:
+    {{- include "netbox.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+data:
+  SUPERUSER_NAME: {{ .Values.superuser.name | b64enc | quote }}
+  SUPERUSER_EMAIL: {{ .Values.superuser.email | b64enc | quote }}
+{{- if .Values.superuser.password }}
+  SUPERUSER_PASSWORD: {{ .Values.superuser.password | b64enc | quote }}
+{{- else }}
+  SUPERUSER_PASSWORD: {{ randAlphaNum 14 | b64enc | quote }}
+{{- end }}
+{{- if .Values.superuser.apiToken }}
+  SUPERUSER_API_TOKEN: {{ .Values.superuser.apiToken | b64enc | quote }}
+{{- else }}
+  SUPERUSER_API_TOKEN: {{ randAlphaNum 40 | b64enc | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml
@@ -139,15 +139,22 @@ emailPassword: ""
 # secretKey -- Netbox django secret key (use long random string)
 secretKey:
 
+# superuserSkip -- Don't create superuser on startup.
+superuserSkip: false
+
+# superuserExistingSecret -- Use custom secret for initial superuser credentials.
+# Should contain appropriate environment variable name (eg: SUPERUSER_PASSWORD)
+superuserExistingSecret:
+
 superuser:
   # superuser.email -- Email of the Netbox superuser to create on first launch
   email: [email protected]
   # superuser.name -- Username of the Netbox superuser to create on first launch
   name: admin
   # superuser.password -- Password of the Netbox superuser to create on first launch
   password:
-  # superuser.token -- API access token of the Netbox superuser to create on first launch
-  token:
+  # superuser.apiToken -- API access token of the Netbox superuser to create on first launch
+  apiToken:
 
 # existingEnvSecret -- Provide secret environment variable. Should contain all netbox's expected secret env vars
 existingEnvSecret:
@@ -189,3 +196,7 @@ redis:
   enabled: true
   # redis.host -- Host of the redis server
   host:
+  master:
+    persistence:
+      # redis.master.persistence.enable -- Persistence for redis, not really needed for netbox
+      enabled: false