helm: Add support for mounting config from secret

This change allows for config files to be sourced from a secret
rather than a config map as these configs may have sensitive data.

In addition to being able to source the config from a secret,
the `extraContainerVolumeMounts` option was added which allows
for mounting additional volumes defined in `extraContainerVolumes`,
such mounting a passkey file secret.

This also solves the same issue in a slightly different way from pr matrix-org#962

Signed-off-by: Mike Mason <[email protected]>

helm/hookshot/README.md

@@ -1,6 +1,6 @@
 # hookshot
 
-![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.2.0](https://img.shields.io/badge/AppVersion-3.2.0-informational?style=flat-square)
+![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0-replaced-by-ci](https://img.shields.io/badge/AppVersion-0.0.0--replaced--by--ci-informational?style=flat-square)
 Deploy a Matrix Hookshot instance to Kubernetes
 
 Status: Beta
@@ -39,7 +39,7 @@ To configure Hookshot-specific parameters, the value `.Values.hookshot.config` a
 
 ## Existing configuration
 
-If you have an existing configuration file for Hookshot, you can create a configmap like so:
+If you have an existing configuration file for hookshot, you can create a configmap like so:
 
 ``` bash
 kubectl create --namespace "your hookshot namespace" configmap hookshot-custom-config --from-file=config.yml --from-file=registration.yml --from-file=passkey.pem
@@ -74,8 +74,9 @@ You'll need to configure your Ingress connectivity according to your environment
 | affinity | object | `{}` | Affinity settings for deployment |
 | autoscaling.enabled | bool | `false` |  |
 | fullnameOverride | string | `""` | Full name override for helm chart |
-| hookshot.config | object | `{"bridge":{"bindAddress":"0.0.0.0","domain":"example.com","port":9002,"url":"https://example.com"},"generic":{"allowJsTransformationFunctions":true,"enableHttpGet":false,"enabled":true,"urlPrefix":"https://example.com/","userIdPrefix":"_webhooks_","waitForComplete":false},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks","widgets"]},{"bindAddress":"0.0.0.0","port":9001,"resources":["metrics"]}],"logging":{"colorize":false,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"metrics":{"enabled":true},"passFile":"/data/passkey.pem","widgets":{"addToAdminRooms":false,"branding":{"widgetTitle":"Hookshot Configuration"},"publicUrl":"https://webhook-hookshot.example.com/widgetapi/v1/static","roomSetupWidget":{"addOnInvite":false},"setRoomName":false}}` | Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. |
+| hookshot.config | object | `{"bridge":{"bindAddress":"127.0.0.1","domain":"example.com","mediaUrl":"https://example.com","port":9993,"url":"http://localhost:8008"},"listeners":[{"bindAddress":"0.0.0.0","port":9000,"resources":["webhooks"]},{"bindAddress":"127.0.0.1","port":9001,"resources":["metrics","provisioning"]},{"bindAddress":"0.0.0.0","port":9002,"resources":["widgets"]}],"logging":{"colorize":true,"json":false,"level":"info","timestampFormat":"HH:mm:ss:SSS"},"passFile":"passkey.pem"}` | Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified. |
 | hookshot.existingConfigMap | string | `nil` | Name of existing ConfigMap with valid Hookshot configuration |
+| hookshot.existingConfigSecretName | string | `nil` | Name of existing config Secret with valid Hookshot configuration |
 | hookshot.passkey | string | `""` |  |
 | hookshot.registration.as_token | string | `""` |  |
 | hookshot.registration.hs_token | string | `""` |  |
@@ -119,4 +120,4 @@ You'll need to configure your Ingress connectivity according to your environment
 | tolerations | list | `[]` | Tolerations for deployment |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

helm/hookshot/templates/_pod.tpl

@@ -43,9 +43,10 @@ containers:
 {{- toYaml .Values.containerSecurityContext | nindent 6 }}
 {{- end }}
     volumeMounts:
-{{- if or (and (not .Values.hookshot.existingConfigMap) (.Values.hookshot.config)) (.Values.hookshot.existingConfigMap) }}
       - name: config
         mountPath: "/data"
+{{- if .Values.extraContainerVolumeMounts }}
+{{ tpl (toYaml .Values.extraContainerVolumeMounts) . | indent 6 }}
 {{- end }}
     ports:
       - name: webhook
@@ -108,9 +109,15 @@ tolerations:
 {{ toYaml . | indent 2 }}
 {{- end }}
 volumes:
+{{- if .Values.hookshot.existingConfigSecretName }}
+  - name: config
+    secret:
+      secretName: {{ .Values.hookshot.existingConfigSecretName }}
+{{- else }}
   - name: config
     configMap:
       name: {{ template "hookshot.configMapName" . }}
+{{- end }}
 {{- $root := . }}
 {{- range .Values.extraConfigmapMounts }}
   - name: {{ tpl .name $root }}

helm/hookshot/templates/configmap.yaml

@@ -1,5 +1,5 @@
 ---
-{{- if not .Values.hookshot.existingConfigMap }}
+{{- if not (or .Values.hookshot.existingConfigMap .Values.hookshot.existingConfigSecretName) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:

helm/hookshot/values.yaml

@@ -101,6 +101,8 @@ tolerations: []
 # -- Affinity settings for deployment
 affinity: {}
 hookshot:
+  # -- Name of existing config Secret with valid Hookshot configuration
+  existingConfigSecretName:
   # -- Name of existing ConfigMap with valid Hookshot configuration
   existingConfigMap:
   # -- Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified.