[bitnami/apisix] Add support for usePasswordFiles (#32077)

* [bitnami/apisix] Add support for `usePasswordFiles` Signed-off-by: Miguel Ruiz <miguel.ruiz@broadcom.com> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Fix typo Signed-off-by: Miguel Ruiz <miguel.ruiz@broadcom.com> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Fix deployments Signed-off-by: Miguel Ruiz <miguel.ruiz@broadcom.com> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Miguel Ruiz <miguel.ruiz@broadcom.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
2026-02-19 19:47:22 +08:00 · 2025-02-24 14:52:49 +01:00
parent 82d4893118
commit cb5df90595
9 changed files with 124 additions and 3 deletions
--- a/bitnami/apisix/CHANGELOG.md
+++ b/bitnami/apisix/CHANGELOG.md
@@ -1,8 +1,12 @@
 # Changelog

+## 4.2.0 (2025-02-24)
+
+* [bitnami/apisix] Add support for `usePasswordFiles` ([#32077](https://github.com/bitnami/charts/pull/32077))
+
 ## 4.1.0 (2025-02-20)

-* [bitnami/apisix] feat: use new helper for checking API versions ([#32045](https://github.com/bitnami/charts/pull/32045))
+* [bitnami/apisix] feat: use new helper for checking API versions (#32045) ([c327f4b](https://github.com/bitnami/charts/commit/c327f4ba9cf6889d452e0f3fce495c10c6d1c106)), closes [#32045](https://github.com/bitnami/charts/issues/32045)

 ## <small>4.0.2 (2025-02-18)</small>

--- a/bitnami/apisix/Chart.yaml
+++ b/bitnami/apisix/Chart.yaml
@@ -45,4 +45,4 @@ sources:
  - https://github.com/bitnami/charts/tree/main/bitnami/apisix
  - https://github.com/bitnami/charts/tree/main/bitnami/apisix-dashboard
  - https://github.com/bitnami/charts/tree/main/bitnami/apisix-ingress-controller
-version: 4.1.0
+version: 4.2.0
--- a/bitnami/apisix/README.md
+++ b/bitnami/apisix/README.md
@@ -301,6 +301,7 @@ As an alternative, use one of the preset configurations for pod affinity, pod an
 | `commonAnnotations`      | Annotations to add to all deployed objects                                                                                                        | `{}`                     |
 | `clusterDomain`          | Kubernetes cluster domain name                                                                                                                    | `cluster.local`          |
 | `extraDeploy`            | Array of extra objects to deploy with the release                                                                                                 | `[]`                     |
+| `usePasswordFiles`       | Mount credentials as files instead of using environment variables                                                                                 | `true`                   |
 | `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden)                                                           | `false`                  |
 | `diagnosticMode.command` | Command to override all containers in the deployment                                                                                              | `["sleep"]`              |
 | `diagnosticMode.args`    | Args to override all containers in the deployment                                                                                                 | `["infinity"]`           |
--- a/bitnami/apisix/templates/_helpers.tpl
+++ b/bitnami/apisix/templates/_helpers.tpl
@@ -336,6 +336,18 @@ Init container definition for waiting for the database to be ready
      ln -sf /opt/bitnami/apisix/deps /usr/local/apisix
      ln -sf /opt/bitnami/apisix/openresty/luajit/share/lua/*/apisix /usr/local/apisix
      mkdir -p /usr/local/apisix/logs
+    {{- if .context.Values.usePasswordFiles }}
+      {{- if .context.Values.controlPlane.enabled }}
+      export APISIX_ADMIN_API_TOKEN="$(< $APISIX_ADMIN_API_TOKEN_FILE)"
+      export APISIX_VIEWER_API_TOKEN="$(< $APISIX_VIEWER_API_TOKEN_FILE)"
+      {{- end }}
+      {{- if (include "apisix.etcd.authEnabled" .context) }}
+      export APISIX_ETCD_PASSWORD="$(< $APISIX_ETCD_PASSWORD_FILE)"
+      {{- end}}
+      {{- if eq .component "dashboard" }}
+      export APISIX_DASHBOARD_PASSWORD="$(< $APISIX_DASHBOARD_PASSWORD_FILE)"
+      {{- end }}
+    {{- end }}
      # Build final config.yaml with the sections of the different files
      cp /bitnami/apisix/rendered-conf/config.yaml /usr/local/apisix/conf/
      chmod 644 /usr/local/apisix/conf/config.yaml
@@ -352,6 +364,12 @@ Init container definition for waiting for the database to be ready
    - name: BITNAMI_DEBUG
      value: {{ ternary "true" "false" (or .context.Values.image.debug .context.Values.diagnosticMode.enabled) | quote }}
    {{- if .context.Values.controlPlane.enabled }}
+    {{- if .context.Values.usePasswordFiles }}
+    - name: APISIX_ADMIN_API_TOKEN_FILE
+      value: {{ printf "/opt/bitnami/apisix/secrets/%s" (include "apisix.control-plane.adminTokenKey" .context) }}
+    - name: APISIX_VIEWER_API_TOKEN_FILE
+      value: {{ printf "/opt/bitnami/apisix/secrets/%s" (include "apisix.control-plane.viewerTokenKey" .context) }}
+    {{- else }}
    - name: APISIX_ADMIN_API_TOKEN
      valueFrom:
        secretKeyRef:
@@ -363,15 +381,21 @@ Init container definition for waiting for the database to be ready
          name: {{ include "apisix.control-plane.secretName" .context }}
          key: {{ include "apisix.control-plane.viewerTokenKey" .context }}
    {{- end }}
+    {{- end }}
    {{- if (include "apisix.etcd.authEnabled" .context) }}
    - name: APISIX_ETCD_USER
      value: {{ include "apisix.etcd.user" .context }}
+    {{- if .context.Values.usePasswordFiles }}
+    - name: APISIX_ETCD_PASSWORD_FILE
+      value: {{ printf "/opt/bitnami/apisix/secrets/%s" (include "apisix.etcd.secretPasswordKey" .context) }}
+    {{- else }}
    - name: APISIX_ETCD_PASSWORD
      valueFrom:
        secretKeyRef:
          name: {{ include "apisix.etcd.secretName" .context }}
          key: {{ include "apisix.etcd.secretPasswordKey" .context }}
    {{- end }}
+    {{- end }}
    {{- if $block.extraEnvVars }}
    {{- include "common.tplvalues.render" (dict "value" $block.extraEnvVars "context" .context) | nindent 4 }}
    {{- end }}
@@ -394,6 +418,10 @@ Init container definition for waiting for the database to be ready
    - name: empty-dir
      mountPath: /tmp
      subPath: tmp-dir
+    {{- if and .context.Values.usePasswordFiles (or (eq .component "dashboard") .context.Values.controlPlane.enabled (include "apisix.etcd.authEnabled" .)) }}
+    - name: apisix-secrets
+      mountPath: /opt/bitnami/apisix/secrets
+    {{- end }}
    {{- if $block.tls.enabled }}
    - name: certs
      mountPath: /bitnami/certs
@@ -559,6 +587,18 @@ Render configuration for the dashboard and ingress-controller components
    - |
      #!/bin/bash
      # Build final config.yaml with the sections of the different files
+    {{- if .context.Values.usePasswordFiles }}
+      {{- if .context.Values.controlPlane.enabled }}
+      export APISIX_ADMIN_API_TOKEN="$(< $APISIX_ADMIN_API_TOKEN_FILE)"
+      export APISIX_VIEWER_API_TOKEN="$(< $APISIX_VIEWER_API_TOKEN_FILE)"
+      {{- end }}
+      {{- if (include "apisix.etcd.authEnabled" .context) }}
+      export APISIX_ETCD_PASSWORD="$(< $APISIX_ETCD_PASSWORD_FILE)"
+      {{- end}}
+      {{- if eq .component "dashboard" }}
+      export APISIX_DASHBOARD_PASSWORD="$(< $APISIX_DASHBOARD_PASSWORD_FILE)"
+      {{- end }}
+    {{- end }}
      find /bitnami/apisix/conf -type f -name *.yaml -print0 | sort -z | xargs -0 yq eval-all '. as $item ireduce ({}; . * $item )' > /bitnami/apisix/rendered-conf/pre-render-config.yaml
