-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add the template to deploy extra objects #471
Merged
Merged
Changes from all commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
da2c647
Add the template to deploy extra objects
ubajze d736b45
Add the docs
ubajze 53e3d04
Update docs
ubajze c5c7ae8
Update docs
ubajze 917d9ad
Update docs/advanced-features/extra-objects.md
ubajze cbba3b7
Add description to schema
ubajze 665ec11
Merge branch 'develop' into f/issue_462
ubajze 72f5ac4
run 'helm dependency update' to pass ci
ubajze 20bb1bc
linting
ubajze File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| {{- range .Values.extraObjects }} | ||
| --- | ||
| {{- if typeIs "string" . }} | ||
| {{- tpl . $ }} | ||
| {{- else }} | ||
| {{- tpl (. | toYaml | nindent 0) $ }} | ||
| {{- end }} | ||
| {{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,216 @@ | ||
| # Applying Extra Kubernetes Objects | ||
|
|
||
| Certain deployments require additional Kubernetes objects that are not deployed | ||
| as a part of this Helm Chart. | ||
|
|
||
| The following are some of the use cases: | ||
|
|
||
| - Admin credentials are generated and stored in a secret manager such as | ||
| HashiCorp Vault or AWS Secrets Manager. These credentials must be injected | ||
| to Pods as a Kubernetes secret. | ||
| - Additional Ingresses must be deployed to expose Nautobot on a different hostname. | ||
| - Additional Kubernetes Jobs must be executed to perform additional checks or | ||
| to provision certain aspects of Nautobot deployment. | ||
|
|
||
| Let's focus on the use case for admin credentials. Once the credentials are | ||
| stored in HashiCorp Vault, for example, you can use the ExternalSecrets | ||
| operator to fetch those credentials and create the Kubernetes Secret object. | ||
| The following snippet shows an example: | ||
|
|
||
| ```yaml | ||
| apiVersion: external-secrets.io/v1beta1 | ||
| kind: ExternalSecret | ||
| metadata: | ||
| name: my-secret | ||
| namespace: nautobot | ||
| spec: | ||
| data: | ||
| - remoteRef: | ||
| conversionStrategy: Default | ||
| decodingStrategy: None | ||
| key: secrets/nautobot/superuser | ||
| metadataPolicy: None | ||
| property: SUPERUSER_PASSWORD | ||
| secretKey: SUPERUSER_PASSWORD | ||
| - remoteRef: | ||
| conversionStrategy: Default | ||
| decodingStrategy: None | ||
| key: secrets/nautobot/superuser | ||
| metadataPolicy: None | ||
| property: API_TOKEN | ||
| secretKey: API_TOKEN | ||
| refreshInterval: 1h | ||
| secretStoreRef: | ||
| kind: ClusterSecretStore | ||
| name: vault | ||
| target: | ||
| creationPolicy: Owner | ||
| deletionPolicy: Retain | ||
| name: my-secret | ||
| template: | ||
| data: | ||
| NAUTOBOT_SUPERUSER_PASSWORD: "{{ `{{ .SUPERUSER_PASSWORD | toString }}` }}" | ||
| NAUTOBOT_SUPERUSER_API_TOKEN: "{{ `{{ .API_TOKEN | toString }}` }}" | ||
| engineVersion: v2 | ||
| mergePolicy: Replace | ||
| ``` | ||
|
|
||
| The operator will fetch credentials from Vault and it will create a Kubernetes | ||
| Secret, after this object is deployed. The Helm Chart values will then specify | ||
| the existing secret name such as this: | ||
|
|
||
| ```yaml | ||
| nautobot: | ||
| superUser: | ||
| existingSecret: "my-secret" | ||
| ``` | ||
|
|
||
| To apply additional Kubernetes objects, such as the one above, you | ||
| must use an external tool, such as FluxCD, ArgoCD, Ansible, or something else. | ||
|
|
||
| To simplify this process, the Nautobot Helm Chart supports an additional | ||
| property called `extraObjects`. This property is a list of Kubernetes manifests | ||
| that must be deployed along to Nautobot objects generated from this Helm Chart. | ||
| This allows you to omit using external tools to deploy any extra Kubernetes | ||
| objects. | ||
|
|
||
| The following snippet shows how the Helm Chart values would look in this | ||
| case: | ||
|
|
||
| ```yaml | ||
| --- | ||
| nautobot: | ||
| superUser: | ||
| existingSecret: "my-secret" | ||
|
|
||
| extraObjects: | ||
| - | | ||
| apiVersion: external-secrets.io/v1beta1 | ||
| kind: ExternalSecret | ||
| metadata: | ||
| name: my-secret | ||
| namespace: nautobot | ||
| spec: | ||
| data: | ||
