Remove pkcs configuration from plex chart

0cf46c64 · Waqar Ahmed · 769b45d4 · 769b45d4 · 769b45d4 · 0cf46c64
Commit 0cf46c64 authored Dec 07, 2020 by Waqar Ahmed
6 changed files
--- a/test/plex/2.1.0/configs/42-pkcs-mangler
+++ b/test/plex/2.1.0/configs/42-pkcs-mangler
-#!/usr/bin/with-contenv bash
-
-# This file contains part of the official PLEX 40-plex-first-run
-# Here: https://github.com/plexinc/pms-docker/blob/master/root/etc/cont-init.d/40-plex-first-run
-# It should live in /etc/cont-init.d/
-
-# If we are debugging, enable trace
-if [ "${DEBUG,,}" = "true" ]; then
-  set -x
-fi
-
-function setPref {
-  local key="$1"
-  local value="$2"
-
-  count="$(xmlstarlet sel -t -v "count(/Preferences/@${key})" "${prefFile}")"
-  count=$(($count + 0))
-  if [[ $count > 0 ]]; then
-    xmlstarlet ed --inplace --update "/Preferences/@${key}" -v "${value}" "${prefFile}"
-  else
-    xmlstarlet ed --inplace --insert "/Preferences"  --type attr -n "${key}" -v "${value}" "${prefFile}"
-  fi
-}
-
-home="$(echo ~plex)"
-pmsApplicationSupportDir="${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR:-${home}/Library/Application Support}"
-prefFile="${pmsApplicationSupportDir}/Plex Media Server/Preferences.xml"
-
-# If PKCSMANGLER__PFXINCONTAINERPATH is set, then assume we want to move the PFX Cert to that location
-if [ ! -z "${PKCSMANGLER_PFXINCONTAINERPATH}" ]; then
-  # If it ends up a problem, we may need to set some kind of "don't replace existing PFX cert"
-  cp -f /shared/cert.pfx "${PKCSMANGLER_PFXINCONTAINERPATH}"
-  # If PKCSMANGLER__CUSTOMCERTDOMAIN is set, then assume we want to set the PLEX Preference customCertificatePath because we enabled setting PLEX Preferences
-  if [ ! -z "${PKCSMANGLER_CUSTOMCERTDOMAIN}" ]; then
-    setPref "customCertificatePath" "${PKCSMANGLER_PFXINCONTAINERPATH}"
-  fi
-fi
-
-# If PKCSMANGLER_PFXPASSWORD is set, then assume we want to set the PLEX Preference customCertificateKey
-if [ ! -z "${PKCSMANGLER_PFXPASSWORD}" ]; then
-  setPref "customCertificateKey" "${PKCSMANGLER_PFXPASSWORD}"
-fi
-
-# If PKCSMANGLER__CUSTOMCERTDOMAIN is set, then assume we want to set the PLEX Preference customCertificateDomain
-if [ ! -z "${PKCSMANGLER_CUSTOMCERTDOMAIN}" ]; then
-  PreferenceValue=${PKCSMANGLER_CUSTOMCERTDOMAIN#*=}
-  PreferenceKey=${PKCSMANGLER_CUSTOMCERTDOMAIN%=*}
-  setPref $PreferenceKey $PreferenceValue
-fi
-
-# touch /.firstRunComplete
-# echo "Plex Media Server first run setup complete"
-echo "PKCS Mangler run complete"
\ No newline at end of file
--- a/test/plex/2.1.0/templates/configmap.yaml
+++ b/test/plex/2.1.0/templates/configmap.yaml
-{{- if .Values.plexPreferences.enabled -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Values.plexPreferences.configmap.name }}
-  labels:
-    {{- include "plex.labels" . | nindent 4 }}
-{{- if .Values.plexPreferences.configmap.labels }}
-{{ toYaml .Values.plexPreferences.configmap.labels | indent 4 }}
-{{- end }}
-{{- with .Values.plexPreferences.configmap.annotations }}
-  annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-
-data:
-# At some point figure out how to use a value/Variable here to be able to specify
-# a different file or something.
-{{ (tpl (.Files.Glob "configs/41-plex-preferences").AsConfig . ) | indent 2 }}
-{{- end -}}
-
-{{- if .Values.certificate.pkcsMangler.enabled }}
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ .Values.certificate.pkcsMangler.configmap.name }}
-  labels:
-    {{- include "plex.labels" . | nindent 4 }}
-{{- if .Values.certificate.pkcsMangler.configmap.labels }}
-{{ toYaml .Values.certificate.pkcsMangler.configmap.labels | indent 4 }}
-{{- end }}
-{{- with .Values.certificate.pkcsMangler.configmap.annotations }}
-  annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-
-data:
-# At some point figure out how to use a value/Variable here to be able to specify
-# a different file or something.
-{{ (tpl (.Files.Glob "configs/42-pkcs-mangler").AsConfig . ) | indent 2 }}
-{{- end -}}
\ No newline at end of file
--- a/test/plex/2.1.0/templates/deployment.yaml
+++ b/test/plex/2.1.0/templates/deployment.yaml
@@ -257,24 +257,4 @@ spec:
          name: {{ .Values.plexPreferences.configmap.name }}
          defaultMode: {{ .Values.plexPreferences.volume.defaultMode }}
      {{- end }}
-      {{- if .Values.certificate.pkcsMangler.enabled }}
-      - name: {{ .Values.certificate.pkcsMangler.volume.name }}
-        configMap:
-          name: {{ .Values.certificate.pkcsMangler.configmap.name }}
-          defaultMode: {{ .Values.certificate.pkcsMangler.volume.defaultMode }}
-      - name: {{ .Values.certificate.pkcsMangler.certificateSecret.volume.name }}
-        secret:
-          secretName: {{ .Values.certificate.pkcsMangler.certificateSecret.name }}
-      {{- end }}
-      {{- if .Values.logging.promtail.enabled }}
-      - name: promtail-config
-        projected:
-          defaultMode: 0444
-          sources:
-          - configMap:
-              name: {{ template "plex.fullname" . }}-promtail
-              items:
-                - key: promtail.yaml
-                  path: promtail.yaml
-      {{- end }}
 ##### VOLUMES END #####
--- a/test/plex/2.1.0/templates/promtail-configmap.yaml
+++ b/test/plex/2.1.0/templates/promtail-configmap.yaml
-{{- if .Values.logging.promtail.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ template "plex.fullname" . }}-promtail
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "plex.name" . }}
-    helm.sh/chart: {{ include "plex.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-data:
-  promtail.yaml: |
-    server:
-      http_listen_port: 9080
-      grpc_listen_port: 0
-    positions:
-      filename: /tmp/positions.yaml
-    clients:
-    - url: {{ .Values.logging.promtail.loki.url }}
-    scrape_configs:
-    - job_name: plex-logs
-      static_configs:
-      - targets:
-          - localhost
-        labels:
-          job: plex-logs
-          __path__: "/plex-logs/*.log"
-    - job_name: plex-plugin-logs
-      static_configs:
-      - targets:
-          - localhost
-        labels:
-          job: plex-plugin-logs
-          __path__: "/plex-logs/PMS Plugin Logs/*.log"
-{{- end }}
--- a/test/plex/2.1.0/templates/secrets.yaml
+++ b/test/plex/2.1.0/templates/secrets.yaml
-{{- if .Values.certificate.pkcsMangler.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.certificate.pkcsMangler.pfxPassword.secretName }}
-  labels:
-    {{- include "plex.labels" . | nindent 4 }}
-{{- if .Values.certificate.pkcsMangler.pfxPassword.labels }}
-{{ toYaml .Values.certificate.pkcsMangler.pfxPassword.labels | indent 4 }}
-{{- end }}
-{{- with .Values.certificate.pkcsMangler.pfxPassword.annotations }}
-  annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-type: Opaque
-stringData:
-  {{ .Values.certificate.pkcsMangler.pfxPassword.passwordKey }}: {{ .Values.certificate.pkcsMangler.pfxPassword.value }}
-{{- end -}}
\ No newline at end of file
--- a/test/plex/2.1.0/values.yaml
+++ b/test/plex/2.1.0/values.yaml
@@ -220,61 +220,6 @@ persistence:
    # Access mode for this volume
    accessMode: ReadWriteOnce

