Added support for reading apiKey and readOnlyApiKey from external sec…

…rets. (#230) * added support for reading apiKey and readOnlyApiKey from external secrets. Also added support for valueFrom convention in container secrets * flattened _helpers.tpl to maintain existing convention * fixed logic issue with apiKey and readOnlyApiKey primitive values introduced in last commit * changed helper if from a typeOf check to a kindOf check and added a BATS test for new functionality * fixed test config error
qdrant · Aug 30, 2024 · ae1d0fb · ae1d0fb
1 parent 6d2d7cc
commit ae1d0fb
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 5 deletions.
diff --git a/charts/qdrant/templates/_helpers.tpl b/charts/qdrant/templates/_helpers.tpl
@@ -68,15 +68,33 @@ Create secret
 {{- define "qdrant.secret" -}}
 {{- $readOnlyApiKey := false }}
 {{- $apiKey := false }}
-{{- if eq (.Values.apiKey | toJson) "true" -}}
-{{- /* retrieve existing randomly generated api key or create new one */ -}}
+{{- if kindIs "map" .Values.apiKey -}}
+{{- if .Values.apiKey.valueFrom -}}
+{{- /* Retrieve the value from the secret as specified in valueFrom */ -}}
+{{- $secretName := .Values.apiKey.valueFrom.secretKeyRef.name -}}
+{{- $secretKey := .Values.apiKey.valueFrom.secretKeyRef.key -}}
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict -}}
+{{- $secretData := (get $secretObj "data") | default dict -}}
+{{- $apiKey = (get $secretData $secretKey | b64dec) -}}
+{{- end -}}
+{{- else if .Values.apiKey | toJson | eq "true" -}}
+{{- /* Retrieve existing randomly generated api key or create a new one */ -}}
 {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (printf "%s-apikey" (include "qdrant.fullname" . ))) | default dict -}}
 {{- $secretData := (get $secretObj "data") | default dict -}}
 {{- $apiKey = (get $secretData "api-key" | b64dec) | default (randAlphaNum 32) -}}
 {{- else if .Values.apiKey -}}
 {{- $apiKey = .Values.apiKey -}}
 {{- end -}}
-{{- if eq (.Values.readOnlyApiKey | toJson) "true" -}}
+{{- if kindIs "map" .Values.apiKey -}}
+{{- if .Values.readOnlyApiKey.valueFrom -}}
+{{- /* Retrieve the value from the secret as specified in valueFrom */ -}}
+{{- $secretName := .Values.readOnlyApiKey.valueFrom.secretKeyRef.name -}}
+{{- $secretKey := .Values.readOnlyApiKey.valueFrom.secretKeyRef.key -}}
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict -}}
+{{- $secretData := (get $secretObj "data") | default dict -}}
+{{- $readOnlyApiKey = (get $secretData $secretKey | b64dec) -}}
+{{- end -}}
+{{- else if eq (.Values.readOnlyApiKey | toJson) "true" -}}
 {{- /* retrieve existing randomly generated api key or create new one */ -}}
 {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (printf "%s-apikey" (include "qdrant.fullname" . ))) | default dict -}}
 {{- $secretData := (get $secretObj "data") | default dict -}}

diff --git a/charts/qdrant/templates/statefulset.yaml b/charts/qdrant/templates/statefulset.yaml
@@ -77,7 +77,11 @@ spec:
               value: /qdrant/init/.qdrant-initialized
           {{- range .Values.env }}
             - name: {{ .name }}
+              {{- if .valueFrom }}
+              valueFrom: {{- toYaml .valueFrom | nindent 16 }}
+              {{- else }}
               value: {{ .value | quote }}
+              {{- end }}
           {{- end }}
           command: ["/bin/bash", "-c"]
           {{- with .Values.args }}

diff --git a/charts/qdrant/values.yaml b/charts/qdrant/values.yaml
@@ -232,12 +232,23 @@ podDisruptionBudget:
 # false: no api key will be configured
 # true: an api key will be auto-generated
 # string: the given string will be set as an apikey
-apiKey: false
+# Also supports reading in from an external secret using
+# valueFrom:
+#   secretKeyRef:
+#     name:
+#     key:
+# apiKey: false
+
 # read-only api key for authentication at qdrant
 # false: no read-only api key will be configured
 # true: an read-only api key will be auto-generated
 # string: the given string will be set as a read-only apikey
-readOnlyApiKey: false
+# Also supports reading in from an external secret using
+# valueFrom:
+#   secretKeyRef:
+#     name:
+#     key:
+# readOnlyApiKey: false
 
 additionalVolumes: []
 # - name: volumeName

diff --git a/test/integration/external_api_key.bats b/test/integration/external_api_key.bats
@@ -0,0 +1,17 @@
+setup_file() {
+    kubectl -n qdrant-helm-integration create secret generic qdrant-external-apikey --from-literal=apiKey=test-api-key --from-literal=readOnlyApiKey=test-read-only-api-key
+    helm upgrade --install qdrant charts/qdrant --set apiKey.valueFrom.secretKeyRef.name=qdrant-external-apikey,apiKey.valueFrom.secretKeyRef.key=apiKey,readOnlyApiKey.valueFrom.secretKeyRef.name=qdrant-external-apikey,readOnlyApiKey.valueFrom.secretKeyRef.key=readOnlyApiKey -n qdrant-helm-integration --wait
+    kubectl rollout status statefulset qdrant -n qdrant-helm-integration
+}
+
+@test "external api key works" {
+    run kubectl exec -n default curl -- curl -s http://qdrant.qdrant-helm-integration:6333/collections -H "api-key: test-api-key" --fail-with-body
+    [ $status -eq 0 ]
+    [[ "${output}" =~ .*\"status\":\"ok\".* ]]
+}
+
+@test "external read only api key works" {
+    run kubectl exec -n default curl -- curl -s http://qdrant.qdrant-helm-integration:6333/collections -H "api-key: test-read-only-api-key" --fail-with-body
+    [ $status -eq 0 ]
+    [[ "${output}" =~ .*\"status\":\"ok\".* ]]
+}