| - remoteRef: | ||
| conversionStrategy: Default | ||
| decodingStrategy: None | ||
| key: secrets/nautobot/superuser | ||
| metadataPolicy: None | ||
| property: SUPERUSER_PASSWORD | ||
| secretKey: SUPERUSER_PASSWORD | ||
| - remoteRef: | ||
| conversionStrategy: Default | ||
| decodingStrategy: None | ||
| key: secrets/nautobot/superuser | ||
| metadataPolicy: None | ||
| property: API_TOKEN | ||
| secretKey: API_TOKEN | ||
| refreshInterval: 1h | ||
| secretStoreRef: | ||
| kind: ClusterSecretStore | ||
| name: vault | ||
| target: | ||
| creationPolicy: Owner | ||
| deletionPolicy: Retain | ||
| name: my-secret | ||
| template: | ||
| data: | ||
| NAUTOBOT_SUPERUSER_PASSWORD: "{{ `{{ .SUPERUSER_PASSWORD | toString }}` }}" | ||
| NAUTOBOT_SUPERUSER_API_TOKEN: "{{ `{{ .API_TOKEN | toString }}` }}" | ||
| engineVersion: v2 | ||
| mergePolicy: Replace | ||
| ``` | ||
|
|
||
| Helm will also deploy the `ExternalSecret` object when the release with these | ||
| values is deployed. The Nautobot Pods require the `my-secret` Secret, | ||
| so they will not start until the ExternalSecrets operator creates the Secret. | ||
|
|
||
| You must be aware that these manifests are deployed in order defined by Helm. | ||
| So, there is no guarantee, that certain manifests will be deployed before others. | ||
| In cases where you need certain manifests (such as a Job for example), you | ||
| will still need a third-party tool. | ||
|
|
||
| The manifests can be defined as a string or as a dictionary, as shown in the | ||
| following example: | ||
|
|
||
| ```yaml | ||
| extraObjects: | ||
| - apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: database-host | ||
| namespace: nautobot | ||
| data: | ||
| DATABASE_HOST: database.example.com | ||
| - | | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: database-user | ||
| namespace: nautobot | ||
| data: | ||
| DATABASE_USER: db-admin | ||
| ``` | ||
|
|
||
| You can also use Go templating language to define certain parts of a manifest. | ||
| All variables from the Helm Chart values file are available. You can also | ||
| use functions that are available in Go templating language. | ||
|
|
||
| The following example shows how you can specify namespace dynamically, and | ||
| how to define the secret name on a single place. | ||
|
|
||
| ```yaml | ||
| --- | ||
| nautobot: | ||
| superUser: | ||
| existingSecret: "my-secret" | ||
|
|
||
| extraObjects: | ||
| - | | ||
| apiVersion: external-secrets.io/v1beta1 | ||
| kind: ExternalSecret | ||
| metadata: | ||
| name: {{ .Values.nautobot.superUser.existingSecret }} | ||
| namespace: {{ .Release.Namespace }} | ||
| spec: | ||
| data: | ||
| - remoteRef: | ||
| conversionStrategy: Default | ||
| decodingStrategy: None | ||
| key: secrets/nautobot/superuser | ||
| metadataPolicy: None | ||
| property: SUPERUSER_PASSWORD | ||
| secretKey: SUPERUSER_PASSWORD | ||
| - remoteRef: | ||
| conversionStrategy: Default | ||
| decodingStrategy: None | ||
| key: secrets/nautobot/superuser | ||
| metadataPolicy: None | ||
| property: API_TOKEN | ||
| secretKey: API_TOKEN | ||
| refreshInterval: 1h | ||
| secretStoreRef: | ||
| kind: ClusterSecretStore | ||
| name: vault | ||
| target: | ||
| creationPolicy: Owner | ||
| deletionPolicy: Retain | ||
| name: {{ .Values.nautobot.superUser.existingSecret }} | ||
| template: | ||
| data: | ||
| NAUTOBOT_SUPERUSER_PASSWORD: "{{ `{{ .SUPERUSER_PASSWORD | toString }}` }}" | ||
| NAUTOBOT_SUPERUSER_API_TOKEN: "{{ `{{ .API_TOKEN | toString }}` }}" | ||
| engineVersion: v2 | ||
| mergePolicy: Replace | ||
| ``` | ||
|
|
||
| Please note that these objects are processed in a template. So make sure that | ||
| you don't use the same syntax as used for Go templating. You can use back quotes | ||
| to "escape" strings in those cases. The following is an example: | ||
|
|
||
| ```yaml | ||
| NAUTOBOT_SUPERUSER_PASSWORD: "{{ `{{ .SUPERUSER_PASSWORD | toString }}` }}" | ||
| ``` | ||
|
|
||
| The resulting manifest will be: `NAUTOBOT_SUPERUSER_PASSWORD: {{ .SUPERUSER_PASSWORD | toString }}` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you also add
descriptionkey as we have in the other ones?