diff --git a/charts/octopus-deploy/README.md b/charts/octopus-deploy/README.md
index 62edfdff..6fe10d92 100644
--- a/charts/octopus-deploy/README.md
+++ b/charts/octopus-deploy/README.md
@@ -165,3 +165,54 @@ The resulting endpoints will be: Your Octopus Kubernetes Agents and Virtual Machine Polling Tentacles must be configured to poll every Octopus server node. Documentation for configuring this can be found below:
 - [Kubernetes Agent](https://octopus.com/docs/infrastructure/deployment-targets/kubernetes/kubernetes-agent/ha-cluster-support#octopus-deploy-ha-cluster)
 - [Virtual Machine Polling Tentacles](https://octopus.com/docs/administration/high-availability/maintain/polling-tentacles-with-ha)
+
+
+### External Secrets Management
+
+By default, this chart creates and manages Kubernetes secrets automatically. However, you can configure it to use external secrets management systems like HashiCorp Vault, Azure Key Vault, AWS Secrets Manager, or External Secrets Operator (ESO).
+
+#### Using External Secrets
+
+To use external secrets, set `createSecrets: false` in your values:
+
+```yaml
+octopus:
+ createSecrets: false
+ # When createSecrets is false, the following fields are ignored
+ # masterKey: ""
+ # databaseConnectionString: ""
+ # username: ""
+ # password: ""
+ # licenseKeyBase64: ""
+
+mssql:
+ enabled: true
+ createSecrets: false # Must match octopus.createSecrets when using built-in SQL Server
+```
+
+#### Required External Secret Names
+
+When `createSecrets: false`, you must provide the following secrets in your cluster before deploying:
+
+| Secret Name | Key | Description |
+|-------------|-----|-------------|
+| `{{ .Release.Name }}-adminusername` | `secret` | Octopus admin username |
+| `{{ .Release.Name }}-adminpassword` | `secret` | Octopus admin password |
+| `{{ .Release.Name }}-masterkey` | `secret` | Master key for encrypting sensitive data |
+| `{{ .Release.Name }}-licensekey` | `secret` | Base64-encoded Octopus license key |
+
+##### When Using Built-in SQL Server (`mssql.enabled: true`)
+
+Additionally provide:
+| Secret Name | Key | Description |
+|-------------|-----|-------------|
+| `{{ .Release.Name }}-sapassword` |
`secret` | SQL Server SA user password |
+
+The database connection string will be automatically constructed using the SA password.
+
+##### When Using External SQL Server
+
+Additionally provide:
+| Secret Name | Key | Description |
+|-------------|-----|-------------|
+| `{{ .Release.Name }}-connectionstring` | `secret` | Complete SQL Server connection string |
diff --git a/charts/octopus-deploy/charts/mssql/templates/secret.yaml b/charts/octopus-deploy/charts/mssql/templates/secret.yaml
index be9c7e57..194a1a87 100644
--- a/charts/octopus-deploy/charts/mssql/templates/secret.yaml
+++ b/charts/octopus-deploy/charts/mssql/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.createSecrets }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,4 +7,5 @@ metadata:
 {{- include "labels" . | nindent 4 }}
 type: Opaque
 data:
- sa_password : {{ include "mssql.password" . | b64enc | quote}}
\ No newline at end of file
+ sa_password : {{ include "mssql.password" . | b64enc | quote}}
+{{- end }}
\ No newline at end of file
diff --git a/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml b/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
index 70115c24..f1493b7e 100644
--- a/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
+++ b/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
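Review bot: The re-added `sa_password :` line still carries a space before the colon and the new `{{- end }}` still leaves the file without a trailing newline (the `\ No newline at end of file` marker survives on the new side); since the line is being rewritten anyway, make it `  sa_password: {{ include "mssql.password" . | b64enc | quote }}` and terminate the file with a newline after `{{- end }}`. YAML strips the trailing whitespace from the plain key, so the rendered key is unchanged by that fix. With `createSecrets: false` the template now renders an empty document, which Helm accepts silently; a comment above the guard such as `{{- /* Rendered only when the chart manages the SA password; otherwise the release's -sapassword secret must exist (see parent README) */}}` records that intent for the next maintainer.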
@@ -32,26 +32,31 @@ spec:
 ports:
 - containerPort: {{ .Values.containers.ports.containerPort}}
 env:
- - name: MSSQL_PID
- value: "{{ .Values.MSSQL_PID}}"
- - name: ACCEPT_EULA
- value: "{{ .Values.ACCEPT_EULA | upper}}"
- - name: MSSQL_AGENT_ENABLED
- value: "{{ .Values.MSSQL_AGENT_ENABLED}}"
- - name: SA_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "mssql.name" . }}
- key: sa_password
+ - name: MSSQL_PID
+ value: "{{ .Values.MSSQL_PID}}"
+ - name: ACCEPT_EULA
+ value: "{{ .Values.ACCEPT_EULA | upper}}"
+ - name: MSSQL_AGENT_ENABLED
+ value: "{{ .Values.MSSQL_AGENT_ENABLED}}"
+ - name: SA_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ {{- if .Values.createSecrets }}
+ name: {{ include "mssql.name" . }}
+ key: sa_password
+ {{- else }}
+ name: {{ .Release.Name }}-sapassword
+ key: secret
+ {{- end }}
 volumeMounts:
- - name: mssql
- mountPath: "/var/opt/mssql"
- - name: mssql-config-volume
- mountPath: /var/opt/config
+ - name: mssql
+ mountPath: "/var/opt/mssql"
+ - name: mssql-config-volume
+ mountPath: /var/opt/config
 volumes:
 - name: mssql-config-volume
 configMap:
- name: {{ include "mssql.name" . }}
+ name: {{ include "mssql.name" . }}
 volumeClaimTemplates:
 - metadata:
 name: mssql
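Review bot: The only functional change in this hunk is the `{{- if .Values.createSecrets }}`/`{{- else }}` branch under `secretKeyRef`, but every `env:` and `volumeMounts:` entry is re-indented at the same time while the `volumes:` list a few lines below (`- name: mssql-config-volume`) keeps the flush style, so the file now mixes both sequence-indentation styles (yamllint `indentation` / `indent-sequences`). Either keep the re-indent out of this commit or apply one style to the whole file, so the secret-source change can be reviewed on its own. The `else` branch hard-codes the external secret's name as `{{ .Release.Name }}-sapassword` and its key as `secret`; a comment above it such as `{{- /* external secret; name and key are the contract documented under "Required External Secret Names" in the parent chart README */}}` ties the template to that documented contract.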
@@ -51,9 +51,52 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ # Init container builds DB connection string if mssql enabled and createSecrets is false
+ {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+ initContainers:
+ - name: init-connection-string
+ image: busybox:1.35
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ echo "Starting init container to create DB connection string..."
+ echo "Server={{ include "octopus.mssql.server" . }};Initial Catalog=OctopusDeploy;Persist Security Info=False;User ID=SA;Password=${SA_PASSWORD};Encrypt=True;Connection Timeout=30;" > /shared/db_connection_string
+ chmod 600 /shared/db_connection_string
+ echo "DB connection string written to /shared/db_connection_string"
+ env:
+ - name: SA_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-sapassword" .Release.Name }}
+ key: secret
+ volumeMounts:
+ - name: connection-string-vol
+ mountPath: /shared
+ resources:
+ requests:
+ memory: "16Mi"
+ cpu: "10m"
+ limits:
+ memory: "32Mi"
+ cpu: "50m"
+ {{- end }}
 containers:
 - name: octopus
 image: "{{ .Values.octopus.image.repository }}:{{ default .Chart.AppVersion .Values.octopus.image.tag }}"
+ {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ echo "Reading connection string from file..."
+ export DB_CONNECTION_STRING=$(cat /shared/db_connection_string)
+ echo "Connection string loaded successfully"
+ exec ./install.sh
+ {{- end }}
 securityContext:
 {{- with .Values.octopus.containerSecurityContext }}
 {{- toYaml . | nindent 10 }}
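Review bot: In the new `args` of the `octopus` container, `export DB_CONNECTION_STRING=$(cat /shared/db_connection_string)` returns the exit status of `export`, not of `cat`, so when the file is unreadable (the init container writes it as uid 65534 and `chmod 600`s it, while the main container's uid comes from `.Values.octopus.containerSecurityContext`, whose value is not visible here) the variable is silently empty, "Connection string loaded successfully" still prints, and `exec ./install.sh` starts anyway. Fail fast instead: put `set -eu` on the first line and split the assignment into `DB_CONNECTION_STRING=$(cat /shared/db_connection_string)` followed by `export DB_CONNECTION_STRING`, so a read error aborts the container with a non-zero exit status that is visible in pod events. The uid mismatch itself is best avoided by running the init container as the same uid as the main container (or relying on a shared `fsGroup`) rather than a fixed `65534`. Overriding the image entrypoint with `/bin/bash -c` also assumes the image's working directory contains `install.sh`; that assumption deserves a comment next to the `command:` line. Lastly, `busybox:1.35` is pulled by mutable tag, so pinning it by digest or exposing the init image under `.Values` keeps it under the chart's supply-chain control.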
@@ -75,11 +118,13 @@ spec:
 - name: USER
 value: octopus
 {{- end}}
+ {{- if and .Values.mssql.enabled .Values.octopus.createSecrets }}
 - name: DB_CONNECTION_STRING
 valueFrom:
 secretKeyRef:
 name: {{printf "%s-%s" $.Release.Name "connectionstring"}}
 key: secret
+ {{- end }}
 - name: ADMIN_USERNAME
 valueFrom:
 secretKeyRef:
@@ -146,6 +191,11 @@ spec:
 mountPath: /home/octopus/.octopus/OctopusServer/Server/Logs
 - name: audit-log-volume
 mountPath: /eventExports
+ {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+ - name: connection-string-vol
+ mountPath: /shared
+ readOnly: true
+ {{- end }}
 {{- if .Values.octopus.resources }}
 resources:
 {{- toYaml .Values.octopus.resources | nindent 10 }}
@@ -191,6 +241,11 @@ spec:
 - name: audit-log-volume
 persistentVolumeClaim:
 claimName: audit-log-claim
+ {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+ - name: connection-string-vol
+ emptyDir:
+ sizeLimit: 1Mi
+ {{- end }}
 {{- if .Values.dockerHub.login }}
 imagePullSecrets:
 - name: dockerhubcreds
diff --git a/charts/octopus-deploy/values.yaml b/charts/octopus-deploy/values.yaml
index 59021da0..7a61e909 100644
--- a/charts/octopus-deploy/values.yaml
+++ b/charts/octopus-deploy/values.yaml
@@ -2,7 +2,11 @@ octopus:
 # Must be set to "Y" or true to accept the EULA at https://octopus.com/legal/customer-agreement
 acceptEula: "N"
- ## Allows the secrets to be managed via an external secrets provider
+ # Allows secrets to be managed via an external secrets provider
+ # - true: Chart creates and manages secrets automatically,
+ # You can override individual secret values by using the fields below (masterKey, databaseConnectionString, username, password, licenseKeyBase64)
+ # - false: Use external secrets (e.g., from Vault, ESO etc) secret names must be
+ # Required secret names are documented in README.md
 createSecrets: true
 # The below 5 options are not required if createSecrets is false
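Review bot: The new guard `{{- if and .Values.mssql.enabled .Values.octopus.createSecrets }}` around `DB_CONNECTION_STRING` removes the variable whenever `mssql.enabled` is false, not only when the init-container path is active, so a deployment against an external SQL Server (the case the README's `{{ .Release.Name }}-connectionstring` secret exists for, with either value of `createSecrets`) gets no connection string from this env block unless it is supplied somewhere outside the hunk. The guard should be the exact complement of the init-container gate: `{{- if not (and .Values.mssql.enabled (not .Values.octopus.createSecrets)) }}`. A comment above it naming the three configurations (built-in SQL with chart-managed secrets, built-in SQL with external secrets, external SQL) would make the two gates recognisably mirror images.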
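Review bot: `connection-string-vol` is a plain `emptyDir`, so the file holding the SA password in clear text is written to the node's local disk for the pod's lifetime; add `medium: Memory` under `emptyDir:` (keeping `sizeLimit: 1Mi`) so it lives in tmpfs, disappears with the pod and never reaches persistent storage. With `medium: Memory` the volume's usage counts against the pod's memory limit, which the 1Mi cap keeps negligible. A comment such as `# tmpfs scratch space for the init-built connection string; never persisted to disk` on the volume records why the medium is set.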
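Review bot: The rewritten `createSecrets` comment in values.yaml is left unfinished: `# - false: Use external secrets (e.g., from Vault, ESO etc) secret names must be` stops mid-sentence and the next line restarts the thought, and the `true` branch ends on a dangling comma (`automatically,`). Suggested wording: `# - false: secrets are provided externally (e.g. Vault, ESO); the chart renders none.` followed by `#   The required secret names and keys are documented in README.md.`. The comment should also state that `mssql.createSecrets` must carry the same value when `mssql.enabled` is true, since that coupling is currently only mentioned in the README and in the `mssql` block further down the file.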
@@ -186,7 +190,8 @@ dockerHub:
 mssql:
 enabled: false
 ACCEPT_EULA: "Y"
- SA_PASSWORD: ""
+ createSecrets: true # determines if the db password is auto generated should match octopus.createSecrets
+ SA_PASSWORD: "" # Will be ignored when createSecrets is false and will look for {{ .Release.Name }}-sapassword, You can override the password value here when createSecrets is true
 global:
 # Set the default storageClass to be used for all persistent volume claims
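Review bot: The two new inline comments on `createSecrets` and `SA_PASSWORD` run far past any reasonable line length and read as run-on sentences (`auto generated should match`, `-sapassword, You can override`); move them above their keys as block comments, e.g. `# When false, the SA password is read from the external secret {{ .Release.Name }}-sapassword` / `# and SA_PASSWORD below is ignored. Must match octopus.createSecrets.` above `createSecrets: true`. The "should match octopus.createSecrets" requirement is not enforced anywhere visible in this diff; a `fail` in a template when `.Values.mssql.enabled` is true and `.Values.mssql.createSecrets` differs from `.Values.octopus.createSecrets` would turn the silent misconfiguration (subchart rendering its own Secret while the parent expects the external one, or the reverse) into an install-time error.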