[pomerium] redis: update to v16 and respect existing authentication s…

…ecret (#261)
pomerium · Feb 4, 2022 · f87ce2f · f87ce2f
1 parent 3ca19f0
commit f87ce2f
Show file tree

Hide file tree

Showing 8 changed files with 21 additions and 9 deletions.
diff --git a/charts/pomerium/Chart.lock b/charts/pomerium/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: redis
   repository: https://charts.bitnami.com/bitnami
-  version: 14.7.2
-digest: sha256:05306359e271d1c4c5d965697c1d7fccc72d3cad665dc0d244b934c5546e4bf9
-generated: "2021-07-21T11:09:08.054969-04:00"
+  version: 16.3.0
+digest: sha256:52f8acb6cf93adf2fe5b4191793a15d81fbd5532cf30327a1a3c3b451567fb85
+generated: "2022-02-03T17:26:28.423235-05:00"
diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pomerium
-version: 28.0.2
+version: 29.0.0
 appVersion: 0.16.2
 home: http://www.pomerium.com/
 icon: https://www.pomerium.com/img/icon.svg
@@ -23,7 +23,7 @@ sources:
 engine: gotpl
 dependencies:
   - name: redis
-    version: '~14'
+    version: '~16'
     repository: https://charts.bitnami.com/bitnami
     condition: redis.enabled
 

diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
@@ -20,6 +20,7 @@
   - [Redis Subchart](#redis-subchart)
   - [Configuration](#configuration)
   - [Changelog](#changelog)
+    - [29.0.0](#2900)
     - [28.0.0](#2800)
     - [27.0.0](#2700)
     - [26.0.0](#2600)
@@ -57,6 +58,7 @@
     - [3.0.0](#300)
     - [2.0.0](#200)
   - [Upgrading](#upgrading)
+    - [29.0.0](#2900-1)
     - [28.0.0](#2800-1)
     - [27.0.0](#2700-1)
     - [25.0.0](#2500-1)
@@ -415,8 +417,9 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `operator.serviceAccount.nameOverride`                       | Override the name of the operator pod service account                                                                                                                                                                                                                                                                                                                 | `pomerium-operator`                                                         |
 | `redis.cluster.slaveCount`                                   | Number of slave replicas to run. [More](https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters)                                                                                                                                                                                                                                                       | `1`                                                                         |
 | `redis.enabled`                                              | Enable a redis master-slave subchart deployment based on https://github.com/bitnami/charts/tree/master/bitnami/redis                                                                                                                                                                                                                                                  | `false`                                                                     |
-| `redis.auth.existingSecret`                                  | Secret used to store authentication password for redis.  This is shared between Pomerium and redis.  [More](https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters)                                                                                                                                                                                   | `pomerium-redis-password`                                                   |
+| `redis.auth.existingSecret`                                  | Specify an existing secret containing the authentication password for redis.  This is shared between Pomerium and redis.  [More](https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters)                                                                                                                                                              | ``                                                                          |
 | `redis.auth.existingSecretPasswordKey`                       | Name of key containing password in `redis.existingSecret`. [More](https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters)                                                                                                                                                                                                                             | `password`                                                                  |
+| `redis.auth.secret`                                          | Default secret to store authentication password for redis.  This is shared between Pomerium and redis.  [More](https://github.com/bitnami/charts/tree/master/bitnami/                                                                                                                                                                                                 | `pomerium-redis-password`                                                   |
 | `redis.forceGenerateTLS`                                     | Force re-generation of TLS certificates used to communicate with redis                                                                                                                                                                                                                                                                                                | `false`                                                                     |
 | `redis.generateTLS`                                          | Automatically generate a new CA and certificate pair to communicate with redis                                                                                                                                                                                                                                                                                        | `true`                                                                      |
 | `redis.tls.certCAFilename`                                   | Name of secret key containing CA certificate for verify TLS certificates. [More](https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters)                                                                                                                                                                                                              | `ca.crt`                                                                    |
@@ -442,6 +445,10 @@ A full listing of Pomerium's configuration variables can be found on the [config
 
 ## Changelog
 
+### 29.0.0
+- Allow specifying an existing secret for redis authentication
+- Update redis subchart from v14 to v16
+
 ### 28.0.0
 
 - A previous breaking change from 25.0.0 was fully completed.
@@ -601,6 +608,10 @@ A full listing of Pomerium's configuration variables can be found on the [config
 
 ## Upgrading
 
+### 29.0.0
+
+- Rename `redis.auth.existingSecret` to `redis.auth.secret` in your values file
+- Follow the [upstream guide](https://github.com/bitnami/charts/tree/master/bitnami/redis#to-1600) for redis
 ### 28.0.0
 
 - Users should ensure they no longer depend on the `pomerium-cache` service name for telemetry or other operations.  Migrate any configuration referencing the `pomerium-cache` service to consume the `pomerium-databroker` service.  `pomerium-cache` has been deprecated since (#2000-1)

diff --git a/charts/pomerium/charts/redis-14.7.2.tgz b/charts/pomerium/charts/redis-14.7.2.tgz
diff --git a/charts/pomerium/charts/redis-16.3.0.tgz b/charts/pomerium/charts/redis-16.3.0.tgz
diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl
@@ -710,7 +710,7 @@ true
 {{/* Render secret name for databroker storage secret */}}
 {{- define "pomerium.databroker.storage.secret" }}
 {{- if .Values.redis.enabled -}}
-{{ .Values.redis.auth.existingSecret }}
+{{ default .Values.redis.auth.secret .Values.redis.auth.existingSecret }}
 {{- else -}}
 {{- printf "%s-storage" (include "pomerium.databroker.name" .) -}}
 {{- end -}}

diff --git a/charts/pomerium/templates/redis/password-secret.yaml b/charts/pomerium/templates/redis/password-secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.redis.enabled -}}
+{{- if and .Values.redis.enabled (not .Values.redis.auth.existingSecret) -}}
 {{- $redisPassword := coalesce .Values.redis.password (randAlphaNum 32 | b64enc) }}
 {{- $databrokerSecretData := (lookup "v1" "Secret" .Release.Namespace (include "pomerium.databroker.storage.secret" .) ).data }}
 {{- if and $databrokerSecretData (not .Values.config.forceGenerateServiceSecrets) }}

diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
@@ -330,7 +330,8 @@ rbac:
 redis:
   enabled: false
   auth:
-    existingSecret: pomerium-redis-password
+    secret: pomerium-redis-password
+    existingSecret: ""
     existingSecretPasswordKey: password
   generateTLS: true
   forceGenerateTLS: false