Provide confidential values as secret (#71)

* WIP: Provide confidential values as secret

* Fix parameter names in comment

* Provide demo credentials as base64

* Add named secret in values.yaml with default content

* Remove secret boilerplate in values.yaml

* Configure secret creation via flag

* Enhance secret configuration

- Use existingSecretName to configure secret via external secret
- rabbitmq uses its own naming syntax. We show them for convenience
- fixing external database property

Postgres secrets for external databases has to be added still

* Fix yaml syntax

* Fix yaml and property refs

* Adds configurable secret to external database

* Adjust minikube values

* Resolve go template issues

* Update documentation

* Fix wording

charts/geonode/templates/_helpers.tpl

@@ -42,7 +42,7 @@
 {{- end -}}
 {{- end -}}
 
-# secret key reference for the password of user:  .Values.postgres.geonodedatabase_and_username
+# secret key reference for the password of user:  .Values.postgres.geonode_databasename_and_username
 {{- define "database_geonode_password_secret_key_ref" -}}
 {{- if (index .Values "postgres-operator" "enabled") -}}
 "{{ .Values.postgres.geonode_databasename_and_username }}.{{ include "postgres_pod_name" . }}.credentials.postgresql.acid.zalan.do"
@@ -51,7 +51,7 @@
 {{- end -}}
 {{- end -}}
 
-# secret key reference for the password of user: .Values.postgres.geodatabasename_and_username
+# secret key reference for the password of user: .Values.postgres.geonode_databasename_and_username
 {{- define "database_geodata_password_secret_key_ref" -}}
 {{- if (index .Values "postgres-operator" "enabled") -}}
 "{{ .Values.postgres.geodata_databasename_and_username }}.{{ include "postgres_pod_name" . }}.credentials.postgresql.acid.zalan.do"

charts/geonode/templates/geonode/geonode-deploy.yaml

@@ -87,13 +87,17 @@ spec:
         - containerPort: 8001
 
         envFrom:
-          - configMapRef:
-              name: {{ include "geonode_pod_name" . }}-env
+        - configMapRef:
+            name: {{ include "geonode_pod_name" . }}-env
+        - secretRef:
+            name: {{ default "geonode-secret" .Values.geonode.secret.existingSecretName | quote }}
+        - secretRef:
+            name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }}
 
         env:
         - name: GEONODE_DATABASE_PASSWORD
           valueFrom:
-            secretKeyRef: 
+            secretKeyRef:
               name: {{ include "database_geonode_password_secret_key_ref" . }}
               key: password
         - name: GEONODE_GEODATABASE_PASSWORD
@@ -158,7 +162,6 @@ spec:
       # Celery is the task worker
       - name: {{ .Values.geonode.celery.container_name }}
         image: "{{ .Values.geonode.image.name }}:{{ .Values.geonode.image.tag }}"
-
         command:
         - bash
         - -c
@@ -176,6 +179,7 @@ spec:
           cd /usr/src/geonode-contribs/ldap; pip install --upgrade  -e .
           cd /usr/src/geonode/
           {{ end }}
+
           {{ if .Values.geonode.sentry.enabled }}
           pip install sentry-sdk
           {{ end }}
@@ -188,13 +192,17 @@ spec:
           dockerize -stdout /var/log/celery.log /usr/src/geonode/entrypoint.sh celery-cmd
 
         envFrom:
-          - configMapRef:
-              name: {{ include "geonode_pod_name" . }}-env
+        - configMapRef:
+            name: {{ include "geonode_pod_name" . }}-env
+        - secretRef:
+            name: {{ default "geonode-secret" .Values.geonode.secret.existingSecretName | quote }}
+        - secretRef:
+            name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }}
 
         env:
         - name: GEONODE_DATABASE_PASSWORD
           valueFrom:
-            secretKeyRef: 
+            secretKeyRef:
               name: {{ include "database_geonode_password_secret_key_ref" . }}
               key: password
         - name: GEONODE_GEODATABASE_PASSWORD

charts/geonode/templates/geonode/geonode-env.yaml

@@ -47,11 +47,6 @@ data:
   ALLOWED_HOSTS: "['django', '*', '{{ .Values.geonode.general.externalDomain }}']"
   PROXY_ALLOWED_HOSTS: 'localhost,django,geonode,geoserver,spatialreference.org,nominatim.openstreetmap.org,dev.openlayers.org'
 
