
     1  {{/* vim: set filetype=mustache: */}}
     2  {{/*
     3  Generate secret name.
     4  
     5  Usage:
     6  {{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
     7  
     8  Params:
     9    - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
    10      to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
    11      +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
    12    - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
    13    - context - Dict - Required. The context for the template evaluation.
    14  */}}
    15  {{- define "common.secrets.name" -}}
    16  {{- $name := (include "common.names.fullname" .context) -}}
    17  
    18  {{- if .defaultNameSuffix -}}
    19  {{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}}
    20  {{- end -}}
    21  
    22  {{- with .existingSecret -}}
    23  {{- if not (typeIs "string" .) -}}
    24  {{- with .name -}}
    25  {{- $name = . -}}
    26  {{- end -}}
    27  {{- else -}}
    28  {{- $name = . -}}
    29  {{- end -}}
    30  {{- end -}}
    31  
    32  {{- printf "%s" $name -}}
    33  {{- end -}}
    34  
    35  {{/*
    36  Generate secret key.
    37  
    38  Usage:
    39  {{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
    40  
    41  Params:
    42    - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user
    43      to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility.
    44      +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
    45    - key - String - Required. Name of the key in the secret.
    46  */}}
    47  {{- define "common.secrets.key" -}}
    48  {{- $key := .key -}}
    49  
    50  {{- if .existingSecret -}}
    51    {{- if not (typeIs "string" .existingSecret) -}}
    52      {{- if .existingSecret.keyMapping -}}
    53        {{- $key = index .existingSecret.keyMapping $.key -}}
    54      {{- end -}}
    55    {{- end }}
    56  {{- end -}}
    57  
    58  {{- printf "%s" $key -}}
    59  {{- end -}}
    60  
    61  {{/*
    62  Generate secret password or retrieve one if already created.
    63  
    64  Usage:
    65  {{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }}
    66  
    67  Params:
    68    - secret - String - Required - Name of the 'Secret' resource where the password is stored.
    69    - key - String - Required - Name of the key in the secret.
    70    - providedValues - List<String> - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value.
    71    - length - int - Optional - Length of the generated random password.
    72    - strong - Boolean - Optional - Whether to add symbols to the generated random password.
    73    - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
    74    - context - Context - Required - Parent context.
    75  */}}
    76  {{- define "common.secrets.passwords.manage" -}}
    77  
    78  {{- $password := "" }}
    79  {{- $subchart := "" }}
    80  {{- $chartName := default "" .chartName }}
    81  {{- $passwordLength := default 10 .length }}
    82  {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
    83  {{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }}
    84  {{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }}
    85  {{- if $secretData }}
    86    {{- if hasKey $secretData .key }}
    87      {{- $password = index $secretData .key }}
    88    {{- else }}
    89      {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
    90    {{- end -}}
    91  {{- else if $providedPasswordValue }}
    92    {{- $password = $providedPasswordValue | toString | b64enc | quote }}
    93  {{- else }}
    94  
    95    {{- if .context.Values.enabled }}
    96      {{- $subchart = $chartName }}
    97    {{- end -}}
    98  
    99    {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}}
   100    {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}}
   101    {{- $passwordValidationErrors := list $requiredPasswordError -}}
   102    {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}}
   103  
   104    {{- if .strong }}
   105      {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
   106      {{- $password = randAscii $passwordLength }}
   107      {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
   108      {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
   109    {{- else }}
   110      {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
   111    {{- end }}
   112  {{- end -}}
   113  {{- printf "%s" $password -}}
   114  {{- end -}}
   115  
   116  {{/*
   117  Returns whether a previous generated secret already exists
   118  
   119  Usage:
   120  {{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }}
   121  
   122  Params:
   123    - secret - String - Required - Name of the 'Secret' resource where the password is stored.
   124    - context - Context - Required - Parent context.
   125  */}}
   126  {{- define "common.secrets.exists" -}}
   127  {{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }}
   128  {{- if $secret }}
   129    {{- true -}}
   130  {{- end -}}
   131  {{- end -}}