fix api variables

Author: Anadris

charts/bunkerweb/templates/api-deployment.yaml

@@ -48,40 +48,39 @@ spec:
               {{- else }}
               value: "{{ include "bunkerweb.databaseUri" . }}"
               {{- end }}
+            {{- if or (and .Values.settings.api.useBearerToken.fromExistingSecret (not (empty .Values.settings.existingSecret))) (and (not .Values.settings.api.useBearerToken.fromExistingSecret) (not (empty .Values.settings.api.useBearerToken.token))) }}
             - name: API_TOKEN
-              {{- if not (empty .Values.settings.existingSecret) }}
+              {{- if and .Values.settings.api.useBearerToken.fromExistingSecret (not (empty .Values.settings.existingSecret)) }}
               valueFrom:
                 secretKeyRef:
                   name: "{{ .Values.settings.existingSecret }}"
                   key: api-token
               {{- else }}
-              value: "{{ .Values.settings.api.apiToken }}"
+              value: "{{ .Values.settings.api.useBearerToken.token }}"
               {{- end }}
+            {{- end }}
+            {{- if or (and .Values.settings.api.useUserPass.fromExistingSecret (not (empty .Values.settings.existingSecret))) (and (not .Values.settings.api.useUserPass.fromExistingSecret) (not (empty .Values.settings.api.useUserPass.apiUsername)) (not (empty .Values.settings.api.useUserPass.apiPassword))) }}
             - name: API_USERNAME
-              {{- if not (empty .Values.settings.existingSecret) }}
+              {{- if and .Values.settings.api.useUserPass.fromExistingSecret (not (empty .Values.settings.existingSecret)) }}
               valueFrom:
                 secretKeyRef:
                   name: "{{ .Values.settings.existingSecret }}"
                   key: api-username
               {{- else }}
-              value: "{{ .Values.settings.api.apiUsername }}"
+              value: "{{ .Values.settings.api.useUserPass.apiUsername }}"
               {{- end }}
             - name: API_PASSWORD
-              {{- if not (empty .Values.settings.existingSecret) }}
+              {{- if and .Values.settings.api.useUserPass.fromExistingSecret (not (empty .Values.settings.existingSecret)) }}
               valueFrom:
                 secretKeyRef:
                   name: "{{ .Values.settings.existingSecret }}"
                   key: api-password
               {{- else }}
-              value: "{{ .Values.settings.api.apiPassword }}"
+              value: "{{ .Values.settings.api.useUserPass.apiPassword }}"
               {{- end }}
+            {{- end }}
+              {{- if not (empty .Values.settings.api.apiAclBootstrapFile) }}
             - name: API_ACL_BOOTSTRAP_FILE
-              {{- if not (empty .Values.settings.existingSecret) }}
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Values.settings.existingSecret }}"
-                  key: api-acl-json-file-path
-              {{- else }}
               value: "{{ .Values.settings.api.apiAclBootstrapFile }}"
               {{- end }}
             - name: API_WHITELIST_ENABLED

charts/bunkerweb/values.yaml

@@ -53,6 +53,7 @@ settings:
   #   - totp-secrets      : TOTP secrets for 2FA
   #   - mariadb-user      : MariaDB username
   #   - mariadb-password  : MariaDB password
+  #   - pro-license-key   : BunkerWeb Pro license key
   #   - api-token         : API Bearer token
   #   - api-username      : API username, also require api-password
   #   - api-password      : API password, also require api-username
@@ -147,13 +148,20 @@ settings:
   api:
     # Authentication settings
     # https://docs.bunkerweb.io/latest/api/#authentication
+    # Choose at least one method of authentication
     # API Bearer Token
-    # Leave Empty if using settings.existingSecret
-    apiToken: ""
-    # OR/AND API Username and Password
-    # Leave Empty if using settings.existingSecret
-    apiUsername: ""
-    apiPassword: ""
+    useBearerToken:
+      # If enable, it will use settings.existingSecret
+      fromExistingSecret: false
+      # If not using existingSecret, set the token here
+      token: ""
+    # Username and Password
+    useUserPass:
+      # If enable, it will use settings.existingSecret
+      fromExistingSecret: false
+      # If not using existingSecret, set the credentials here
+      apiUsername: ""
+      apiPassword: ""
     # OR/AND ConfigMap name that includes ACL based JSON File
     # https://docs.bunkerweb.io/latest/api/#permissions-acl
     apiAclBootstrapFile: ""

