[utils] add helper to resolve secrets that need urlquery function

openstack/utils/Chart.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 description: A Helm chart for Kubernetes
 name: utils
-version: 0.16.2
+version: 0.17.0

openstack/utils/templates/_hosts.tpl

@@ -6,6 +6,24 @@
 {{ .Release.Namespace }}.svc.kubernetes.{{ include "host_fqdn" . }}
 {{- end }}
 
+{{- define "_resolve_secret" -}}
+    {{- $str := index . 0 -}}
+    {{- $add_urlquery := index . 1 -}}
+    {{- if (hasPrefix "vault+kvv2" $str) -}}
+        {{"{{"}} resolve "{{ $str }}" {{ if $add_urlquery }}| urlquery {{ end }}{{"}}"}}
+    {{- else -}}
+        {{ $str }}
+{{- end -}}
+{{- end -}}
+
+{{- define "resolve_secret" -}}
+{{ include "_resolve_secret" (tuple . false) }}
+{{- end -}}
+
+{{- define "resolve_secret_urlquery" -}}
+{{ include "_resolve_secret" (tuple . true) }}
+{{- end -}}
+
 {{define "db_url" }}
     {{- if kindIs "map" . -}}
 postgresql+psycopg2://{{default .Values.dbUser .Values.global.dbUser}}:{{(default .Values.dbPassword .Values.global.dbPassword) | default (tuple . (default .Values.dbUser .Values.global.dbUser) | include "postgres.password_for_user")}}@{{.Chart.Name}}-postgresql.{{ include "svc_fqdn" . }}:5432/{{.Values.postgresql.postgresDatabase}}
@@ -33,7 +51,7 @@ postgresql+psycopg2://{{$user}}:{{$password | urlquery}}@{{.Chart.Name}}-postgre
     {{- else }}
         {{- $user := index . 2 }}
         {{- $password := index . 3 }}
-        {{- $user }}:{{ $password }}
+        {{- $user }}:{{ include "resolve_secret_urlquery" $password }}
     {{- end }}
 {{- end }}
 
@@ -57,7 +75,7 @@ postgresql+psycopg2://{{$user}}:{{$password | urlquery}}@{{.Chart.Name}}-postgre
             {{- $user := get .Values.mariadb.users $db | required (printf ".Values.mariadb.%v.name & .password are required (key comes from first database in .Values.mariadb.databases)" $db) }}
             {{- tuple . $db $user.name (required (printf "User with key %v requires password" $db) $user.password) | include "db_url_mysql" }}
         {{- else }}
-            {{- tuple . (coalesce .Values.dbName .Values.db_name) (coalesce .Values.dbUser .Values.global.dbUser "root") (coalesce .Values.dbPassword .Values.global.dbPassword .Values.mariadb.root_password | required ".Values.mariadb.root_password is required!") .Values.mariadb.name | include "db_url_mysql" }}
+            {{- tuple . (coalesce .Values.dbName .Values.db_name) (coalesce .Values.dbUser .Values.global.dbUser "root") (coalesce .Values.dbPassword .Values.global.dbPassword .Values.mariadb.root_password | include "resolve_secret_urlquery" | required ".Values.mariadb.root_password is required!") .Values.mariadb.name | include "db_url_mysql" }}
         {{- end }}
     {{- else -}}
 mysql+pymysql://{{ include "db_credentials" . }}@
@@ -187,7 +205,7 @@ mysql+pymysql://{{ include "db_credentials" . }}@
     {{- $host := index . 0 }}
     {{- $user := index . 1 }}
     {{- $password := index . 2 -}}
-https://{{ $user }}:{{ $password }}@{{ $host }}
+https://{{ $user }}:{{ include "resolve_secret_urlquery" $password }}@{{ $host }}
 {{- end }}
 
 {{- define "utils.bigip_url" }}

openstack/utils/templates/_ini_sections.tpl

@@ -6,9 +6,23 @@ heartbeat_in_pthread = False
 {{- end }}
 
 {{- define "ini_sections.default_transport_url" }}
-transport_url = {{ include "rabbitmq.transport_url" . }}
+{{- $data := merge (pick .Values.rabbitmq "port" "virtual_host") .Values.rabbitmq.users.default }}
+{{- $_ := required ".Values.rabbitmq.users.default.user is required" .Values.rabbitmq.users.default.user }}
+{{- $_ := required ".Values.rabbitmq.users.default.password is required" .Values.rabbitmq.users.default.password }}
+{{- include "ini_sections._transport_url" (tuple . $data) }}
 {{- end }}
 
+{{- define "ini_sections._transport_url" }}
+transport_url = {{ include "utils.rabbitmq_url" . }}
+{{- end }}
+
+
+{{- define "utils.rabbitmq_url" -}}
+{{- $envAll := index . 0 -}}
+{{- $data := index . 1 -}}
+rabbit://{{ include "resolve_secret_urlquery" $data.user }}:{{ include "resolve_secret_urlquery" $data.password }}@{{ $data.host | default (print $envAll.Release.Name "-rabbitmq") }}:{{ $data.port | default 5672 }}/{{ $data.virtual_host | default "" }}
+{{- end -}}
+
 {{- define "ini_sections.database_options_mysql" }}
 max_pool_size = {{ .Values.max_pool_size | default .Values.global.max_pool_size | default 50 }}
 max_overflow = {{ .Values.max_overflow | default .Values.global.max_overflow | default 5 }}
@@ -49,10 +63,17 @@ enabled = true
 # topics = notifications
 driver = messagingv2
             {{- if .Values.audit.central_service }}
-transport_url = rabbit://{{ .Values.audit.central_service.user | required "Please set audit.central_service.user" }}:{{ .Values.audit.central_service.password | required "Please set audit.central_service.password" }}@{{ .Values.audit.central_service.host | default "hermes-rabbitmq-notifications.hermes" }}:{{.Values.audit.central_service.port | default 5672 }}/
+                {{- $data := pick .Values.audit.central_service "user" "password" "host" "port" }}
+                {{- $_ := required ".Values.audit.central_service.user is required" $data.user }}
+                {{- $_ := required ".Values.audit.central_service.password is required" $data.password }}
+                {{- $_ := set $data "host" ($data.host | default "hermes-rabbitmq-notifications.hermes") }}
+                {{- include "ini_sections._transport_url" (tuple . $data) }}
             {{- else if .Values.rabbitmq_notifications }}
                 {{- if and .Values.rabbitmq_notifications.ports .Values.rabbitmq_notifications.users }}
-transport_url = rabbit://{{ .Values.rabbitmq_notifications.users.default.user }}:{{ required ".Values.rabbitmq_notifications.users.default.password missing" .Values.rabbitmq_notifications.users.default.password }}@{{ .Chart.Name }}-rabbitmq-notifications:{{ .Values.rabbitmq_notifications.ports.public }}/
+                    {{- $data := dict "user" .Values.rabbitmq_notifications.users.default.user "password" .Values.rabbitmq_notifications.users.default.password "host" (print .Release.Name "-rabbitmq-notifications") "port" .Values.rabbitmq_notifications.ports.public }}
+                    {{- $_ := required ".Values.rabbitmq_notifications.users.default.user is required" $data.user }}
+                    {{- $_ := required ".Values.rabbitmq_notifications.users.default.password is required" $data.password }}
+                    {{- include "ini_sections._transport_url" (tuple . $data) }}
                 {{- end }}
             {{- end }}
 mem_queue_size = {{ .Values.audit.mem_queue_size }}

openstack/utils/templates/snippets/_proxysql.cfg.tpl

@@ -30,8 +30,8 @@ mysql_variables =
             {{- end }}
         {{- end }}
     monitor_enabled = true
-    monitor_username = "{{ .global.Values.mariadb.users.proxysql_monitor.name | required ".global.Values.mariadb.users.proxysql_monitor.name is required!" }}"
-    monitor_password = "{{ .global.Values.mariadb.users.proxysql_monitor.password | required ".global.Values.mariadb.users.proxysql_monitor.password is required!" }}"
+    monitor_username = "{{ include "resolve_secret" .global.Values.mariadb.users.proxysql_monitor.name | required ".global.Values.mariadb.users.proxysql_monitor.name is required!" }}"
+    monitor_password = "{{ include "resolve_secret" .global.Values.mariadb.users.proxysql_monitor.password | required ".global.Values.mariadb.users.proxysql_monitor.password is required!" }}"
     {{- end }}
     connect_retries_on_failure = {{ default 1000 .global.Values.proxysql.connect_retries_on_failure }}
     connect_retries_delay = {{ default 100 .global.Values.proxysql.connect_retries_delay }} {{- /* The default is 1ms, and that means we will run through the retries on failure in no time */}}
@@ -57,8 +57,8 @@ mysql_users =
   {{- range $userKey, $user := $db.users }}
     {{- if ne $userKey "proxysql_monitor"  }}
     {
-        username = "{{ $user.name | required (print "user name needs to be set for " $dbKey " and user " $userKey) }}"
-        password = "{{ $user.password | required (print "password needs to be set for " $dbKey " and user " $userKey)  }}"
+        username = "{{ include "resolve_secret" $user.name | required (print "user name needs to be set for " $dbKey " and user " $userKey) }}"
+        password = "{{ include "resolve_secret" $user.password | required (print "password needs to be set for " $dbKey " and user " $userKey)  }}"
         default_hostgroup = {{ $index }}
     },
     {{- end }}