issue #94 allow injecting arbitrary secrets into environment for conf…

…ig (#102)

* issue #94 allow injecting arbitrary secrets into environment for config

* tests for issue fix #94 inject arbitrary secrets

* docs for injecting arbitrary secrets

.circleci/config.yml

@@ -54,17 +54,17 @@ jobs:
           paths:
             - ~/.cache/npm
 
+      - run:
+          name: Lint
+          command: helm lint .    
+
       - run:
           name: GKE Setup / Auth
           command: |
              echo "GKE SETUP"
              export CLUSTER_NAME=$CLUSTER-$CIRCLE_BUILD_NUM
              ./tools/test/provision-k8s.sh $CLUSTER_NAME
       
-      - run:
-          name: Lint
-          command: helm lint . 
-
       - run:
           name: Create test namespace
           command: |
@@ -76,12 +76,18 @@ jobs:
             EOF
 
       - run:
-          name: Install service key secret for maintenance ops
+          name: Install secrets for maintenance ops and testing
           command: |
             NAMESPACE=ns-$CIRCLE_BUILD_NUM
             kubectl create secret generic neo4j-service-key \
               --namespace $NAMESPACE \
               --from-file=credentials.json=$SERVICE_KEY_FILE
+            # This secret is injected in the test process to demonstrate that
+            # config works.  This is just any valid config we can check inside of
+            # a running system.
+            kubectl create secret generic my-secret-config \
+              --namespace $NAMESPACE \
+              --from-literal=NEO4J_dbms_transaction_concurrent_maximum=0
 
       - run:
           name: Package and Install Neo4j-Helm Chart

README.md

@@ -79,7 +79,7 @@ Standalone forms faster so we can manually lower the liveness/readiness timeouts
 ```
 export NAME=a
 export NAMESPACE=default
-helm install $NAME . --set acceptLicenseAgreement=yes --set neo4jPassword=mySecretPassword --set core.standalone=true --set readinessProbe.initialDelaySeconds=20 --set livenessProbe.initialDelaySeconds=20 && \
+helm install $NAME . -f deployment-scenarios/ci/standalone.yaml && \
 kubectl rollout status --namespace $NAMESPACE StatefulSet/$NAME-neo4j-core --watch && \
 helm test $NAME --logs | tee testlog.txt
 helm uninstall $NAME
@@ -94,7 +94,7 @@ done
 ```
 export NAME=a
 export NAMESPACE=default
-helm install $NAME . --set acceptLicenseAgreement=yes --set neo4jPassword=mySecretPassword --set readReplica.numberOfServers=1 && \
+helm install $NAME . -f deployment-scenarios/ci/cluster.yaml && \
 kubectl rollout status --namespace $NAMESPACE StatefulSet/$NAME-neo4j-core --watch && \
 helm test $NAME --logs | tee testlog.txt
 helm uninstall $NAME

deployment-scenarios/ci/cluster.yaml

@@ -3,14 +3,28 @@ neo4jPassword: mySecretPassword
 
 readReplica:
     numberOfServers: 1
+    envFrom: 
+        - secretRef:
+            name: my-secret-config
 
 core:
     numberOfServers: 3
+    envFrom: 
+        - secretRef:
+            name: my-secret-config
 
 podAnnotations:
     ci-test: "true"
 
 podLabels:
     ci-test: "true"
     hello: world
-
+
+metrics:
+    prometheus:
+        enabled: true
+        endpoint: 0.0.0.0:2004
+
+    graphite:
+        enabled: true
+        endpoint: 0.0.0.0:2003

deployment-scenarios/ci/standalone.yaml

@@ -9,6 +9,9 @@ livenessProbe:
 
 core:
     standalone: true
+    envFrom: 
+        - secretRef:
+            name: my-secret-config
 
 podAnnotations:
     ci-test: "true"

doc/docs/modules/ROOT/pages/configreference.adoc

@@ -72,6 +72,10 @@ Reference tables with a list of all configurable parameters and their defaults.
 | Configmap providing configuration for core cluster members.  If not specified, defaults that come with the chart will be used.
 | `$NAME-neo4j-core-config`
 
+| `core.envFrom`
+| YAML list of `envFrom` entries, permitting config for pods to be set from any number of ConfigMaps and secrets.
+| `[]`
+
 | `core.standalone`
 | Whether to run in single-server STANDALONE mode.   When using standalone mode, core.numberOfServers is *ignored* and you will only get 1 Neo4j Pod.  The remainder of core configuration applies. 
 | false 
@@ -166,6 +170,10 @@ Reference tables with a list of all configurable parameters and their defaults.
 | Configmap providing configuration for RR cluster members.  If not specified, defaults that come with the chart will be used. 
 | `$NAME-neo4j-replica-config`
 
+| `readReplica.envFrom`
+| YAML list of `envFrom` entries, permitting config for pods to be set from any number of ConfigMaps and secrets.
+| `[]`
+
 | `readReplica.numberOfServers`
 | Number of machines in READ_REPLICA. May not be used with core.standalone=true mode
 | `0`

doc/docs/modules/ROOT/pages/operations.adoc

@@ -93,7 +93,11 @@ What fabric needs to work are 3 things:
 
 Custom configmaps (which are discussed in this section) cover #3. Your security configuration (whatever you choose) would cover #1 and isn’t kubernetes specific. And #2 is where kubernetes networking may or may not come in, depending on your deployment topology. In the simplest single DBMS configurations, I think it will work out of the box.
 