-  # Admin Settings
-  ADMIN_USERNAME: {{ .Values.geonode.general.superUser.username | quote }}
-  ADMIN_EMAIL: {{ .Values.geonode.general.superUser.email | quote }}
-  ADMIN_PASSWORD: {{ .Values.geonode.general.superUser.password | quote }}
-
   # General settings
   FREETEXT_KEYWORDS_READONLY: {{ include "boolean2str" .Values.geonode.general.freetext_keywords_readonly | quote }}
   FIXTURE_DIRS: "[ '/usr/src/geonode/geonode/fixtures' ]"
@@ -71,11 +66,8 @@ data:
   DJANGO_EMAIL_BACKEND: {{ .Values.geonode.mail.backend | quote }}
   DJANGO_EMAIL_HOST: {{ .Values.geonode.mail.host | quote }}
   DJANGO_EMAIL_PORT: {{ .Values.geonode.mail.port | quote }}
-  DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.mail.user | quote }}
-  DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.mail.password | quote }}
   DJANGO_EMAIL_USE_TLS: {{ include "boolean2str" .Values.geonode.mail.tls | quote }}
   DJANGO_EMAIL_USE_SSL: {{ include "boolean2str" .Values.geonode.mail.use_ssl | quote }}
-  DEFAULT_FROM_EMAIL: {{ .Values.geonode.mail.from | quote }}
 
   # PATH
   # TODO (mwall) allign with volumeMount locations
@@ -115,7 +107,6 @@ data:
   LDAP_ENABLED:  {{ include "boolean2str" .Values.geonode.ldap.enabled | quote }}
   LDAP_SERVER_URL: {{ .Values.geonode.ldap.uri | quote }}
   LDAP_BIND_DN: {{ .Values.geonode.ldap.bind_dn | quote }}
-  LDAP_BIND_PASSWORD: {{ .Values.geonode.ldap.bind_password | quote }}
   LDAP_USER_SEARCH_DN: {{ .Values.geonode.ldap.user_search_dn | quote }}
   LDAP_USER_SEARCH_FILTERSTR: {{ .Values.geonode.ldap.user_search_filterstr | quote }}
   LDAP_ALWAYS_UPDATE_USER: {{ .Values.geonode.ldap.always_update_user | quote }}
@@ -180,8 +171,6 @@ data:
   GEOSERVER_PUBLIC_LOCATION: "{{ include "public_url" . }}/geoserver/"
   GEOSERVER_PUBLIC_SCHEMA: {{ .Values.geonode.general.externalScheme | quote }}
   GEOSERVER_LOCATION: "http://{{ include "geoserver_pod_name" . }}:{{ .Values.geoserver.port }}/geoserver/"
-  GEOSERVER_ADMIN_USER: {{ .Values.geoserver.admin_username | quote }}
-  GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.admin_password | quote }}
 
   OGC_REQUEST_TIMEOUT: {{ .Values.geonode.general.ogc_request_timeout | quote }}
   OGC_REQUEST_MAX_RETRIES: '1'

charts/geonode/templates/geonode/geonode-secret.yaml

@@ -0,0 +1,21 @@
+{{- if empty .Values.geonode.secret.existingSecretName }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: geonode-secret
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  # superuser credentials
+  ADMIN_USERNAME: {{ .Values.geonode.secret.superUser.username | b64enc }}
+  ADMIN_PASSWORD: {{ .Values.geonode.secret.superUser.password | b64enc }}
+  ADMIN_EMAIL: {{ .Values.geonode.secret.superUser.email | b64enc }}
+
+  # mail secrets
+  DJANGO_EMAIL_HOST_USER: {{ .Values.geonode.secret.mail.user | b64enc }}
+  DJANGO_EMAIL_HOST_PASSWORD: {{ .Values.geonode.secret.mail.password | b64enc }}
+  DEFAULT_FROM_EMAIL: {{ .Values.geonode.secret.mail.from | b64enc }}
+
+  # ldap secrets
+  LDAP_BIND_PASSWORD: {{ .Values.geonode.secret.ldap.bind_password | b64enc }}
+{{ end }}

charts/geonode/templates/geoserver/geoserver-deploy.yaml

@@ -63,8 +63,10 @@ spec:
         - containerPort: {{ .Values.geoserver.port }}
 
         envFrom:
-          - configMapRef:
-              name:  {{ include "geoserver_pod_name" . }}-env
+        - configMapRef:
+            name:  {{ include "geoserver_pod_name" . }}-env
+        - secretRef:
+            name: {{ default "geoserver-secret" .Values.geoserver.secret.existingSecretName | quote }}
 
         env:
           # read auto generated password from secret

charts/geonode/templates/geoserver/geoserver-env.yaml

@@ -17,6 +17,3 @@ data:
   DATABASE_PORT: "{{ include "database_port" . }}"
   GEONODE_GEODATABASE: {{ .Values.postgres.geonode_databasename_and_username | quote  }}
   GEONODE_GEODATABASE_SCHEMA: {{ .Values.postgres.schema | quote }}
-
-  GEOSERVER_ADMIN_USER: {{ .Values.geoserver.admin_username | quote }}
-  GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.admin_password | quote }}

charts/geonode/templates/geoserver/geoserver-secret.yaml

@@ -0,0 +1,12 @@
+{{- if empty .Values.geoserver.secret.existingSecretName }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: geoserver-secret
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  # geoserver admin credentials
+  GEOSERVER_ADMIN_USER: {{ .Values.geoserver.secret.admin_username | b64enc }}
+  GEOSERVER_ADMIN_PASSWORD: {{ .Values.geoserver.secret.admin_password | b64enc }}
+{{ end }}

charts/geonode/templates/postgres/postgres-external-geodata-secrets.yaml

@@ -1,10 +1,11 @@
-{{ if .Values.postgres.external_postgres.enabled }}
+{{ if and .Values.postgres.external_postgres.enabled (not .Values.postgres.external_postgres.secret.existingSecretName )}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Release.Name }}-geodata-external-secrets
+  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
-  username: {{ .Values.postgres.geodatabasename_and_username | quote }}
-  password: {{ .Values.postgres.external_postgres.geodata_password | b64enc }}
+  username: {{ .Values.postgres.geodata_databasename_and_username | b64enc }}
+  password: {{ .Values.postgres.external_postgres.secret.geodata_password | b64enc }}
 {{ end }}

charts/geonode/templates/postgres/postgres-external-geonode-secrets.yaml

@@ -1,10 +1,11 @@
-{{ if .Values.postgres.external_postgres.enabled }}
+{{ if and .Values.postgres.external_postgres.enabled (not .Values.postgres.external_postgres.secret.existingSecretName )}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Release.Name }}-geonode-external-secrets
+  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
-  username: {{ .Values.postgres.username | quote }}
-  password: {{ .Values.postgres.external_postgres.geonode_password | b64enc }}
+  username: {{ .Values.postgres.username | b64enc }}
+  password: {{ .Values.postgres.external_postgres.secret.geonode_password | b64enc }}
 {{ end }}

charts/geonode/templates/postgres/postgres-external-postgres-secrets.yaml

@@ -1,10 +1,11 @@
-{{ if .Values.postgres.external_postgres.enabled }}
+{{ if and .Values.postgres.external_postgres.enabled (not .Values.postgres.external_postgres.secret.existingSecretName )}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ .Release.Name }}-postgres-external-secrets
+  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
-  username: {{ .Values.postgres.username | quote }}
-  password: {{ .Values.postgres.external_postgres.postgres_password | b64enc }}
+  username: {{ .Values.postgres.username | b64enc }}
+  password: {{ .Values.postgres.external_postgres.secret.postgres_password | b64enc }}
 {{ end }}

charts/geonode/values.yaml

@@ -1,10 +1,10 @@
-
 global:
   # -- storageClass used by helm dependencies pvc
   storageClass:
   # -- storage access mode used by helm dependency pvc
   accessMode: ReadWriteMany
 
+
 # geonode configuration
 geonode:
   # -- pod name
@@ -31,6 +31,28 @@ geonode:
   tasks_post_script: |
     print("tasks_post_script not defined ...")
 
+  secret:
+    # -- name of an existing Secret to use. Set, if you want to separately maintain the Secret.
+    existingSecretName: ""
+    superUser:
+      # -- admin username
+      username: admin
+      # -- admin panel password
+      password: geonode
+      # -- admin user password
+      email: [email protected]
+    mail:
+      # -- define mail user to send mails from
+      user: "changeme"
+      # -- set password for mailuser in geonode
+      password: "changeme"
+      # -- define from mail-addr 
+      from: "[email protected]"
+    ldap:
+      # -- ldap password
+      bind_password: password
+
+
   resources:
     requests:
       # -- requested memory as in resource.requests.memory (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
@@ -109,6 +131,7 @@ geonode:
     cheaper_busyness_backlog_step: 2
 
   general:
+
     # -- external ingress schema. If set to 'https', make sure to configure TLS either by 
     # configuring tls certificate or using cert-manager. Available options: (http|https)
     externalScheme: http
@@ -139,14 +162,6 @@ geonode:
     # -- OGC_REQUEST_POOL_CONNECTIONS
     ogc_request_pool_connections: 10
 
