diff --git a/charts/README.md b/charts/README.md index 4e124d9e48ac74a1ea4101739e0816727a0e2bcc..760e7ea5f29c4d6208d839f78b502565bc691aab 100644 --- a/charts/README.md +++ b/charts/README.md @@ -56,10 +56,50 @@ The basic configuration for each component of the SKA TANGO-controls docker imag We launch the SKA TANGO-controls docker images with: ``` -$ make install-chart +$ make k8s-install-chart ``` To clean up the Helm Chart release: ``` -$make uninstall-chart -``` \ No newline at end of file +$make k8s-uninstall-chart +``` + +Vault Secrets +------------- + +When deploying to a remote cluster we may want to use the vault to fetch secrets. + +The tango-base charts are configured to allow the use of vault in the **tangodb** and **databaseds** database containers. + +When the vault is enable in your chart, vault annotations are added to the chart templates allowing the secrets to be injected in the container + +This secret file, in the examples, are formatted as a key/value pairs allowing us the ability to source the file and consequently add the variables as environment variables. This is useful for database containers. + +But be aware that sourcing the secret file, depending on your container specification, may disrupt its normal startup flow. + +After sourcing the file you need to run the necessary scrips / commands so that your application starts correctly. This changes from application to application. + + +Enable vault secrets in the tango charts +------------------------------------- + +To use vault configure in the values.yml (this is the tangodb example): + +```yaml +tangodb: + +... + + vault: + useVault: true + secretPath: stfc + role: kube-role +``` + +**parameter**|**description** +:-----:|:-----: +useVault| turn it on/off +secretPath| starting path for the secret in the server +role| vault role to use + +If you are using **minikube** set the **useVault** parameter to false, remove it or remove the vault section entirely. 
diff --git a/charts/ska-tango-base/templates/databaseds.yaml b/charts/ska-tango-base/templates/databaseds.yaml
index 06ee9c69eed27be0b4d38134231441b5e6425000..6e4aa2f915786ac329641ed0f55b0873a186919b 100644
--- a/charts/ska-tango-base/templates/databaseds.yaml
+++ b/charts/ska-tango-base/templates/databaseds.yaml
@@ -72,17 +72,37 @@ spec:
 domain: {{ .Values.databaseds.domain }}
 intent: {{ .Values.databaseds.intent }}
 {{ toYaml (coalesce .Values.global.labels .Values.labels "label:none") | indent 8 }}
+ annotations:
+{{ if ((.Values.databaseds.vault).useVault) }}
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-inject-status: "update"
+ vault.hashicorp.com/agent-inject-secret-config: "{{ .Values.databaseds.vault.secretPath }}/ska-tango-base/databaseds"
+ vault.hashicorp.com/agent-inject-template-config: |
+ {{`{{- with secret `}}"{{ .Values.databaseds.vault.secretPath }}/ska-tango-base/databaseds"{{` -}}`}}
+ {{`{{- range $k, $v := .Data.data }}`}}
+ {{`export {{ $k }}={{ $v }}`}}
+ {{`{{- end }}`}}
+ {{`{{- end }}`}}
+ vault.hashicorp.com/role: "{{ .Values.databaseds.vault.role }}"
+{{ end }}
+{{ if or (.Values.global.annotations) (.Values.annotations) }}
+{{ toYaml (coalesce .Values.global.annotations .Values.annotations) | indent 8 }}
+{{ end }}
 spec:
 containers:
 - name: databaseds
 image: "{{ .Values.databaseds.image.registry }}/{{ .Values.databaseds.image.image }}:{{ .Values.databaseds.image.tag }}"
 imagePullPolicy: {{ .Values.databaseds.image.pullPolicy }}
 command:
- - retry
+ - retry
 - --tries={{$tries}}
 - --sleep={{$sleep}}
 - --
- - /usr/local/bin/wait-for-it.sh
+{{ if ((.Values.databaseds.vault).useVault) }}
+ - . /vault/secrets/config || true && /usr/local/bin/wait-for-it.sh # ST-1064: allow the file to not exist if running on minikube
+{{ else }}
+ - /usr/local/bin/wait-for-it.sh # ST-1064: allow the file to not exist if running on min
+{{ end }}
 - {{ template "ska-tango-base.name" . }}-{{ .Values.tangodb.component }}:3306
 - --timeout=60
 - --strict
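Review bot: The `. /vault/secrets/config || true && /usr/local/bin/wait-for-it.sh` element in the `useVault` branch fails open: if the injected file is missing or unreadable, startup continues silently with whatever credentials are already in the pod spec, so a broken injector on a remote cluster degrades to the static `values.yaml` password with no signal in the logs. Since the minikube case is already handled by `useVault: false` selecting the other branch, this branch should fail closed, e.g. `. /vault/secrets/config && exec /usr/local/bin/wait-for-it.sh`. It is also not clear from the hunk whether `retry` hands the text after `--` to a shell; if it execs its argument vector directly, that whole string is looked up as a program name and the wait never runs, which is worth confirming against the image or wrapping as `sh -c '…'`. Finally, the rendered template writes `export {{ $k }}={{ $v }}` unquoted, so any secret value containing whitespace or shell metacharacters is word-split or evaluated when the file is sourced; emit at least `export {{ $k }}='{{ $v }}'`.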
@@ -101,9 +121,9 @@ spec:
 - name: MYSQL_USER
 value: "{{ .Values.tangodb.db.user }}"
 - name: MYSQL_PASSWORD
- value: "{{ .Values.tangodb.db.password }}"
+ value: "{{ .Values.tangodb.db.password }}" # ST-1064: Check if this overwrites the injected value
 - name: TANGO_SERVER_PUBLISH_HOSTNAME
- value: {{ tpl ($databaseds_name | toString) . }}.{{ .Release.Namespace }}.svc.{{ $cluster_domain }}
+ value: {{ tpl ($databaseds_name | toString) . }}.{{ .Release.Namespace }}.svc.{{ $cluster_domain }}
 ports:
 - name: ds
 containerPort: {{ $databaseds_port }}
diff --git a/charts/ska-tango-base/templates/tangodb.yaml b/charts/ska-tango-base/templates/tangodb.yaml
index b6441331864805ca10ad3a293f542be61dde1253..548bf497641fd6d851f9ea98043f31257b602717 100644
--- a/charts/ska-tango-base/templates/tangodb.yaml
+++ b/charts/ska-tango-base/templates/tangodb.yaml
@@ -63,8 +63,20 @@ spec:
 domain: {{ .Values.tangodb.domain }}
 intent: {{ .Values.tangodb.intent }}
 {{ toYaml (coalesce .Values.global.labels .Values.labels "label:none") | indent 8 }}
-{{ if or (.Values.global.annotations) (.Values.annotations) }}
 annotations:
+{{ if ((.Values.tangodb.vault).useVault) }}
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-inject-status: "update"
+ vault.hashicorp.com/agent-inject-secret-config: "{{ .Values.tangodb.vault.secretPath }}/ska-tango-base/tangodb"
+ vault.hashicorp.com/agent-inject-template-config: |
+ {{`{{- with secret `}}"{{ .Values.tangodb.vault.secretPath }}/ska-tango-base/tangodb"{{` -}}`}}
+ {{`{{- range $k, $v := .Data.data }}`}}
+ {{`export {{ $k }}={{ $v }}`}}
+ {{`{{- end }}`}}
+ {{`{{- end }}`}}
+ vault.hashicorp.com/role: "{{ .Values.tangodb.vault.role }}"
+{{ end }}
+{{ if or (.Values.global.annotations) (.Values.annotations) }}
 {{ toYaml (coalesce .Values.global.annotations .Values.annotations) | indent 8 }}
 {{ end }}
 spec:
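Review bot: With Vault enabled, `MYSQL_PASSWORD` is still rendered from `.Values.tangodb.db.password` into the pod spec (the `MYSQL_ROOT_PASSWORD` entry above it sits outside this hunk), so the static credential stays readable to anyone who can `kubectl get pod -o yaml`, which is what the Vault integration is meant to avoid. The `# ST-1064` question can be answered from the startup command in the earlier hunk: the sourced file runs `export` inside the wrapper shell, so the injected value shadows this env entry only for the process that shell execs, while the container environment itself still carries the values.yaml password. Guard the static entries with `{{ if not ((.Values.databaseds.vault).useVault) }}` so enabling Vault removes them from the manifest instead of overriding them at runtime, and replace the open-ended comment with `# only rendered when vault is disabled; with useVault the value comes from /vault/secrets/config`. The env list begins before this hunk.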
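Review bot: The `agent-inject-template-config` template emits `export {{ $k }}={{ $v }}` with the value unquoted, so a secret containing a space, `$`, `;` or a quote is word-split or evaluated by `sh` when `/vault/secrets/config` is sourced; that both breaks startup on ordinary passwords and turns the KV entry into shell input if it is ever tampered with. Emit `export {{ $k }}='{{ $v }}'` so values are taken literally (a value containing `'` would still need escaping or rejecting). Because the loop exports every key under `.Data.data`, the secret at `<secretPath>/ska-tango-base/tangodb` effectively becomes arbitrary environment for the container, including names such as `PATH`; I would state that contract next to the annotation, e.g. `# every key in this KV secret is exported verbatim as an env var; keep it to MYSQL_* only`.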
@@ -72,6 +84,13 @@ spec:
 - name: tangodb
 image: "{{ .Values.tangodb.image.registry }}/{{ .Values.tangodb.image.image }}:{{ .Values.tangodb.image.tag }}"
 imagePullPolicy: {{ .Values.tangodb.image.pullPolicy }}
+{{ if ((.Values.tangodb.vault).useVault) }}
+ # Because we need to source the vault secret file, this disrupts the normal container startup.
+ # Because of this, after the source command, we need to run the normal container startup scripts / commands.
+ # This startup scripts/commands depend on the container application. In this example we are using a MariaDB application.
+ # Please read the vault section in the charts/README.md for more information.
+ command: ["sh", "-c", ". /vault/secrets/config || true && docker-entrypoint.sh mariadbd"]
+{{ end }}
 env:
 - name: MYSQL_ROOT_PASSWORD
 value: "{{ .Values.tangodb.db.rootpw }}"
@@ -89,7 +108,11 @@ spec:
 {{- if .Values.tangodb.livenessProbe.enabled }}
 livenessProbe:
 exec:
- command: ["sh", "-c", "exec mysqladmin status -uroot -p{{ .Values.tangodb.db.rootpw }}"]
+{{ if ((.Values.tangodb.vault).useVault) }}
+ command: ["sh", "-c", ". /vault/secrets/config || true && exec mysqladmin status -uroot -p${MYSQL_ROOT_PASSWORD}"]
+{{ else }}
+ command: ["exec mysqladmin status -uroot -p${MYSQL_ROOT_PASSWORD}"]
+{{ end }}
 initialDelaySeconds: {{ .Values.tangodb.livenessProbe.initialDelaySeconds }}
 periodSeconds: {{ .Values.tangodb.livenessProbe.periodSeconds }}
 timeoutSeconds: {{ .Values.tangodb.livenessProbe.timeoutSeconds }}
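Review bot: `command: ["sh", "-c", ". /vault/secrets/config || true && docker-entrypoint.sh mariadbd"]` fails open: if the Vault agent did not write the file, the database initialises with the static `MYSQL_ROOT_PASSWORD` from the env block directly below and nothing reports it. As the minikube case is already covered by `useVault: false` (this block is not rendered at all), drop the fallback here: `. /vault/secrets/config && exec docker-entrypoint.sh mariadbd`. The `exec` matters on its own too: without it `sh` typically stays PID 1 and `mariadbd` may not receive the pod's SIGTERM, so it is killed instead of shut down cleanly. The four comment lines could be reduced to `# useVault: source the injected secret file, then hand off to the image's normal entrypoint`.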
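Review bot: The `else` branch `command: ["exec mysqladmin status -uroot -p${MYSQL_ROOT_PASSWORD}"]` dropped the `sh -c` wrapper, so kubelet tries to exec a binary literally named `exec mysqladmin status …` and `${MYSQL_ROOT_PASSWORD}` is never expanded (Kubernetes only expands `$(VAR)`); with `useVault: false`, the chart default, the liveness probe therefore always fails and the pod restarts in a loop. Restore the wrapper: `command: ["sh", "-c", "exec mysqladmin status -uroot -p${MYSQL_ROOT_PASSWORD}"]`. In both branches `-p${…}` also places the root password in the probe process's argv, readable via `ps` by any process in the pod; prefer `MYSQL_PWD="$MYSQL_ROOT_PASSWORD" exec mysqladmin status -uroot`, which mysqladmin reads from the environment.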
@@ -99,7 +122,11 @@ spec:
 {{- if .Values.tangodb.readinessProbe.enabled }}
 readinessProbe:
 exec:
- command: ["sh", "-c", "exec mysqladmin status -uroot -p{{ .Values.tangodb.db.rootpw }}"]
+{{ if ((.Values.tangodb.vault).useVault) }}
+ command: ["sh", "-c", ". /vault/secrets/config || true && exec mysqladmin status -uroot -p${MYSQL_ROOT_PASSWORD}"]
+{{ else }}
+ command: ["exec mysqladmin status -uroot -p${MYSQL_ROOT_PASSWORD}"]
+{{ end }}
 initialDelaySeconds: {{ .Values.tangodb.readinessProbe.initialDelaySeconds }}
 periodSeconds: {{ .Values.tangodb.readinessProbe.periodSeconds }}
 timeoutSeconds: {{ .Values.tangodb.readinessProbe.timeoutSeconds }}
diff --git a/charts/ska-tango-base/values.yaml.sh b/charts/ska-tango-base/values.yaml.sh
index 6c66d96756162cc7d93e7633c2864abdde7968ef..596c4c49121d0f65558efd71067376ec65db4bc0 100644
--- a/charts/ska-tango-base/values.yaml.sh
+++ b/charts/ska-tango-base/values.yaml.sh
@@ -102,6 +102,10 @@ databaseds:
 image: ska-tango-images-tango-cpp${IS_ALPINE}
 tag: $(. ${RELEASE_SUPPORT}; RELEASE_CONTEXT_DIR=../../images/ska-tango-images-tango-cpp${IS_ALPINE} setContextHelper; getVersion)${SUFFIX}
 pullPolicy: IfNotPresent
+ vault:
+ useVault: false
+ secretPath: stfc
+ role: kube-role
 resources:
 requests:
 cpu: 100m # 100m = 0.1 CPU
@@ -188,6 +192,10 @@ tangodb:
 db: tango
 user: tango
 password: tango
+ vault:
+ useVault: false
+ secretPath: stfc
+ role: kube-role
 resources:
 requests:
 cpu: 100m # 100m = 0.1 CPU
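Review bot: As with the liveness probe, the non-vault `command: ["exec mysqladmin status -uroot -p${MYSQL_ROOT_PASSWORD}"]` has no shell, so the literal string is looked up as an executable and the variable is not expanded; with the default `useVault: false` the readiness probe never succeeds and the tangodb Service gets no endpoints. Use `command: ["sh", "-c", "exec mysqladmin status -uroot -p${MYSQL_ROOT_PASSWORD}"]`, and consider `MYSQL_PWD="$MYSQL_ROOT_PASSWORD" exec mysqladmin status -uroot` so the password does not appear in the probe's argv. The vault-branch command is now duplicated verbatim between the two probes; a named template (`{{ define "ska-tango-base.mysqladmin-status" }}`) would keep them from drifting.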