Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -10,6 +10,7 @@
* New feature: Add `extra_volumes` to `st2actionrunner`, `st2client`, `st2sensorcontainer`. This is useful for loading volumes to be used by actions or sensors. This might include secrets (like ssl certificates) and configuration (like system-wide ansible.cfg). (#254) (by @cognifloyd)
* Some `helm upgrades` do not need to run all the jobs. An upgrade that only touches RBAC config, for example, does not need to run the register-content job. Use `--set 'jobs.skip={apikey_load,key_load,register_content}'` to skip the other jobs. (#255) (by @cognifloyd)
* Refactor deployments/jobs to inject st2 username/password via `envFrom` instead of via `env`. (#257) (by @cognifloyd)
* New feature: Add `envFromSecrets` to `st2actionrunner`, `st2client`, `st2sensorcontainer`, and jobs. This is useful for adding custom secrets to the environment. This complements the `extra_volumes` feature (loading secrets as files) to facilitate loading secrets that are not easily injected via the filesystem. (#259) (by @cognifloyd)

## v0.70.0
* New feature: Shared packs volumes `st2.packs.volumes`. Allow using cluster-specific persistent volumes to store packs, virtualenvs, and (optionally) configs. This enables using `st2 pack install`. It even works with `st2packs` images in `st2.packs.images`. (#199) (by @cognifloyd)
12 changes: 12 additions & 0 deletions templates/deployments.yaml
Expand Up @@ -1116,6 +1116,10 @@ spec:
envFrom:
- configMapRef:
name: {{ $.Release.Name }}-st2-urls
{{- range $sensor.envFromSecrets }}
- secretRef:
name: {{ . }}
{{- end }}
volumeMounts:
{{- include "st2-config-volume-mounts" $ | nindent 8 }}
{{- include "packs-volume-mounts" $ | nindent 8 }}
Expand Down Expand Up @@ -1250,6 +1254,10 @@ spec:
envFrom:
- configMapRef:
name: {{ .Release.Name }}-st2-urls
{{- range .Values.st2actionrunner.envFromSecrets }}
- secretRef:
name: {{ . }}
{{- end }}
volumeMounts:
{{- include "st2-config-volume-mounts" . | nindent 8 }}
- name: st2-ssh-key-vol
Expand Down Expand Up @@ -1506,6 +1514,10 @@ spec:
envFrom:
- configMapRef:
name: {{ .Release.Name }}-st2-urls
{{- range .Values.st2client.envFromSecrets }}
- secretRef:
name: {{ . }}
{{- end }}
volumeMounts:
{{- include "st2-config-volume-mounts" . | nindent 8 }}
{{- if .Values.st2.rbac.enabled }}
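Review bot: The added `name: {{ . }}` lines in all three hunks render the secret name as a bare YAML scalar, so an entry that is empty or looks like a number or boolean renders as null or a non-string and the manifest is rejected or misread on apply; `name: {{ . | quote }}` avoids that, and the same applies to the `secretRef` lines added in templates/jobs.yaml. Separately, the `secretRef` entries are appended after the `-st2-urls` `configMapRef`, and Kubernetes lets the last `envFrom` source win on duplicate keys, so a listed secret can silently override the values that ConfigMap provides. If that precedence is intended it deserves a comment next to the range, for example `# secretRefs come last: keys that collide with st2-urls override it`. The container specs these hunks belong to start and end outside the visible lines.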
22 changes: 22 additions & 0 deletions templates/jobs.yaml
Expand Up @@ -51,6 +51,13 @@ spec:
{{- if .Values.jobs.env }}
env: {{- include "stackstorm-ha.customEnv" .Values.jobs | nindent 8 }}
{{- end }}
{{- if .Values.jobs.envFromSecrets }}
envFrom:
{{- range .Values.jobs.envFromSecrets }}
- secretRef:
name: {{ . }}
{{- end }}
{{- end }}
volumeMounts:
{{- include "st2-config-volume-mounts" . | nindent 8 }}
- name: st2-rbac-roles-vol
Expand Down Expand Up @@ -178,6 +185,10 @@ spec:
envFrom:
- configMapRef:
name: {{ .Release.Name }}-st2-urls
{{- range .Values.jobs.envFromSecrets }}
- secretRef:
name: {{ . }}
{{- end }}
volumeMounts:
- name: st2client-config-vol
mountPath: /root/.st2/
Expand Down Expand Up @@ -291,6 +302,10 @@ spec:
envFrom:
- configMapRef:
name: {{ .Release.Name }}-st2-urls
{{- range .Values.jobs.envFromSecrets }}
- secretRef:
name: {{ . }}
{{- end }}
volumeMounts:
{{- include "st2-config-volume-mounts" . | nindent 8 }}
- name: st2client-config-vol
Expand Down Expand Up @@ -402,6 +417,13 @@ spec:
{{- if .Values.jobs.env }}
env: {{- include "stackstorm-ha.customEnv" .Values.jobs | nindent 8 }}
{{- end }}
{{- if .Values.jobs.envFromSecrets }}
envFrom:
{{- range .Values.jobs.envFromSecrets }}
- secretRef:
name: {{ . }}
{{- end }}
{{- end }}
volumeMounts:
{{- include "st2-config-volume-mounts" . | nindent 8 }}
{{- include "packs-volume-mounts-for-register-job" . | nindent 8 }}
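Review bot: A single `.Values.jobs.envFromSecrets` list feeds all four job containers changed in this section, so a secret that only one job needs has every one of its keys exposed in the environment of the other three as well. If that sharing is intended (it mirrors how `jobs.env` is used in the first and last hunks), say so where the value is documented, e.g. `## NOTE: every job container receives all keys of every secret listed here.`; otherwise a per-job list would limit exposure to the job that needs it. No `optional` field is set on the `secretRef` entries, so a missing secret keeps the job pod from starting, which presumably stalls the install or upgrade and is worth documenting too. The job specs start and end outside these hunks.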
9 changes: 9 additions & 0 deletions values.yaml
Expand Up @@ -546,6 +546,8 @@ st2actionrunner:
# ip: 8.8.8.8
env: {}
# HTTP_PROXY: http://proxy:1234
## These named secrets (managed outside this chart) will be added to envFrom.
envFromSecrets: []
serviceAccount:
attach: false
# postStartScript is optional. It has the contents of a bash script.
Expand Down Expand Up @@ -604,6 +606,8 @@ st2sensorcontainer:
tolerations: []
env: {}
# HTTP_PROXY: http://proxy:1234
## These named secrets (managed outside this chart) will be added to envFrom.
envFromSecrets: []
serviceAccount:
attach: false
# postStartScript is optional. It has the contents of a bash script.
Expand All @@ -621,6 +625,8 @@ st2sensorcontainer:
st2client:
env: {}
# HTTP_PROXY: http://proxy:1234
## These named secrets (managed outside this chart) will be added to envFrom.
envFromSecrets: []
annotations: {}
# Override default image settings (for now, only tag can be overridden)
image: {}
Expand Down Expand Up @@ -673,6 +679,7 @@ st2chatops:
# Enable st2chatops (default: false)
enabled: false
# Custom hubot adapter ENV variables to pass through which will override st2chatops.env defaults.
# These env vars get stored in a k8s secret loaded using envFrom.
# See https://github.com/StackStorm/st2chatops/blob/master/st2chatops.env
# for the full list of supported adapters and example ENV variables.
# Note that Helm templating is supported for env values in this block!
Expand Down Expand Up @@ -741,6 +748,8 @@ jobs:
affinity: {}
env: {}
# HTTP_PROXY: http://proxy:1234
## These named secrets (managed outside this chart) will be added to envFrom.
envFromSecrets: []
#
# Advanced controls to skip creating jobs.
# This is useful in targeted upgrades with `--set`. Do not set this in values files.
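Review bot: The comment `## These named secrets (managed outside this chart) will be added to envFrom.`, repeated under `st2actionrunner`, `st2sensorcontainer`, `st2client` and `jobs`, leaves out what an operator needs in order to use the value safely. It does not say that the entries are names of Secrets that must already exist in the release namespace, that every key of each secret becomes an environment variable in the container, or that the templates place these sources after the chart's own `envFrom` entries so duplicate keys override them. I would extend it to something like `## Names of existing Secrets in the release namespace; every key becomes an env var.` followed by `## Added after the chart's own envFrom sources, so duplicate keys take precedence.`, with a commented sample entry such as `# - my-external-secret` (constructed name) to show the expected list-of-strings shape.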