generate secres manually

raresfirebolt · Mar 18, 2021 · 528c6e2 · 528c6e2
1 parent 88d1bb4
commit 528c6e2
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 3 deletions.
diff --git a/charts/repo/timescaledb-multinode-0.8.1.tgz b/charts/repo/timescaledb-multinode-0.8.1.tgz
diff --git a/charts/timescaledb-multinode/Chart.yaml b/charts/timescaledb-multinode/Chart.yaml
@@ -4,7 +4,7 @@
 apiVersion: v1
 name: timescaledb-multinode
 description: 'TimescaleDB Multinode Deployment.'
-version: 0.8.0
+version: 0.8.1
 # appVersion specifies the version of the software, which can vary wildly,
 # e.g. TimescaleDB 1.4.1 on PostgreSQL 11 or TimescaleDB 1.5.0 on PostgreSQL 12.
 # https://github.com/helm/helm/blob/master/docs/charts.md#the-appversion-field

diff --git a/charts/timescaledb-multinode/README.md b/charts/timescaledb-multinode/README.md
@@ -38,6 +38,25 @@ Alternatively, a YAML file that specifies the values for the parameters can be p
 ```console
 helm upgrade --install my-release -f myvalues.yaml .
 ```
+### Secret override
+
+In order to not have secrets stored in git, you can manually generate secrets for timescaledb-access endpoint and timescaledb-data endpoint.
+
+In values.yaml set:
+```console
+credentials:
+  fromValues: false
+```
+
+Then generate the secrets
+```console
+random_password () { < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32; }
+```
+
+```console
+kubectl create secret generic `my-release`-access --from-literal=password-superuser='<manually_generated_timescaledb-access_password>'
+kubectl create secret generic `my-release`-data --from-literal=password-superuser='<manually_generated_client_timescaledb-data_password>'
+```
 
 For details about what parameters you can set, have a look at the [Administrator Guide](admin-guide.md#configure)
 
@@ -108,6 +127,13 @@ our [TimescaleDB > Tutorial: Scaling out TimescaleDB](https://docs.timescale.com
 to create distributed hypertables and start using multinode TimescaleDB.
 
 ### Connecting from another pod
+If you are connecting from another pod you can disable external access completely by changing the service typpe from LoadBalancer to ClusterIP. Edit the following in values.yaml:
+
+```console
+access:
+  service:
+    type: ClusterIP
+```
 
 From inside a pod in the Kubernetes cluster, you need to use the
 internal DNS address, e.g.,

diff --git a/charts/timescaledb-multinode/admin-guide.md b/charts/timescaledb-multinode/admin-guide.md
@@ -23,6 +23,8 @@ The following table lists the configurable parameters of the TimescaleDB Helm ch
 | `image.tag`                       | The version of the image to pull            | `pg12.5-ts2.0.0-p0`
 | `image.pullPolicy`                | The pull policy                             | `IfNotPresent`                                      |
 | `credentials.accessNode.superuser`| Password of the superuser for the Access Node | `tea`                                             |
+|`access.service.type`   | Setup external access using LoadBalancer or ClusterIP  | `LoadBalancer`  |
+| `credentials.fromValues`  | Load credentials from values.yaml   | `true`  |
 | `credentials.dataNode.superuser`  | Password of the superuser for the Data Nodes  | `coffee`                                          |
 | `env`                             | Extra custom environment variables, expressed as [EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#envvarsource-v1-core) | `PGDATA` and some language settings |
 | `resources`                       | Any resources you wish to assign to the pod | `{}`                                                |

diff --git a/charts/timescaledb-multinode/templates/sec-timescaledb.yaml b/charts/timescaledb-multinode/templates/sec-timescaledb.yaml
@@ -1,6 +1,7 @@
 # This file and its contents are licensed under the Apache License 2.0.
 # Please see the included NOTICE for copyright information and LICENSE for a copy of the license.
 
+{{- if .Values.credentials.fromValues }}
 ---
 apiVersion: v1
 kind: Secret
@@ -29,3 +30,4 @@ type: Opaque
 data:
   password-superuser: {{ .Values.credentials.dataNode.superuser | b64enc }}
 ...
+{{- end }}
diff --git a/charts/timescaledb-multinode/templates/svc-timescaledb-access.yaml b/charts/timescaledb-multinode/templates/svc-timescaledb-access.yaml
@@ -14,7 +14,7 @@ metadata:
   annotations:
     service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "4000"
 spec:
-  type: LoadBalancer
+  type: {{ .Values.access.service.type }}
   ports:
   - name: postgresql
     port: 5432

diff --git a/charts/timescaledb-multinode/values.yaml b/charts/timescaledb-multinode/values.yaml
@@ -11,11 +11,17 @@ image:
   # Image was built from
   # https://github.com/timescale/timescaledb-docker-ha
   repository: timescaledev/timescaledb-ha
-  tag: pg12-ts2.0.0-p0
+  tag: pg12-ts2.0-latest
   pullPolicy: IfNotPresent
 
+#enable external access using LoadBalancer
+access:
+  service:
+    type: ClusterIP
+
 # Credentials used by PostgreSQL
 credentials:
+  fromValues: false
   accessNode:
     superuser: tea
   dataNode: