OPSEXP-2242: add support for existing secret in search service

charts/alfresco-search-service/Chart.yaml

@@ -15,7 +15,7 @@ keywords:
 name: alfresco-search-service
 sources:
   - https://github.com/Alfresco/alfresco-helm-charts
-version: 2.0.0-alpha.1
+version: 2.0.0-alpha.2
 appVersion: 2.0.8
 dependencies:
   - name: alfresco-insight-zeppelin

charts/alfresco-search-service/README.md

@@ -1,6 +1,6 @@
 # alfresco-search-service
 
-![Version: 2.0.0-alpha.1](https://img.shields.io/badge/Version-2.0.0--alpha.1-informational?style=flat-square) ![AppVersion: 2.0.8](https://img.shields.io/badge/AppVersion-2.0.8-informational?style=flat-square)
+![Version: 2.0.0-alpha.2](https://img.shields.io/badge/Version-2.0.0--alpha.2-informational?style=flat-square) ![AppVersion: 2.0.8](https://img.shields.io/badge/AppVersion-2.0.8-informational?style=flat-square)
 
 A Helm chart for deploying Alfresco Search Service
 
@@ -23,13 +23,9 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| PvNodeAffinity | string | `nil` | Define PVNodeAffinity for scheduling SOLR |
-| affinity | string | `nil` | Define Affinity for scheduling SOLR |
 | alfresco-insight-zeppelin.enabled | bool | `false` |  |
 | environment.SOLR_CREATE_ALFRESCO_DEFAULTS | string | `"alfresco,archive"` |  |
 | global.alfrescoRegistryPullSecrets | string | `"quay-registry-secret"` |  |
-| global.tracking.auth | string | `"secret"` | Select how solr and repo authenticate to each other none: work only prior to acs 7.2 (and was the default) secret: use a shared secret (to specify using `tracking.sharedsecret`) https: to use mTLS auth (require appropriate certificate configuration) |
-| global.tracking.sharedsecret | string | `nil` | Shared secret to authenticate repo/solr traffic |
 | ingress.annotations | object | `{"nginx.ingress.kubernetes.io/auth-realm":"Authentication Required - Alfresco Search Services","nginx.ingress.kubernetes.io/auth-type":"basic","nginx.ingress.kubernetes.io/whitelist-source-range":"0.0.0.0/0"}` | nginx ingress annotations (see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations) |
 | ingress.basicAuth | string | `nil` | Default solr basic auth user/password: admin / admin You can create your own with htpasswd utilility & encode it with base640. Example: `echo -n "$(htpasswd -nbm admin admin)" | base64 | tr -d '\n'` basicAuth: YWRtaW46JGFwcjEkVVJqb29uS00kSEMuS1EwVkRScFpwSHB2a3JwTDd1Lg== |
 | ingress.enabled | bool | `false` | Expose the solr admin console behind basic auth |
@@ -61,10 +57,12 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | readinessProbe.timeoutSeconds | int | `10` |  |
 | repository.existingConfigMap.keys.host | string | `"SOLR_ALFRESCO_HOST"` | Key within the configmap holding the repository hostname |
 | repository.existingConfigMap.keys.port | string | `"SOLR_ALFRESCO_PORT"` | Key within the configmap holding the repository port |
-| repository.existingConfigMap.keys.securecomms | string | `"SOLR_ALFRESCO_SECURE_COMMS"` | Key within the configmap holding the repository seucirty level |
+| repository.existingConfigMap.keys.securecomms | string | `"SOLR_ALFRESCO_SECURE_COMMS"` | Key within the configmap holding the repository security level |
 | repository.existingConfigMap.name | string | `nil` | Name of a pre-existing configmap containing Alfresco repository URL In addition to tjhe keys mentionned bellow the configMap may contain any solr property translated as an env variable (e.g SOLR_ALFRESCO_BASEURL). |
-| repository.existingSecret.keys.password | string | `"SOLR_SECRET"` | Key within the secret holding the repository shared secret |
+| repository.existingSecret.keys.sharedSecret | string | `"SOLR_ALFRESCO_SECURECOMMS_SECRET"` | Key within the secret holding the repository shared secret |
 | repository.existingSecret.name | string | `nil` | Name of a pre-existing secret containing message broker credentials |
+| repository.securecomms | string | `"secret"` | repository security level to use when tracking the repo ('none' or 'secret') |
+| repository.sharedSecret | string | `nil` | Secret shared with the repository when securecomms is set to 'secret' |
 | repository.url | string | `"http://alfresco-search-service/solr"` | Alfresco repository URL |
 | resources.limits.cpu | string | `"4"` |  |
 | resources.limits.memory | string | `"2000Mi"` |  |
@@ -76,5 +74,4 @@ Please refer to the [documentation](https://github.com/Alfresco/acs-deployment/b
 | searchServicesImage.tag | string | `"2.0.8"` |  |
 | service.name | string | `"solr"` |  |
 | service.type | string | `"ClusterIP"` |  |
-| tolerations | string | `nil` | Define Tolerations for scheduling SOLR |
 | type | string | `"search-services"` | set alfresco-insight-zeppelin.enabled=true As the Docker Image for Insight Engine is not publicly available the alfrescoRegistryPullSecrets has to be set More information can be found on https://github.com/Alfresco/acs-deployment/blob/master/docs/helm/registry-authentication.md |

