From ba497dcdf8c1e905bcd367337ed2bc2c9276dc1a Mon Sep 17 00:00:00 2001 
From: Russ Allbery Date: Fri, 14 Feb 2025 11:25:37 -0800 Subject: [PATCH] Change defaults for secrets migration Change all of the application chart defaults to assume that the secrets migration has been done. Delete support for the old secrets structure everywhere that this is possible. Leave it in place for the few places that RoE or the USDF is still using the old secrets paths. --- applications/datalinker/README.md | 1 - applications/datalinker/templates/vault-secrets.yaml | 4 ---- applications/datalinker/values-ccin2p3.yaml | 1 - applications/datalinker/values-idfdemo.yaml | 1 - applications/datalinker/values-idfdev.yaml | 1 - applications/datalinker/values-idfint.yaml | 1 - applications/datalinker/values-idfprod.yaml | 1 - applications/datalinker/values-usdfdev.yaml | 2 -- applications/datalinker/values-usdfint.yaml | 2 -- applications/datalinker/values-usdfprod.yaml | 2 -- applications/datalinker/values.yaml | 3 --- applications/nightreport/README.md | 1 - applications/nightreport/templates/vault-secrets.yaml | 2 +- applications/nightreport/values-base.yaml | 2 -- applications/nightreport/values-summit.yaml | 2 -- applications/nightreport/values-tucson-teststand.yaml | 2 -- applications/nightreport/values.yaml | 3 --- applications/nublado/README.md | 4 ++-- applications/nublado/values-base.yaml | 6 ------ applications/nublado/values-ccin2p3.yaml | 4 ---- applications/nublado/values-idfdemo.yaml | 4 ---- applications/nublado/values-idfdev.yaml | 4 ---- applications/nublado/values-idfint.yaml | 4 ---- applications/nublado/values-idfprod.yaml | 5 ----- applications/nublado/values-roe.yaml | 6 ++++++ applications/nublado/values-summit.yaml | 6 ------ applications/nublado/values-tucson-teststand.yaml | 6 ------ applications/nublado/values-usdfdev.yaml | 3 --- applications/nublado/values-usdfint.yaml | 3 --- applications/nublado/values-usdfprod.yaml | 6 ++++++ applications/nublado/values.yaml | 4 ++-- applications/obsloctap/README.md | 2 +- 
applications/obsloctap/values-usdfdev.yaml | 2 +- applications/obsloctap/values.yaml | 2 +- applications/plot-navigator/README.md | 2 +- applications/plot-navigator/values-usdfdev.yaml | 1 + applications/plot-navigator/values-usdfint.yaml | 1 + applications/plot-navigator/values-usdfprod.yaml | 1 + applications/plot-navigator/values.yaml | 2 +- applications/production-tools/README.md | 1 - .../production-tools/templates/vault-secrets.yaml | 4 ---- applications/production-tools/values-idfint.yaml | 2 -- applications/production-tools/values.yaml | 4 ---- applications/rubintv-dev/README.md | 2 -- applications/rubintv-dev/values-summit.yaml | 5 ----- applications/rubintv-dev/values.yaml | 7 ------- applications/rubintv/README.md | 3 +-- applications/rubintv/values-base.yaml | 4 ---- applications/rubintv/values-summit.yaml | 5 ----- applications/rubintv/values-tucson-teststand.yaml | 4 ---- applications/rubintv/values-usdfdev.yaml | 1 + applications/rubintv/values-usdfprod.yaml | 1 + applications/rubintv/values.yaml | 6 +----- charts/rubintv/README.md | 3 +-- charts/rubintv/templates/vault-secrets.yaml | 2 +- charts/rubintv/values.yaml | 6 +----- docs/admin/migrating-secrets.rst | 8 ++------ 57 files changed, 34 insertions(+), 143 deletions(-) diff --git a/applications/datalinker/README.md b/applications/datalinker/README.md index 3d3be303c3..82e747435c 100644 --- a/applications/datalinker/README.md +++ b/applications/datalinker/README.md 
@@ -20,7 +20,6 @@ IVOA DataLink-based service and data discovery | config.pathPrefix | string | `"/api/datalink"` | URL path prefix for DataLink and related APIs | | config.pgUser | string | `"rubin"` | User to use from the PGPASSFILE if datalinker is using a direct Butler connection (`useButlerServer` is false) | | config.s3EndpointUrl | string | `"https://storage.googleapis.com"` | S3 endpoint URL (must be set if using S3) | -| config.separateSecrets | bool | `false` | Whether to use the new secrets management scheme | | config.slackAlerts | bool | `false` | Whether to send certain serious alerts to Slack. If `true`, the `slack-webhook` secret must also be set. | | config.storageBackend | string | `"GCS"` | Storage backend to use (either `GCS` or `S3`) | | config.tapMetadataUrl | string | `"https://github.com/lsst/sdm_schemas/releases/download/1.2.0/datalink-columns.zip"` | URL containing TAP schema metadata used to construct queries | diff --git a/applications/datalinker/templates/vault-secrets.yaml b/applications/datalinker/templates/vault-secrets.yaml index 82d31415f1..ca819cd4b3 100644 --- a/applications/datalinker/templates/vault-secrets.yaml +++ b/applications/datalinker/templates/vault-secrets.yaml @@ -5,9 +5,5 @@ metadata: labels: {{- include "datalinker.labels" . | nindent 4 }} spec: -{{- if .Values.config.separateSecrets }} path: "{{ .Values.global.vaultSecretsPath }}/datalinker" -{{- else }} - path: "{{ .Values.global.vaultSecretsPath }}/butler-secret" -{{- end }} type: Opaque diff --git a/applications/datalinker/values-ccin2p3.yaml b/applications/datalinker/values-ccin2p3.yaml index 7e77e21790..a5703d984c 100644 --- a/applications/datalinker/values-ccin2p3.yaml +++ b/applications/datalinker/values-ccin2p3.yaml @@ -1,3 +1,2 @@ config: - separateSecrets: true tapMetadataUrl: "https://github.com/gabrimaine/sdm_schemas/releases/download/2.4.1/datalink-columns.zip" 
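Review bot: With the `{{- if .Values.config.separateSecrets }}` fallback removed, an environment that still carries `config.separateSecrets: false` (or has not yet populated the per-application Vault path) gets no rendering error; the VaultSecret simply points at `{{ .Values.global.vaultSecretsPath }}/datalinker`, and if that path is empty the Secret never syncs and the pods stay pending. That is fail-closed, which is the right direction, but the failure surfaces only as a missing Secret rather than a chart error, unless the chart ships a values schema that rejects the stale key (none is visible here). A one-line comment above the path would make the expectation explicit for operators debugging a stuck sync: `# The legacy shared butler-secret path is no longer supported; each environment must provide datalinker secrets at this path.`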
diff --git a/applications/datalinker/values-idfdemo.yaml b/applications/datalinker/values-idfdemo.yaml index 06ff511651..1d9a3a2871 100644 --- a/applications/datalinker/values-idfdemo.yaml +++ b/applications/datalinker/values-idfdemo.yaml @@ -1,3 +1,2 @@ config: - separateSecrets: true slackAlerts: true diff --git a/applications/datalinker/values-idfdev.yaml b/applications/datalinker/values-idfdev.yaml index 06ff511651..1d9a3a2871 100644 --- a/applications/datalinker/values-idfdev.yaml +++ b/applications/datalinker/values-idfdev.yaml @@ -1,3 +1,2 @@ config: - separateSecrets: true slackAlerts: true diff --git a/applications/datalinker/values-idfint.yaml b/applications/datalinker/values-idfint.yaml index 06ff511651..1d9a3a2871 100644 --- a/applications/datalinker/values-idfint.yaml +++ b/applications/datalinker/values-idfint.yaml @@ -1,3 +1,2 @@ config: - separateSecrets: true slackAlerts: true diff --git a/applications/datalinker/values-idfprod.yaml b/applications/datalinker/values-idfprod.yaml index 06ff511651..1d9a3a2871 100644 --- a/applications/datalinker/values-idfprod.yaml +++ b/applications/datalinker/values-idfprod.yaml @@ -1,3 +1,2 @@ config: - separateSecrets: true slackAlerts: true diff --git a/applications/datalinker/values-usdfdev.yaml b/applications/datalinker/values-usdfdev.yaml index 288a3da54a..e69de29bb2 100644 --- a/applications/datalinker/values-usdfdev.yaml +++ b/applications/datalinker/values-usdfdev.yaml @@ -1,2 +0,0 @@ -config: - separateSecrets: true diff --git a/applications/datalinker/values-usdfint.yaml b/applications/datalinker/values-usdfint.yaml index 288a3da54a..e69de29bb2 100644 --- a/applications/datalinker/values-usdfint.yaml +++ b/applications/datalinker/values-usdfint.yaml @@ -1,2 +0,0 @@ -config: - separateSecrets: true diff --git a/applications/datalinker/values-usdfprod.yaml b/applications/datalinker/values-usdfprod.yaml index 288a3da54a..e69de29bb2 100644 --- a/applications/datalinker/values-usdfprod.yaml 
+++ b/applications/datalinker/values-usdfprod.yaml @@ -1,2 +0,0 @@ -config: - separateSecrets: true diff --git a/applications/datalinker/values.yaml b/applications/datalinker/values.yaml index c46802e2cc..ba1477287b 100644 --- a/applications/datalinker/values.yaml +++ b/applications/datalinker/values.yaml @@ -58,9 +58,6 @@ config: # -- S3 endpoint URL (must be set if using S3) s3EndpointUrl: "https://storage.googleapis.com" - # -- Whether to use the new secrets management scheme - separateSecrets: false - # -- User to use from the PGPASSFILE if datalinker is using a direct Butler # connection (`useButlerServer` is false) pgUser: "rubin" diff --git a/applications/nightreport/README.md b/applications/nightreport/README.md index 6adbda45d4..0a5a821dfa 100644 --- a/applications/nightreport/README.md +++ b/applications/nightreport/README.md @@ -26,7 +26,6 @@ Night report log service | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | -| global.tsVaultSecretsPath | string | `""` | Relative path for tsVault secrets | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | image.pullPolicy | string | `"Always"` | Pull policy for the nightreport image | | image.repository | string | `"lsstts/nightreport"` | nightreport image to use | diff --git a/applications/nightreport/templates/vault-secrets.yaml b/applications/nightreport/templates/vault-secrets.yaml index e1bea9c14f..47e6457a79 100644 --- a/applications/nightreport/templates/vault-secrets.yaml +++ b/applications/nightreport/templates/vault-secrets.yaml 
@@ -4,7 +4,7 @@ metadata: name: nightreport namespace: nightreport spec: - path: "{{- .Values.global.vaultSecretsPath }}{{ .Values.global.tsVaultSecretsPath }}/nightreport" + path: "{{- .Values.global.vaultSecretsPath }}/nightreport" type: Opaque --- apiVersion: ricoberger.de/v1alpha1 diff --git a/applications/nightreport/values-base.yaml b/applications/nightreport/values-base.yaml index 016db08136..1c163dc2e3 100644 --- a/applications/nightreport/values-base.yaml +++ b/applications/nightreport/values-base.yaml @@ -6,5 +6,3 @@ config: site_id: base db: host: postgresdb01.ls.lsst.org -global: - tsVaultSecretsPath: "" diff --git a/applications/nightreport/values-summit.yaml b/applications/nightreport/values-summit.yaml index 970bdd4807..00a71d190d 100644 --- a/applications/nightreport/values-summit.yaml +++ b/applications/nightreport/values-summit.yaml @@ -6,5 +6,3 @@ config: site_id: summit db: host: postgresdb01.cp.lsst.org -global: - tsVaultSecretsPath: "" diff --git a/applications/nightreport/values-tucson-teststand.yaml b/applications/nightreport/values-tucson-teststand.yaml index 35eb66a939..04606dd3e3 100644 --- a/applications/nightreport/values-tucson-teststand.yaml +++ b/applications/nightreport/values-tucson-teststand.yaml @@ -6,5 +6,3 @@ config: site_id: tucson db: host: postgresdb01.tu.lsst.org -global: - tsVaultSecretsPath: "" diff --git a/applications/nightreport/values.yaml b/applications/nightreport/values.yaml index 87d725b6e0..d717ff6597 100644 --- a/applications/nightreport/values.yaml +++ b/applications/nightreport/values.yaml @@ -108,6 +108,3 @@ global: # -- Base path for Vault secrets # @default -- Set by Argo CD vaultSecretsPath: "" - - # -- Relative path for tsVault secrets - tsVaultSecretsPath: "" diff --git a/applications/nublado/README.md b/applications/nublado/README.md index 82ec2b0a60..98fdcd093b 100644 --- a/applications/nublado/README.md +++ b/applications/nublado/README.md 
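Review bot: The left-trim marker in `path: "{{- .Values.global.vaultSecretsPath }}/nightreport"` is a no-op because the character immediately before the action is the opening quote, not whitespace, and it differs from the form every other chart in this patch uses. Suggest normalising the new line to `path: "{{ .Values.global.vaultSecretsPath }}/nightreport"` so a reader does not wonder whether the trim is load-bearing. The second VaultSecret document in this file starts after the `---` and is outside the hunk; since the diffstat shows only this one line changed, it presumably never interpolated `tsVaultSecretsPath`, but worth a quick confirmation.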
@@ -93,7 +93,7 @@ JupyterHub and custom spawner for the Rubin Science Platform | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | -| hub.internalDatabase | bool | `true` | Whether to use the cluster-internal PostgreSQL server instead of an external server. This is not used directly by the Nublado chart, but controls how the database password is managed. | +| hub.internalDatabase | bool | `false` | Whether to use the cluster-internal PostgreSQL server instead of an external server. This is not used directly by the Nublado chart, but controls how the database password is managed. | | hub.minimumTokenLifetime | string | `jupyterhub.cull.maxAge` if lab culling is enabled, else none | Minimum remaining token lifetime when spawning a lab. The token cannot be renewed, so it should ideally live as long as the lab does. If the token has less remaining lifetime, the user will be redirected to reauthenticate before spawning a lab. | | hub.resources | object | See `values.yaml` | Resource limits and requests for the Hub | | hub.timeout.startup | int | `90` | Timeout for JupyterLab to start in seconds. Currently this sometimes takes over 60 seconds for reasons we don't understand. | 
@@ -128,4 +128,4 @@ JupyterHub and custom spawner for the Rubin Science Platform | jupyterhub.scheduling.userPlaceholder.enabled | bool | `false` | Whether to spawn placeholder pods representing fake users to force autoscaling in advance of running out of resources | | jupyterhub.scheduling.userScheduler.enabled | bool | `false` | Whether the user scheduler should be enabled | | proxy.ingress.annotations | object | See `values.yaml` | Additional annotations to add to the proxy ingress (also used to talk to JupyterHub and all user labs) | -| secrets.templateSecrets | bool | `false` | Whether to use the new secrets management mechanism. If enabled, the Vault nublado secret will be split into a nublado secret for JupyterHub and a nublado-lab-secret secret used as a source for secret values for the user's lab. | +| secrets.templateSecrets | bool | `true` | Whether to use the new secrets management mechanism. If enabled, the Vault nublado secret will be split into a nublado secret for JupyterHub and a nublado-lab-secret secret used as a source for secret values for the user's lab. | diff --git a/applications/nublado/values-base.yaml b/applications/nublado/values-base.yaml index 842c73f4cd..475235d626 100644 --- a/applications/nublado/values-base.yaml +++ b/applications/nublado/values-base.yaml @@ -97,14 +97,8 @@ controller: - containerPath: "/data/lsstdata/BTS/auxtel" volumeName: "auxtel" -hub: - internalDatabase: false - jupyterhub: hub: db: upgrade: true url: "postgresql://nublado3@postgresdb01.ls.lsst.org/nublado3" - -secrets: - templateSecrets: true diff --git a/applications/nublado/values-ccin2p3.yaml b/applications/nublado/values-ccin2p3.yaml index 0049311064..3e77080dd4 100644 --- a/applications/nublado/values-ccin2p3.yaml +++ b/applications/nublado/values-ccin2p3.yaml @@ -81,7 +81,3 @@ jupyterhub: timeout: 432000 every: 300 maxAge: 604800 -hub: - internalDatabase: false -secrets: - templateSecrets: true 
diff --git a/applications/nublado/values-idfdemo.yaml b/applications/nublado/values-idfdemo.yaml index 87047b47db..134b601516 100644 --- a/applications/nublado/values-idfdemo.yaml +++ b/applications/nublado/values-idfdemo.yaml @@ -69,11 +69,7 @@ jupyterhub: hub: db: url: "postgresql://nublado@cloud-sql-proxy.nublado/nublado" -hub: - internalDatabase: false cloudsql: enabled: true instanceConnectionName: "science-platform-demo-9e05:us-central1:science-platform-demo-a4dbbf96" serviceAccount: "nublado@science-platform-demo-9e05.iam.gserviceaccount.com" -secrets: - templateSecrets: true diff --git a/applications/nublado/values-idfdev.yaml b/applications/nublado/values-idfdev.yaml index 1e2b9dbf40..b859fc8bd2 100644 --- a/applications/nublado/values-idfdev.yaml +++ b/applications/nublado/values-idfdev.yaml @@ -84,11 +84,7 @@ jupyterhub: db: upgrade: true url: "postgresql://nublado@cloud-sql-proxy.nublado/nublado" -hub: - internalDatabase: false cloudsql: enabled: true instanceConnectionName: "science-platform-dev-7696:us-central1:science-platform-dev-e9e11de2" serviceAccount: "nublado@science-platform-dev-7696.iam.gserviceaccount.com" -secrets: - templateSecrets: true diff --git a/applications/nublado/values-idfint.yaml b/applications/nublado/values-idfint.yaml index 51d93f6616..0fa1a629a3 100644 --- a/applications/nublado/values-idfint.yaml +++ b/applications/nublado/values-idfint.yaml @@ -109,11 +109,7 @@ jupyterhub: url: "postgresql://nublado@cloud-sql-proxy.nublado/nublado" upgrade: true -hub: - internalDatabase: false cloudsql: enabled: true instanceConnectionName: "science-platform-int-dc5d:us-central1:science-platform-int-8f439af2" serviceAccount: "nublado@science-platform-int-dc5d.iam.gserviceaccount.com" -secrets: - templateSecrets: true diff --git a/applications/nublado/values-idfprod.yaml b/applications/nublado/values-idfprod.yaml index 31199dacce..eb10b011cb 100644 --- a/applications/nublado/values-idfprod.yaml +++ b/applications/nublado/values-idfprod.yaml 
@@ -88,12 +88,7 @@ jupyterhub: url: "postgresql://nublado@cloud-sql-proxy.nublado/nublado" upgrade: true -hub: - internalDatabase: false - cloudsql: enabled: true instanceConnectionName: "science-platform-stable-6994:us-central1:science-platform-stable-0c29612b" serviceAccount: "nublado@science-platform-stable-6994.iam.gserviceaccount.com" -secrets: - templateSecrets: true diff --git a/applications/nublado/values-roe.yaml b/applications/nublado/values-roe.yaml index 12452f8d1b..becb842dab 100644 --- a/applications/nublado/values-roe.yaml +++ b/applications/nublado/values-roe.yaml @@ -51,7 +51,13 @@ proxy: nginx.ingress.kubernetes.io/proxy-read-timeout: "50s" nginx.ingress.kubernetes.io/client-max-body-size: "50m" +hub: + internalDatabase: true + jupyterhub: hub: db: upgrade: true + +secrets: + templateSecrets: false diff --git a/applications/nublado/values-summit.yaml b/applications/nublado/values-summit.yaml index 283ca60893..4191968de4 100644 --- a/applications/nublado/values-summit.yaml +++ b/applications/nublado/values-summit.yaml @@ -137,14 +137,8 @@ controller: - containerPath: "/data/lsstdata/base/maintel" volumeName: "lsstdata-base-lsstcam" -hub: - internalDatabase: false - jupyterhub: hub: db: upgrade: true url: "postgresql://nublado3@postgresdb01.cp.lsst.org/nublado3" - -secrets: - templateSecrets: true diff --git a/applications/nublado/values-tucson-teststand.yaml b/applications/nublado/values-tucson-teststand.yaml index ae8aea0456..e70b9eda2f 100644 --- a/applications/nublado/values-tucson-teststand.yaml +++ b/applications/nublado/values-tucson-teststand.yaml @@ -100,14 +100,8 @@ controller: - containerPath: "/data/lsstdata/TTS/comcam" volumeName: "comcam" -hub: - internalDatabase: false - jupyterhub: hub: db: upgrade: true url: "postgresql://nublado3@postgresdb01.tu.lsst.org/nublado3" - -secrets: - templateSecrets: true diff --git a/applications/nublado/values-usdfdev.yaml b/applications/nublado/values-usdfdev.yaml index 0e680ff040..4e9871eb16 100644 
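Review bot: The RoE pin of `templateSecrets: false` and `internalDatabase: true` carries no explanation, so a later reader cannot tell a deliberate exception from a forgotten default. As the README text in this same patch describes it, leaving `templateSecrets` off means the user labs draw their secret values from the same unsplit nublado Vault secret that JupyterHub uses, so the exception also keeps the hub and lab secrets in one blob rather than separated; that is worth stating so the pin gets revisited. Suggest a comment above each added key, e.g. `# RoE has not yet migrated to the split nublado / nublado-lab-secret layout; remove this override once it has.` and `# RoE still uses the cluster-internal PostgreSQL; password management follows that path.`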
--- a/applications/nublado/values-usdfdev.yaml +++ b/applications/nublado/values-usdfdev.yaml @@ -140,6 +140,3 @@ jupyterhub: hub: internalDatabase: true - -secrets: - templateSecrets: true diff --git a/applications/nublado/values-usdfint.yaml b/applications/nublado/values-usdfint.yaml index 0e680ff040..4e9871eb16 100644 --- a/applications/nublado/values-usdfint.yaml +++ b/applications/nublado/values-usdfint.yaml @@ -140,6 +140,3 @@ jupyterhub: hub: internalDatabase: true - -secrets: - templateSecrets: true diff --git a/applications/nublado/values-usdfprod.yaml b/applications/nublado/values-usdfprod.yaml index 262bd7f70f..a2708e8da9 100644 --- a/applications/nublado/values-usdfprod.yaml +++ b/applications/nublado/values-usdfprod.yaml @@ -136,3 +136,9 @@ jupyterhub: cull: timeout: 432000 # 5 days maxAge: 691200 # 8 days + +hub: + internalDatabase: true + +secrets: + templateSecrets: false diff --git a/applications/nublado/values.yaml b/applications/nublado/values.yaml index 93ada6f95e..8f0fcd8315 100644 --- a/applications/nublado/values.yaml +++ b/applications/nublado/values.yaml @@ -399,7 +399,7 @@ hub: # -- Whether to use the cluster-internal PostgreSQL server instead of an # external server. This is not used directly by the Nublado chart, but # controls how the database password is managed. - internalDatabase: true + internalDatabase: false # -- Minimum remaining token lifetime when spawning a lab. The token cannot # be renewed, so it should ideally live as long as the lab does. If the @@ -658,7 +658,7 @@ secrets: # Vault nublado secret will be split into a nublado secret for JupyterHub # and a nublado-lab-secret secret used as a source for secret values for the # user's lab. - templateSecrets: false + templateSecrets: true # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. 
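Review bot: Flipping the default of `hub.internalDatabase` to `false` silently changes password management for any environment that relied on the old `true` default and does not set the key explicitly; the environments touched here (usdfdev and usdfint keep `true`, roe and usdfprod add `true`) are covered, but other environments' values files are not in this diff, so a grep for environments that omit the key would confirm none regress. Separately, the comment on `templateSecrets` still reads as if the new mechanism were opt-in, whereas after this change `false` is the exceptional legacy case. Suggest rewording the comment to `# -- Whether to use the new secrets management mechanism. Leave enabled; set to false only for environments that have not yet migrated to the split nublado / nublado-lab-secret layout.` so the generated README (if it is produced from these comments) documents the default correctly.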
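Review bot: After this hunk USDF prod runs the old unsplit nublado secret (`templateSecrets: false`) while the usdfdev and usdfint hunks on this same line drop their explicit `templateSecrets: true` and thus take the new default, so dev and prod at the same site now use different secret layouts. That drift is presumably temporary, but nothing in the file records it, and the added `hub.internalDatabase: true` is likewise unexplained. Suggest `# USDF prod has not yet migrated to the split nublado / nublado-lab-secret layout (dev and int have); remove this override once it has.` above the `secrets:` block so the exception is tracked rather than inherited.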
diff --git a/applications/obsloctap/README.md b/applications/obsloctap/README.md index 2bb43ad218..3706f43804 100644 --- a/applications/obsloctap/README.md +++ b/applications/obsloctap/README.md @@ -13,7 +13,7 @@ Publish observing schedule | config.obsplanLimit | int | `1000` | limit for obsplan query | | config.obsplanTimeSpan | int | `24` | time span, if a time is provided in the query how man hours to look back | | config.persistentVolumeClaims | list | `[]` | PersistentVolumeClaims to create. | -| config.separateSecrets | bool | `false` | Whether to use the new secrets management scheme | +| config.separateSecrets | bool | `true` | Whether to use the new secrets management scheme | | config.volume_mounts | list | `[]` | Mount points for additional volumes | | config.volumes | list | `[]` | Additional volumes to attach | | environment | object | `{}` | Environment variables (e.g. butler configuration/auth parms) for panel | diff --git a/applications/obsloctap/values-usdfdev.yaml b/applications/obsloctap/values-usdfdev.yaml index 156197392e..923fdc19cc 100644 --- a/applications/obsloctap/values-usdfdev.yaml +++ b/applications/obsloctap/values-usdfdev.yaml @@ -11,6 +11,7 @@ environment: obsloctapVaultPrefix: secret/rubin/usdf-butler/postgres config: + separateSecrets: false volumes: - name: sdf-group-rubin persistentVolumeClaim: @@ -32,7 +33,6 @@ config: image: pullPolicy: Always - controller: config: safir: diff --git a/applications/obsloctap/values.yaml b/applications/obsloctap/values.yaml index f550bf248b..30aab5d576 100644 --- a/applications/obsloctap/values.yaml +++ b/applications/obsloctap/values.yaml @@ -27,7 +27,7 @@ config: persistentVolumeClaims: [] # -- Whether to use the new secrets management scheme - separateSecrets: false + separateSecrets: true # -- limit for obsplan query obsplanLimit: 1000 diff --git a/applications/plot-navigator/README.md b/applications/plot-navigator/README.md index 7bb6496183..635e50d4a7 100644 
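Review bot: The added `separateSecrets: false` in the usdfdev override is the only environment in this chart still on the old secrets path, and nothing records why; the neighbouring context line `obsloctapVaultPrefix: secret/rubin/usdf-butler/postgres` shows USDF uses its own Vault layout, which is presumably the reason. Suggest a comment directly above the new line, e.g. `# USDF still reads obsloctap secrets from the old shared path; remove once migrated.` The hunk also drops the blank line before `controller:`, which is an unrelated whitespace change and would be cleaner left out of a secrets-migration commit.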
--- a/applications/plot-navigator/README.md +++ b/applications/plot-navigator/README.md @@ -11,7 +11,7 @@ Plot-navigator | Key | Type | Default | Description | |-----|------|---------|-------------| | config.persistentVolumeClaims | list | `[]` | PersistentVolumeClaims to create. | -| config.separateSecrets | bool | `false` | Whether to use the new secrets management scheme | +| config.separateSecrets | bool | `true` | Whether to use the new secrets management scheme | | config.volume_mounts | list | `[]` | Mount points for additional volumes | | config.volumes | list | `[]` | Additional volumes to attach | | environment | object | `{}` | Environment variables (e.g. butler configuration/auth parms) for the nextjs server | diff --git a/applications/plot-navigator/values-usdfdev.yaml b/applications/plot-navigator/values-usdfdev.yaml index 5af84b8757..aeb7fab6e1 100644 --- a/applications/plot-navigator/values-usdfdev.yaml +++ b/applications/plot-navigator/values-usdfdev.yaml @@ -5,6 +5,7 @@ environment: BUCKET_URL: "https://s3dfrgw.slac.stanford.edu/" config: + separateSecrets: false persistentVolumeClaims: - name: sdf-group-rubin storageClassName: sdf-group-rubin diff --git a/applications/plot-navigator/values-usdfint.yaml b/applications/plot-navigator/values-usdfint.yaml index 5af84b8757..aeb7fab6e1 100644 --- a/applications/plot-navigator/values-usdfint.yaml +++ b/applications/plot-navigator/values-usdfint.yaml @@ -5,6 +5,7 @@ environment: BUCKET_URL: "https://s3dfrgw.slac.stanford.edu/" config: + separateSecrets: false persistentVolumeClaims: - name: sdf-group-rubin storageClassName: sdf-group-rubin diff --git a/applications/plot-navigator/values-usdfprod.yaml b/applications/plot-navigator/values-usdfprod.yaml index 5af84b8757..aeb7fab6e1 100644 --- a/applications/plot-navigator/values-usdfprod.yaml +++ b/applications/plot-navigator/values-usdfprod.yaml 
@@ -5,6 +5,7 @@ environment: BUCKET_URL: "https://s3dfrgw.slac.stanford.edu/" config: + separateSecrets: false persistentVolumeClaims: - name: sdf-group-rubin storageClassName: sdf-group-rubin diff --git a/applications/plot-navigator/values.yaml b/applications/plot-navigator/values.yaml index 9a69783083..a32e50e8da 100644 --- a/applications/plot-navigator/values.yaml +++ b/applications/plot-navigator/values.yaml @@ -24,7 +24,7 @@ config: persistentVolumeClaims: [] # -- Whether to use the new secrets management scheme - separateSecrets: false + separateSecrets: true # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. diff --git a/applications/production-tools/README.md b/applications/production-tools/README.md index f2d753296d..03b5917173 100644 --- a/applications/production-tools/README.md +++ b/applications/production-tools/README.md @@ -11,7 +11,6 @@ A collection of utility pages for monitoring data processing. | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | Affinity rules for the production-tools deployment pod | -| config.separateSecrets | bool | `false` | Whether to use the new secrets management scheme | | environment | object | `{}` | | | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | diff --git a/applications/production-tools/templates/vault-secrets.yaml b/applications/production-tools/templates/vault-secrets.yaml index e93329880b..aaf5ee95a2 100644 --- a/applications/production-tools/templates/vault-secrets.yaml +++ b/applications/production-tools/templates/vault-secrets.yaml 
@@ -5,11 +5,7 @@ metadata: labels: {{- include "production-tools.labels" . | nindent 4 }} spec: -{{- if .Values.config.separateSecrets }} path: "{{ .Values.global.vaultSecretsPath }}/production-tools" -{{- else }} - path: "{{ .Values.global.vaultSecretsPath }}/butler-secret" -{{- end }} type: Opaque --- apiVersion: ricoberger.de/v1alpha1 diff --git a/applications/production-tools/values-idfint.yaml b/applications/production-tools/values-idfint.yaml index c846f462a2..b89176b204 100644 --- a/applications/production-tools/values-idfint.yaml +++ b/applications/production-tools/values-idfint.yaml @@ -3,5 +3,3 @@ environment: LOG_BUCKET: "drp-us-central1-logging" LOG_PREFIX: "Panda-RubinLog" WEB_CONCURRENCY: "4" -config: - separateSecrets: true diff --git a/applications/production-tools/values.yaml b/applications/production-tools/values.yaml index a405a3726f..3982236b52 100644 --- a/applications/production-tools/values.yaml +++ b/applications/production-tools/values.yaml @@ -32,10 +32,6 @@ ingress: # -- Additional annotations for the ingress rule annotations: {} -config: - # -- Whether to use the new secrets management scheme - separateSecrets: false - # -- Resource limits and requests for the production-tools deployment pod resources: {} diff --git a/applications/rubintv-dev/README.md b/applications/rubintv-dev/README.md index ba7a7b94b0..a808d9eef1 100644 --- a/applications/rubintv-dev/README.md +++ b/applications/rubintv-dev/README.md 
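Review bot: Removing the `butler-secret` fallback here is paired with deleting the entire `config:` block from values.yaml in the next hunk on this line, so any other template in the chart that still reads `.Values.config.*` would now render an empty value rather than fail, since Helm is non-strict by default; a grep for `.Values.config` across the chart's templates would confirm nothing else depends on it. The second VaultSecret document after the `---` is outside this hunk and unchanged, so it is worth checking it does not still point at the shared `butler-secret` path that this hunk retires. A short comment above the path would help operators: `# Per-application secret only; the shared butler-secret path is no longer supported.`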
@@ -12,7 +12,6 @@ Real-time display front end development application |-----|------|---------|-------------| | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | -| global.tsVaultSecretsPath | string | `""` | Relative path for tsVault secrets | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.config.secretKey | string | `"redis-password"` | Key inside secret from which to get the Redis password (do not change) | @@ -41,7 +40,6 @@ Real-time display front end development application | rubintv.imagePullSecrets | list | See `values.yaml` | Image pull secrets. | | rubintv.ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | rubintv.nameOverride | string | `""` | Override the base name for resources | -| rubintv.separateSecrets | bool | `false` | Whether to use the new secrets management scheme | | rubintv.siteTag | string | `""` | A special tag for letting the scripts know where they are running. Must be overridden at each site | | rubintv.workers.affinity | object | `{}` | Affinity rules for the rubintv-dev worker pods | | rubintv.workers.debug | bool | `false` | If set to true, enable more verbose logging. | diff --git a/applications/rubintv-dev/values-summit.yaml b/applications/rubintv-dev/values-summit.yaml index 95fa42519f..b7b1a01d27 100644 --- a/applications/rubintv-dev/values-summit.yaml +++ b/applications/rubintv-dev/values-summit.yaml @@ -4,8 +4,6 @@ rubintv: imagePullSecrets: - name: pull-secret - separateSecrets: true - frontend: debug: true env: @@ -56,6 +54,3 @@ rubintv: limits: cpu: 1.0 memory: 2.5G - -global: - tsVaultSecretsPath: "" diff --git a/applications/rubintv-dev/values.yaml b/applications/rubintv-dev/values.yaml index e6aaeaf3f1..94dc6b961a 100644 --- a/applications/rubintv-dev/values.yaml 
+++ b/applications/rubintv-dev/values.yaml @@ -14,9 +14,6 @@ rubintv: imagePullSecrets: [] # Each entry is of the form: { name: pull-secret-name } - # -- Whether to use the new secrets management scheme - separateSecrets: false - frontend: # -- If set to true, enable more verbose logging. debug: false @@ -188,7 +185,6 @@ redis: # -- Affinity rules for the Redis pod affinity: {} - # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global: @@ -203,6 +199,3 @@ global: # -- Base path for Vault secrets # @default -- Set by Argo CD vaultSecretsPath: "" - - # -- Relative path for tsVault secrets - tsVaultSecretsPath: "" diff --git a/applications/rubintv/README.md b/applications/rubintv/README.md index 9caeed997e..f5a6ce31b8 100644 --- a/applications/rubintv/README.md +++ b/applications/rubintv/README.md @@ -12,7 +12,6 @@ Real-time display front end |-----|------|---------|-------------| | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | -| global.tsVaultSecretsPath | string | `""` | Relative path for tsVault secrets | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | redis.affinity | object | `{}` | Affinity rules for the Redis pod | | redis.config.secretKey | string | `"redis-password"` | Key inside secret from which to get the Redis password (do not change) | 
@@ -41,7 +40,7 @@ Real-time display front end | rubintv.imagePullSecrets | list | See `values.yaml` | Image pull secrets. | | rubintv.ingress.annotations | object | `{}` | Additional annotations to add to the ingress | | rubintv.nameOverride | string | `""` | Override the base name for resources | -| rubintv.separateSecrets | bool | `false` | Whether to use the new secrets management scheme | +| rubintv.separateSecrets | bool | `true` | Whether to use the new secrets management scheme | | rubintv.siteTag | string | `""` | A special tag for letting the scripts know where they are running. Must be overridden at each site | | rubintv.workers.affinity | object | `{}` | Affinity rules for the rubintv worker pods | | rubintv.workers.debug | bool | `false` | If set to true, enable more verbose logging. | diff --git a/applications/rubintv/values-base.yaml b/applications/rubintv/values-base.yaml index 26ff9e0d99..c206a2da66 100644 --- a/applications/rubintv/values-base.yaml +++ b/applications/rubintv/values-base.yaml @@ -1,6 +1,5 @@ rubintv: siteTag: "base" - separateSecrets: true imagePullSecrets: - name: pull-secret @@ -37,6 +36,3 @@ rubintv: limits: cpu: 2.0 memory: "8Gi" - -global: - tsVaultSecretsPath: "" diff --git a/applications/rubintv/values-summit.yaml b/applications/rubintv/values-summit.yaml index 843481f45d..54dc1d4bb4 100644 --- a/applications/rubintv/values-summit.yaml +++ b/applications/rubintv/values-summit.yaml @@ -4,8 +4,6 @@ rubintv: imagePullSecrets: - name: pull-secret - separateSecrets: true - frontend: debug: true env: @@ -55,6 +53,3 @@ rubintv: limits: cpu: 1.0 memory: 2.5G - -global: - tsVaultSecretsPath: "" diff --git a/applications/rubintv/values-tucson-teststand.yaml b/applications/rubintv/values-tucson-teststand.yaml index 64526e159d..a721e4036c 100644 --- a/applications/rubintv/values-tucson-teststand.yaml +++ b/applications/rubintv/values-tucson-teststand.yaml 
@@ -1,6 +1,5 @@ rubintv: siteTag: "tucson" - separateSecrets: true imagePullSecrets: - name: pull-secret
@@ -37,6 +36,3 @@ rubintv: limits: cpu: 2.0 memory: "8Gi" - -global: - tsVaultSecretsPath: ""
diff --git a/applications/rubintv/values-usdfdev.yaml b/applications/rubintv/values-usdfdev.yaml
index 907b56f2ea..de92343b46 100644
--- a/applications/rubintv/values-usdfdev.yaml
+++ b/applications/rubintv/values-usdfdev.yaml
@@ -1,5 +1,6 @@ rubintv: siteTag: "usdf-dev" + separateSecrets: false imagePullSecrets: - name: pull-secret
diff --git a/applications/rubintv/values-usdfprod.yaml b/applications/rubintv/values-usdfprod.yaml
index c7b625adfd..9fe5bec0a1 100644
--- a/applications/rubintv/values-usdfprod.yaml
+++ b/applications/rubintv/values-usdfprod.yaml
@@ -1,5 +1,6 @@ rubintv: siteTag: "usdf-prod" + separateSecrets: false imagePullSecrets: - name: pull-secret
diff --git a/applications/rubintv/values.yaml b/applications/rubintv/values.yaml
index 6d754d0153..32a2922993 100644
--- a/applications/rubintv/values.yaml
+++ b/applications/rubintv/values.yaml
@@ -15,7 +15,7 @@ rubintv: # Each entry is of the form: { name: pull-secret-name } # -- Whether to use the new secrets management scheme - separateSecrets: false + separateSecrets: true frontend: # -- If set to true, enable more verbose logging.
@@ -197,7 +197,6 @@ redis: # -- Affinity rules for the Redis pod affinity: {} - # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global:
@@ -212,6 +211,3 @@ global: # -- Base path for Vault secrets # @default -- Set by Argo CD vaultSecretsPath: "" - - # -- Relative path for tsVault secrets - tsVaultSecretsPath: ""
diff --git a/charts/rubintv/README.md b/charts/rubintv/README.md
index 72573843c6..9b64d3d027 100644
--- a/charts/rubintv/README.md
+++ b/charts/rubintv/README.md
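Review bot: The `separateSecrets: false` line added to `values-usdfdev.yaml` and `values-usdfprod.yaml` has no comment, and with the chart default now flipped to `true` it is the only thing keeping those two environments on the legacy secrets layout. A why-comment on each would keep the override from quietly outliving the migration, e.g. `# USDF still reads the old secrets tree; remove this override once its secrets are migrated.` Without it, a later cleanup that drops the `separateSecrets` branch from the chart template would switch USDF production to the new Vault path in the same commit, which presumably does not yet hold its secrets — that consequence is inferred from the flag's description, not visible in this hunk.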
@@ -24,7 +24,6 @@ Real-time display front end | fullnameOverride | string | `""` | Override the full name for resources (includes the release name) | | global.baseUrl | string | Set by Argo CD | Base URL for the environment | | global.host | string | Set by Argo CD | Host name for ingress | -| global.tsVaultSecretsPath | string | `""` | Relative path for tsVault secrets | | global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets | | imagePullSecrets | list | See `values.yaml` | Image pull secrets. | | ingress.annotations | object | `{}` | Additional annotations to add to the ingress |
@@ -41,7 +40,7 @@ Real-time display front end | redis.podAnnotations | object | `{}` | Pod annotations for the Redis pod | | redis.resources | object | See `values.yaml` | Resource limits and requests for the Redis pod | | redis.tolerations | list | `[]` | Tolerations for the Redis pod | -| separateSecrets | bool | `false` | Whether to use the new secrets management scheme | +| separateSecrets | bool | `true` | Whether to use the new secrets management scheme | | siteTag | string | `""` | A special tag for letting the scripts know where they are running. Must be overridden at each site | | workers.affinity | object | `{}` | Affinity rules for the rubintv worker pods | | workers.debug | bool | `false` | If set to true, enable more verbose logging. |
diff --git a/charts/rubintv/templates/vault-secrets.yaml b/charts/rubintv/templates/vault-secrets.yaml
index 030ced1e5f..5ea8069a7c 100644
--- a/charts/rubintv/templates/vault-secrets.yaml
+++ b/charts/rubintv/templates/vault-secrets.yaml
@@ -5,7 +5,7 @@ metadata: labels: {{- include "rubintv.labels" . | nindent 4 }} spec: - path: "{{ .Values.global.vaultSecretsPath }}{{ .Values.global.tsVaultSecretsPath }}/rubintv" + path: "{{ .Values.global.vaultSecretsPath }}/rubintv" type: "Opaque" --- {{- if (not .Values.separateSecrets) }}
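Review bot: The rewritten `path:` line in `vault-secrets.yaml` concatenates `.Values.global.vaultSecretsPath`, whose chart default is the empty string, so a render where Argo CD has not injected the value produces the path `/rubintv` instead of failing. Since this path selects which Vault secret is materialised into the cluster, a `required` guard turns that misconfiguration into a render error: `path: "{{ required "global.vaultSecretsPath must be set by Argo CD" .Values.global.vaultSecretsPath }}/rubintv"`. The legacy block behind `{{- if (not .Values.separateSecrets) }}` continues past the end of the hunk, so I cannot see whether it still references the now-deleted `global.tsVaultSecretsPath`; given that key was removed from every values file in this commit, that block is worth a quick check, as is the point that the legacy path is still rendered for any environment setting the flag to `false`.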
diff --git a/charts/rubintv/values.yaml b/charts/rubintv/values.yaml
index 7d6dc9e185..0a40b4d216 100644
--- a/charts/rubintv/values.yaml
+++ b/charts/rubintv/values.yaml
@@ -16,7 +16,7 @@ imagePullSecrets: [] # Each entry is of the form: { name: pull-secret-name } # -- Whether to use the new secrets management scheme -separateSecrets: false +separateSecrets: true frontend: # -- If set to true, enable more verbose logging.
@@ -202,7 +202,6 @@ redis: # -- Affinity rules for the Redis pod affinity: {} - # The following will be set by parameters injected by Argo CD and should not # be set in the individual environment values files. global:
@@ -217,6 +216,3 @@ global: # -- Base path for Vault secrets # @default -- Set by Argo CD vaultSecretsPath: "" - - # -- Relative path for tsVault secrets - tsVaultSecretsPath: ""
diff --git a/docs/admin/migrating-secrets.rst b/docs/admin/migrating-secrets.rst
index d4b123a4d1..727f1742fb 100644
--- a/docs/admin/migrating-secrets.rst
+++ b/docs/admin/migrating-secrets.rst
@@ -176,14 +176,10 @@ Switch to the new secrets tree On your working branch, add the necessary settings for those applications to their :file:`values-{environment}.yaml` files for your environment. Applications to review: - - :px-app:`datalinker` (``config.separateSecrets``) - - :px-app:`nightreport` (``global.tsVaultSecretsPath``) - - :px-app:`nublado` (``hub.internalDatabase``, ``secrets.templateSecrets``) + - :px-app:`nublado` (``secrets.templateSecrets``) - :px-app:`obsloctap` (``config.separateSecrets``) - :px-app:`plot-navigator` (``config.separateSecrets``) - - :px-app:`production-tools` (``config.separateSecrets``) - - :px-app:`rubintv` (``rubintv.separateSecrets``, ``global.tsVaultSecretsPath``) - - :px-app:`rubintv-dev` (``rubintv.separateSecrets``, ``global.tsVaultSecretsPath``) + - :px-app:`rubintv` (``rubintv.separateSecrets``) #. You're now ready to test the new secrets tree. You can do this on a branch that contains the changes you made above.
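Review bot: The comment above the flipped default in `charts/rubintv/values.yaml` still reads `# -- Whether to use the new secrets management scheme`, which after this change no longer tells a reader what `false` selects, that it is the legacy layout, or that it is meant to disappear. Suggest replacing it with `# -- Whether to use the new secrets management scheme. Set to false only for environments still on the old secrets tree; this option will be removed once the migration is complete.` If the README tables are generated from these `# --` comments, as their format suggests, the README row updated in this commit would pick up the clarification automatically.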