auto-generate the erlangCookie variable

related to apache#78, apache#88. We auto-generate the secret if it is not provided, and then continue to use that value on upgrades rather than auto-generating fresh each time.
colearendt · Jun 20, 2022 · e5f4fb7 · e5f4fb7
1 parent 78eff8c
commit e5f4fb7
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/couchdb/templates/_helpers.tpl b/couchdb/templates/_helpers.tpl
@@ -43,6 +43,29 @@ Create a random string if the supplied key does not exist
 {{- end -}}
 {{- end -}}
 
+{{- /*
+Create a random string if the supplied "secret" key does not exist. Otherwise create the key in a persistent fashion
+using `lookup` and `get`. The "key", "ns", and "secretName" keys need to be provided for this to work
+*/ -}}
+{{- define "couchdb.defaultsecret-stateful" -}}
+ {{- if .secret -}}
+ {{- .secret | b64enc | quote -}}
+ {{- else -}}
+ {{- /* generate secret, which will be overwritten if already exists */ -}}
+ {{- $autoSecret := randAlphaNum 20 | b64enc -}}
+ {{- if and (not (empty .key)) (not (empty .secretName)) }}
+ {{- $currentSecret := lookup "v1" "Secret" .ns .secretName }}
+ {{- if $currentSecret }}
+ {{- /* already exists, looking up */ -}}
+ {{- $autoSecret = get $currentSecret.data .key | b64dec -}}
+ {{- end }}
+ {{- end }}
+ {{- print $autoSecret | quote -}}
+ {{- end -}}
+{{- end -}}
+
+
+
 {{/*
 Labels used to define Pods in the CouchDB statefulset
 */}}
@@ -78,4 +101,4 @@ Fail if couchdbConfig.couchdb.uuid is undefined
 */}}
 {{- define "couchdb.uuid" -}}
 {{- required "A value for couchdbConfig.couchdb.uuid must be set" (.Values.couchdbConfig.couchdb | default dict).uuid -}}
-{{- end -}} 
+{{- end -}}
diff --git a/couchdb/templates/secrets.yaml b/couchdb/templates/secrets.yaml
@@ -12,7 +12,8 @@ type: Opaque
 data:
  adminUsername: {{ template "couchdb.defaultsecret" .Values.adminUsername }}
  adminPassword: {{ template "couchdb.defaultsecret" .Values.adminPassword }}
- erlangCookie: {{ template "couchdb.defaultsecret" .Values.erlangFlags.setcookie }}
+ {{- $erlangCookieArgs := dict "key" "erlangCookie" "ns" $.Release.Namespace "secretName" (include "couchdb.fullname" .) "secret" .Values.erlangFlags.setcookie }}
+ erlangCookie: {{ template "couchdb.defaultsecret-stateful" $erlangCookieArgs }}
  cookieAuthSecret: {{ template "couchdb.defaultsecret" .Values.cookieAuthSecret }}
 {{- if .Values.adminHash }}
  password.ini: {{ tpl (.Files.Get "password.ini") . | b64enc }}