[stable/atlantis] Make secret-webhook optional (helm#13667)
* Make the template secret-webhook optional

People might want to manage secrets on their own

Signed-off-by: Wilfrido Vidana <wvidanas@gmail.com>

* Bump chart version

Signed-off-by: Wilfrido Vidana <wvidanas@gmail.com>

* Using a variable to define the reference to the secret

Signed-off-by: Wilfrido Vidana <wvidanas@gmail.com>

* Renaming secretWebhookName to vcsSecretsName

Signed-off-by: Wilfrido Vidana <wvidanas@gmail.com>

* New feature version

Signed-off-by: Wilfrido Vidana <wvidanas@gmail.com>
wvidana authored and Amine Benseddik committed May 21, 2019
1 parent c441ee3 commit 4e66d75
Showing 6 changed files with 24 additions and 7 deletions.
2 changes: 1 addition & 1 deletion stable/atlantis/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
appVersion: "v0.7.1"
description: A Helm chart for Atlantis https://www.runatlantis.io
name: atlantis
version: 3.2.0
version: 3.3.0
keywords:
- terraform
home: https://www.runatlantis.io
2 changes: 2 additions & 0 deletions stable/atlantis/README.md
Expand Up @@ -16,6 +16,7 @@ In order for Atlantis to start and run successfully:
- `bitbucket`

Refer to [values.yaml](values.yaml) for detailed examples.
They can also be provided directly through a Kubernetes `Secret`, use the variable `vcsSecretsName` to reference it.

1. Supply a value for `orgWhitelist`, e.g. `github.org/myorg/*`.

Expand All @@ -42,6 +43,7 @@ The following options are supported. See [values.yaml](values.yaml) for more de
| `gitlab.token` | Personal access token for the Atlantis GitLab user. | n/a |
| `gitlab.secret` | Webhook secret for the Atlantis GitLab integration. All repositories in GitLab that are to be integrated with Atlantis must share the same value. | n/a |
| `gitlab.hostname` | Hostname of your GitLab Enterprise installation. | n/a |
| `vcsSecretsName` | Name of a pre-existing Kubernetes `Secret` containing `token` and `secret` keys set to your VCS provider's API token and webhook secret, respectively. Use this instead of `github.token`/`github.secret`, etc. (optional) | n/a |
| `podTemplate.annotations` | Additional annotations to use for the StatefulSet. | n/a |
| `logLevel` | Level to use for logging. Either debug, info, warn, or error. | n/a |
| `orgWhiteList` | Whitelist of repositories from which Atlantis will accept webhooks. **This value must be set for Atlantis to function correctly.** Accepts wildcard characters (`*`). Multiple values may be comma-separated. | none |
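Review bot: the new `vcsSecretsName` row says the Secret must contain `token` and `secret` keys, but the statefulset.yaml changes in this same commit look up provider-prefixed keys (`github_token`, `github_secret`, `gitlab_token`, `gitlab_secret`, `bitbucket_token`, `bitbucket_secret`). A Secret created from this description would not carry the keys the `secretKeyRef` entries ask for. Suggest replacing "`token` and `secret` keys" with the exact key names per provider.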
11 changes: 11 additions & 0 deletions stable/atlantis/templates/_helpers.tpl
Expand Up @@ -59,3 +59,14 @@ Defines the internal kubernetes address to Atlantis
{{- define "atlantis.url" -}}
{{ template "atlantis.url.scheme" . }}://{{ template "atlantis.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.port }}
{{- end -}}

{{/*
Generates secret-webhook name
*/}}
{{- define "atlantis.vcsSecretsName" -}}
{{- if .Values.vcsSecretsName -}}
{{ .Values.vcsSecretsName }}
{{- else -}}
{{ template "atlantis.fullname" . }}-webhook
{{- end -}}
{{- end -}}
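Review bot: the template comment `Generates secret-webhook name` is stale after the rename to `atlantis.vcsSecretsName` and does not describe the branch logic. Suggest documenting that the helper returns `.Values.vcsSecretsName` when it is set and otherwise falls back to the chart-managed `<fullname>-webhook` Secret, and that the Secret holds the VCS API tokens as well as the webhook secrets.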
2 changes: 2 additions & 0 deletions stable/atlantis/templates/secret-webhook.yaml
@@ -1,3 +1,4 @@
{{- if not .Values.vcsSecretsName }}
apiVersion: v1
kind: Secret
metadata:
Expand All @@ -22,3 +23,4 @@ data:
bitbucket_secret: {{ required "bitbucket.secret is required if bitbucket.baseurl is specified." .Values.bitbucket.secret | b64enc }}
{{- end}}
{{- end }}
{{- end }}
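Review bot: wrapping the whole template in `{{- if not .Values.vcsSecretsName }}` also skips the `required "bitbucket.secret is required if bitbucket.baseurl is specified."` check near the bottom, so once `vcsSecretsName` is set nothing at render time validates the credentials, and any inline `github.*`, `gitlab.*` or `bitbucket.*` secret values left in the values file are dropped without a message. Suggest either failing the render when both `vcsSecretsName` and inline credentials are supplied or documenting which one takes precedence. The new closing `{{- end }}` is also the third consecutive `end` in the file; a trailing template comment naming the `vcsSecretsName` guard would make the nesting easier to follow.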
12 changes: 6 additions & 6 deletions stable/atlantis/templates/statefulset.yaml
Expand Up @@ -123,12 +123,12 @@ spec:
- name: ATLANTIS_GH_TOKEN
valueFrom:
secretKeyRef:
name: {{ template "atlantis.fullname" . }}-webhook
name: {{ template "atlantis.vcsSecretsName" . }}
key: github_token
- name: ATLANTIS_GH_WEBHOOK_SECRET
valueFrom:
secretKeyRef:
name: {{ template "atlantis.fullname" . }}-webhook
name: {{ template "atlantis.vcsSecretsName" . }}
key: github_secret
{{- if .Values.github.hostname }}
- name: ATLANTIS_GH_HOSTNAME
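Review bot: `name: {{ template "atlantis.vcsSecretsName" . }}` now renders a user-supplied value into the manifest unquoted, here and in every other `secretKeyRef` this commit touches. A `vcsSecretsName` that YAML reads as a number or boolean would no longer be a string in the rendered manifest. Since `template` output cannot be piped, suggest `name: {{ include "atlantis.vcsSecretsName" . | quote }}`.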
Expand All @@ -141,12 +141,12 @@ spec:
- name: ATLANTIS_GITLAB_TOKEN
valueFrom:
secretKeyRef:
name: {{ template "atlantis.fullname" . }}-webhook
name: {{ template "atlantis.vcsSecretsName" . }}
key: gitlab_token
- name: ATLANTIS_GITLAB_WEBHOOK_SECRET
valueFrom:
secretKeyRef:
name: {{ template "atlantis.fullname" . }}-webhook
name: {{ template "atlantis.vcsSecretsName" . }}
key: gitlab_secret
{{- if .Values.gitlab.hostname }}
- name: ATLANTIS_GITLAB_HOSTNAME
Expand All @@ -159,15 +159,15 @@ spec:
- name: ATLANTIS_BITBUCKET_TOKEN
valueFrom:
secretKeyRef:
name: {{ template "atlantis.fullname" . }}-webhook
name: {{ template "atlantis.vcsSecretsName" . }}
key: bitbucket_token
{{- if .Values.bitbucket.baseURL }}
- name: ATLANTIS_BITBUCKET_BASE_URL
value: {{ .Values.bitbucket.baseURL }}
- name: ATLANTIS_BITBUCKET_WEBHOOK_SECRET
valueFrom:
secretKeyRef:
name: {{ template "atlantis.fullname" . }}-webhook
name: {{ template "atlantis.vcsSecretsName" . }}
key: bitbucket_secret
{{- end }}
{{- end }}
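Review bot: the `bitbucket_secret` reference sits inside `{{- if .Values.bitbucket.baseURL }}` while `bitbucket_token` does not, so a user-managed Secret needs the `bitbucket_secret` key only when `bitbucket.baseURL` is set. That conditional requirement is not stated anywhere for `vcsSecretsName` users; suggest documenting it next to the list of expected keys. The option is also spelled `baseURL` here, `baseurl` in the `required` message in secret-webhook.yaml and `base_url` in the values.yaml comment, which is worth aligning while these lines are being touched.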
2 changes: 2 additions & 0 deletions stable/atlantis/values.yaml
Expand Up @@ -37,6 +37,8 @@ orgWhitelist: <replace-me>
# base_url: https://bitbucket.yourorganization.com
# (The chart will perform the base64 encoding for you for values that are stored in secrets.)

# If managing secrets outside the chart for the webhook, use this variable to reference the secret name
# vcsSecretsName: 'mysecret'

# When referencing Terraform modules in private repositories, it may be helpful
# (necessary?) to use redirection in a .gitconfig like so:
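Review bot: the comment `If managing secrets outside the chart for the webhook` understates what the referenced Secret must hold, because the statefulset reads the API tokens (`github_token`, `gitlab_token`, `bitbucket_token`) from the same Secret, not only the webhook secrets. Suggest rewording to cover both and listing the expected key names in the comment, since this file is where the README sends readers for detailed examples.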
