eldada · hagzag · Apr 5, 2021 · Apr 6, 2021 · Apr 7, 2021 · eldada
diff --git a/README.md b/README.md
@@ -1,14 +1,18 @@
 # Postfix relay running in Kubernetes
-This repository has an example of a postfix relay running in Kubernetes using a helm chart.
 
+This repository has an example of a postfix relay running in Kubernetes using a helm chart.
 ## Build Docker image
+
 You can build the Docker image locally
+
 ```bash
 docker build -t eldada-docker-examples.bintray.io/postfix-relay:0.6 Docker/
 ```
 
 ## Run locally with Docker
+
 Run the postfix relay locally for testing
+
 ```bash
 # Need to set SMTP connection details
 export SMTP="[smtp.mailgun.org]:587"
@@ -32,12 +36,15 @@ docker run --rm -d --name postfix-relay -p 2525:25 \
 ```
 
 ### Test sending mail
+
 1. Connect to running container on port 2525
+
 ```bash
 telnet localhost 2525
 ```
 
-2. Edit the following with your details and paste in your terminal
+1. Edit the following with your details and paste in your terminal
+
 ```bash
 helo localhost
 mail from: noreply@yourhost.com
@@ -49,7 +56,8 @@ The true story of swans singing Pink Floyd.
 quit
 ```
 
-3. You should see the following
+1. You should see the following:
+
 ```bash
 220 tx-smtp-relay.yourhost.com ESMTP Postfix
 helo localhost
@@ -68,14 +76,14 @@ quit
 221 2.0.0 Bye
 Connection closed by foreign host
 ```
-
 4. Check the inbox of `you@your.co` and see you got the email.
 
-
 ## Deploy Helm Chart
+
 The Helm Chart in [helm/postfix](helm/postfix) directory can be used to deploy the postfix-relay into your Kubernetes cluster.
 
 The Chart will deploy 2 pods (for high availability), load balanced with a service, exposing port 25.
+
 ```bash
 # Need to set SMTP connection details
 export SMTP="[smtp.mailgun.org]:587"
@@ -89,8 +97,41 @@ helm upgrade --install postfix-relay \
         --set smtp.relayPassword=${PASSWORD} \ 
         helm/postfix
 
+```
+
+## Chart Options for Managing Secrets
+
+1. Use existing secret:
+
+Use Other options such as [kubernetes external secrets](https://github.com/external-secrets/kubernetes-external-secrets) (see below) or [sealedSecrets](https://github.com/bitnami-labs/sealed-secrets)
+create the smtp password kubernetes secret then just reference it.
+
+```bash
+helm upgrade --install postfix-relay \
+        --set smtp.relayHost=${SMTP} \
+        --set smtp.relayMyhostname=my.local \
+        --set smtp.relayUsername=${USERNAME} \
+        --set smtp.relayPassword=${PASSWORD} \ 
+        --set useExistingSecret=true \
+        --set existingSecretName=postfix \
+        helm/postfix
+```
+
+            1. Use [kubernetes external secrets](https://github.com/external-secrets/kubernetes-external-secrets/blob/master/charts/kubernetes-external-secrets/crds/kubernetes-client.io_externalsecrets_crd.yaml)
+
+- have the chart generate the smtp-password from `externalSecrets` in this case you should update your backend secret to have the required key named `tx-smtp-relay-password` with your SMTP password so it can be set into the postfix config at runtime.
 
+```bash
+helm upgrade --install postfix-relay \
+        --set smtp.relayHost=${SMTP} \
+        --set smtp.relayMyhostname=my.local \
+        --set smtp.relayUsername=${USERNAME} \
+        --set useExternalSecrets=true \
+        --set ExternalSecretsBackendType=secretsManager \
+        --set ExternalSecretsKey=infra/postfix \
+        helm/postfix
 ```
 
 ## Thanks
+
 This work is based on examples from https://github.com/applariat/kubernetes-postfix-relay-host 
diff --git a/helm/postfix/Chart.yaml b/helm/postfix/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-version: 0.1.5
+version: 0.1.6
 appVersion: 0.5
 description: A Helm chart for a highly available postfix relay in Kubernetes
 name: postfix

diff --git a/helm/postfix/templates/deployment.yaml b/helm/postfix/templates/deployment.yaml
@@ -45,16 +45,20 @@ spec:
             configMapKeyRef:
               name: {{ template "postfix.fullname" . }}
               key: tx-smtp-relay-username
-        - name: TX_SMTP_RELAY_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "postfix.fullname" . }}
-              key: tx-smtp-relay-password
         - name: POSTFIX_CUSTOM_CONFIG
           valueFrom:
             configMapKeyRef:
               name: {{ template "postfix.fullname" . }}
               key: postfix-custom-config
+        - name: TX_SMTP_RELAY_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              {{- if .Values.useExistingSecret }}
+              name: {{ .Values.existingSecretName }}
+              {{- else }}
+              name: {{ template "postfix.fullname" . }}-secret
+              {{- end }}
+              key: tx-smtp-relay-password
         ports:
           - name: smtp
             containerPort: 25

diff --git a/helm/postfix/templates/external-secret.yaml b/helm/postfix/templates/external-secret.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.externalSecret.enabled }}
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ template "postfix.fullname" . }}-secret
+spec:
+  backendType: {{ .Values.externalSecret.secretsBackendType }}
+  dataFrom:
+  - {{ .Values.externalSecret.secretsKey }}
+{{- end -}}
diff --git a/helm/postfix/templates/secret.yaml b/helm/postfix/templates/secret.yaml
@@ -1,7 +1,8 @@
+{{- if and ( not .Values.externalSecret.enabled ) (not .Values.useExistingSecret)  }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ template "postfix.fullname" . }}
+  name: {{ template "postfix.fullname" . }}-secret
   labels:
     app: {{ template "postfix.name" . }}
     chart: {{ template "postfix.chart" . }}
@@ -10,3 +11,4 @@ metadata:
 type: Opaque
 data:
   tx-smtp-relay-password: {{ .Values.smtp.relayPassword | b64enc }}
+{{- end -}}
diff --git a/helm/postfix/values.yaml b/helm/postfix/values.yaml
@@ -45,13 +45,25 @@ service:
 # SMTP server details
 # Used by postfix to connect to SMTP server
 smtp:
+
+  existingSecretName: postfix
   # Example with mailgun
   relayHost: "[smtp.mailgun.org]:587"
   relayMyhostname: my.host.local
   relayUsername: relayuser
   relayPassword: relaypassword
   relayNetworks: '10.0.0.0/8,127.0.0.0/8,172.17.0.0/16,192.0.0.0/8'
 
+externalSecret:
+  enabled: false
+  secretsBackendType: secretsManager
+  secretsKey: infra/postfix
+
+# Use Externaly manages secrets
+useExistingSecret: false
+existingSecretName: postfix
+
+
 # Optional extra configuration to add or edit in /etc/postfix/main.cf
 # A single string with key=value separated by a semicolon char (;)
 # Example: postfixCustomConfig: "key1 = value1; key2 = value2; key3 = value3"