      render-template /bitnami/apisix/rendered-conf/pre-render-config.yaml > /bitnami/apisix/rendered-conf/config.yaml
      chmod 644 /bitnami/apisix/rendered-conf/config.yaml
@@ -567,6 +607,12 @@ Render configuration for the dashboard and ingress-controller components
    - name: BITNAMI_DEBUG
      value: {{ ternary "true" "false" (or .context.Values.image.debug .context.Values.diagnosticMode.enabled) | quote }}
    {{- if .context.Values.controlPlane.enabled }}
+    {{- if .context.Values.usePasswordFiles }}
+    - name: APISIX_ADMIN_API_TOKEN_FILE
+      value: {{ printf "/opt/bitnami/apisix/secrets/%s" (include "apisix.control-plane.adminTokenKey" .context) }}
+    - name: APISIX_VIEWER_API_TOKEN_FILE
+      value: {{ printf "/opt/bitnami/apisix/secrets/%s" (include "apisix.control-plane.viewerTokenKey" .context) }}
+    {{- else }}
    - name: APISIX_ADMIN_API_TOKEN
      valueFrom:
        secretKeyRef:
@@ -578,24 +624,35 @@ Render configuration for the dashboard and ingress-controller components
          name: {{ include "apisix.control-plane.secretName" .context }}
          key: {{ include "apisix.control-plane.viewerTokenKey" .context }}
    {{- end }}
+    {{- end }}
    {{- if (include "apisix.etcd.authEnabled" .context) }}
    - name: APISIX_ETCD_USER
      value: {{ include "apisix.etcd.user" .context }}
+    {{- if .context.Values.usePasswordFiles }}
+    - name: APISIX_ETCD_PASSWORD_FILE
+      value: {{ printf "/opt/bitnami/apisix/secrets/%s" (include "apisix.etcd.secretPasswordKey" .context) }}
+    {{- else }}
    - name: APISIX_ETCD_PASSWORD
      valueFrom:
        secretKeyRef:
          name: {{ include "apisix.etcd.secretName" .context }}
          key: {{ include "apisix.etcd.secretPasswordKey" .context }}
    {{- end }}
+    {{- end }}
    {{- if eq .component "dashboard" }}
    - name: APISIX_DASHBOARD_USER
      value: {{ $block.username | quote }}
+    {{- if .context.Values.usePasswordFiles }}
+    - name: APISIX_DASHBOARD_PASSWORD_FILE
+      value: {{ printf "/opt/bitnami/apisix/secrets/%s" (include "apisix.dashboard.secretPasswordKey" .context) }}
+    {{- else }}
    - name: APISIX_DASHBOARD_PASSWORD
      valueFrom:
        secretKeyRef:
          name: {{ include "apisix.dashboard.secretName" .context }}
          key: {{ include "apisix.dashboard.secretPasswordKey" .context }}
    {{- end }}
+    {{- end }}
    {{- if $block.extraEnvVars }}
    {{- include "common.tplvalues.render" (dict "value" $block.extraEnvVars "context" $) | nindent 4 }}
    {{- end }}
@@ -614,6 +671,10 @@ Render configuration for the dashboard and ingress-controller components
      subPath: app-conf-dir
    - name: config
      mountPath: /bitnami/apisix/conf/00_default
+    {{- if and .context.Values.usePasswordFiles (or (eq .component "dashboard") .context.Values.controlPlane.enabled (include "apisix.etcd.authEnabled" .)) }}
+    - name: apisix-secrets
+      mountPath: /opt/bitnami/apisix/secrets
+    {{- end }}
    {{- if or $block.extraConfig $block.extraConfigExistingConfigMap }}
    - name: extra-config
      mountPath: /bitnami/apisix/conf/01_extra
--- a/bitnami/apisix/templates/control-plane/dep-ds.yaml
+++ b/bitnami/apisix/templates/control-plane/dep-ds.yaml
@@ -192,6 +192,17 @@ spec:
        - name: config
          configMap:
            name: {{ include "apisix.control-plane.defaultConfigmapName" . }}
+        {{- if .Values.usePasswordFiles }}
+        - name: apisix-secrets
+          projected:
+            sources:
+              - secret:
+                  name: {{ include "apisix.control-plane.secretName" . }}
+              {{- if (include "apisix.etcd.authEnabled" .) }}
+              - secret:
+                  name:  {{ include "apisix.etcd.secretName" . }}
+              {{- end }}
+        {{- end }}
        {{- if or .Values.controlPlane.extraConfig .Values.controlPlane.extraConfigExistingConfigMap }}
        - name: extra-config
          configMap:
--- a/bitnami/apisix/templates/dashboard/deployment.yaml
+++ b/bitnami/apisix/templates/dashboard/deployment.yaml
@@ -181,6 +181,21 @@ spec:
        - name: config
          configMap:
            name: {{ include "apisix.dashboard.defaultConfigmapName" . }}
+        {{- if .Values.usePasswordFiles }}
+        - name: apisix-secrets
+          projected:
+            sources:
+              - secret:
+                  name:  {{ include "apisix.dashboard.secretName" . }}
+              {{- if (include "apisix.etcd.authEnabled" .) }}
+              - secret:
+                  name:  {{ include "apisix.etcd.secretName" . }}
+              {{- end }}
+              {{- if .Values.controlPlane.enabled }}
+              - secret:
+                  name: {{ include "apisix.control-plane.secretName" . }}
+              {{- end }}
+        {{- end }}
        {{- if or .Values.dashboard.extraConfig .Values.dashboard.extraConfigExistingConfigMap }}
        - name: extra-config
          configMap:
--- a/bitnami/apisix/templates/data-plane/dep-ds.yaml
+++ b/bitnami/apisix/templates/data-plane/dep-ds.yaml
@@ -196,6 +196,19 @@ spec:
        {{- include "common.tplvalues.render" ( dict "value" .Values.dataPlane.sidecars "context" $) | nindent 8 }}
        {{- end }}
      volumes:
+        {{- if and .Values.usePasswordFiles (or .Values.controlPlane.enabled (include "apisix.etcd.authEnabled" .)) }}
+        - name: apisix-secrets
+          projected:
+            sources:
+              {{- if (include "apisix.etcd.authEnabled" .) }}
+              - secret:
+                  name:  {{ include "apisix.etcd.secretName" . }}
+              {{- end }}
+              {{- if .Values.controlPlane.enabled }}
+              - secret:
+                  name: {{ include "apisix.control-plane.secretName" . }}
+              {{- end }}
+        {{- end }}
        - name: config
          configMap:
            name: {{ include "apisix.data-plane.defaultConfigmapName" . }}
--- a/bitnami/apisix/templates/ingress-controller/deployment.yaml
+++ b/bitnami/apisix/templates/ingress-controller/deployment.yaml
@@ -187,6 +187,19 @@ spec:
        - name: config
          configMap:
            name: {{ include "apisix.ingress-controller.defaultConfigmapName" . }}
+        {{- if and .Values.usePasswordFiles (or .Values.controlPlane.enabled (include "apisix.etcd.authEnabled" .)) }}
+        - name: apisix-secrets
+          projected:
+            sources:
+              {{- if (include "apisix.etcd.authEnabled" .) }}
+              - secret:
+                  name:  {{ include "apisix.etcd.secretName" . }}
+              {{- end }}
+              {{- if .Values.controlPlane.enabled }}
+              - secret:
+                  name: {{ include "apisix.control-plane.secretName" . }}
+              {{- end }}
+        {{- end }}
        {{- if or .Values.ingressController.extraConfig .Values.ingressController.extraConfigExistingConfigMap }}
        - name: extra-config
          configMap:
--- a/bitnami/apisix/values.yaml
+++ b/bitnami/apisix/values.yaml
@@ -65,6 +65,9 @@ clusterDomain: cluster.local
 ## @param extraDeploy Array of extra objects to deploy with the release
 ##
 extraDeploy: []
+## @param usePasswordFiles Mount credentials as files instead of using environment variables
+##
+usePasswordFiles: true
 ## Enable diagnostic mode in the deployment
 ##
 diagnosticMode:
@@ -1845,7 +1848,7 @@ dashboard:
      - ai
      - cas-auth
      - multi-auth
-      
+
  ## @param dashboard.extraConfig extra configuration settings for APISIX Dashboard
  ##
  extraConfig: {}