charts/alfresco-search-service/ci/default-values.yaml

@@ -2,6 +2,5 @@
 alfresco-insight-zeppelin:
   nameOverride: zeppelin
   enabled: true
-global:
-  tracking:
-    sharedsecret: dummy
+repository:
+  sharedSecret: dummy

charts/alfresco-search-service/templates/_helpers.tpl

@@ -1,3 +1,10 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "alfresco-search-service.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
@@ -67,3 +74,41 @@ Get Alfresco Search Docker Image
   {{- printf "%s:%s" .Values.searchServicesImage.repository .Values.searchServicesImage.tag }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "alfresco-search-service.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "alfresco-search-service.labels" -}}
+helm.sh/chart: {{ include "alfresco-search-service.chart" . }}
+{{ include "alfresco-search-service.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "alfresco-search-service.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "alfresco-search-service.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "alfresco-search-service.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "alfresco-search-service.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/alfresco-search-service/templates/config.yaml

@@ -17,5 +17,5 @@ data:
     {{ template "alfresco-common.url.port" .url }}
   {{- end }}
   SOLR_ALFRESCO_SECURE_COMMS: >-
-    {{ .Values.global.tracking.auth | default "secret" }}
+    {{ .Values.repository.securecomms }}
 {{- end }}

charts/alfresco-search-service/templates/deployment.yaml

@@ -43,10 +43,18 @@ spec:
           image: {{ template "alfresco-search.dockerImage" . }}
           imagePullPolicy: {{ template "alfresco-search.pullPolicy" . }}
           {{- include "component-security-context" .Values | indent 8 }}
-          {{- $cmCtx := dict "Values" (dict "nameOverride" (printf "%s-repository" $.Chart.Name )) "Chart" $.Chart "Release" $.Release }}
-          {{- $cm := coalesce .Values.repository.existingConfigMap.name (include "alfresco-search-service.fullname" $cmCtx) }}
+          {{- $repoCtx := dict "Values" (dict "nameOverride" (printf "%s-repository" $.Chart.Name )) "Chart" $.Chart "Release" $.Release }}
+          {{- $cm := coalesce .Values.repository.existingConfigMap.name (include "alfresco-search-service.fullname" $repoCtx) }}
+          {{- $secret := coalesce .Values.repository.existingSecret.name (include "alfresco-search-service.fullname" $repoCtx) }}
           env:
             {{- with .Values.repository }}
+              {{- if eq .securecomms "secret" }}
+            - name: SOLR_ALFRESCO_SECURECOMMS_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secret }}
+                  key: {{ index .existingSecret.keys "sharedSecret" }}
+              {{- end }}
             - name: SOLR_ALFRESCO_HOST
               valueFrom:
                 configMapKeyRef:
@@ -77,10 +85,6 @@ spec:
           envFrom:
           - configMapRef:
               name: {{ $cm }}
-          {{- if eq .Values.global.tracking.auth "secret" }}
-          - secretRef:
-              name: {{ template "alfresco-search-service.fullname" . }}-solr-jtoolopts
-          {{- end }}
           ports:
             - containerPort: {{ template "alfresco-search.containerPort" . }}
           resources: {{- toYaml .Values.resources | nindent 12 }}
@@ -89,26 +93,32 @@ spec:
             mountPath: {{ .Values.persistence.search.data.mountPath }}
             subPath: {{ .Values.persistence.search.data.subPath }}
           readinessProbe:
-            httpGet:
-              path: /solr/alfresco/admin/ping
-              port: {{ template "alfresco-search.containerPort" . }}
-              {{- if eq .Values.global.tracking.auth "secret" }}
-              httpHeaders:
-              - name: X-Alfresco-Search-Secret
-                value: "{{ .Values.global.tracking.sharedsecret }}"
-              {{- end }}
+            exec:
+              command:
+                - sh
+                - -c
+                - >-
+                  [
+                  $(
+                  curl -sH "X-Alfresco-Search-Secret: $SOLR_ALFRESCO_SECURECOMMS_SECRET" http://localhost:{{ template "alfresco-search.containerPort" . }}/solr/alfresco/admin/ping
+                  | xmllint --xpath '/response/str[@name="status"]/text()' -
+                  )
+                  = "OK" ]
             initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
             timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
           livenessProbe:
-            httpGet:
-              path: /solr/admin/info/system
-              port: {{ template "alfresco-search.containerPort" . }}
-              {{- if eq .Values.global.tracking.auth "secret" }}
-              httpHeaders:
-              - name: X-Alfresco-Search-Secret
-                value: "{{ .Values.global.tracking.sharedsecret }}"
-              {{- end }}
+            exec:
+              command:
+                - sh
+                - -c
+                - >-
+                  [
+                  $(
+                  curl -sH "X-Alfresco-Search-Secret: $SOLR_ALFRESCO_SECURECOMMS_SECRET" http://localhost:{{ template "alfresco-search.containerPort" . }}/solr/admin/info/system
+                  | xmllint --xpath '/response/lst/int[@name="status"]/text()' -
+                  )
+                  -eq 0 ]
             initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
             failureThreshold: 1

