diff --git a/charts/risingwave/templates/_helpers.tpl b/charts/risingwave/templates/_helpers.tpl index c9a7604..61c88f8 100644 --- a/charts/risingwave/templates/_helpers.tpl +++ b/charts/risingwave/templates/_helpers.tpl @@ -601,7 +601,10 @@ Cloud related enviroments. {{/* Env vars for license key */}} {{- define "risingwave.licenseKeyEnv" }} -{{- if and .Values.license.secret.key .Values.license.secret.name }} +{{- if and .Values.license.passAsFile (or .Values.license.key (and .Values.license.secret.key .Values.license.secret.name)) }} +- name: RW_LICENSE_KEY_PATH + value: /license/license.jwt +{{- else if and .Values.license.secret.key .Values.license.secret.name }} - name: RW_LICENSE_KEY valueFrom: secretKeyRef: 
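Review bot: The new `RW_LICENSE_KEY_PATH` branch hard-codes `/license/license.jwt`, a path that only exists in pods which also include `risingwave.licenseKeyVolume` and `risingwave.licenseKeyVolumeMount`. This diff wires those two helpers into meta-sts.yaml and standalone-sts.yaml only. If any other workload template includes `risingwave.licenseKeyEnv` (not visible here), it would receive a path to a file that is never mounted, so that is worth confirming. The same `and .Values.license.passAsFile (or ...)` condition is repeated in both volume helpers further down; a single named helper, for example `risingwave.licenseKeyAsFile`, would keep the three from drifting apart. The end of this define lies outside the hunk.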
@@ -612,3 +615,42 @@ Cloud related enviroments. value: {{ .Values.license.key | quote }} {{- end }} {{- end }} + +{{/* Secret name to store license */}} +{{- define "risingwave.licenseKeySecretName" }} +{{- if and .Values.license.secret.key .Values.license.secret.name }} +{{- .Values.license.secret.name }} +{{- else }} +{{- printf "%s-license" (include "risingwave.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} + +{{/* Secret key to the license data*/}} +{{- define "risingwave.licenseKeySecretKey" }} +{{- if and .Values.license.secret.key .Values.license.secret.name }} +{{- .Values.license.secret.key }} +{{- else }} +{{- printf "license.jwt" }} +{{- end }} +{{- end }} + +{{/* Volume for license key */}} +{{- define "risingwave.licenseKeyVolume"}} +{{- if and .Values.license.passAsFile (or .Values.license.key (and .Values.license.secret.key .Values.license.secret.name)) }} +- name: license + secret: + secretName: {{ include "risingwave.licenseKeySecretName" . | quote }} + items: + - key: {{ include "risingwave.licenseKeySecretKey" . | quote }} + path: license.jwt +{{- end }} +{{- end }} + +{{/* Volume mount for license key */}} +{{- define "risingwave.licenseKeyVolumeMount"}} +{{- if and .Values.license.passAsFile (or .Values.license.key (and .Values.license.secret.key .Values.license.secret.name)) }} +- name: license + mountPath: /license + readOnly: true +{{- end }} +{{- end }} diff --git a/charts/risingwave/templates/license-secret.yaml b/charts/risingwave/templates/license-secret.yaml new file mode 100644 index 0000000..00c9de6 --- /dev/null +++ b/charts/risingwave/templates/license-secret.yaml 
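Review bot: The `license` Secret volume in `risingwave.licenseKeyVolume` sets no `defaultMode`, so the projected `license.jwt` gets the Kubernetes default of 0644 and is readable by every user in the container. Consider adding `defaultMode: 0440` under `secret:`, provided the pod's `runAsUser`/`fsGroup` settings (not visible in this hunk) still let the RisingWave process read the file. As a minor style point, `{{- printf "license.jwt" }}` in `risingwave.licenseKeySecretKey` is a format call with no arguments; `{{- "license.jwt" }}` says the same thing.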
@@ -0,0 +1,12 @@ +{{- $secretName := (include "risingwave.licenseKeySecretName" .) }} +{{- with .Values.license }} +{{/* passAsFile && key != "" && (secret.key == "" || secret.name == "") */}} +{{- if and .passAsFile .key (or (empty .secret.key) (empty .secret.name)) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} +stringData: + license.jwt: {{ .key }} +{{- end }} +{{- end }} diff --git a/charts/risingwave/templates/meta-sts.yaml b/charts/risingwave/templates/meta-sts.yaml index 19f394e..891c0b7 100644 --- a/charts/risingwave/templates/meta-sts.yaml +++ b/charts/risingwave/templates/meta-sts.yaml @@ -65,6 +65,7 @@ spec: {{- end }} {{- end }} volumes: + {{ include "risingwave.licenseKeyVolume" . | nindent 6 }} - name: config configMap: name: {{ include "risingwave.configurationConfigMapName" . }} @@ -327,6 +328,7 @@ spec: {{ toYaml .Values.metaComponent.resources.requests | nindent 12 }} {{- end }} volumeMounts: + {{ include "risingwave.licenseKeyVolumeMount" . | nindent 8 }} - mountPath: /risingwave/config name: config readOnly: true diff --git a/charts/risingwave/templates/standalone/standalone-sts.yaml b/charts/risingwave/templates/standalone/standalone-sts.yaml index b4d496c..5b5a2c1 100644 --- a/charts/risingwave/templates/standalone/standalone-sts.yaml +++ b/charts/risingwave/templates/standalone/standalone-sts.yaml @@ -64,6 +64,7 @@ spec: {{- end }} {{- end }} volumes: + {{ include "risingwave.licenseKeyVolume" . | nindent 6 }} - name: config configMap: name: {{ include "risingwave.configurationConfigMapName" . }} @@ -367,6 +368,7 @@ spec: {{ toYaml .Values.standalone.resources.requests | nindent 12 }} {{- end }} volumeMounts: + {{ include "risingwave.licenseKeyVolumeMount" . | nindent 8 }} - mountPath: /risingwave/config name: config readOnly: true diff --git a/charts/risingwave/tests/license_secret_test.yaml b/charts/risingwave/tests/license_secret_test.yaml new file mode 100644 index 0000000..57b40f1 --- /dev/null 
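Review bot: `license.jwt: {{ .key }}` in license-secret.yaml renders the license value as an unquoted YAML scalar. A value that starts with a YAML indicator, contains `: ` or ` #`, or carries a trailing newline (for example when loaded from a file) would be retyped or break the manifest. The env-var path already renders the same value with `| quote`, so I would write `license.jwt: {{ .key | quote }}` here, and `name: {{ $secretName | quote }}` to match the volume helper. The new test suite only uses `"ABC"`, which cannot expose the difference.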
+++ b/charts/risingwave/tests/license_secret_test.yaml
@@ -0,0 +1,56 @@
+suite: License secret test
+templates:
+- license-secret.yaml
+chart:
+ appVersion: 1.0.0
+ version: 0.0.1
+tests:
+- it: no license key
+ asserts:
+ - hasDocuments:
+ count: 0
+- it: license key found with raw key and not passing by file
+ set:
+ license:
+ key: "ABC"
+ passAsFile: false
+ asserts:
+ - hasDocuments:
+ count: 0
+- it: license key found with secret and not passing by file
+ set:
+ license:
+ secret:
+ name: a
+ key: b
+ passAsFile: false
+ asserts:
+ - hasDocuments:
+ count: 0
+- it: license key found with raw key and passing by file
+ set:
+ license:
+ key: "ABC"
+ passAsFile: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - containsDocument:
+ apiVersion: v1
+ kind: Secret
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-risingwave-license
+ - equal:
+ path: stringData["license.jwt"]
+ value: "ABC"
+- it: license key found with secret and passing by file
+ set:
+ license:
+ secret:
+ name: a
+ key: b
+ passAsFile: true
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/risingwave/tests/license_standalone_test.yaml b/charts/risingwave/tests/license_standalone_test.yaml
index f583a1b..51e9cfa 100644
--- a/charts/risingwave/tests/license_standalone_test.yaml
+++ b/charts/risingwave/tests/license_standalone_test.yaml
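Review bot: The suite has no case where `license.key` and `license.secret.name`/`license.secret.key` are all set together with `passAsFile: true`. That is the branch where the template must not copy the raw key into a chart-managed Secret. license_standalone_test.yaml covers this combination for the StatefulSet, so a matching case here asserting `hasDocuments` with `count: 0` would pin the `(or (empty .secret.key) (empty .secret.name))` guard in license-secret.yaml.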
@@ -15,7 +15,47 @@ tests: content: name: RW_LICENSE_KEY any: true -- it: license key found with raw key + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: no license key and passing as file + set: + license: + passAsFile: true + asserts: + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY + any: true + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: license key found with raw key and not passing by file set: license: key: "ABC" 
@@ -25,7 +65,53 @@ tests: content: name: RW_LICENSE_KEY value: "ABC" -- it: license key found with secret ref + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: license key found with raw key and passing by file + set: + license: + key: "ABC" + passAsFile: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + value: /license/license.jwt + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + mountPath: /license + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: license + secret: + secretName: RELEASE-NAME-risingwave-license + items: + - key: license.jwt + path: license.jwt + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY + any: true +- it: license key found with secret ref and not passing by file set: license: secret: 
@@ -40,7 +126,55 @@ tests: secretKeyRef: name: LICENSE-SECRET key: LICENSE-KEY -- it: license key found with secret ref and key + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: license key found with secret ref and passing by file + set: + license: + secret: + name: LICENSE-SECRET + key: LICENSE-KEY + passAsFile: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + value: /license/license.jwt + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + mountPath: /license + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: license + secret: + secretName: LICENSE-SECRET + items: + - key: LICENSE-KEY + path: license.jwt + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY + any: true +- it: license key found with secret ref and key and not passing by file set: license: key: "ABC" 
@@ -56,3 +190,52 @@ tests: secretKeyRef: name: LICENSE-SECRET key: LICENSE-KEY + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: license key found with secret ref and key and passing by file + set: + license: + key: "ABC" + secret: + name: LICENSE-SECRET + key: LICENSE-KEY + passAsFile: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + value: /license/license.jwt + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + mountPath: /license + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: license + secret: + secretName: LICENSE-SECRET + items: + - key: LICENSE-KEY + path: license.jwt + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY + any: true diff --git a/charts/risingwave/tests/license_test.yaml b/charts/risingwave/tests/license_test.yaml index caf737a..e65e159 100644 --- a/charts/risingwave/tests/license_test.yaml +++ b/charts/risingwave/tests/license_test.yaml 
@@ -12,7 +12,47 @@ tests: content: name: RW_LICENSE_KEY any: true -- it: license key found with raw key + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: no license key and passing as file + set: + license: + passAsFile: true + asserts: + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY + any: true + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: license key found with raw key and not passing by file set: license: key: "ABC" 
@@ -22,7 +62,53 @@ tests: content: name: RW_LICENSE_KEY value: "ABC" -- it: license key found with secret ref + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: license key found with raw key and passing by file + set: + license: + key: "ABC" + passAsFile: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + value: /license/license.jwt + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + mountPath: /license + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: license + secret: + secretName: RELEASE-NAME-risingwave-license + items: + - key: license.jwt + path: license.jwt + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY + any: true +- it: license key found with secret ref and not passing by file set: license: secret: 
@@ -37,7 +123,55 @@ tests: secretKeyRef: name: LICENSE-SECRET key: LICENSE-KEY -- it: license key found with secret ref and key + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: license key found with secret ref and passing by file + set: + license: + secret: + name: LICENSE-SECRET + key: LICENSE-KEY + passAsFile: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + value: /license/license.jwt + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + mountPath: /license + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: license + secret: + secretName: LICENSE-SECRET + items: + - key: LICENSE-KEY + path: license.jwt + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY + any: true +- it: license key found with secret ref and key and not passing by file set: license: key: "ABC" 
@@ -53,3 +187,52 @@ tests: secretKeyRef: name: LICENSE-SECRET key: LICENSE-KEY + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: license + any: true +- it: license key found with secret ref and key and passing by file + set: + license: + key: "ABC" + secret: + name: LICENSE-SECRET + key: LICENSE-KEY + passAsFile: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY_PATH + value: /license/license.jwt + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: license + mountPath: /license + readOnly: true + - contains: + path: spec.template.spec.volumes + content: + name: license + secret: + secretName: LICENSE-SECRET + items: + - key: LICENSE-KEY + path: license.jwt + - notContains: + path: spec.template.spec.containers[0].env + content: + name: RW_LICENSE_KEY + any: true diff --git a/charts/risingwave/values.yaml b/charts/risingwave/values.yaml index 27cf487..7704935 100644 --- a/charts/risingwave/values.yaml +++ b/charts/risingwave/values.yaml @@ -1401,9 +1401,14 @@ license: ## @param secret Use existing Secret to provide license key. ## If set, value of key will be ignored. secret: - ## @param name Name of the existing Secret. + ## @param name of the existing Secret. ## name: "" - ## @param key Key in the Secret. Defaults to "licenseKey". + ## @param key in the Secret. Defaults to "licenseKey". ## key: "licenseKey" + + ## @param passAsFile Pass the license key as a file. Defaults to false. + ## Will be removed once RisingWave v2.1 is released. + ## + passAsFile: false
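Review bot: The `passAsFile` comment in values.yaml does not say what the default of `false` means for secrecy. With `license.key` set and `passAsFile: false`, the key is rendered as a literal `RW_LICENSE_KEY` env value in the pod template (the tests assert `value: "ABC"`), so anyone who can read the StatefulSet or Pod can read the key. I would add a line such as `## When false and license.key is set, the key appears in plain text in the pod spec; prefer license.secret or passAsFile: true.` Separately, `## @param name of the existing Secret.` drops the leading `Name`, so a `@param <name> <description>` generator, if the chart uses one, would read the description as "of the existing Secret."; the `key` line has the same issue.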