[stable/Influxdb] make mounting of GSA key optional for backups to GCS (#20780)

* influxdb-fix-labels Signed-off-by: Naseem <naseem@transit.app> * Fix labels Signed-off-by: Naseem <naseem@transit.app> * Allow use of workload identity to auth to GCS By making the mounting of a GSA key optional, it give the option of using workload identity to provide the backup with access to GCS. For more info on workload identity please see https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identitySigned-off-by: Naseem <naseem@transit.app>

[stable/Influxdb] make mounting of GSA key optional for backups to GCS (#20780)
a4ecbfbd · Naseem · GitHub · 12ae9f17 · a4ecbfbd · a4ecbfbd
Commit a4ecbfbd authored Feb 15, 2020 by Naseem Committed by GitHub Feb 15, 2020
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 3 deletions

Chart.yaml stable/influxdb/Chart.yaml +3 -1

OWNERS stable/influxdb/OWNERS +2 -0

backup-cronjob.yaml stable/influxdb/templates/backup-cronjob.yaml +10 -2

No files found.
--- a/stable/influxdb/Chart.yaml
+++ b/stable/influxdb/Chart.yaml
 apiVersion: v1
 name: influxdb
-version: 4.0.1
+version: 4.1.0
 appVersion: 1.7.6
 description: Scalable datastore for metrics, events, and real-time analytics.
 keywords:
@@ -15,4 +15,6 @@ maintainers:
  email: jack@influxdb.com
 - name: aisuko
  email: urakiny@gmail.com
+- name: naseemkullah
+  email: naseem@transit.app
 engine: gotpl
--- a/stable/influxdb/OWNERS
+++ b/stable/influxdb/OWNERS
 approvers:
 - jackzampolin
 - aisuko
+- naseemkullah
 reviewers:
 - jackzampolin
 - aisuko
+- naseemkullah
--- a/stable/influxdb/templates/backup-cronjob.yaml
+++ b/stable/influxdb/templates/backup-cronjob.yaml
@@ -22,11 +22,13 @@ spec:
          volumes:
          - name: backups
            emptyDir: {}
-          {{- if and .Values.backup.gcs }}
+          {{- if .Values.backup.gcs }}
+          {{- if .Values.backup.gcs.serviceAccountSecret }}
          - name: google-cloud-key
            secret:
              secretName: {{ .Values.backup.gcs.serviceAccountSecret | quote }}
          {{- end }}
+          {{- end }}
          serviceAccountName: {{ include "influxdb.serviceAccountName" . }}
          initContainers:
          - name: influxdb-backup
@@ -41,7 +43,7 @@ spec:
            - |
              influxd backup -host {{ template "influxdb.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.config.rpc.bind_address }} -portable /backups/backup_$(date +%Y%m%d_%H%M%S)
          containers:
-          {{- if .Values.backup.gcs}}
+          {{- if .Values.backup.gcs }}
          - name: gsutil-cp
            image: google/cloud-sdk:alpine
            command:
@@ -49,21 +51,27 @@ spec:
            args:
            - '-c'
            - |
+              if [ -n "$KEY_FILE" ]; then
                gcloud auth activate-service-account --key-file $KEY_FILE
+              fi
              gsutil -m cp -r "$SRC_URL" "$DST_URL"
            volumeMounts:
            - name: backups
              mountPath: /backups
+            {{- if .Values.backup.gcs.serviceAccountSecretKey}}
            - name: google-cloud-key
              mountPath: /var/secrets/google/
+            {{- end }}
            env:
              - name: SRC_URL
                value: /backups
              - name: DST_URL
                value: {{ .Values.backup.gcs.destination}}
+              {{- if .Values.backup.gcs.serviceAccountSecretKey}}
              - name: KEY_FILE
                value: /var/secrets/google/{{ .Values.backup.gcs.serviceAccountSecretKey }}
              {{- end }}
+          {{- end }}
          {{- if .Values.backup.azure }}
          - name: azure-cli
            image: microsoft/azure-cli