Update Chart to 0.68.2 and enhance SQL secret management.

charts/temporal/Chart.yaml

@@ -39,7 +39,7 @@ dependencies:
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.72.0
+version: 0.73.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
 appVersion: 1.29.1

charts/temporal/templates/_admintools-env.yaml

@@ -34,45 +34,129 @@
     {{- end }}
   {{- end }}
 {{- else if eq $driver "sql" -}}
+  {{- if eq (include "temporal.persistence.sql.hasSecretRef" (list $global $store)) "true" }}
 - name: SQL_PLUGIN
   value: {{ include "temporal.persistence.sql.driver" (list $global $store) }}
+    {{- if eq (include "temporal.persistence.sql.hasHostKey" (list $global $store)) "true" }}
+- name: SQL_HOST
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "temporal.persistence.sql.secretRefName" (list $global $store) }}
+      key: {{ $driverConfig.secretRef.hostKey }}
+    {{- else }}
 - name: SQL_HOST
   value: {{ include "temporal.persistence.sql.host" (list $global $store) }}
+    {{- end }}
+    {{- if eq (include "temporal.persistence.sql.hasPortKey" (list $global $store)) "true" }}
+- name: SQL_PORT
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "temporal.persistence.sql.secretRefName" (list $global $store) }}
+      key: {{ $driverConfig.secretRef.portKey }}
+    {{- else }}
 - name: SQL_PORT
   value: {{ include "temporal.persistence.sql.port" (list $global $store) | quote }}
+    {{- end }}
+    {{- if eq (include "temporal.persistence.sql.hasDatabaseKey" (list $global $store)) "true" }}
+- name: SQL_DATABASE
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "temporal.persistence.sql.secretRefName" (list $global $store) }}
+      key: {{ $driverConfig.secretRef.databaseKey }}
+    {{- else }}
 - name: SQL_DATABASE
   value: {{ include "temporal.persistence.sql.database" (list $global $store) }}
+    {{- end }}
+    {{- if eq (include "temporal.persistence.sql.hasUserKey" (list $global $store)) "true" }}
+- name: SQL_USER
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "temporal.persistence.sql.secretRefName" (list $global $store) }}
+      key: {{ $driverConfig.secretRef.userKey }}
+    {{- else }}
 - name: SQL_USER
   value: {{ $driverConfig.user }}
+    {{- end }}
+    {{- if eq (include "temporal.persistence.sql.hasPasswordKey" (list $global $store)) "true" }}
+- name: SQL_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "temporal.persistence.sql.secretRefName" (list $global $store) }}
+      key: {{ $driverConfig.secretRef.passwordKey }}
+    {{- else }}
 - name: SQL_PASSWORD
   valueFrom:
     secretKeyRef:
       name: {{ include "temporal.persistence.secretName" (list $global $store) }}
       key: {{ include "temporal.persistence.secretKey" (list $global $store) }}
-  {{- with $driverConfig.connectAttributes }}
+    {{- end }}
+    {{- with $driverConfig.connectAttributes }}
 - name: SQL_CONNECT_ATTRIBUTES
   value: {{ include "temporal.persistence.sql.connectAttributes" (list $global $store) | quote }}
-  {{- end }}
-  {{- with $driverConfig.tls }}
+    {{- end }}
+    {{- with $driverConfig.tls }}
 - name: SQL_TLS
   value: {{ .enabled | quote }}
-    {{- with .caFile }}
+      {{- with .caFile }}
 - name: SQL_TLS_CA_FILE
   value: {{ . }}
-    {{- end }}
-    {{- if and .certFile .keyFile }}
+      {{- end }}
+      {{- if and .certFile .keyFile }}
 - name: SQL_TLS_CERT_FILE
   value: {{ .certFile }}
 - name: SQL_TLS_KEY_FILE
   value: {{ .keyFile }}
-    {{- end }}
-    {{- with .serverName }}
+      {{- end }}
+      {{- with .serverName }}
 - name: SQL_TLS_SERVER_NAME
   value: {{ . }}
+      {{- end }}
+      {{- if hasKey . "enableHostVerification" }}
+- name: SQL_TLS_DISABLE_HOST_VERIFICATION
+  value: {{ not .enableHostVerification | quote }}
+      {{- end }}
     {{- end }}
-    {{- if hasKey . "enableHostVerification" }}
+  {{- else }}
+- name: SQL_PLUGIN
+  value: {{ include "temporal.persistence.sql.driver" (list $global $store) }}
+- name: SQL_HOST
+  value: {{ include "temporal.persistence.sql.host" (list $global $store) }}
+- name: SQL_PORT
+  value: {{ include "temporal.persistence.sql.port" (list $global $store) | quote }}
+- name: SQL_DATABASE
+  value: {{ include "temporal.persistence.sql.database" (list $global $store) }}
+- name: SQL_USER
+  value: {{ $driverConfig.user }}
+- name: SQL_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "temporal.persistence.secretName" (list $global $store) }}
+      key: {{ include "temporal.persistence.secretKey" (list $global $store) }}
+    {{- with $driverConfig.connectAttributes }}
+- name: SQL_CONNECT_ATTRIBUTES
+  value: {{ include "temporal.persistence.sql.connectAttributes" (list $global $store) | quote }}
+    {{- end }}
+    {{- with $driverConfig.tls }}
+- name: SQL_TLS
+  value: {{ .enabled | quote }}
+      {{- with .caFile }}
+- name: SQL_TLS_CA_FILE
+  value: {{ . }}
+      {{- end }}
+      {{- if and .certFile .keyFile }}
+- name: SQL_TLS_CERT_FILE
+  value: {{ .certFile }}
+- name: SQL_TLS_KEY_FILE
+  value: {{ .keyFile }}
+      {{- end }}
+      {{- with .serverName }}
+- name: SQL_TLS_SERVER_NAME
+  value: {{ . }}
+      {{- end }}
+      {{- if hasKey . "enableHostVerification" }}
 - name: SQL_TLS_DISABLE_HOST_VERIFICATION
   value: {{ not .enableHostVerification | quote }}
+      {{- end }}
     {{- end }}
   {{- end }}
 {{- else if eq $driver "elasticsearch" -}}