-## Custom Neo4j Configuration with ConfigMaps
+## Custom Neo4j Configuration
+
+Because neo4j-helm runs Neo4j as a docker container, make sure you understand the link:https://neo4j.com/docs/operations-manual/current/docker/configuration/[Neo4j Docker configuration reference] for environment variable naming, and how environment variables turn into configuration.
+
+### With ConfigMaps
 
 Neo4j cluster pods are divided into two groups: cores and replicas. Those pods can be configured with ConfigMaps, which contain environment variables. Those environment variables, in turn, are used as configuration settings to the underlying Neo4j Docker Container, according to the Neo4j environment variable configuration.
 
@@ -106,6 +110,25 @@ As a result, you can set any custom Neo4j configuration by creating your own Kub
 [NOTE]
 Configuration of some networking specific settings is still done at container start time, and this very small set of variables may still be overridden by the helm chart, in particular advertised addresses & hostnames for the containers.
 
+### With Secrets
+
+You may also specify `envFrom` within the core set or read replica set to use any number
+of additional config maps and secrets as well to inject additional configuration, which is
+applied last, after the other layers of configuration.
+
+As an example of a values file that accomplishes this:
+
+```
+core:
+    standalone: true
+    envFrom: 
+        - secretRef:
+            name: my-secret-config
+```
+
+Whichever keys and values are in my-secret-config will be injected as envirionment variables.  Using kubernetes secrets injected in configuration this way is a good option for specifying
+passwords.
+
 ## Scaling
 
 The following section describes considerations about changing the size of a cluster at runtime to handle more requests. Scaling only applies to causal cluster, and standalone instances cannot be scaled in this way.

templates/core-statefulset.yaml

@@ -55,6 +55,7 @@ spec:
           - configMapRef:
               name: "{{ .Values.core.configMap }}"
           {{- end }}
+          {{- if .Values.core.envFrom }}{{ toYaml .Values.core.envFrom | nindent 10 }}{{- end }}
         env:
           {{- if .Values.authEnabled }}
           - name: NEO4J_SECRETS_PASSWORD

templates/readreplicas-statefulset.yaml

@@ -56,6 +56,7 @@ spec:
           - configMapRef:
               name: "{{ .Values.readReplica.configMap }}"
           {{- end }}
+          {{- if .Values.readReplica.envFrom }}{{ toYaml .Values.readReplica.envFrom | nindent 10 }}{{- end }}
         env:
           {{- if .Values.authEnabled }}
           - name: NEO4J_SECRETS_PASSWORD

templates/tests/test-script.yaml

@@ -100,6 +100,19 @@ data:
       fi
     }
 
+    function check_secret_config_test {
+       ENDPOINT=$1
+       getconfig="call dbms.listConfig() yield name, value where name='dbms.transaction.concurrent.maximum' return value;"
+       res=$(cypher "$getconfig" $ENDPOINT)
+
+       echo $res | grep '"0"'
+       if [ $? -eq 0 ] ; then
+         succeed "$test"
+       else
+         fail "$test" "Expected it to be set to 0 - Output of config was $res"
+       fi
+    }
+
     # At this point the service endpoint proves that at least one host is up.
     # Provide just a bit more time for all of them to finish coming up because we'll
     # be testing them individually.
@@ -215,6 +228,9 @@ data:
       else
         fail "$test" "Canary read failed to execute -- exit code $exit_code / RESULT -- $result"
       fi
+
+      test="Core host $id has the k8s secret configuration key"
+      check_secret_config_test "$core_endpoint"
     done
 
     echo "Now testing read replicas"
@@ -240,6 +256,9 @@ data:
 
       test="Replica host $id of $READ_REPLICAS -- $replica_ep has APOC installed correctly"
       runtest "$test" "RETURN apoc.version();" "$replica_ep"
+
+      test="Replica host $id of $READ_REPLICAS has the k8s secret config key"
+      check_secret_config_test "$replica_ep"
     done
     {{- end }}
 

tools/test/Dockerfile

@@ -7,6 +7,6 @@ RUN apt-get install -y ca-certificates ca-certificates-java
 RUN curl https://debian.neo4j.com/neotechnology.gpg.key | apt-key add -
 RUN echo 'deb http://debian.neo4j.com stable latest' | tee -a /etc/apt/sources.list.d/neo4j.list
 RUN apt-get update
-RUN apt-get install -y cypher-shell=4.0.0
+RUN apt-get install -y cypher-shell=4.1.1
 
 CMD ["/bin/bash"]

values.yaml

@@ -63,6 +63,7 @@ defaultDatabase: "neo4j"
 # Cores
 core:
   # configMap: "my-custom-configmap"
+  envFrom: []
   standalone: false
   numberOfServers: 3
   persistentVolume:
@@ -148,6 +149,7 @@ core:
 # Read Replicas
 readReplica:
   # configMap: "my-custom-configmap"
+  envFrom: []
 
   resources: {}
   # limits: