From 3265932328624d2fcecb39263b15ddbf022e90dd Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Mon, 1 Nov 2021 10:24:12 -0500 Subject: [PATCH 1/5] template st2client config --- templates/deployments.yaml | 4 +--- templates/jobs.yaml | 8 ++------ values.yaml | 16 ++++++++++++++++ 3 files changed, 19 insertions(+), 9 deletions(-) diff --git a/templates/deployments.yaml b/templates/deployments.yaml index d1458cc6..5e99c511 100644 --- a/templates/deployments.yaml +++ b/templates/deployments.yaml @@ -1499,9 +1499,7 @@ spec: - '-ec' - | cat < /root/.st2/config - [credentials] - username = ${ST2_AUTH_USERNAME} - password = ${ST2_AUTH_PASSWORD} + {{- tpl .Values.st2client.st2clientConfig . | nindent 12 }} EOT containers: - name: st2client diff --git a/templates/jobs.yaml b/templates/jobs.yaml index 59ab9cbd..8d1d4b5b 100644 --- a/templates/jobs.yaml +++ b/templates/jobs.yaml @@ -166,9 +166,7 @@ spec: - '-ec' - | cat < /root/.st2/config - [credentials] - username = ${ST2_AUTH_USERNAME} - password = ${ST2_AUTH_PASSWORD} + {{- tpl .Values.jobs.st2clientConfig . | nindent 12 }} EOT containers: - name: st2-apikey-load @@ -282,9 +280,7 @@ spec: - '-ec' - | cat < /root/.st2/config - [credentials] - username = ${ST2_AUTH_USERNAME} - password = ${ST2_AUTH_PASSWORD} + {{- tpl .Values.jobs.st2clientConfig . | nindent 12 }} EOT containers: - name: st2-key-load diff --git a/values.yaml b/values.yaml index 0dc843ca..f14a36c4 100644 --- a/values.yaml +++ b/values.yaml 
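Review bot: The added `{{- tpl .Values.st2client.st2clientConfig . | nindent 12 }}` line in templates/deployments.yaml puts values-supplied text inside a heredoc that the shell expands, so `$(...)` and backticks in the config are evaluated as well as `${VAR}`, and a config line consisting only of `EOT` would end the heredoc and leave the remaining lines to run as commands under `-ec`. Both `tpl .Values.jobs.st2clientConfig` hunks in templates/jobs.yaml have the same property. Expansion cannot be switched off without losing the `${ST2_AUTH_USERNAME}` substitution, so I would record the constraint as a comment on each initContainer, for example `# st2clientConfig is rendered into a shell-expanded heredoc: write a literal $ as \$ and never emit a bare EOT line`. The heredoc operator is garbled on this page and the initContainer starts and ends outside the hunk, so this is inferred from the `EOT` terminator and the values.yaml comment about a bash heredoc.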
@@ -623,6 +623,14 @@ st2sensorcontainer: # The st2client deployment/pod simplifies ad-hoc administration. # st2client is a special purpose actionrunner pod, but you can customize it separately st2client: + # st2client config (~/.st2/config) template for jobs that need it. + # You can access env variables here because this is used in a bash heredoc. + # For example, you could use a var injected with envFromSecrets. + # Note that Helm templating is supported in this block! + st2clientConfig: | + [credentials] + username = ${ST2_AUTH_USERNAME} + password = ${ST2_AUTH_PASSWORD} env: {} # HTTP_PROXY: http://proxy:1234 ## These named secrets (managed outside this chart) will be added to envFrom. @@ -725,6 +733,14 @@ st2chatops: ## Various batch jobs (apply-rbac-definitions, apikey-load, key-load, register-content) ## jobs: + # st2client config (~/.st2/config) template for jobs that need it. + # You can access env variables here because this is used in a bash heredoc. + # For example, you could use a var injected with envFromSecrets. + # Note that Helm templating is supported in this block! + st2clientConfig: | + [credentials] + username = ${ST2_AUTH_USERNAME} + password = ${ST2_AUTH_PASSWORD} annotations: {} # Override default image settings (for now, only tag can be overridden) # The Jobs use the st2actionrunner image From afb98d8a7d2218a9eda5bf67e1a2bdf08b154b97 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Mon, 1 Nov 2021 10:31:01 -0500 Subject: [PATCH 2/5] add envFromSecrets to generate-st2client-config initContainers --- templates/deployments.yaml | 4 ++++ templates/jobs.yaml | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/templates/deployments.yaml b/templates/deployments.yaml index 5e99c511..2d502c4c 100644 --- a/templates/deployments.yaml +++ b/templates/deployments.yaml 
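Review bot: The new comment block above `st2clientConfig` under `st2client:` says env variables can be used, but not that everything typed here is rendered into the initContainer's command, so a secret written literally instead of as a `${VAR}` reference would end up in the Deployment/Job spec and in the stored Helm release. I would add `# Keep secrets as ${VAR} references (e.g. from envFromSecrets); literal values are rendered into the pod spec.` and, because the shell expands this text, `# Write a literal $ as \$.`. The identical block added under `jobs:` in the second hunk needs the same two lines. As a style point, the default config is duplicated in both places and the two copies can drift; whether a shared default is practical depends on template code outside this patch.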
@@ -1490,6 +1490,10 @@ spec: name: {{ .Release.Name }}-st2-urls - secretRef: name: {{ .Release.Name }}-st2-auth + {{- range .Values.st2client.envFromSecrets }} + - secretRef: + name: {{ . }} + {{- end }} volumeMounts: - name: st2client-config-vol mountPath: /root/.st2/ diff --git a/templates/jobs.yaml b/templates/jobs.yaml index 8d1d4b5b..64a87ab8 100644 --- a/templates/jobs.yaml +++ b/templates/jobs.yaml @@ -157,6 +157,10 @@ spec: name: {{ .Release.Name }}-st2-urls - secretRef: name: {{ .Release.Name }}-st2-auth + {{- range .Values.jobs.envFromSecrets }} + - secretRef: + name: {{ . }} + {{- end }} volumeMounts: - name: st2client-config-vol mountPath: /root/.st2/ @@ -271,6 +275,10 @@ spec: name: {{ .Release.Name }}-st2-urls - secretRef: name: {{ .Release.Name }}-st2-auth + {{- range .Values.jobs.envFromSecrets }} + - secretRef: + name: {{ . }} + {{- end }} volumeMounts: - name: st2client-config-vol mountPath: /root/.st2/ From 9887e5794727730b5f694435ca3006a288147e4d Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Mon, 1 Nov 2021 10:35:47 -0500 Subject: [PATCH 3/5] add changelog entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 80ed731c..4fdfc845 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
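Review bot: In the added `range .Values.st2client.envFromSecrets` block of templates/deployments.yaml, `name: {{ . }}` is emitted unquoted, so a secret name that YAML reads as a number or boolean would not render as a string; `name: {{ . | quote }}` avoids that. The two `range .Values.jobs.envFromSecrets` hunks in templates/jobs.yaml contain the same line. The entries are appended after the `{{ .Release.Name }}-st2-auth` secretRef, and Kubernetes gives the last `envFrom` source precedence on duplicate keys, so a custom secret that defines `ST2_AUTH_USERNAME` or `ST2_AUTH_PASSWORD` would replace the chart's credentials in the generated config. If that override is intended, a comment such as `# user secrets are listed last and override keys from the chart-managed secrets` would make it explicit. The `envFrom` list starts outside the hunk.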
@@ -11,6 +11,7 @@ * Some `helm upgrades` do not need to run all the jobs. An upgrade that only touches RBAC config, for example, does not need to run the register-content job. Use `--set 'jobs.skip={apikey_load,key_load,register_content}'` to skip the other jobs. (#255) (by @cognifloyd) * Refactor deployments/jobs to inject st2 username/password via `envFrom` instead of via `env`. (#257) (by @cognifloyd) * New feature: Add `envFromSecrets` to `st2actionrunner`, `st2client`, `st2sensorcontainer`, and jobs. This is useful for adding custom secrets to the environment. This complements the `extra_volumes` feature (loading secrets as files) to facilitate loading secrets that are not easily injected via the filesystem. (#259) (by @cognifloyd) +* Template `~/.st2/config`. This allows customizing the settings used by the `st2client` and jobs pods for using the st2 apis. (#262) (by @cognifloyd) ## v0.70.0 * New feature: Shared packs volumes `st2.packs.volumes`. Allow using cluster-specific persistent volumes to store packs, virtualenvs, and (optionally) configs. This enables using `st2 pack install`. It even works with `st2packs` images in `st2.packs.images`. (#199) (by @cognifloyd) From e46fa5062c3da12f0b22c6340b0272b83231f912 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Mon, 1 Nov 2021 10:57:08 -0500 Subject: [PATCH 4/5] correct docstring --- values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values.yaml b/values.yaml index f14a36c4..a19ab42f 100644 --- a/values.yaml +++ b/values.yaml 
@@ -623,7 +623,7 @@ st2sensorcontainer: # The st2client deployment/pod simplifies ad-hoc administration. # st2client is a special purpose actionrunner pod, but you can customize it separately st2client: - # st2client config (~/.st2/config) template for jobs that need it. + # st2client config (~/.st2/config) template. # You can access env variables here because this is used in a bash heredoc. # For example, you could use a var injected with envFromSecrets. # Note that Helm templating is supported in this block! From 9929d1580b2ac206bfbeeee4ed241adb92c9a7c1 Mon Sep 17 00:00:00 2001 From: Jacob Floyd Date: Wed, 10 Nov 2021 09:46:34 -0600 Subject: [PATCH 5/5] include st2clientConfig link --- values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/values.yaml b/values.yaml index 7c3b24d8..6fd49aab 100644 --- a/values.yaml +++ b/values.yaml @@ -624,6 +624,7 @@ st2sensorcontainer: # st2client is a special purpose actionrunner pod, but you can customize it separately st2client: # st2client config (~/.st2/config) template. + # see: https://docs.stackstorm.com/reference/cli.html#configuration-file # You can access env variables here because this is used in a bash heredoc. # For example, you could use a var injected with envFromSecrets. # Note that Helm templating is supported in this block! @@ -738,6 +739,7 @@ st2chatops: ## jobs: # st2client config (~/.st2/config) template for jobs that need it. + # see: https://docs.stackstorm.com/reference/cli.html#configuration-file # You can access env variables here because this is used in a bash heredoc. # For example, you could use a var injected with envFromSecrets. # Note that Helm templating is supported in this block!