-    superUser:
-      # -- admin username
-      username: admin
-      # -- admin panel password
-      password: geonode
-      # -- admin user password
-      email: [email protected]
-
     publishing:
       # -- RESOURCE_PUBLISHING By default, the GeoNode application allows GeoNode staff members to publish/unpublish resources.
       # By default, resources are published when created. When this setting is set to True the staff members will be able to unpublish
@@ -183,12 +198,6 @@ geonode:
     tls: true
     # -- enable ssl for geonode mail (only tls or ssl can be true not both)
     use_ssl: False
-    # -- define mail user to send mails from
-    user: "changeme"
-    # -- set password for mailuser in geonode
-    password: "changeme"
-    # -- define from mail-addr 
-    from: "[email protected]"
 
   ldap:
     # -- enable ldap AUTHENTICATION_BACKENDS in DJANGO Geonode
@@ -197,8 +206,6 @@ geonode:
     uri: ldap://example.com
     # -- ldap user bind dn
     bind_dn: "CN=Users,DC=ad,DC=example,DC=com"
-    # -- ldap password
-    bind_password: password
     # -- ldap user search dn
     user_search_dn: "OU=User,DC=ad,DC=example,DC=com"
     # -- ldap user filterstr
@@ -244,7 +251,7 @@ geonode:
     # -- If True, new user accounts will be created as inactive. The user must use the activation link to activate his account.
     conformation_required: True
     # -- Specifies the login method to use – whether the user logs in by entering their username, e-mail address, or either one of both. Setting this to “email” requires email_required=True
-    authentication_method: "user_email"
+    authentication_method: "username_email"
     # -- group name to add new registered users to, requires auto_assign_registered_members_to_registered: True.
     registered_members_group_name:
     # -- if set to True new registered user will be add to defined group in registered_members_group_name
@@ -309,10 +316,14 @@ geoserver:
     tag: '2.23.0'
   # -- geoserver port
   port: 8080
-  # -- geoserver admin username
-  admin_username: admin
-  # -- geoserver admin password
-  admin_password: "geoserver"
+
+  secret:
+    # -- name of an existing Secret to use. Set, if you want to separately maintain the Secret.
+    existingSecretName: ""
+    # -- geoserver admin username
+    admin_username: admin
+    # -- geoserver admin password
+    admin_password: "geoserver"
 
   # -- geoserver kube resources
   resources:
@@ -356,7 +367,7 @@ nginx:
       # -- limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
       cpu: "800m"
 
-# -- pycsw integration is based on https://github.com/geopython/pycsw/blob/master/docker/kubernetes
+# pycsw integration is based on https://github.com/geopython/pycsw/blob/master/docker/kubernetes
 pycsw:
   # -- enable single pycsw pod
   enabled: True
@@ -386,8 +397,8 @@ pycsw:
       memory: "1Gi"
       # -- limit cpu as in resource.requests.cpu (https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
       cpu: "500m"
-  # copied from 4.1.x: https://github.com/GeoNode/geonode/blob/master/geonode/catalogue/backends/pycsw_local_mappings.py
-  # -- pycsw config file parameters, see docs: https://docs.pycsw.org/_/downloads/en/latest/pdf/
+  # -- pycsw local mappings, copied from 4.1.x: https://github.com/GeoNode/geonode/blob/master/geonode/catalogue/backends/pycsw_local_mappings.py
+  # @default -- MD_CORE_MODEL = { ... }
   mappings: |-
     MD_CORE_MODEL = {
       "typename": "pycsw:CoreMetadata",
@@ -452,7 +463,9 @@ pycsw:
           "pycsw:Links": "download_links",
       },
     }
-  config: |-
+  # -- pycsw config file parameters, see docs: https://docs.pycsw.org/_/downloads/en/latest/pdf/
+  # @default -- [server] ...
+  config: |
     [server]
         home=/home/pycsw
         url=$(PYCSW_SERVER_URL)
@@ -532,6 +545,8 @@ rabbitmq:
     username: rabbituser
     password: rabbitpassword
     erlangCookie: jixYBsiZ9RivaLXC02pTwGjvIo0nHtVu
+    existingPasswordSecret: ""
+    existingErlangSecret: ""
   persistence:
     enabled: False
 
@@ -574,9 +589,12 @@ postgres:
     enabled: False
     hostname: my-external-postgres.com
     port: 5432
-    postgres_password: postgres
-    geonode_password: geonode
-    geodata_password: geogeonode
+    secret:
+      # -- name of an existing Secret to use. Set, if you want to separately maintain the Secret.
+      existingSecretName: ""
+      postgres_password: postgres
+      geonode_password: geonode
+      geodata_password: geogeonode
 
 # VALUES DEFINITION: https://github.com/zalando/postgres-operator/blob/master/charts/postgres-operator/values.yaml
 postgres-operator: