From df025e08630fc7343f35a8fea675e046aaedc5b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81sta=20Bj=C3=B6rg=20Hansen?= <3628605+Astabh@users.noreply.github.com>
Date: Fri, 12 Sep 2025 12:39:09 +0000
Subject: [PATCH 1/6] add descriptive comments and enable createsecrets for mssql
---
 charts/octopus-deploy/values.yaml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/charts/octopus-deploy/values.yaml b/charts/octopus-deploy/values.yaml
index 59021da0..a214dda2 100644
--- a/charts/octopus-deploy/values.yaml
+++ b/charts/octopus-deploy/values.yaml
@@ -2,7 +2,16 @@ octopus:
 # Must be set to "Y" or true to accept the EULA at https://octopus.com/legal/customer-agreement
 acceptEula: "N"
- ## Allows the secrets to be managed via an external secrets provider
+ # Allows secrets to be managed via an external secrets provider
+ # - true: Chart creates and manages secrets automatically,
+ # You can override individual secret values by using the fields below (masterKey, databaseConnectionString, username, password, licenseKeyBase64)
+ # - false: Use external secrets (e.g., from Vault, ESO etc) secret names must be
+ # {{ .Release.Name }}-adminusername
+ # {{ .Release.Name }}-adminpassword
+ # {{ .Release.Name }}-connectionstring
+ # {{ .Release.Name }}-masterkey
+ # {{ .Release.Name }}-licensekey
+ #
 createSecrets: true
 # The below 5 options are not required if createSecrets is false
@@ -186,7 +195,8 @@ dockerHub:
 mssql:
 enabled: false
 ACCEPT_EULA: "Y"
- SA_PASSWORD: ""
+ createSecrets: true # determines if the db password is auto generated should match octopus.createSecrets
+ SA_PASSWORD: "" # Will be ignored when createSecrets is false and will look for {{ .Release.Name }}-sapassword, You can override the password value here when createSecrets is true
 global:
 # Set the default storageClass to be used for all persistent volume claims
From 1d414464d9906c13f479f0770a10aa57436b16e2 Mon Sep 17 00:00:00 2001
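Review bot: The inline comment on `mssql.createSecrets` says it "should match octopus.createSecrets", but nothing in this series enforces that, and the mismatch is not harmless: with `mssql.createSecrets: true` and `octopus.createSecrets: false` the SQL pod reads the chart-generated `sa_password` while the Octopus side reads the externally supplied `{{ .Release.Name }}-sapassword`, so the two sides silently hold different passwords. A render-time guard in the parent chart turns that into an install error, e.g. `{{- if and .Values.mssql.enabled (ne .Values.mssql.createSecrets .Values.octopus.createSecrets) }}{{ fail "mssql.createSecrets must match octopus.createSecrets" }}{{- end }}`. The two trailing comments on `createSecrets` and `SA_PASSWORD` also run far past 120 columns; putting them on `# ...` lines above the keys keeps `values.yaml` readable and lintable.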
From: =?UTF-8?q?=C3=81sta=20Bj=C3=B6rg=20Hansen?= <3628605+Astabh@users.noreply.github.com>
Date: Fri, 12 Sep 2025 12:39:40 +0000
Subject: [PATCH 2/6] create mssql secret when createsecrets is true
---
 charts/octopus-deploy/charts/mssql/templates/secret.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/charts/octopus-deploy/charts/mssql/templates/secret.yaml b/charts/octopus-deploy/charts/mssql/templates/secret.yaml
index be9c7e57..194a1a87 100644
--- a/charts/octopus-deploy/charts/mssql/templates/secret.yaml
+++ b/charts/octopus-deploy/charts/mssql/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.createSecrets }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,4 +7,5 @@ metadata:
 {{- include "labels" . | nindent 4 }}
 type: Opaque
 data:
- sa_password : {{ include "mssql.password" . | b64enc | quote}}
\ No newline at end of file
+ sa_password : {{ include "mssql.password" . | b64enc | quote}}
+{{- end }}
\ No newline at end of file
From a87b0c49d387aaa8db77d21af3a48e8f6b633a95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81sta=20Bj=C3=B6rg=20Hansen?= <3628605+Astabh@users.noreply.github.com>
Date: Fri, 12 Sep 2025 12:40:32 +0000
Subject: [PATCH 3/6] Set sa password based on createsecrets
---
 .../charts/mssql/templates/statefulset.yaml | 37 +++++++++++--------
 1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml b/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
index 70115c24..f1493b7e 100644
--- a/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
+++ b/charts/octopus-deploy/charts/mssql/templates/statefulset.yaml
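Review bot: `{{- if .Values.createSecrets }}` gates the whole Secret on a value that this series only defines in the parent chart's `values.yaml` (`mssql.createSecrets: true`); the subchart's own values file is not touched, so a standalone render of the mssql chart, or a parent values file that omits the key, leaves `.Values.createSecrets` nil, which is falsy, and the Secret is silently not rendered even though nobody asked for external secrets. Adding `createSecrets: true` to `charts/mssql/values.yaml` gives the template a real default; `default true .Values.createSecrets` is not a substitute, because Helm's `default` treats an explicit `false` as empty and would re-enable secret creation. While the file is being edited, the `\ No newline at end of file` after the new `{{- end }}` is worth fixing too.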
@@ -32,26 +32,31 @@ spec:
 ports:
 - containerPort: {{ .Values.containers.ports.containerPort}}
 env:
- - name: MSSQL_PID
- value: "{{ .Values.MSSQL_PID}}"
- - name: ACCEPT_EULA
- value: "{{ .Values.ACCEPT_EULA | upper}}"
- - name: MSSQL_AGENT_ENABLED
- value: "{{ .Values.MSSQL_AGENT_ENABLED}}"
- - name: SA_PASSWORD
- valueFrom:
- secretKeyRef:
- name: {{ include "mssql.name" . }}
- key: sa_password
+ - name: MSSQL_PID
+ value: "{{ .Values.MSSQL_PID}}"
+ - name: ACCEPT_EULA
+ value: "{{ .Values.ACCEPT_EULA | upper}}"
+ - name: MSSQL_AGENT_ENABLED
+ value: "{{ .Values.MSSQL_AGENT_ENABLED}}"
+ - name: SA_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ {{- if .Values.createSecrets }}
+ name: {{ include "mssql.name" . }}
+ key: sa_password
+ {{- else }}
+ name: {{ .Release.Name }}-sapassword
+ key: secret
+ {{- end }}
 volumeMounts:
- - name: mssql
- mountPath: "/var/opt/mssql"
- - name: mssql-config-volume
- mountPath: /var/opt/config
+ - name: mssql
+ mountPath: "/var/opt/mssql"
+ - name: mssql-config-volume
+ mountPath: /var/opt/config
 volumes:
 - name: mssql-config-volume
 configMap:
- name: {{ include "mssql.name" . }}
+ name: {{ include "mssql.name" . }}
 volumeClaimTemplates:
 - metadata:
 name: mssql
From 0b1f60fdd04fa7c2d068397b60c6a727891b3623 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81sta=20Bj=C3=B6rg=20Hansen?= <3628605+Astabh@users.noreply.github.com>
Date: Fri, 12 Sep 2025 12:42:27 +0000
Subject: [PATCH 4/6] use init cont to generate conn string when createsecrets is true and mssql enabled
---
 .../octopus-deploy/templates/statefulset.yaml | 57 ++++++++++++++++++-
 1 file changed, 56 insertions(+), 1 deletion(-)
diff --git a/charts/octopus-deploy/templates/statefulset.yaml b/charts/octopus-deploy/templates/statefulset.yaml
index 82d760a7..0905b8fa 100644
--- a/charts/octopus-deploy/templates/statefulset.yaml
+++ b/charts/octopus-deploy/templates/statefulset.yaml
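Review bot: Most of this hunk removes and re-adds the `env:` and `volumeMounts:` entries with no visible textual change (the `configMap` `name: {{ include "mssql.name" . }}` line is even removed and re-added verbatim), which looks like a re-indentation and buries the seven functional lines of the `{{- if .Values.createSecrets }}` / `{{- else }}` branch; splitting the whitespace move into its own commit would make the password-source change reviewable on its own. On the functional side, the external Secret is read under key `secret` while the chart-generated one uses `sa_password`; that asymmetry is deliberate but invisible here, so a comment on the `{{- else }}` branch such as `# externally managed secret: password must be stored under key "secret" (see README)` would save the next reader a trip to the docs. Nothing validates that the referenced Secret exists, so a wrong name or key only surfaces as `CreateContainerConfigError` on the SQL pod, which is worth saying in the `values.yaml` comment for `mssql.createSecrets`.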
@@ -51,9 +51,52 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ # Init container builds DB connection string if mssql enabled and createSecrets is false
+ {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+ initContainers:
+ - name: init-connection-string
+ image: busybox:1.35
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ echo "Starting init container to create DB connection string..."
+ echo "Server={{ include "octopus.mssql.server" . }};Initial Catalog=OctopusDeploy;Persist Security Info=False;User ID=SA;Password=${SA_PASSWORD};Encrypt=True;Connection Timeout=30;" > /shared/db_connection_string
+ chmod 600 /shared/db_connection_string
+ echo "DB connection string written to /shared/db_connection_string"
+ env:
+ - name: SA_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ printf "%s-sapassword" .Release.Name }}
+ key: secret
+ volumeMounts:
+ - name: connection-string-vol
+ mountPath: /shared
+ resources:
+ requests:
+ memory: "16Mi"
+ cpu: "10m"
+ limits:
+ memory: "32Mi"
+ cpu: "50m"
+ {{- end }}
 containers:
 - name: octopus
 image: "{{ .Values.octopus.image.repository }}:{{ default .Chart.AppVersion .Values.octopus.image.tag }}"
+ {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ echo "Reading connection string from file..."
+ export DB_CONNECTION_STRING=$(cat /shared/db_connection_string)
+ echo "Connection string loaded successfully"
+ exec ./install.sh
+ {{- end }}
 securityContext:
 {{- with .Values.octopus.containerSecurityContext }}
 {{- toYaml . | nindent 10 }}
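Review bot: The SA password is interpolated unquoted into the connection string in the init container's `echo`, so any password containing `;` (or `'`) yields a string that SqlClient splits into the wrong keys; per the SqlClient connection-string syntax the value should be written as `Password='${SA_PASSWORD}'`, with a `'` inside the password doubled. Neither script sets `set -e` and the main container's `$(cat /shared/db_connection_string)` is unchecked, so if the `octopus` container's UID (it comes from `.Values.octopus.containerSecurityContext`, not visible here) is not 65534 the `chmod 600` file is unreadable and `install.sh` starts with an empty `DB_CONNECTION_STRING` after printing "Connection string loaded successfully". The init-container/emptyDir hop also copies a secret onto a volume for no gain: the same `secretKeyRef` can be attached to the `octopus` container as `SA_PASSWORD` and the string built in the wrapper, which keeps the password in process memory only and lets the `/shared` mount and `connection-string-vol` in the later hunks of this patch be dropped. The `env:` list of the `octopus` container starts outside this hunk, and `exec ./install.sh` assumes the image's working directory and entrypoint as the original does.
```yaml
      containers:
      - name: octopus
        # … unchanged: image …
        {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
        # Build the connection string in-process from the externally supplied SA password;
        # nothing is written to a volume, so the init container and emptyDir are not needed.
        command: ["/bin/bash", "-c"]
        args:
          - |
            set -euo pipefail
            : "${SA_PASSWORD:?SA_PASSWORD is empty - check secret {{ .Release.Name }}-sapassword}"
            export DB_CONNECTION_STRING="Server={{ include "octopus.mssql.server" . }};Initial Catalog=OctopusDeploy;Persist Security Info=False;User ID=SA;Password='${SA_PASSWORD}';Encrypt=True;Connection Timeout=30;"
            unset SA_PASSWORD
            exec ./install.sh
        {{- end }}
        # … unchanged: securityContext …
        env:
          {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
          - name: SA_PASSWORD
            valueFrom:
              secretKeyRef:
                name: {{ printf "%s-sapassword" .Release.Name }}
                key: secret
          {{- end }}
          # … unchanged: existing env entries …
```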
@@ -75,11 +118,13 @@ spec:
 - name: USER
 value: octopus
 {{- end}}
+ {{- if and .Values.mssql.enabled .Values.octopus.createSecrets }}
 - name: DB_CONNECTION_STRING
 valueFrom:
 secretKeyRef:
- name: {{printf "%s-%s" $.Release.Name "connectionstring"}}
+ name: {{ printf "%s-connectionstring" .Release.Name }}
 key: secret
+ {{- end }}
 - name: ADMIN_USERNAME
 valueFrom:
 secretKeyRef:
@@ -146,6 +191,11 @@ spec:
 mountPath: /home/octopus/.octopus/OctopusServer/Server/Logs
 - name: audit-log-volume
 mountPath: /eventExports
+ {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+ - name: connection-string-vol
+ mountPath: /shared
+ readOnly: true
+ {{- end }}
 {{- if .Values.octopus.resources }}
 resources:
 {{- toYaml .Values.octopus.resources | nindent 10 }}
@@ -191,6 +241,11 @@ spec:
 - name: audit-log-volume
 persistentVolumeClaim:
 claimName: audit-log-claim
+ {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+ - name: connection-string-vol
+ emptyDir:
+ sizeLimit: 1Mi
+ {{- end }}
 {{- if .Values.dockerHub.login }}
 imagePullSecrets:
 - name: dockerhubcreds
From 705c06c5e55f24fefb635e4c23396ddc244f066c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81sta=20Bj=C3=B6rg=20Hansen?= <3628605+Astabh@users.noreply.github.com>
Date: Fri, 12 Sep 2025 13:00:38 +0000
Subject: [PATCH 5/6] update readme with instructions and amend comments
---
 charts/octopus-deploy/README.md | 51 +++++++++++++++++++++++++++++++
 charts/octopus-deploy/values.yaml | 7 +----
 2 files changed, 52 insertions(+), 6 deletions(-)
diff --git a/charts/octopus-deploy/README.md b/charts/octopus-deploy/README.md
index 62edfdff..6fe10d92 100644
--- a/charts/octopus-deploy/README.md
+++ b/charts/octopus-deploy/README.md
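Review bot: The new `{{- if and .Values.mssql.enabled .Values.octopus.createSecrets }}` around `DB_CONNECTION_STRING` drops the variable whenever `mssql.enabled` is false, i.e. for every deployment against an external SQL Server, including the default `createSecrets: true` path where the chart itself creates `{{ .Release.Name }}-connectionstring` from `databaseConnectionString`; before this hunk the variable was rendered unconditionally. The only case that must not read the secret is the init-container one, so the guard should be its negation: `{{- if not (and .Values.mssql.enabled (not .Values.octopus.createSecrets)) }}`. As written, the README added in patch 5 documents `-connectionstring` as the required external secret for the external-SQL case, and this condition never reads it.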
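Review bot: `connection-string-vol` is an `emptyDir` with only `sizeLimit`, which is backed by the node's filesystem by default, so the connection string containing the SA password is written to node disk for the pod's lifetime; if the file hand-off is kept, add `medium: Memory` above `sizeLimit: 1Mi` so the volume is tmpfs. The `octopus` container mounts the volume `readOnly: true` and never deletes the file after reading it, so the password stays readable by anything that can exec into the pod or by a later container in the same pod, which is worth noting in the `# Init container builds DB connection string ...` comment in the first hunk of this patch.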
@@ -165,3 +165,54 @@ The resulting endpoints will be:
 Your Octopus Kubernetes Agents and Virtual Machine Polling Tentacles must be configured to poll every Octopus server node. Documentation for configuring this can be found below:
 - [Kubernetes Agent](https://octopus.com/docs/infrastructure/deployment-targets/kubernetes/kubernetes-agent/ha-cluster-support#octopus-deploy-ha-cluster)
 - [Virtual Machine Polling Tentacles](https://octopus.com/docs/administration/high-availability/maintain/polling-tentacles-with-ha)
+
+
+ ### External Secrets Management
+
+ By default, this chart creates and manages Kubernetes secrets automatically. However, you can configure it to use external secrets management systems like HashiCorp Vault, Azure Key Vault, AWS Secrets Manager, or External Secrets Operator (ESO).
+
+ #### Using External Secrets
+
+ To use external secrets, set `createSecrets: false` in your values:
+
+ ```yaml
+ octopus:
+ createSecrets: false
+ # When createSecrets is false, the following fields are ignored
+ # masterKey: ""
+ # databaseConnectionString: ""
+ # username: ""
+ # password: ""
+ # licenseKeyBase64: ""
+
+ mssql:
+ enabled: true
+ createSecrets: false # Must match octopus.createSecrets when using built-in SQL Server
+ ```
+
+ #### Required External Secret Names
+
+ When `createSecrets: false`, you must provide the following secrets in your cluster before deploying:
+
+ | Secret Name | Key | Description |
+ |-------------|-----|-------------|
+ | `{{ .Release.Name }}-adminusername` | `secret` | Octopus admin username |
+ | `{{ .Release.Name }}-adminpassword` | `secret` | Octopus admin password |
+ | `{{ .Release.Name }}-masterkey` | `secret` | Master key for encrypting sensitive data |
+ | `{{ .Release.Name }}-licensekey` | `secret` | Base64-encoded Octopus license key |
+
+ ##### When Using Built-in SQL Server (`mssql.enabled: true`)
+
+ Additionally provide:
+ | Secret Name | Key | Description |
+ |-------------|-----|-------------|
+ | `{{ .Release.Name }}-sapassword` | `secret` | SQL Server SA user password |
+
+ The database connection string will be automatically constructed using the SA password.
+
+ ##### When Using External SQL Server
+
+ Additionally provide:
+ | Secret Name | Key | Description |
+ |-------------|-----|-------------|
+ | `{{ .Release.Name }}-connectionstring` | `secret` | Complete SQL Server connection string |
diff --git a/charts/octopus-deploy/values.yaml b/charts/octopus-deploy/values.yaml
index a214dda2..7a61e909 100644
--- a/charts/octopus-deploy/values.yaml
+++ b/charts/octopus-deploy/values.yaml
@@ -6,12 +6,7 @@ octopus:
 # - true: Chart creates and manages secrets automatically,
 # You can override individual secret values by using the fields below (masterKey, databaseConnectionString, username, password, licenseKeyBase64)
 # - false: Use external secrets (e.g., from Vault, ESO etc) secret names must be
- # {{ .Release.Name }}-adminusername
- # {{ .Release.Name }}-adminpassword
- # {{ .Release.Name }}-connectionstring
- # {{ .Release.Name }}-masterkey
- # {{ .Release.Name }}-licensekey
- #
+ # Required secret names are documented in README.md
 createSecrets: true
 # The below 5 options are not required if createSecrets is false
From 2e5ec62a00ce06b4eddf670a32fc67f0675a23b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81sta=20Bj=C3=B6rg=20Hansen?= <3628605+Astabh@users.noreply.github.com>
Date: Fri, 12 Sep 2025 13:17:28 +0000
Subject: [PATCH 6/6] change expression back for consistency
---
 charts/octopus-deploy/templates/statefulset.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/octopus-deploy/templates/statefulset.yaml b/charts/octopus-deploy/templates/statefulset.yaml
index 0905b8fa..e9d7d966 100644
--- a/charts/octopus-deploy/templates/statefulset.yaml
+++ b/charts/octopus-deploy/templates/statefulset.yaml
@@ -122,7 +122,7 @@ spec:
 - name: DB_CONNECTION_STRING
 valueFrom:
 secretKeyRef:
- name: {{ printf "%s-connectionstring" .Release.Name }}
+ name: {{printf "%s-%s" $.Release.Name "connectionstring"}}
 key: secret
 {{- end }}
 - name: ADMIN_USERNAME