charts/alfresco-search-service/templates/secret-repository.yaml

@@ -0,0 +1,15 @@
+{{- if (not .Values.repository.existingSecret.name) }}
+{{- if and (eq "secret" .Values.repository.securecomms) (not .Values.repository.existingConfigMap.name) }}
+apiVersion: v1
+kind: Secret
+metadata: {{- $ctx := dict "Values" (dict "nameOverride" (printf "%s-repository" $.Chart.Name )) "Chart" $.Chart "Release" $.Release }}
+  name: {{ template "alfresco-search-service.fullname" $ctx }}
+  labels:
+    {{ template "alfresco-search-service.labels" . }}
+type: Opaque
+data:
+  {{- $reqmsg := "Please provide a shared secret for solr and repository in value repository.sharedSecret" }}
+  {{- $shared_secret := required $reqmsg (index .Values.repository "sharedSecret") }}
+  SOLR_ALFRESCO_SECURECOMMS_SECRET: {{ $shared_secret | b64enc | quote }}
+{{- end }}
+{{- end }}

charts/alfresco-search-service/tests/secrets_test.yaml

@@ -0,0 +1,66 @@
+---
+suite: test solr secrets
+templates:
+  - secret-ingress.yaml
+  - secret-repository.yaml
+tests:
+  - it: should have credentials in the default ingress secret
+    values: &testvalues
+      - values/test_values.yaml
+      - values/ingress.yaml
+    set:
+      ingress.existingSecretName: null
+    template: secret-ingress.yaml
+    asserts:
+      - equal:
+          path: data.auth
+          value: YWRtaW46JGFwcjEkVVJqb29uS00kSEMuS1EwVkRScFpwSHB2a3JwTDd1Lg==
+
+  - it: should not render ingress secret when ingress is disabled
+    values: *testvalues
+    set:
+      ingress:
+        enabled: false
+    template: secret-ingress.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should not render ingress secret when and existing secret name is set
+    values: *testvalues
+    set:
+      ingress:
+        existingSecretName: my-custom-secret
+    template: secret-ingress.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should render the shared secret from values
+    values: *testvalues
+    template: secret-repository.yaml
+    asserts:
+      - equal:
+          path: data.SOLR_ALFRESCO_SECURECOMMS_SECRET
+          value: "ZHVtbXk="
+
+  - it: should not render a shared secret if securecomms is not set to "secret"
+    values: *testvalues
+    set:
+      repository:
+        securecomms: none
+    template: secret-repository.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: should not render a shared secret if securecomms is not set to "secret"
+    values: *testvalues
+    set:
+      repository:
+        securecomms: secret
+        existingSecret:
+          name: mysecret
+    template: secret-repository.yaml
+    asserts:
+      - hasDocuments:
+          count: 0

charts/alfresco-search-service/tests/values/test_values.yaml

@@ -1,5 +1,3 @@
 ---
-global:
-  tracking:
-    sharedsecret: dummy
-  alfrescoRegistryPullSecrets: secretsecret
+repository:
+  sharedSecret: dummy