Secrets consistency for the chart

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Secrets consistency for the chart. Bugfixing [#1016](https://github.com/grafana/oncall/pull/1016)
 - Make it possible to completely delete a rotation oncall ([#1505](https://github.com/grafana/oncall/issues/1505))
 - Polish rotation modal form oncall ([#1506](https://github.com/grafana/oncall/issues/1506))
 - Quick actions when editing a schedule oncall ([#1507](https://github.com/grafana/oncall/issues/1507))

helm/oncall/README.md

@@ -86,6 +86,112 @@ helm upgrade \
     grafana/oncall
 ```
 
+### Passwords and external secrets
+
+As OnCall subcharts are Bitname charts, there is a common approach to secrets. Bundled charts allow specifying passwords
+in values.yaml explicitly or as K8s secret value. OnCall chart refers either to secret created in sub-chart or
+to specified external secret.
+Similarly, if component chart is disabled, the password(s) can be supplied in `external<Component>` value
+(e.g. externalMysql) explicitly or as K8s secret value. In the first case, the secret is created with the specified
+value. In the second case the external secret is used.
+
+- If `<subchart>.auth.existingSecret` is non-empty, then this secret is used. Secret keys are pre-defined by chart.
+- If subchart supports password files and `<subchart>.customPasswordFiles` dictionary is non-empty, then password files
+  are used. Dictionary keys are pre-defined per sub-chart. Password files are not supported by OnCall chart and should
+  not be used with bundled sub-charts.
+- Passwords are specified via `auth` section values, e.g. `auth.password`. K8s secret is created.
+  - If `<subchart>.auth.forcePassword` is `true`, then passwords MUST be specified. Otherwise, missing passwords
+  are generated.
+
+If external component is used instead of the bundled one:
+
+- If existingSecret within appropriate external component values is non-empty (e.g. `externalMysql.existingSecret`) then
+  it is used together with corresponding key names, e.g. `externalMysql.passwordKey`.
+- Otherwise, corresponding password values are used, e.g. `externalMysql.password`. K8s secret is created by OnCall chart.
+
+Below is the summary for the dependent charts.
+
+MySQL/MariaDB:
+
+```yaml
+database:
+  type: "mysql" # This is default
+mariaDB:
+  enabled: true # Default
+  auth:
+    existingSecret: ""
+    forcePassword: false
+    # Secret name: `<release>-mariadb`
+    rootPassword: "" # Secret key: mariadb-root-password
+    password: "" # Secret key: mariadb-password
+    replicationPassword: "" # Secret key: mariadb-replication-password
+externalMysql:
+  password: ""
+  existingSecret: ""
+  passwordKey: ""
+```
+
+Postgres:
+
+```yaml
+database:
+  type: postgresql
+mariadb:
+  enabled: false # Must be set to false for Postgres
+postgresql:
+  enabled: true # Must be set to true for bundled Postgres
+  auth:
+    existingSecret: ""
+    secretKeys:
+      adminPasswordKey: ""
+      userPasswordKey: "" # Not needed
+      replicationPasswordKey: "" # Not needed with disabled replication
+    # Secret name: `<release>-postgresql`
+    postgresPassword: "" # password for admin user postgres. As non-admin user is not created, only this one is relevant.
+    password: "" # Not needed
+    replicationPassword: "" # Not needed with disabled replication
+externalPostgresql:
+  user: ""
+  password: ""
+  existingSecret: ""
+  passwordKey: ""
+```
+
+Rabbitmq:
+
+```yaml
+rabbitmq:
+  enabled: true
+  auth:
+    existingPasswordSecret: "" # Must contain `rabbitmq-password` key
+    existingErlangSecret: "" # Must contain `rabbitmq-erlang-cookie` key
+    # Secret name: `<release>-rabbitmq`
+    password: ""
+    erlangCookie: ""
+externalRabbitmq:
+  user: ""
+  password: ""
+  existingSecret: ""
+  passwordKey: ""
+  usernameKey: ""
+```
+
+Redis:
+
+```yaml
+redis:
+  enabled: true
+  auth:
+    existingSecret: ""
+    existingSecretPasswordKey: ""
+    # Secret name: `<release>-redis`
+    password: ""
+externalRedis:
+  password: ""
+  existingSecret: ""
+  passwordKey: ""
+```
+
 ### Set up Slack and Telegram
 
 You can set up Slack connection via following variables: