feat(secret): support annotations and labels for the basic auth secret

2025-09-29 22:53:21 +02:00
parent ba1fd42cfc
commit 1323f74351
11 changed files with 336 additions and 17 deletions
--- a/templates/_deployment.tpl
+++ b/templates/_deployment.tpl
@@ -27,8 +27,8 @@
 {{- end }}
 {{- if or (eq (include "reposilite.podMonitor.enabled" $ ) "true") (eq (include "reposilite.serviceMonitor.enabled" $ ) "true") -}}
-{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_USER" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" "username")))) }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_USER" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.usernameKey" $))))) }}
-{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PASSWORD" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" "password")))) }}
+{{- $env = concat $env (list (dict "name" "REPOSILITE_PROMETHEUS_PASSWORD" "valueFrom" (dict "secretKeyRef" (dict "name" (include "reposilite.secrets.prometheusBasicAuth.name" $) "key" (include "reposilite.secrets.prometheusBasicAuth.passwordKey" $))))) }}
 {{- end }}
 {{ toYaml (dict "env" $env) }}
--- a/templates/_pod.tpl
+++ b/templates/_pod.tpl
@@ -4,7 +4,7 @@
 {{- define "reposilite.pod.annotations" -}}
 {{ include "reposilite.annotations" . }}
-{{- if .Values.prometheus.metrics.enabled -}}
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) -}}
 {{- printf "checksum/secret-%s: %s" (include "reposilite.secrets.prometheusBasicAuth.name" $) (include (print $.Template.BasePath "/secretPrometheusBasicAuth.yaml") . | sha256sum) }}
 {{- end -}}
 {{- end }}
--- a/templates/_secrets.tpl
+++ b/templates/_secrets.tpl
@@ -4,16 +4,50 @@
 {{- define "reposilite.secrets.prometheusBasicAuth.annotations" -}}
 {{ include "reposilite.annotations" . }}
 {{- if .Values.prometheus.metrics.secret.new.annotations }}
 {{ toYaml .Values.prometheus.metrics.secret.new.annotations }}
 {{- end }}
 {{- end }}
 {{/* labels */}}
 {{- define "reposilite.secrets.prometheusBasicAuth.labels" -}}
 {{ include "reposilite.labels" . }}
 {{- if .Values.prometheus.metrics.secret.new.labels }}
 {{ toYaml .Values.prometheus.metrics.secret.new.labels }}
 {{- end }}
 {{- end }}
 {{/* names */}}
 {{- define "reposilite.secrets.prometheusBasicAuth.name" -}}
-{{ include "reposilite.fullname" . }}-basic-auth-credentials
+{{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.secretName) 0) }}
-{{- end -}}
+{{- print .Values.prometheus.metrics.secret.existing.secretName -}}
 {{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.secretName) 0) }}
 {{ fail "Name of the existing secret that contains the credentials for basic auth is not defined!" }}
 {{- else if not .Values.prometheus.metrics.secret.existing.enabled }}
 {{- printf "%s-basic-auth-credentials" (include "reposilite.fullname" $) -}}
 {{- end }}
 {{- end }}
 {{/* secretKeyNames */}}
 {{- define "reposilite.secrets.prometheusBasicAuth.passwordKey" -}}
 {{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) -}}
 {{- .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey -}}
 {{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthPasswordKey) 0) }}
 {{ fail "Name of the key in the secret that contains the password for basic auth is not defined!" }}
 {{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }}
 {{- print "password" -}}
 {{- end }}
 {{- end }}
 {{- define "reposilite.secrets.prometheusBasicAuth.usernameKey" -}}
 {{- if and .Values.prometheus.metrics.secret.existing.enabled (gt (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) -}}
 {{- .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey -}}
 {{- else if and .Values.prometheus.metrics.secret.existing.enabled (eq (len .Values.prometheus.metrics.secret.existing.basicAuthUsernameKey) 0) }}
 {{ fail "Name of the key in the secret that contains the username for basic auth is not defined!" }}
 {{- else if and (not .Values.prometheus.metrics.secret.existing.enabled) }}
 {{- print "username" -}}
 {{- end }}
 {{- end }}
--- a/templates/podMonitor.yaml
+++ b/templates/podMonitor.yaml
@@ -17,10 +17,10 @@ spec:
  podMetricsEndpoints:
  - basicAuth:
      password:
-        key: password
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }}
        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
      username:
-        key: username
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }}