charts/temporal/templates/_helpers.tpl

@@ -372,6 +372,94 @@ Source: https://stackoverflow.com/a/52024583/3027614
 {{- join "&" $result -}}
 {{- end -}}
 
+{{- define "temporal.persistence.sql.hasSecretRef" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driverConfig := $storeConfig.sql -}}
+{{- if and $driverConfig.secretRef $driverConfig.secretRef.name -}}
+  {{- $hasAtLeastOneKey := or $driverConfig.secretRef.hostKey $driverConfig.secretRef.portKey $driverConfig.secretRef.databaseKey $driverConfig.secretRef.userKey $driverConfig.secretRef.passwordKey -}}
+  {{- if not $hasAtLeastOneKey -}}
+    {{- fail (printf "secretRef.name is set for %s store but no keys are specified. At least one of hostKey, portKey, databaseKey, userKey, or passwordKey must be specified" $store) -}}
+  {{- end -}}
+  {{- print "true" -}}
+{{- else -}}
+{{- print "false" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "temporal.persistence.sql.secretRefName" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driverConfig := $storeConfig.sql -}}
+{{- if and $driverConfig.secretRef $driverConfig.secretRef.name -}}
+{{- print $driverConfig.secretRef.name -}}
+{{- else -}}
+{{- fail (printf "Please specify secretRef.name for %s store" $store) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "temporal.persistence.sql.hasHostKey" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driverConfig := $storeConfig.sql -}}
+{{- if and $driverConfig.secretRef $driverConfig.secretRef.hostKey -}}
+{{- print "true" -}}
+{{- else -}}
+{{- print "false" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "temporal.persistence.sql.hasPortKey" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driverConfig := $storeConfig.sql -}}
+{{- if and $driverConfig.secretRef $driverConfig.secretRef.portKey -}}
+{{- print "true" -}}
+{{- else -}}
+{{- print "false" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "temporal.persistence.sql.hasDatabaseKey" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driverConfig := $storeConfig.sql -}}
+{{- if and $driverConfig.secretRef $driverConfig.secretRef.databaseKey -}}
+{{- print "true" -}}
+{{- else -}}
+{{- print "false" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "temporal.persistence.sql.hasUserKey" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driverConfig := $storeConfig.sql -}}
+{{- if and $driverConfig.secretRef $driverConfig.secretRef.userKey -}}
+{{- print "true" -}}
+{{- else -}}
+{{- print "false" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "temporal.persistence.sql.hasPasswordKey" -}}
+{{- $global := index . 0 -}}
+{{- $store := index . 1 -}}
+{{- $storeConfig := index $global.Values.server.config.persistence $store -}}
+{{- $driverConfig := $storeConfig.sql -}}
+{{- if and $driverConfig.secretRef $driverConfig.secretRef.passwordKey -}}
+{{- print "true" -}}
+{{- else -}}
+{{- print "false" -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "temporal.persistence.elasticsearch.secretName" -}}
 {{- $global := index . 0 -}}
 {{- $store := index . 1 -}}

