fix(secret): enforce basic auth credentials

This patch remove generation of a random string for the username and password of
the basic auth credentials.

The problem with the random generated basic auth credentials is, that this leads
to a new shasum of the secret. GitOps tools like ArgoCD detects a drift trigger
a rolling update.

To avoid this must now the basic auth credentials be defined to enable
prometheus metrics.
This commit is contained in:
2025-10-22 17:14:53 +02:00
parent d2c329e1be
commit d790cd3ec4
6 changed files with 39 additions and 15 deletions

View File

@@ -14,6 +14,6 @@ metadata:
name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
namespace: {{ .Release.Namespace }}
stringData:
password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthPassword }}
username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthUsername }}
password: {{ required "Password for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthPassword }}
username: {{ required "Username for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthUsername }}
{{- end }}

View File

@@ -13,6 +13,8 @@ tests:
set:
prometheus.metrics.enabled: true
prometheus.metrics.podMonitor.enabled: true
prometheus.metrics.secret.new.basicAuthPassword: "my-password"
prometheus.metrics.secret.new.basicAuthUsername: "my-username"
asserts:
- exists:
path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials

View File

@@ -13,6 +13,8 @@ tests:
set:
prometheus.metrics.enabled: true
prometheus.metrics.serviceMonitor.enabled: true
prometheus.metrics.secret.new.basicAuthPassword: "my-password"
prometheus.metrics.secret.new.basicAuthUsername: "my-username"
asserts:
- exists:
path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials

View File

@@ -13,9 +13,29 @@ tests:
- hasDocuments:
count: 0
- it: Throw error for missing basic auth password
set:
prometheus.metrics.enabled: true
# prometheus.metrics.secret.new.basicAuthPassword: "my-password"
prometheus.metrics.secret.new.basicAuthUsername: "my-username"
asserts:
- failedTemplate:
errorMessage: "Password for basic auth is required!"
- it: Throw error for missing basic auth username
set:
prometheus.metrics.enabled: true
prometheus.metrics.secret.new.basicAuthPassword: "my-password"
# prometheus.metrics.secret.new.basicAuthUsername: "my-username"
asserts:
- failedTemplate:
errorMessage: "Username for basic auth is required!"
- it: Rendering secret with default values.
set:
prometheus.metrics.enabled: true
prometheus.metrics.secret.new.basicAuthPassword: "my-password"
prometheus.metrics.secret.new.basicAuthUsername: "my-username"
asserts:
- hasDocuments:
count: 1
@@ -51,13 +71,13 @@ tests:
asserts:
- hasDocuments:
count: 1
- exists:
- isSubset:
path: metadata.annotations
value:
content:
foo: bar
- exists:
- isSubset:
path: metadata.labels
value:
content:
bar: foo
- equal:
path: metadata.name

View File

@@ -53,13 +53,13 @@ tests:
asserts:
- hasDocuments:
count: 1
- exists:
- isSubset:
path: metadata.annotations
value:
content:
foo: bar
- exists:
- isSubset:
path: metadata.labels
value:
content:
bar: foo
- equal:
path: metadata.name

View File

@@ -78,35 +78,35 @@ tests:
service.internalTrafficPolicy: ""
asserts:
- failedTemplate:
errorMessage: No internal traffic policy defined!
errorMessage: No internal traffic policy defined!
- it: Require port.
set:
service.port: ""
asserts:
- failedTemplate:
errorMessage: No service port defined!
errorMessage: No service port defined!
- it: Require scheme.
set:
service.scheme: ""
asserts:
- failedTemplate:
errorMessage: No service scheme defined!
errorMessage: The scheme of the serviceMonitor is not defined!
- it: Require sessionAffinity.
set:
service.sessionAffinity: ""
asserts:
- failedTemplate:
errorMessage: No session affinity defined!
errorMessage: No session affinity defined!
- it: Require service type.
set:
service.type: ""
asserts:
- failedTemplate:
errorMessage: No service type defined!
errorMessage: No service type defined!
- it: Render service with custom annotations and labels.
set: