From 322c995c30e53d237ee731afdf0aa5da5c828f7e Mon Sep 17 00:00:00 2001 From: David Hadley Date: Fri, 19 Dec 2025 15:08:09 +0000 Subject: [PATCH] feat(charts): deterministic postgres secrets, sealed in host cluster --- charts/workflows-cluster/Chart.lock | 6 +- charts/workflows-cluster/Chart.yaml | 4 +- .../charts/secrets/Chart.yaml | 2 +- .../charts/secrets/templates/postgres.yaml | 126 ++++++++++++++++++ charts/workflows-cluster/staging-values.yaml | 4 + charts/workflows-cluster/values.yaml | 4 + charts/workflows/Chart.yaml | 2 +- charts/workflows/templates/_helpers.tpl | 14 -- ...postgres-application-passwords-secret.yaml | 8 -- .../postgres-initdb-script-secret.yaml | 7 - .../templates/postgres-passwords-secret.yaml | 14 -- charts/workflows/values.yaml | 10 +- 12 files changed, 146 insertions(+), 55 deletions(-) create mode 100644 charts/workflows-cluster/charts/secrets/templates/postgres.yaml delete mode 100644 charts/workflows/templates/_helpers.tpl delete mode 100644 charts/workflows/templates/postgres-application-passwords-secret.yaml delete mode 100644 charts/workflows/templates/postgres-initdb-script-secret.yaml delete mode 100644 charts/workflows/templates/postgres-passwords-secret.yaml diff --git a/charts/workflows-cluster/Chart.lock b/charts/workflows-cluster/Chart.lock index 223b7750e..f47de5b30 100644 --- a/charts/workflows-cluster/Chart.lock +++ b/charts/workflows-cluster/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 0.27.0 - name: secrets repository: file://./charts/secrets - version: 0.0.1 -digest: sha256:30a9de6808bdfa2051a4e45b6d59c9db02629094c86d79b9724ef465bc17468c -generated: "2025-08-28T16:18:55.766799125+01:00" + version: 0.0.2 +digest: sha256:f27e589c7a4ccf600d5417c3f6382c6c5feb5d2e1f9fb1200a1a5461f0036b44 +generated: "2025-12-19T15:35:52.972800866Z" diff --git a/charts/workflows-cluster/Chart.yaml b/charts/workflows-cluster/Chart.yaml index 2c94b8b37..e3409eacf 100644 --- a/charts/workflows-cluster/Chart.yaml 
+++ b/charts/workflows-cluster/Chart.yaml @@ -3,7 +3,7 @@ name: workflows-cluster description: A virtual cluster for Data Analysis workflows type: application -version: 0.9.22 +version: 0.9.23 dependencies: - name: common version: 2.23.0 @@ -13,5 +13,5 @@ dependencies: version: 0.27.0 - name: secrets repository: file://./charts/secrets - version: 0.0.1 + version: 0.0.2 condition: secrets.enabled diff --git a/charts/workflows-cluster/charts/secrets/Chart.yaml b/charts/workflows-cluster/charts/secrets/Chart.yaml index 1b483d3c9..5f6454d17 100644 --- a/charts/workflows-cluster/charts/secrets/Chart.yaml +++ b/charts/workflows-cluster/charts/secrets/Chart.yaml @@ -3,7 +3,7 @@ name: secrets description: Sealed secrets for the workflows platform type: application -version: 0.0.1 +version: 0.0.2 dependencies: - name: common diff --git a/charts/workflows-cluster/charts/secrets/templates/postgres.yaml b/charts/workflows-cluster/charts/secrets/templates/postgres.yaml new file mode 100644 index 000000000..10829e6fc --- /dev/null +++ b/charts/workflows-cluster/charts/secrets/templates/postgres.yaml 
@@ -0,0 +1,126 @@ +{{- if eq .Values.cluster "argus" }} +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: postgres-passwords + namespace: workflows +spec: + encryptedData: + password: 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 + repmgr-password: AgA5B9YCmaGaKHBdArNs1iulEYfTCHuqOXX1nlYGlgHI0n6HI/8y5ifBT4o8sJ6FsfXjrm8ryWTsbL3qUmBwqeG7ypyqKDyfOt9r38b+Djkp78X4Uskl8Ctu63zHZGU0SFDSWEJtSDU4pMAQ+JsZlGX+Yz2VQ4gScfiXcLAkwg4bJboJ8MZqbuIEQCCcdosn3+XsUVihBXyINvZdVhhtloESFZ9JiEGHhlddjHye+EcSvs3Q6vUwWQARL3kVjJA2ADN4K+xkGiJrRR4q2E2RCmtPqNTq+mMj1fX8EWibP+vtzwFN+uFDVMIkVKEdv8FUVWST+DDmfcvBvahLtu1jBIdJnBlg+kzTkuDRyBlYDmdaoPqNB3tS05I+JdJYZjhKMksRyNj0/LI302OiGbi06dyLc09+rh0JlwOgSsT/h9P9g3nkDB0/S6+xKESTWryvkNy6LBwUFPB0wsjzC3r/34/WgDCw7GStcRw69bFjQicjPePwpKTU6ZIDTQ7rIfjK/f0DcxHgG1k9V9OWe5UJTxM3JInZ8wlaH1/Ird5T2roIYaF1FOFAveWY13KRrOr3HAwVE2PfynGOnGwlkZjAtXO+hawdRR2v1DWAgE2A8lXb7KeCg16JLBkb3aVH0MTXtCqTMZii16vUjzt8nFERLC8K2IZ1jxXJkHDWhpxbBMmeHNoQ1b4PEQcxiqQ7S6xNvCUXliBSdSsYfuDqliUBo4cG7ouJCtUauN8= + template: + metadata: + annotations: + kubernetes.io/service-account.name: workflows-user + name: postgres-passwords + namespace: workflows + type: Opaque +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: postgres-application-passwords + namespace: workflows +spec: + encryptedData: + passwords: 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 + usernames: 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 + template: + metadata: + name: postgres-application-passwords + namespace: workflows + type: Opaque +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: postgres-argo-workflows-password + namespace: workflows +spec: + encryptedData: + password: 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 + username: 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 + template: + metadata: + name: postgres-argo-workflows-password + namespace: workflows + type: Opaque +--- +apiVersion: 
bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: postgres-initdb-script + namespace: workflows +spec: + encryptedData: + init.sql: 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 + template: + metadata: + name: postgres-initdb-script + namespace: workflows + type: Opaque +{{- else if eq .Values.cluster "pollux" }} +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: postgres-passwords + namespace: workflows +spec: + encryptedData: + password: AgCD975klQIo4jCf3FWAlH5aszS+9Z6NH1pf2vS7v4FhXhgpcluoXv6YTcMPC5HJeH/sHHEEP391HhCSDOMaz04QssT3/E50GKFV7AJKdSuwYElt5qz0AzQVTdx2m5i+r/XzEOSAdQ7IghGx8h0pHNUC6uuU+9ByNBWYB1RtmOLGKir6la2TjQkogQz/JAK9GFjkw04XL6c678Swq8jS0KbrTzJYyVC1HVKVUNQGZ8N74ZiZaFz1tevpUINykrROYVhbNliuDVG7YCjKAFDWiQ+hpDxRzHjf7f5wJqlAsIgOZF/w/6t6vz+0tJoPZ2sqTftaZvc6VN0P+kTeXysQa4xfqKpsNbFWrvvjWQLzt25nM79KrDuDduUEcyX35gtBRIUx10gXCEb2SfiLvnYfg/MKTf/n00PBrWXi5h/bxWUKfg+Q330KMCha7iJVreUTk+sR+RIBs04mh+X2PR7EYCUBT474JZTidgN5tUxs4Lyd9q7dTxPklt4b0vzx5JOJPk55clWJe52u2O/49iYAnn0ZFlXqmW/qOzIGDENwdZxr8X80QtAtglhN7lkRaGIQ7zldaaiiEs0PsiAs0ITiO6L6plB71WOS5XiJg3hk+dcz1xZT+/OScHiOIZjFZ5AmTs+IW4EWIzNJ/kcVwe1Iz1pvK/AMvCGn2Hso9+IdBT/liheBP3eD09PPlyR6jyVMdtL+CF58UEAKE+qlUb6g5N+a/wo2helYJH1k25+kiZTPDQ== + repmgr-password: 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 + template: + metadata: + annotations: + kubernetes.io/service-account.name: workflows-user + name: postgres-passwords + namespace: workflows + type: Opaque +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: postgres-application-passwords + namespace: workflows +spec: + encryptedData: + passwords: 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 + usernames: 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 + template: + metadata: + name: postgres-application-passwords + namespace: workflows + type: Opaque +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: postgres-argo-workflows-password + namespace: workflows 
+spec: + encryptedData: + password: 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 + username: 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 + template: + metadata: + name: postgres-argo-workflows-password + namespace: workflows + type: Opaque +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: postgres-initdb-script + namespace: workflows +spec: + encryptedData: + init.sql: AgCMAUcfIwMH/y8FT+D0BXHm1mi/nvns0v4Shcn0Wq9Jg2wYh2SqSd2nFMU4pNZuONu/HEwiAtGQHy3Ev7bw971itFoDRSsAUpV16wdYGF7ic30D9NWFuvmjjqhIdx/SeT+MplRKSLIKvoyCrNEjra9xNdVoOi3cm0nT4w9UChEre4SfJMiMLZQX2tmfQTKASdJsx5XvV1YhIftb9ZWKbjfYDRCxLOI/mTV6aMluGEaHkQSH9/m24asuyax6gcZOpzLpIKKivLhj8NMBWAzY2YUFqxrZ/D6W6Ycr/iMhogHr2vnCCSWM8xlNPf6XBqqfipCn9URdCtC9glSnppXJpldB+m9iorTluvNQc/pro524VIWA/ANs92WqZqSVHt4b9E9gTX5FVeEYI4HCar/jAHK2FqWWaBXwAq54UfhTAQaJO/WbCUyzWHc+VAZld+RhxXpv+WKJjlq4qHREiDCUIYfRLPBM0+eQLQeNdG35LIFkIRYVQosClzyV7HlvFLqx3lUOi6zEYq3p4d9AlVsI78PjYrORlKnIhYWbV4kTnxfFaZvu9NO1toVnQFhwDavtBjI2iN+0ndpE4GLHc3TrKB7fLgh1vMJE5ZfbVTQqxihePNYyfFLsaCINu2bxR/32qYKVzH+4B/jpvv98Q1EcKPOvPh1t6eBgP1z10JNDEN3fzTjoHMb9kVxHfJHNjS8/gONdr1R8FN0OFXy9ZTrTP17rw7m1nkVAvkFiW0fw3z+bj9EP/iWCfmMsDqDRAEsecVK0TaQKX66EYXuI+/Vtfoi1+K+reVFCV0vB4ip1h9HfjWuSisx8swgrnA52BDpYcJ9YZV0DPwWPjReBlLiY6cOtlkuV8R15So+L + template: + metadata: + name: postgres-initdb-script + namespace: workflows + type: Opaque +{{ else }} +{{- end }} diff --git a/charts/workflows-cluster/staging-values.yaml b/charts/workflows-cluster/staging-values.yaml index 372cac0a1..0970e87f1 100644 --- a/charts/workflows-cluster/staging-values.yaml +++ b/charts/workflows-cluster/staging-values.yaml 
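Review bot: The trailing `{{ else }}` branch is empty, so any `.Values.cluster` other than `argus` or `pollux` renders no postgres secrets at all, and this commit also deletes the charts/workflows templates that used to generate them. Unless some clusters are meant to run without these secrets, fail the render instead: `{{- else }}` followed by `{{- fail (printf "no sealed postgres secrets for cluster %q" .Values.cluster) }}`. Separately, the `kubernetes.io/service-account.name: workflows-user` annotation on both `postgres-passwords` templates sits on a `type: Opaque` secret, where it looks like a copy-paste leftover; drop it or explain it in a comment.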
@@ -68,6 +68,10 @@ vcluster: "/sessionspaces-ispyb": "kube-system/sessionspaces-ispyb" "/artifact-s3-secret": "graph-proxy/artifact-s3-secret" "/s3-artifact": "workflows/artifact-s3" + "/postgres-passwords": "workflows/postgres-passwords" + "/postgres-argo-workflows-password": "workflows/postgres-argo-workflows-password" + "/postgres-application-passwords": "workflows/postgres-application-passwords" + "/postgres-initdb-script": "workflows/postgres-initdb-script" ingress: secretName: letsencrypt-kubernetes-staging-workflows-diamond-ac-uk diff --git a/charts/workflows-cluster/values.yaml b/charts/workflows-cluster/values.yaml index 7427a5c70..0895e42d5 100644 --- a/charts/workflows-cluster/values.yaml +++ b/charts/workflows-cluster/values.yaml @@ -123,6 +123,10 @@ vcluster: "/sessionspaces-ispyb": "kube-system/sessionspaces-ispyb" "/artifact-s3-secret": "graph-proxy/artifact-s3-secret" "/s3-artifact": "workflows/artifact-s3" + "/postgres-passwords": "workflows/postgres-passwords" + "/postgres-argo-workflows-password": "workflows/postgres-argo-workflows-password" + "/postgres-application-passwords": "workflows/postgres-application-passwords" + "/postgres-initdb-script": "workflows/postgres-initdb-script" rbac: clusterRole: enabled: false diff --git a/charts/workflows/Chart.yaml b/charts/workflows/Chart.yaml index 2ec81587d..b8789af43 100644 --- a/charts/workflows/Chart.yaml +++ b/charts/workflows/Chart.yaml @@ -3,7 +3,7 @@ name: workflows description: Data Analysis workflow orchestration type: application -version: 0.13.28 +version: 0.13.29 dependencies: - name: argo-workflows diff --git a/charts/workflows/templates/_helpers.tpl b/charts/workflows/templates/_helpers.tpl deleted file mode 100644 index e67c9a2b8..000000000 --- a/charts/workflows/templates/_helpers.tpl +++ /dev/null 
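Review bot: The four `/postgres-*` mappings added here, and the identical four in the charts/workflows-cluster/values.yaml hunk that follows, have no comment tying them to charts/secrets/templates/postgres.yaml, where the same names and `namespace: workflows` are hard-coded. Those SealedSecrets carry no scope annotation, so they fall under the controller's default strict scope and only decrypt under exactly that name and namespace; a rename on either side leaves the mapping pointing at a secret that never appears. I would add above the block `# unsealed from charts/secrets/templates/postgres.yaml; name and namespace are bound into the ciphertext, re-seal before renaming`. These entries presumably also copy the postgres superuser and repmgr passwords into the virtual cluster, so secret read access in its `workflows` namespace should be checked against who needs it. The enclosing mapping key starts outside both hunks.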
@@ -1,14 +0,0 @@ -{{/* -Create a new password for the argo_workflows user in postgres -*/}} -{{- define "workflows.argoWorkflowsPostgresPassword" }} -{{- $existing := (lookup "v1" "Secret" .Release.Namespace "postgres-application-passwords") }} - {{- if $existing }} - {{- index $existing.data "password" | b64dec }} - {{- else }} - {{- if not (index .Release "argoWorkflowsPostgresPassword" ) -}} - {{- $_ := set .Release "argoWorkflowsPostgresPassword" (randAlphaNum 24) }} - {{- end }} - {{- index .Release "argoWorkflowsPostgresPassword" }} - {{- end }} -{{- end }} diff --git a/charts/workflows/templates/postgres-application-passwords-secret.yaml b/charts/workflows/templates/postgres-application-passwords-secret.yaml deleted file mode 100644 index 6cae6638c..000000000 --- a/charts/workflows/templates/postgres-application-passwords-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: postgres-application-passwords -data: - usernames: {{ print "argo_workflows" | b64enc }} - passwords: {{ include "workflows.argoWorkflowsPostgresPassword" . | b64enc }} - diff --git a/charts/workflows/templates/postgres-initdb-script-secret.yaml b/charts/workflows/templates/postgres-initdb-script-secret.yaml deleted file mode 100644 index 5e9bb443f..000000000 --- a/charts/workflows/templates/postgres-initdb-script-secret.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: postgres-initdb-script -data: - init.sql: {{ printf "CREATE USER argo_workflows WITH PASSWORD '%s';\nCREATE DATABASE argo_workflows OWNER argo_workflows;" (include "workflows.argoWorkflowsPostgresPassword" .) | b64enc }} - diff --git a/charts/workflows/templates/postgres-passwords-secret.yaml b/charts/workflows/templates/postgres-passwords-secret.yaml deleted file mode 100644 index 7363eb201..000000000 --- a/charts/workflows/templates/postgres-passwords-secret.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -{{ $existing := lookup "v1" "Secret" .Release.Namespace "postgres-passwords" }} -apiVersion: v1 -kind: Secret -metadata: - name: postgres-passwords -data: - {{- if $existing }} - password: {{ index $existing.data "password" }} - repmgr-password: {{ index $existing.data "repmgr-password" }} - {{- else }} - password: {{ randAlphaNum 24 | b64enc }} - repmgr-password: {{ randAlphaNum 24 | b64enc }} - {{- end }} - diff --git a/charts/workflows/values.yaml b/charts/workflows/values.yaml index bde233a4c..b355cd44c 100644 --- a/charts/workflows/values.yaml +++ b/charts/workflows/values.yaml @@ -28,11 +28,11 @@ argo-workflows: database: argo_workflows tableName: workflows userNameSecret: - name: postgres-application-passwords - key: usernames + name: postgres-argo-workflows-password + key: username passwordSecret: - name: postgres-application-passwords - key: passwords + name: postgres-argo-workflows-password + key: password workflowDefaults: spec: serviceAccountName: argo-workflow @@ -92,7 +92,7 @@ postgresql-ha: pgpool: image: repository: bitnamilegacy/pgpool - exisitingSecret: pgpool-passwords + existingSecret: pgpool-passwords customUsersSecret: postgres-application-passwords resources: requests:
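Review bot: `userNameSecret` and `passwordSecret` now read from `postgres-argo-workflows-password`, while `customUsersSecret: postgres-application-passwords` further down and the sealed `init.sql` presumably still carry the same argo_workflows credential, and nothing in the chart ties the three together. They are sealed independently, so re-sealing one without the others would only show up as authentication failures at runtime. The removed `init.sql` template also suggests the password is set by a `CREATE USER` statement, which may not be re-run on an existing database. A comment above `userNameSecret` would help, for example `# credential must match postgres-application-passwords and postgres-initdb-script; re-seal all three together`. The enclosing `argo-workflows` persistence block starts outside the hunk.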
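Review bot: Correcting `exisitingSecret` to `existingSecret` means `pgpool-passwords` is now actually passed to the chart, where the misspelled key was presumably ignored before, yet no secret of that name is created or mapped anywhere in this commit. The new template seals only `postgres-passwords`, `postgres-application-passwords`, `postgres-argo-workflows-password` and `postgres-initdb-script`, and the vcluster mappings list the same four. If `pgpool-passwords` is not provided elsewhere, pgpool will likely fail to start on the missing secret. Either seal and map it alongside the others or record its origin with a comment such as `# pgpool-passwords is created by <PLACEHOLDER: source of this secret>`.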