-# Certificate(s) in Plex
-certificate:
-  # Assuming you have a kubernetes certificate secret (say from cert-manager) that has a tls.crt and tls.key but NO PFX!
-  # pkcsMangler to the rescue. The pkcsMangler part will add the supplied pfxPassword to a kubernetes secret
-  # This is so it's not in the clear in the YAML of the deployment in the kubernetes api.
-  # We will then use an OpenSSL init container to create a pfx file using the supplied secret (only available in container)
-  # Then we will use an init script (via configMap) to move the pfx file out of /shared (it's temporary storage) to
-  # the location specified in pfxInContainerPath.
-  pkcsMangler:
-    enabled: false
-    # The Image to use for pkcsMangler
-    image:
-      repository: tlsprint/openssl
-      tag: 1.1.1f
-    configmap:
-      labels: {}
-      annotations: {}
-      # Right now you can't really change this, additionally the configmap data is
-      # not configurable.
-      name: 42-pkcs-mangler
-    volume:
-      name: 42-pkcs-mangler
-      defaultMode: 493  # 0755 in octal permission notation
-      # Using mountPath & SubPath allow you to volume mount a configMap AS A FILE
-      # Unfortunately this also means that updates to the configMap are not automtically
-      # propagated to the file contents. But it's better then replacing the entire
-      # /etc/cont-init.d/ directory which is the "normal" behavior when doing volume
-      # mounts.
-      mountPath: /etc/cont-init.d/42-pkcs-mangler
-      subPath: 42-pkcs-mangler
-    setPlexPreferences:
-      enabled: true  # Set Plex Preferences related to Certificates
-      customCertificateDomain: ""  # If not empty, Set the Plex Preference customCertificateDomain
-      # Use spec.certificate.pkcsMangler.pfxPassword.value to Set the Plex Preference customCertificateKey
-      # Use spec.certificate.pkcsMangler.pfxInContainerPath to Set the Plex Preference customCertificatePath
-    pfxPassword:
-      value: "setpassword"
-      # We wlll create a Kubernetes Secret for spec.certificate.pkcsMangler.pfxPassword.value
-      # These are your options.
-      secretName: "plex-media-server-pfx-password"
-      passwordKey: "pfx-password"
-      labels: {}
-      annotations: {}
-    pfxInContainerPath: "/config/plex.pfx"  # This is full path in the container pkcsMangler will copy the pfx file to
-    # This is the SSL Certificate Secret that will provide our crt and key file.  If you used cert-manager to create
-    # the certificate, these defaults should work for you.  This Secret (and volume details) are only used by the
-    # pkcsMangler Init Container.
-    certificateSecret:
-      name: ""
-      keyName: "tls.key"
-      crtName: "tls.crt"
-      volume:
-        name: plex-certs
-        mountPath: /etc/plex-certs
-
 # Probes configuration
 probes:
  liveness:
@@ -288,28 +233,6 @@ probes:
    failureThreshold: 30
    periodSeconds: 10

-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-podAnnotations: {}
-
-deploymentAnnotations: {}
-
 proxy:
  # This allows to set a proxy environment variable, which PMS uses to fetch the token and assets like movie cover
  enabled: false