From e0fc4fb32f571531b453d6e0c92a744b3a0efb21 Mon Sep 17 00:00:00 2001
From: Christopher Tate
Date: Mon, 27 Feb 2023 22:10:53 -0700
Subject: [PATCH] Adding features like serviceAccountName for OpenShift security constraints

parent 9cc554112c075c1a994205d50c08e0366afb00d7
author Christopher Tate 1677561053 -0700
committer Christopher Tate 1677684028 -0700

- fix a bug with postgresql.enabled value
- add docs for new serviceAccountName value for required security on OpenShift
- allow customizing the postgresqlDatabase value and PGDATABASE environment variable on the betydb container
- allow disabling the creation of a betydb Secret in order to use an ExternalSecret from a vault instead
---
 Chart.lock | 4 ++--
 Chart.yaml | 2 +-
 README.md | 6 ++++++
 templates/_helpers.tpl | 2 ++
 templates/deployment.yaml | 3 +++
 templates/secrets.yaml | 2 ++
 values.yaml | 12 ++++++++++++
 7 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/Chart.lock b/Chart.lock
index 4d62d201..730362d4 100644
--- a/Chart.lock
+++ b/Chart.lock
@@ -2,5 +2,5 @@ dependencies:
 - name: postgresql
   repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
   version: 8.9.9
-digest: sha256:526629d1646df6a72d4414adc89f3728f0e97e37a4e8ac65036c51e06361c7bb
-generated: "2022-06-22T22:35:06.775527-05:00"
+digest: sha256:9bf0731393755a97be066c786f40dd92f7a640137658a129a37c29cedd7d6560
+generated: "2023-02-27T22:24:29.970340243-07:00"
diff --git a/Chart.yaml b/Chart.yaml
index 2a163901..b2819c47 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -36,7 +36,7 @@ dependencies:
 - name: postgresql
   version: ~8.9
   repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami
-  condition: postgres.enabled
+  condition: postgresql.enabled
 
 annotations:
   artifacthub.io/links: |
diff --git a/README.md b/README.md
index 32488c9e..68054c9b 100644
--- a/README.md
+++ b/README.md
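Review bot: With the condition now pointing at `postgresql.enabled`, the bundled PostgreSQL subchart can finally be switched off, but none of the values.yaml hunks on this page shows an `enabled` key under `postgresql:`, and Helm ignores a condition whose path is absent from the parent values, so the switch only takes effect once a user sets it themselves. If the key is not already declared elsewhere in values.yaml, add `enabled: true` under the `postgresql:` block with a short comment and a README row, so the default is explicit and the option is discoverable. Disabling the subchart also leaves the chart pointing at whatever `betydb.postgresqlHost` and `betydb.postgresqlPort` resolve to (see `_helpers.tpl`), so that comment should name the values an external database requires.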
@@ -86,6 +86,12 @@ The following table lists the configurable parameters of the Bety chart and thei
 | `betyPassword` | Password value for bety.password | `bety` |
 | `betyDatabase` | Name of the database for bety.database | `bety` |
 
+### OpenShift/Kubernetes parameters
+
+| Parameter | Description | Default |
+|-----------------------------------|----------------------------------------------------------|--------------------------------|
+| `serviceAccountName` | Add a serviceAccountName to the deployment | `` |
+
 ### Ingress parameters
 
 | Parameter | Description | Default |
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index e239785c..599683e1 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -74,6 +74,8 @@ Environment variables for PostgreSQL
   value: {{ include "betydb.postgresqlHost" . | quote }}
 - name: PGPORT
   value: {{ include "betydb.postgresqlPort" . | quote }}
+- name: PGDATABASE
+  value: {{ .Values.postgresql.postgresqlDatabase | default "postgres" | quote }}
 - name: PGUSER
   value: {{ .Values.postgresql.postgresqlUsername | default "postgres" | quote }}
 - name: PGPASSWORD
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index b9027786..5579b149 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -100,6 +100,9 @@ spec:
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.serviceAccountName }}
+      serviceAccountName: {{ . }}
+      {{- end }}
       {{- with .Values.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
diff --git a/templates/secrets.yaml b/templates/secrets.yaml
index 70d0e937..0fb1145e 100644
--- a/templates/secrets.yaml
+++ b/templates/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.externalSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,3 +12,4 @@ data:
   {{- end }}
   betyPassword: {{ .Values.betyPassword | b64enc | quote }}
   secretKey: {{ .Values.secretKey | b64enc | quote }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
index 13d48931..fb6b1987 100644
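Review bot: `serviceAccountName: {{ . }}` in the deployment.yaml hunk emits the value unquoted, unlike the `| quote` the chart applies to every env value in `_helpers.tpl`; a name such as `no` or `on` would be re-typed as a boolean by a YAML 1.1 loader and a value containing `: ` would break the manifest, so prefer `serviceAccountName: {{ . | quote }}`. The chart only references the account name and creates no ServiceAccount, Role or SCC binding, which the README row ("Add a serviceAccountName to the deployment") should state, for example `Name of a pre-existing ServiceAccount; it must be created and granted the required SCC outside this chart`. The enclosing Deployment spec starts and ends outside the hunk.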
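Review bot: The new guard `{{- if .Values.externalSecret }}` at the top of secrets.yaml is inverted relative to the flag's documented meaning: values.yaml defaults `externalSecret: false` and describes `true` as the case where the secret is managed externally, so a default install renders no `betydb` Secret at all, and setting the flag to true renders a chart-managed Secret next to the external one. Change the opening line to `{{- if not .Values.externalSecret }}`; the matching `{{- end }}` added in the second hunk needs no change. The Secret's `metadata.name` is outside both hunks, so it is worth confirming the README states the exact name and the three keys (`betyPassword`, `postgresqlPassword`, `secretKey`) an externally managed Secret must carry before the pods start.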
--- a/values.yaml
+++ b/values.yaml
@@ -39,6 +39,11 @@ betyDatabase: bety
 ## changed users will not be able to login with their existing passwords.
 secretKey: thisisnotasecret
 
+## Set to true if you will be managing the `betydb` secret with external secrets.
+## The `betydb` secret includes `betyPassword`, `postgresqlPassword`,
+## and `secretKey`.
+externalSecret: false
+
 ## dbtag is the tag of the database to load. Normally will use latest to
 ## make sure latest tag is loaded, this might not work with an older database.
 ## set this to "" to not load the database
@@ -107,6 +112,9 @@ postgresql:
   ## not saved in the database.
   postgresqlPassword: supersecret
 
+  ## postgresqlDatabase postgresql database to connect to load the database
+  postgresqlDatabase: postgres
+
   # need more space
   persistence:
     size: 20Gi
@@ -169,6 +177,10 @@ resources: {}
 ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
 nodeSelector: {}
 
+## Service Account Name
+## ref: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccountName: ""
+
 ## Tolerations
 ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 tolerations: []
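Review bot: Neither `externalSecret` (first hunk) nor `postgresql.postgresqlDatabase` (second hunk) is added to the README parameter table, although the README hunk in this commit adds a row for `serviceAccountName`; both new values deserve a row with their default. The `externalSecret` comment says what the flag means but not what the chart does with it; extend it with `## When true the chart renders no betydb Secret; a Secret of that name with the keys above must already exist.` so operators know the pods will fail to start without it. The `postgresqlDatabase` comment reads awkwardly; `## Name of the database PGDATABASE points at when the betydb container connects to load the database` would be clearer.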