Prevent garm db passphrase regeneration on redeployment

Changed default flavor to EU.small for edge

charts/garm/templates/_credentials.tpl

@@ -33,24 +33,21 @@ Get Gitea token - either user-provided or generated
 {{- end -}}
 {{- end -}}
 
-{{/*
-Get JWT secret - either user-provided or generated
-*/}}
 {{- define "garm.jwtSecret" -}}
-{{- if .Values.garm.jwtAuth.secret -}}
-{{- .Values.garm.jwtAuth.secret -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-config" ( include "garm.fullname" . )) -}}
+{{- if and $secret ((fromToml (index $secret.data "config.toml" | b64dec)).jwt_auth.secret) -}}
+{{- $another := fromToml (index $secret.data "config.toml" | b64dec) -}}
+{{ $another.jwt_auth.secret }}
 {{- else -}}
 {{- include "garm.randomString" . -}}
 {{- end -}}
 {{- end -}}
 
-{{/*
-Get database passphrase - either user-provided or generated
-*/}}
 {{- define "garm.dbPassphrase" -}}
-{{- if .Values.garm.database.passphrase -}}
-{{- .Values.garm.database.passphrase -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-db-credentials" ( include "garm.fullname" . )) -}}
+{{- if and $secret (index $secret.data "passphrase" | b64dec) -}}
+{{- (index $secret.data "passphrase" | b64dec) -}}
 {{- else -}}
 {{- include "garm.randomString" . -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}

charts/garm/templates/deployment.yaml

@@ -55,7 +55,11 @@ spec:
           secretName: {{ include "garm.fullname" . }}-config
       - name: edge-connect-creds
         secret:
+        {{- if .Values.credentials.edgeConnect.existingSecretName }}
+          secretName: {{ .Values.credentials.edgeConnect.existingSecretName | quote }}
+        {{- else }}
           secretName: {{ include "garm.fullname" . }}-edge-connect-creds
+        {{- end }}
       - name: garm-data
         persistentVolumeClaim:
           claimName: {{ include "garm.fullname" . }}

charts/garm/templates/secrets.yaml

@@ -14,6 +14,22 @@ stringData:
   GARM_URL: {{ printf "https://%s" (index .Values.ingress.hosts 0).host | quote }}
   GIT_URL: {{ .Values.credentials.gitea.url | quote }}
 ---
+{{- $secretName := printf "%s%s" (include "garm.fullname" .)  "-db-credentials" -}}
+{{- $secretExists := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+
+{{- if not $secretExists -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+stringData:
+  passphrase: {{- include "garm.randomString" . -}}
+{{- end -}}
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -77,15 +93,19 @@ stringData:
       {{- toYaml .Values.providerConfig.k8s.flavors | nindent 6 }}
 
   edge-connect-provider-config.toml: |
-    organization = {{ .Values.providerConfig.edgeConnect.organization | quote }}
-    region = {{ .Values.providerConfig.edgeConnect.region | quote }}
-    edge_connect_url = {{ .Values.providerConfig.edgeConnect.edgeConnectUrl | quote }}
     log_file = "/garm/provider.log"
     credentials_file = "/etc/garm-creds/creds.toml"
 
-    [cloudlet]
+    [edge_connect]
+    organization = {{ .Values.providerConfig.edgeConnect.organization | quote }}
+    region = {{ .Values.providerConfig.edgeConnect.region | quote }}
+    url = {{ .Values.providerConfig.edgeConnect.edgeConnectUrl | quote }}
+    default_flavor = {{ .Values.providerConfig.edgeConnect.defaultFlavor | quote }}
+
+    [edge_connect.cloudlet]
     name = {{ .Values.providerConfig.edgeConnect.cloudlet.name | quote }}
     organization = {{ .Values.providerConfig.edgeConnect.cloudlet.organization | quote }}
+{{- if not .Values.credentials.edgeConnect.existingSecretName }}
 ---
 apiVersion: v1
 kind: Secret
@@ -98,4 +118,5 @@ metadata:
 stringData:
   creds.toml: |
     username = "{{ required "Edge Connect username is required" .Values.credentials.edgeConnect.username }}"
-    password = "{{ required "Edge Connect password is required" .Values.credentials.edgeConnect.password }}"
+    password = "{{ required "Edge Connect password is required" .Values.credentials.edgeConnect.password }}"
+{{- end }}

charts/garm/values.yaml

@@ -4,7 +4,7 @@ fullnameOverride: ""
 
 image:
   repository: edp.buildth.ing/devfw-cicd/garm
-  tag: provider-ec-40
+  tag: provider-ec-43
   pullPolicy: Always
 
 replicaCount: 1
@@ -52,8 +52,6 @@ garm:
     disableAuth: false
 
   jwtAuth:
-    # You should change this in production
-    # secret: "changeme-use-a-secure-random-string"
     timeToLive: "8760h"
 
   apiserver:
@@ -65,7 +63,6 @@ garm:
 
   database:
     backend: sqlite3
-    # passphrase: "changeme-use-a-secure-random-string"
     sqlite3:
       dbFile: "/garm/garm.db"
 
@@ -106,6 +103,7 @@ providerConfig:
     organization: "edp-developer-framework"
     region: "EU"
     edgeConnectUrl: "https://hub.apps.edge.platform.mg3.mdb.osc.live"
+    defaultFlavor: "EU.small"
     cloudlet:
       name: "Munich"
       organization: "TelekomOP"
@@ -118,8 +116,9 @@ credentials:
     # password: "changeme-generate-strong-password"
     email: "admin@example.com"
   edgeConnect:
-    username: "<insert username>"  # Required
-    password: "<insert password>"  # Required
+    existingSecretName: null
+    username: "<insert username>"  # Required if existingSecretName not specified
+    password: "<insert password>"  # Required if existingSecretName not specified
   gitea:
     url: "https://garm-provider-test.t09.de"  # Required