docs/values.md

@@ -613,16 +613,15 @@ Configuration for BunkerWeb behavior in Kubernetes environment
 | `settings.redis` | Configuration for redis | `object` | See nested values |
 | `settings.ui` | Configuration for ui | `object` | See nested values |
 | `settings.api.apiAclBootstrapFile` | OR/AND ConfigMap name that includes ACL based JSON File https://docs.bunkerweb.io/latest/api/#permis... | `string` | `""` |
-| `settings.api.apiPassword` | Configuration for apiPassword | `string` | `""` |
-| `settings.api.apiToken` | Authentication settings https://docs.bunkerweb.io/latest/api/#authentication API Bearer Token Leave ... | `string` | `""` |
-| `settings.api.apiUsername` | OR/AND API Username and Password Leave Empty if using settings.existingSecret | `string` | `""` |
 | `settings.api.docsUrl` | URL for API documentation, set to an empty value to disable | `string` | `"/docs"` |
 | `settings.api.forwardedAllowIps` | Forwarded allow IPs for correct client IP detection | `string` | `"*"` |
 | `settings.api.ingress` | Ingress configuration for UI access | `object` | See nested values |
 | `settings.api.openApiUrl` | URL for OpenAPI specification, set to an empty value to disable | `string` | `"/openapi.json"` |
 | `settings.api.rateLimit` | Rate limiting configuration for API access https://docs.bunkerweb.io/latest/api/#rate-limiting | `object` | See nested values |
 | `settings.api.redocUrl` | URL for ReDoc API documentation, set to an empty value to disable | `string` | `"/redoc"` |
 | `settings.api.rootPath` | API Configuration https://docs.bunkerweb.io/latest/api/#configuration Root path for the API | `string` | `""` |
+| `settings.api.useBearerToken` | Authentication settings https://docs.bunkerweb.io/latest/api/#authentication Choose at least one met... | `object` | See nested values |
+| `settings.api.useUserPass` | Username and Password | `object` | See nested values |
 | `settings.api.whitelist` | Whitelist configuration for API access | `object` | See nested values |
 | `settings.kubernetes.domainName` | Kubernetes cluster domain name for service discovery | `string` | `"cluster.local"` |
 | `settings.kubernetes.ignoreAnnotations` | Annotations to be ignored by bunkerweb-controller when multiple ingress controllers (comma-separated... | `string` | `""` |
@@ -651,6 +650,11 @@ Configuration for BunkerWeb behavior in Kubernetes environment
 | `settings.api.rateLimit.defaults` | Rate limit per period, Supported formats: "[10/seconde]", "[100/minute]", "[1000/day]" https://limit... | `list` | `['100/minute']` |
 | `settings.api.rateLimit.enabled` | Set to true to create an Ingress resource for the UI | `bool` | `true` |
 | `settings.api.rateLimit.strategy` | Strategy: "fixed-window" or "moving-window" or "sliding-window" https://limits.readthedocs.io/en/sta... | `string` | `"fixed-window"` |
+| `settings.api.useBearerToken.fromExistingSecret` | If enable, it will use settings.existingSecret | `bool` | `false` |
+| `settings.api.useBearerToken.token` | If not using existingSecret, set the token here | `string` | `""` |
+| `settings.api.useUserPass.apiPassword` | Configuration for apiPassword | `string` | `""` |
+| `settings.api.useUserPass.apiUsername` | If not using existingSecret, set the credentials here | `string` | `""` |
+| `settings.api.useUserPass.fromExistingSecret` | If enable, it will use settings.existingSecret | `bool` | `false` |
 | `settings.api.whitelist.enabled` | Set to true to create an Ingress resource for the UI | `bool` | `true` |
 | `settings.api.whitelist.whitelistIps` | space-separated list of IPs/CIDR allowed to access the API | `string` | `"10.0.0.0/8"` |
 | `settings.ui.ingress.enabled` | Set to true to create an Ingress resource for the UI | `bool` | `false` |

examples/README.md

@@ -8,6 +8,7 @@ This directory contains example configurations for common BunkerWeb deployment s
 
 ### Basic Configurations
 
+- [`bunkerweb-settings-secret.yaml`](bunkerweb-settings-secret.yaml) - Secret with all sensitive variables example
 - [`all-in-one.yaml`](all-in-one.yaml) - Full stack configuration for testing
 - [`production.yaml`](production.yaml) - Production-ready setup with persistence and external services
 

examples/bunkerweb-settings-secret.yaml

@@ -0,0 +1,36 @@
+# BunkerWeb Settings Secret
+# This Secret contains sensitive configuration settings for BunkerWeb.
+# Modify the values as needed for your deployment
+# Make sure to reference this secret in your Helm values under settings.existingSecret
+apiVersion: v1
+kind: Secret
+metadata:
+  name: bunkerweb-settings-secret
+  namespace: bunkerweb
+type: Opaque
+stringData:
+  # Database URI for BunkerWeb (SQLAlchemy/PyMySQL format)
+  database-uri: "mysql+pymysql://bunkerweb:changeme@mariadb-bunkerweb.bunkerweb.svc.cluster.local:3306/db?ssl_verify_cert=False"
+  # Redis username (if authentication enabled)
+  redis-username: ""
+  # Redis password (required for Redis and Scheduler)
+  redis-password: "changeme"
+  # UI Admin credentials
+  admin-username: "admin"
+  admin-password: "changeMe123!"
+  # Flask secret key for UI sessions (generate a random string)
+  flask-secret: "flask-secret-of-the-titans"
+  # TOTP secrets for 2FA (generate a random string)
+  totp-secrets: "totp-secrets-of-the-gods"
+  # BunkerWeb database user
+  mariadb-user: "bunkerweb"
+  # BunkerWeb database password
+  mariadb-password: "changeme"
+  # BunkerWeb Pro license key
+  pro-license-key: "bw-pro-license-key-goes-here"
+  # API token for accessing BunkerWeb API
+  api-token: ""
+  # api username
+  api-username: "admin"
+  # api password
+  api-password: "changeMe123!"