Koenkk / zigbee2mqtt-chart

Helm Chart for Zigbee2MQTT

Add secrets volume #3

Open pmarques opened 4 months ago

pmarques commented 4 months ago

Description

Add support to mount a Kubernetes secret in the pod with path /app/data/secret.yaml to support Advanced Configuration

Details

This is useful to configure secrets outside the chart which can be referenced in the zigbee configuration. For instance, to configure Front end OAuth Token we can:

  1. Create the secret

    kubectl create secret generic zigbee2mqtt-secrets --from-file=secret.yaml=<(echo "auth_token: your-secret-token")

  2. Configure chart

    statefulset:
      secrets:
        name: zigbee2mqtt-secrets

    zigbee2mqtt:
      frontend:
        auth_token: '!secret.yaml auth_token'

pmarques commented 4 months ago

@jlpedrosa let me know if this is something of interest.

jlpedrosa commented 4 months ago

Hey @pmarques Secrets is a dynamic file that mqtt is going to be updating dynamically no? If I recall correctly, Secrets and Configmaps when mounted as file system are read-only no?

pmarques commented 4 months ago

I'm currently using secrets for a few things and it is definitely true that they will be read only. The web interface supports configuration of most parameters and this is still a constraint. As an example, I'm using it for auth_token, mqtt_password, network_key, ext_pan_id, and pan_id. The server will try to write the last 3 if not set during the first start and tbh I don't have any suggestions but I believe it is the same limitation as using the config map. In my case I just used the values from an already running Zigbee Network.

Said that, I just added the secret as optional, and at the moment it is up to us to use it properly which is arguably far from perfect.
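
The read-only constraint discussed above can be checked before deploying. This is an added example, not code from the PR or the chart: it lists every `!secret.yaml <key>` reference in a configuration that the mounted secret file does not supply with a value. The configuration layout, the sample values, and the choice to treat an empty value as unset are assumptions made for illustration.

```python
import re

# Reference form shown in the PR description: '!secret.yaml auth_token'
REF = re.compile(r"""^\s*([\w.-]+):\s*['"]?!(\S+\.yaml)\s+([\w.-]+)['"]?\s*$""")
# Top-level "key: value" line of a flat secret file
ENTRY = re.compile(r"^([A-Za-z_][\w.-]*):\s*(\S.*)?$")

def secret_keys(secret_text):
    """Keys of a flat secret.yaml that carry a non-empty value."""
    keys = set()
    for line in secret_text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(2) and not m.group(2).startswith("#"):
            keys.add(m.group(1))
    return keys

def missing_refs(config_text, secrets_by_file):
    """List (setting, file, key) for each reference the secret files cannot satisfy."""
    missing = []
    for line in config_text.splitlines():
        m = REF.match(line)
        if m and m.group(3) not in secrets_by_file.get(m.group(2), set()):
            missing.append(m.groups())
    return missing

# Constructed sample data: configuration layout and values are illustrative only.
SAMPLE_CONFIG = """\
frontend:
  auth_token: '!secret.yaml auth_token'
mqtt:
  password: '!secret.yaml mqtt_password'
advanced:
  network_key: '!secret.yaml network_key'
  pan_id: '!secret.yaml pan_id'
  ext_pan_id: '!secret.yaml ext_pan_id'
"""
SAMPLE_SECRET = """\
auth_token: constructed-token
mqtt_password: constructed-password
network_key: [1, 3, 5, 7, 9, 11, 13, 15, 0, 2, 4, 6, 8, 10, 12, 13]
pan_id:
"""

if __name__ == "__main__":
    found = {"secret.yaml": secret_keys(SAMPLE_SECRET)}
    for setting, fname, key in missing_refs(SAMPLE_CONFIG, found):
        print(f"{setting}: '{key}' is not set in {fname}")
```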

Koenkk commented 4 months ago

@jlpedrosa feel free to merge if OK

jlpedrosa commented 4 months ago

@pmarques If I understood you correctly, what you're saying is that it is possible to configure all the values of secrets manually and Z2M won't try to upgrade it, right?

pmarques commented 4 months ago

> is possible to configure all the values of secrets manually and Z2M won't try to upgrade it right?

Indeed, if the values are configured it works / starts fine. That's how I migrated mine from a standalone rpi into the cluster.

jlpedrosa commented 1 month ago

Humm @pmarques this looks like the right direction to me. Do you think you could make an update to regenerate the docs? Also, I don't know if you could make the "API" (helm values) so it's not possible to specify both? I think due to the early stages is fine if we break the API.

pmarques commented 1 month ago

> Also, I don't know if you could make the "API" (helm values) so it's not possible to specify both? I think due to the early stages is fine if we break the API.

This change is just to allow us to pass secrets and mount them as a file which we can reference. @jlpedrosa I'm not sure what you mean by so it's not possible to specify both in this case.

Which tool did you use to generate the doc?

jlpedrosa commented 1 month ago

@pmarques let me create a PR to add the doc generation tools.

jlpedrosa commented 1 month ago

Hi! I added https://github.com/Koenkk/zigbee2mqtt-chart/pull/6, as soon as it gets merged you can merge it here or rebase from master and regenerate tocs.

pmarques commented 1 month ago

@jlpedrosa Updated with the docs (and force pushed)

I also had to remove one of the README files since on case-insensitive filesystems git was really confused. I left the one introduced in #6

    on a case-insensitive filesystem) and only one from the same
    colliding group is in the working tree:

      'README.MD'
      'README.md'

jlpedrosa commented 2 weeks ago

hey @pmarques could you rebase/fix so it can be merged? Thanks!

pmarques commented 2 weeks ago

@jlpedrosa done

Koenkk commented 2 weeks ago

@jlpedrosa feel free to merge if OK