charts/temporal/templates/server-configmap.yaml

@@ -32,12 +32,42 @@ data:
           sql:
             pluginName: "{{ include "temporal.persistence.sql.driver" (list $ "default") }}"
             driverName: "{{ include "temporal.persistence.sql.driver" (list $ "default") }}"
+            {{- if eq (include "temporal.persistence.sql.hasSecretRef" (list $ "default")) "true" }}
+              {{- if eq (include "temporal.persistence.sql.hasDatabaseKey" (list $ "default")) "true" }}
+            databaseName: {{ `{{ .Env.TEMPORAL_STORE_DATABASE }}` }}
+              {{- else }}
             databaseName: "{{ $server.config.persistence.default.sql.database }}"
+              {{- end }}
+              {{- $useHostFromSecret := eq (include "temporal.persistence.sql.hasHostKey" (list $ "default")) "true" -}}
+              {{- $usePortFromSecret := eq (include "temporal.persistence.sql.hasPortKey" (list $ "default")) "true" -}}
+              {{- if and $useHostFromSecret $usePortFromSecret }}
+            connectAddr: {{ `{{ .Env.TEMPORAL_STORE_HOST }}` }}:{{ `{{ .Env.TEMPORAL_STORE_PORT }}` }}
+              {{- else if $useHostFromSecret }}
+            connectAddr: {{ `{{ .Env.TEMPORAL_STORE_HOST }}` }}:{{ include "temporal.persistence.sql.port" (list $ "default") }}
+              {{- else if $usePortFromSecret }}
+            connectAddr: {{ include "temporal.persistence.sql.host" (list $ "default") }}:{{ `{{ .Env.TEMPORAL_STORE_PORT }}` }}
+              {{- else }}
             connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "default") }}:{{ include "temporal.persistence.sql.port" (list $ "default") }}"
+              {{- end }}
             connectProtocol: "tcp"
+              {{- if eq (include "temporal.persistence.sql.hasUserKey" (list $ "default")) "true" }}
+            user: {{ `{{ .Env.TEMPORAL_STORE_USER }}` }}
+              {{- else }}
             user: {{ include "temporal.persistence.sql.user" (list $ "default") }}
+              {{- end }}
+              {{- if eq (include "temporal.persistence.sql.hasPasswordKey" (list $ "default")) "true" }}
             password: {{ `{{ .Env.TEMPORAL_STORE_PASSWORD | quote }}` }}
-            {{- with (omit $server.config.persistence.default.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret") }}
+              {{- else }}
+            password: {{ `{{ .Env.TEMPORAL_STORE_PASSWORD | quote }}` }}
+              {{- end }}
+            {{- else }}
+            databaseName: "{{ $server.config.persistence.default.sql.database }}"
+            connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "default") }}:{{ include "temporal.persistence.sql.port" (list $ "default") }}"
+            connectProtocol: "tcp"
+            user: {{ include "temporal.persistence.sql.user" (list $ "default") }}
+            password: {{ `{{ .Env.TEMPORAL_STORE_PASSWORD | quote }}` }}
+            {{- end }}
+            {{- with (omit $server.config.persistence.default.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret" "secretName" "secretRef") }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
           {{- end }}
@@ -69,12 +99,42 @@ data:
           sql:
             pluginName: "{{ include "temporal.persistence.sql.driver" (list $ "visibility") }}"
             driverName: "{{ include "temporal.persistence.sql.driver" (list $ "visibility") }}"
+            {{- if eq (include "temporal.persistence.sql.hasSecretRef" (list $ "visibility")) "true" }}
+              {{- if eq (include "temporal.persistence.sql.hasDatabaseKey" (list $ "visibility")) "true" }}
+            databaseName: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_DATABASE }}` }}
+              {{- else }}
             databaseName: "{{ $server.config.persistence.visibility.sql.database }}"
+              {{- end }}
+              {{- $useHostFromSecret := eq (include "temporal.persistence.sql.hasHostKey" (list $ "visibility")) "true" -}}
+              {{- $usePortFromSecret := eq (include "temporal.persistence.sql.hasPortKey" (list $ "visibility")) "true" -}}
+              {{- if and $useHostFromSecret $usePortFromSecret }}
+            connectAddr: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_HOST }}` }}:{{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PORT }}` }}
+              {{- else if $useHostFromSecret }}
+            connectAddr: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_HOST }}` }}:{{ include "temporal.persistence.sql.port" (list $ "visibility") }}
+              {{- else if $usePortFromSecret }}
+            connectAddr: {{ include "temporal.persistence.sql.host" (list $ "visibility") }}:{{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PORT }}` }}
+              {{- else }}
             connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "visibility") }}:{{ include "temporal.persistence.sql.port" (list $ "visibility") }}"
+              {{- end }}
             connectProtocol: "tcp"
+              {{- if eq (include "temporal.persistence.sql.hasUserKey" (list $ "visibility")) "true" }}
+            user: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_USER }}` }}
+              {{- else }}
             user: "{{ include "temporal.persistence.sql.user" (list $ "visibility") }}"
+              {{- end }}
+              {{- if eq (include "temporal.persistence.sql.hasPasswordKey" (list $ "visibility")) "true" }}
             password: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PASSWORD  | quote }}` }}
-            {{- with (omit $server.config.persistence.visibility.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret") }}
+              {{- else }}
+            password: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PASSWORD  | quote }}` }}
+              {{- end }}
+            {{- else }}
+            databaseName: "{{ $server.config.persistence.visibility.sql.database }}"
+            connectAddr: "{{ include "temporal.persistence.sql.host" (list $ "visibility") }}:{{ include "temporal.persistence.sql.port" (list $ "visibility") }}"
+            connectProtocol: "tcp"
+            user: "{{ include "temporal.persistence.sql.user" (list $ "visibility") }}"
+            password: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PASSWORD  | quote }}` }}
+            {{- end }}
+            {{- with (omit $server.config.persistence.visibility.sql "driver" "driverName" "host" "port" "connectAddr" "connectProtocol" "database" "databaseName" "user" "password" "existingSecret" "secretName" "secretRef") }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
         {{- end }}