feat(pgadmin): manage passfiles

SocialGouv · May 3, 2024 · 3f91cd8 · 3f91cd8
1 parent bb9bb59
commit 3f91cd8
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 3 deletions.
diff --git a/charts/pgadmin/templates/deployment.yaml b/charts/pgadmin/templates/deployment.yaml
@@ -25,15 +25,28 @@ spec:
         {{- range .Values.secrets }}
         - name: {{ .name }}
           secret:
-            secretName: {{ .name }}
+            secretName: passfile-{{ .name }}
             items:
-            - key: {{ .keys.password }}
+            - key: passfile
               path: "password"
         {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          lifecycle:
+            postStart:
+              exec:
+                command: # See the following issue: https://github.com/pgadmin-org/pgadmin4/issues/6741
+                - /bin/sh
+                - -c
+                - |
+                  for d in /secrets/servers/* ; do
+                    mkdir -p /tmp/passfiles/$(basename $d)
+                    cp $d/password /tmp/passfiles/$(basename $d)/password;
+                    chown pgadmin:root /tmp/passfiles/$(basename $d)/password;
+                    chmod 600 /tmp/passfiles/$(basename $d)/password;
+                  done
           ports:
             - name: http
               containerPort: 8080

diff --git a/charts/pgadmin/templates/kyverno.policy.yaml b/charts/pgadmin/templates/kyverno.policy.yaml
@@ -56,9 +56,36 @@ spec:
                     "MaintenanceDB": "{{ if hasSuffix "-superuser" $secret.name }}postgres{{else}}{{`{{`}}base64_decode({{ $secret.name | replace "-" "_" }}_database){{`}}`}}{{ end }}",
                     "Host": "{{`{{`}}base64_decode({{ $secret.name | replace "-" "_" }}_host){{`}}`}}",
                     "Port": {{`{{`}}base64_decode({{ $secret.name | replace "-" "_" }}_port){{`}}`}},
-                    "PassFile": "/secrets/servers/{{ $secret.name }}/password",
+                    "PassFile": "/tmp/passfiles/{{ $secret.name }}/password",
                     "Name": "{{`{{`}}base64_decode({{ $secret.name | replace "-" "_" }}_host){{`}}`}}"
                   }{{ if ne (len $.Values.secrets) (add1 $key) }},{{ end }}
                   {{- end }}
                 }
               }
+    {{- range $key, $secret := .Values.secrets }}
+    - name: gensecret-filepass-{{ add1 $key }}
+      match:
+        any:
+        - resources:
+            kinds:
+              - Secret
+            names:
+              - {{ $secret.name }}
+      context:
+      - name: password
+        apiCall:
+          urlPath: "/api/v1/namespaces/{{`{{`}}request.namespace{{`}}`}}/secrets/{{ $secret.name }}"
+          jmesPath: 'data."{{ $secret.keys.password }}"'
+      - name: user
+        apiCall:
+          urlPath: "/api/v1/namespaces/{{`{{`}}request.namespace{{`}}`}}/secrets/{{ $secret.name }}"
+          jmesPath: 'data."{{ $secret.keys.user }}"'
+      generate:
+        apiVersion: v1
+        kind: Secret
+        name: passfile-{{ $secret.name }}
+        namespace: "{{ or $.Values.namespace $.Values.global.namespace .Release.Namespace }}"
+        data:
+          stringData:
+            passfile: "*:*:*:{{`{{`}}base64_decode(user){{`}}`}}:{{`{{`}}base64_decode(password){{`}}`}}"
+    {{- end }}