        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
    enableHttp2: {{ required "The enableHttp2 option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.enableHttp2 }}
    followRedirects: {{ required "The followRedirects option of the podMonitor is not defined!" .Values.prometheus.metrics.podMonitor.followRedirects }}
--- a/templates/secretPrometheusBasicAuth.yaml
+++ b/templates/secretPrometheusBasicAuth.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.prometheus.metrics.enabled }}
+{{- if and .Values.prometheus.metrics.enabled (not .Values.prometheus.metrics.secret.existing.enabled) }}
 ---
 apiVersion: v1
 kind: Secret
@@ -14,6 +14,6 @@ metadata:
  name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
  namespace: {{ .Release.Namespace }}
 stringData:
-  password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.basicAuthPassword }}
+  password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthPassword }}
-  username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.basicAuthUsername }}
+  username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthUsername }}
 {{- end }}
--- a/templates/serviceMonitor.yaml
+++ b/templates/serviceMonitor.yaml
@@ -17,10 +17,10 @@ spec:
  endpoints:
  - basicAuth:
      password:
-        key: password
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.passwordKey" . }}
        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
      username:
-        key: username
+        key: {{ include "reposilite.secrets.prometheusBasicAuth.usernameKey" . }}
        name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
    enableHttp2: {{ required "The enableHttp2 option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.enableHttp2 }}
    followRedirects: {{ required "The followRedirects option of the serviceMonitor is not defined!" .Values.prometheus.metrics.serviceMonitor.followRedirects }}
--- a/unittests/deployment/prometheusPodMonitor.yaml
+++ b/unittests/deployment/prometheusPodMonitor.yaml
@@ -35,3 +35,73 @@ tests:
            name: reposilite-unittest-basic-auth-credentials
            key: username
    template: templates/deployment.yaml
 - it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
    prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key
    prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key
    prometheus.metrics.secret.existing.secretName: my-secret
    prometheus.metrics.podMonitor.enabled: true
  asserts:
  - notExists:
      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
    template: templates/deployment.yaml
  - contains:
      path: spec.template.spec.containers[0].env
      content:
        name: REPOSILITE_PROMETHEUS_PASSWORD
        valueFrom:
          secretKeyRef:
            name: my-secret
            key: my-password-key
    template: templates/deployment.yaml
  - contains:
      path: spec.template.spec.containers[0].env
      content:
        name: REPOSILITE_PROMETHEUS_USER
        valueFrom:
          secretKeyRef:
            name: my-secret
            key: my-username-key
    template: templates/deployment.yaml
 - it: Fail when existing secret name is undefined
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
    prometheus.metrics.secret.existing.secretName: ""
    prometheus.metrics.podMonitor.enabled: true
  asserts:
  - failedTemplate:
      errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!"
    template: templates/deployment.yaml
 - it: Fail when the name of the key in the secret that contains the username for basic auth is undefined
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
    prometheus.metrics.secret.existing.basicAuthUsernameKey: ""
    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
    prometheus.metrics.secret.existing.secretName: "my-secret"
    prometheus.metrics.podMonitor.enabled: true
  asserts:
  - failedTemplate:
      errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!"
    template: templates/deployment.yaml
 - it: Fail when the name of the key in the secret that contains the password for basic auth is undefined
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
    prometheus.metrics.secret.existing.basicAuthPasswordKey: ""
    prometheus.metrics.secret.existing.secretName: "my-secret"
    prometheus.metrics.podMonitor.enabled: true
  asserts:
  - failedTemplate:
      errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!"
