From d790cd3ec448a87f7b251f734dd3ff2db0780c01 Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Wed, 22 Oct 2025 17:14:53 +0200
Subject: [PATCH] fix(secret): enforce basic auth credentials

This patch remove generation of a random string for the username and password of the basic auth credentials. The problem with the random generated basic auth credentials is, that this leads to a new shasum of the secret. GitOps tools like ArgoCD detects a drift trigger a rolling update. To avoid this must now the basic auth credentials be defined to enable prometheus metrics.
---
 templates/secretPrometheusBasicAuth.yaml | 4 +--
 .../deployment/prometheusPodMonitor.yaml | 2 ++
 .../deployment/prometheusServiceMonitor.yaml | 2 ++
 unittests/secrets/basicAuth.yaml | 28 ++++++++++++++++---
 unittests/serviceAccount/serviceAccount.yaml | 8 +++---
 unittests/services/service.yaml | 10 +++----
 6 files changed, 39 insertions(+), 15 deletions(-)

diff --git a/templates/secretPrometheusBasicAuth.yaml b/templates/secretPrometheusBasicAuth.yaml
index 2bb0a9f..0cde2ee 100644
--- a/templates/secretPrometheusBasicAuth.yaml
+++ b/templates/secretPrometheusBasicAuth.yaml
@@ -14,6 +14,6 @@ metadata:
 name: {{ include "reposilite.secrets.prometheusBasicAuth.name" . }}
 namespace: {{ .Release.Namespace }}
 stringData:
- password: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthPassword }}
- username: {{ default (randAlphaNum 16) .Values.prometheus.metrics.secret.new.basicAuthUsername }}
+ password: {{ required "Password for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthPassword }}
+ username: {{ required "Username for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthUsername }}
 {{- end }}
diff --git a/unittests/deployment/prometheusPodMonitor.yaml b/unittests/deployment/prometheusPodMonitor.yaml
index 565058f..f80507f 100644
--- a/unittests/deployment/prometheusPodMonitor.yaml
+++ b/unittests/deployment/prometheusPodMonitor.yaml
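Review bot: The two new `required` lines still emit the credential as an unquoted plain scalar under `stringData`, so a password such as `yes`, `0644` or `1e5`, or one containing `: ` or ` #`, is retyped or breaks the rendered Secret before the cluster sees it, and the stored credential then no longer matches what the scraper will send. Pipe both values through `quote`, e.g. `password: {{ required "Password for basic auth is required!" .Values.prometheus.metrics.secret.new.basicAuthPassword | quote }}` and the same for `username`. A one-line comment above `stringData:` saying that the credentials are deliberately not generated so the Secret's checksum stays stable across renders would keep the reason for this change in the template rather than only in history; note that `required` also rejects an empty string, which the comment can mention. The template block closed by `{{- end }}` starts outside the hunk.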
@@ -13,6 +13,8 @@ tests:
 set:
 prometheus.metrics.enabled: true
 prometheus.metrics.podMonitor.enabled: true
+ prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+ prometheus.metrics.secret.new.basicAuthUsername: "my-username"
 asserts:
 - exists:
 path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
diff --git a/unittests/deployment/prometheusServiceMonitor.yaml b/unittests/deployment/prometheusServiceMonitor.yaml
index 5d43fa3..4856b3f 100644
--- a/unittests/deployment/prometheusServiceMonitor.yaml
+++ b/unittests/deployment/prometheusServiceMonitor.yaml
@@ -13,6 +13,8 @@ tests:
 set:
 prometheus.metrics.enabled: true
 prometheus.metrics.serviceMonitor.enabled: true
+ prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+ prometheus.metrics.secret.new.basicAuthUsername: "my-username"
 asserts:
 - exists:
 path: spec.template.metadata.annotations.checksum/secret-reposilite-unittest-basic-auth-credentials
diff --git a/unittests/secrets/basicAuth.yaml b/unittests/secrets/basicAuth.yaml
index 38ad9a0..5883a11 100644
--- a/unittests/secrets/basicAuth.yaml
+++ b/unittests/secrets/basicAuth.yaml
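Review bot: Both hunks here (prometheusPodMonitor.yaml and prometheusServiceMonitor.yaml) keep only the `exists` assertion on the `checksum/secret-reposilite-unittest-basic-auth-credentials` annotation, so the property this commit exists for — a checksum that no longer changes from one render to the next — is not pinned by either test. Now that the credentials are fixed to `my-username`/`my-password`, an `equal` assertion on that annotation's value, taken from one rendering, would fail the moment per-render randomness is reintroduced; this presumes the annotation is a hash of the rendered Secret, which is not visible in the patch.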
@@ -13,9 +13,29 @@ tests:
 - hasDocuments:
 count: 0

+- it: Throw error for missing basic auth password
+ set:
+ prometheus.metrics.enabled: true
+ # prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+ prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+ asserts:
+ - failedTemplate:
+ errorMessage: "Password for basic auth is required!"
+
+- it: Throw error for missing basic auth username
+ set:
+ prometheus.metrics.enabled: true
+ prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+ # prometheus.metrics.secret.new.basicAuthUsername: "my-username"
+ asserts:
+ - failedTemplate:
+ errorMessage: "Username for basic auth is required!"
+
 - it: Rendering secret with default values.
 set:
 prometheus.metrics.enabled: true
+ prometheus.metrics.secret.new.basicAuthPassword: "my-password"
+ prometheus.metrics.secret.new.basicAuthUsername: "my-username"
 asserts:
 - hasDocuments:
 count: 1
@@ -51,13 +71,13 @@ tests:
 asserts:
 - hasDocuments:
 count: 1
- - exists:
+ - isSubset:
 path: metadata.annotations
- value:
+ content:
 foo: bar
- - exists:
+ - isSubset:
 path: metadata.labels
- value:
+ content:
 bar: foo
 - equal:
 path: metadata.name
diff --git a/unittests/serviceAccount/serviceAccount.yaml b/unittests/serviceAccount/serviceAccount.yaml
index 7157e45..f94587d 100644
--- a/unittests/serviceAccount/serviceAccount.yaml
+++ b/unittests/serviceAccount/serviceAccount.yaml
@@ -53,13 +53,13 @@ tests:
 asserts:
 - hasDocuments:
 count: 1
- - exists:
+ - isSubset:
 path: metadata.annotations
- value:
+ content:
 foo: bar
- - exists:
+ - isSubset:
 path: metadata.labels
- value:
+ content:
 bar: foo
 - equal:
 path: metadata.name
diff --git a/unittests/services/service.yaml b/unittests/services/service.yaml
index e904ece..0e5f65d 100644
--- a/unittests/services/service.yaml
+++ b/unittests/services/service.yaml
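Review bot: The two new failure cases in the first hunk carry commented-out `set` lines (`# prometheus.metrics.secret.new.basicAuthPassword: "my-password"` and the username counterpart) that read as leftovers rather than intent; replace each with a comment that states the purpose, e.g. `# basicAuthPassword deliberately unset`, or drop it. The case that follows is still titled `Rendering secret with default values.` although it now has to set both credentials explicitly because there are no defaults any more, so it should be renamed to something like `Rendering secret with basic auth credentials set.`. A third failure case setting the password to `""` would be worth adding, since `required` treats an empty value as missing and an empty string is the likeliest mistake in a values file. The `exists` to `isSubset` switch in the second hunk, and the identical one in serviceAccount.yaml, are straightforward.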
@@ -78,35 +78,35 @@ tests:
 service.internalTrafficPolicy: ""
 asserts:
 - failedTemplate:
- errorMessage: No internal traffic policy defined!
+ errorMessage: No internal traffic policy defined!

 - it: Require port.
 set:
 service.port: ""
 asserts:
 - failedTemplate:
- errorMessage: No service port defined!
+ errorMessage: No service port defined!

 - it: Require scheme.
 set:
 service.scheme: ""
 asserts:
 - failedTemplate:
- errorMessage: No service scheme defined!
+ errorMessage: The scheme of the serviceMonitor is not defined!

 - it: Require sessionAffinity.
 set:
 service.sessionAffinity: ""
 asserts:
 - failedTemplate:
- errorMessage: No session affinity defined!
+ errorMessage: No session affinity defined!

 - it: Require service type.
 set:
 service.type: ""
 asserts:
 - failedTemplate:
- errorMessage: No service type defined!
+ errorMessage: No service type defined!

 - it: Render service with custom annotations and labels.
 set:
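Review bot: The `Require scheme.` case now expects `The scheme of the serviceMonitor is not defined!` for an empty `service.scheme`, which points a user at the ServiceMonitor when the value they left blank belongs to the Service; presumably the Service template reuses the ServiceMonitor's message (that template is not in the patch) and should get its own wording, for instance the `No service scheme defined!` this test asserted before. The other four `-`/`+` pairs in this hunk are identical in the collapsed text shown here, so they appear to be whitespace-only changes, and together with the message change the whole hunk is unrelated to the `fix(secret)` subject and would be easier to review in its own commit. The test list continues outside the hunk (`Render service with custom annotations and labels.` is cut off after `set:`).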