    template: templates/deployment.yaml
--- a/unittests/deployment/prometheusServiceMonitor.yaml
+++ b/unittests/deployment/prometheusServiceMonitor.yaml
@@ -0,0 +1,107 @@
 chart:
  appVersion: 0.1.0
  version: 0.1.0
 suite: Add prometheus basic auth variables
 release:
  name: reposilite-unittest
  namespace: testing
 templates:
 - templates/deployment.yaml
 - templates/secretPrometheusBasicAuth.yaml
 tests:
 - it: Rendering default environment variables with enabled prometheus metrics serviceMonitor
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.serviceMonitor.enabled: true
  asserts:
  - exists:
      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
    template: templates/deployment.yaml
  - contains:
      path: spec.template.spec.containers[0].env
      content:
        name: REPOSILITE_PROMETHEUS_PASSWORD
        valueFrom:
          secretKeyRef:
            name: reposilite-unittest-basic-auth-credentials
            key: password
    template: templates/deployment.yaml
  - contains:
      path: spec.template.spec.containers[0].env
      content:
        name: REPOSILITE_PROMETHEUS_USER
        valueFrom:
          secretKeyRef:
            name: reposilite-unittest-basic-auth-credentials
            key: username
    template: templates/deployment.yaml
 - it: Rendering default environment variables with enabled prometheus metrics serviceMonitor and external secret
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
    prometheus.metrics.secret.existing.basicAuthUsernameKey: my-username-key
    prometheus.metrics.secret.existing.basicAuthPasswordKey: my-password-key
    prometheus.metrics.secret.existing.secretName: my-secret
    prometheus.metrics.serviceMonitor.enabled: true
  asserts:
  - notExists:
      path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
    template: templates/deployment.yaml
  - contains:
      path: spec.template.spec.containers[0].env
      content:
        name: REPOSILITE_PROMETHEUS_PASSWORD
        valueFrom:
          secretKeyRef:
            name: my-secret
            key: my-password-key
    template: templates/deployment.yaml
  - contains:
      path: spec.template.spec.containers[0].env
      content:
        name: REPOSILITE_PROMETHEUS_USER
        valueFrom:
          secretKeyRef:
            name: my-secret
            key: my-username-key
    template: templates/deployment.yaml
 - it: Fail when existing secret name is undefined
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
    prometheus.metrics.secret.existing.secretName: ""
    prometheus.metrics.serviceMonitor.enabled: true
  asserts:
  - failedTemplate:
      errorMessage: "Name of the existing secret that contains the credentials for basic auth is not defined!"
    template: templates/deployment.yaml
 - it: Fail when the name of the key in the secret that contains the username for basic auth is undefined
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
    prometheus.metrics.secret.existing.basicAuthUsernameKey: ""
    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
    prometheus.metrics.secret.existing.secretName: "my-secret"
    prometheus.metrics.serviceMonitor.enabled: true
  asserts:
  - failedTemplate:
      errorMessage: "Name of the key in the secret that contains the username for basic auth is not defined!"
    template: templates/deployment.yaml
 - it: Fail when the name of the key in the secret that contains the password for basic auth is undefined
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
    prometheus.metrics.secret.existing.basicAuthPasswordKey: ""
    prometheus.metrics.secret.existing.secretName: "my-secret"
    prometheus.metrics.serviceMonitor.enabled: true
  asserts:
  - failedTemplate:
      errorMessage: "Name of the key in the secret that contains the password for basic auth is not defined!"
    template: templates/deployment.yaml
--- a/unittests/secrets/basicAuth.yaml
+++ b/unittests/secrets/basicAuth.yaml
@@ -0,0 +1,78 @@
 chart:
  appVersion: 0.1.0
  version: 0.1.0
 suite: Secret reposilite template
 release:
  name: reposilite-unittest
  namespace: testing
 templates:
 - templates/secretPrometheusBasicAuth.yaml
 tests:
 - it: Skip rendering
  asserts:
  - hasDocuments:
      count: 0
 - it: Rendering secret with default values.
  set:
    prometheus.metrics.enabled: true
  asserts:
  - hasDocuments:
      count: 1
  - containsDocument:
      apiVersion: v1
      kind: Secret
      name: reposilite-unittest-basic-auth-credentials
      namespace: testing
  - notExists:
      path: metadata.annotations
  - equal:
      path: metadata.labels
      value:
        app.kubernetes.io/instance: reposilite-unittest
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: reposilite
        app.kubernetes.io/version: 0.1.0
        helm.sh/chart: reposilite-0.1.0
  - exists:
      path: stringData.password
  - exists:
      path: stringData.username
 - it: Rendering secret with custom values.
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.new.basicAuthPassword: foo
    prometheus.metrics.secret.new.basicAuthUsername: bar
    prometheus.metrics.secret.new.annotations:
      foo: bar
    prometheus.metrics.secret.new.labels:
      bar: foo
  asserts:
  - hasDocuments:
      count: 1
  - exists:
      path: metadata.annotations
      value:
        foo: bar
  - exists:
      path: metadata.labels
      value:
        bar: foo
  - equal:
      path: metadata.name
      value: reposilite-unittest-basic-auth-credentials
  - equal:
      path: stringData.password
      value: foo
  - equal:
      path: stringData.username
      value: bar
 - it: Skip rendering if existing secret is used
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
  asserts:
  - hasDocuments:
      count: 0
--- a/unittests/serviceMonitors/serviceMonitor.yaml
+++ b/unittests/serviceMonitors/serviceMonitor.yaml
@@ -129,6 +129,10 @@ tests:
 - it: Change defaults
  set:
    prometheus.metrics.enabled: true
    prometheus.metrics.secret.existing.enabled: true
    prometheus.metrics.secret.existing.secretName: "my-secret"
    prometheus.metrics.secret.existing.basicAuthUsernameKey: "my-username-key"
    prometheus.metrics.secret.existing.basicAuthPasswordKey: "my-password-key"
    prometheus.metrics.serviceMonitor.enabled: true
    prometheus.metrics.serviceMonitor.enableHttp2: false
    prometheus.metrics.serviceMonitor.followRedirects: true
@@ -147,6 +151,15 @@ tests:
  asserts:
  - hasDocuments:
      count: 1
  - isSubset:
      path: spec.endpoints[0].basicAuth
      content:
        password:
          key: my-password-key
          name: my-secret
        username:
          key: my-username-key
          name: my-secret
  - equal:
      path: spec.endpoints[0].enableHttp2
      value: false
--- a/values.yaml
+++ b/values.yaml
@@ -396,13 +396,30 @@ persistentVolumeClaim:
 ## @section Prometheus
 prometheus:
  ## @param prometheus.metrics.enabled Enable of scraping metrics by Prometheus.
  ## @param prometheus.metrics.basicAuthUsername Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.
  ## @param prometheus.metrics.basicAuthPassword Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.
  metrics:
    ## @param prometheus.metrics.enabled Enable of scraping metrics by Prometheus.
    enabled: false
-    basicAuthUsername: ""
+
-    basicAuthPassword: ""
+    secret:
      ## @param prometheus.metrics.secret.existing.enabled Use an existing secret containing the basic auth credentials.
      ## @param prometheus.metrics.secret.existing.secretName Name of the secret containing the basic auth credentials.
      ## @param prometheus.metrics.secret.existing.basicAuthUsernameKey Name of the key in the secret that contains the username for basic auth.
      ## @param prometheus.metrics.secret.existing.basicAuthPasswordKey Name of the key in the secret that contains the password for basic auth.
      existing:
        enabled: false
        secretName: ""
        basicAuthUsernameKey: ""
        basicAuthPasswordKey: ""
      ## @param prometheus.metrics.secret.new.annotations Additional secret annotations.
      ## @param prometheus.metrics.secret.new.labels Additional secret labels.
      ## @param prometheus.metrics.secret.new.basicAuthUsername Username for basic auth. The username and password is required by reposilite to expose metrics. Default: random alpha numeric string.
      ## @param prometheus.metrics.secret.new.basicAuthPassword Password for basic auth. The username and password is required by reposilite to expose metrics. Default random alpha numeric string.
      new:
        annotations: {}
        labels: {}
        basicAuthUsername: ""
        basicAuthPassword: ""
    ## @param prometheus.metrics.podMonitor.enabled Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource.
    ## @param prometheus.metrics.podMonitor.annotations Additional podMonitor annotations.