Secrets consistency for the chart (#1016)

- Enabling existing secrets for external MySQL and Redis
- Tolerate existing secrets for bundled charts.
- README.md: secrets handling explained.
- Fixed multiple bugs where missing required field was replaced with
default instead of failing.
- PHONE_NOTIFICATIONS_LIMIT was on the wrong level: it was not set if
existingSecret was true.

Next are the cosmetic changes. They improve chart consistency, e.g.
prevent generation of multiple new lines in certain cases:
- Common approach to spaces trimming. This typically allows curly blocks
and actual strings indentation and nice `nindent` usage:
- Two curly blocks should not trim the same space. I.e. "{{ ... -}} {{-
... }}" shouldn't happen.
- Template generates either single line or multiline string. In both
cases, no new line appears on both sides of the output string. So we
delete unnecessary new lines inside and at the end of string with
"trim-to-left" (`{{-` ) and the leading new line using "trim-to-right"
(`-}}`).
Note that trimming both leading and trailing new line is not always
easily possible: Masterminds/sprig#357

    Example.

    ```
    {{- define "mytemplate" -}}
    {{ if someBoolean -}}
      {{ .Value.some }}
    {{- else -}}
      some string
    {{- end }}
    {{- end }}
    ```

- `template` replaced with `include`. It is often recommended to use
`include` by default, as it allows pipelining.

## Checklist

- [ ] Tests updated - No tests for Helm chart
- [X] Documentation added
- [x] `CHANGELOG.md` updated

Co-authored-by: Ildar Iskhakov <Ildar.iskhakov@grafana.com>

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Secrets consistency for the chart. Bugfixing [#1016](https://github.com/grafana/oncall/pull/1016)
 - Make it possible to completely delete a rotation oncall ([#1505](https://github.com/grafana/oncall/issues/1505))
 - Polish rotation modal form oncall ([#1506](https://github.com/grafana/oncall/issues/1506))
 - Quick actions when editing a schedule oncall ([#1507](https://github.com/grafana/oncall/issues/1507))

helm/oncall/README.md

@@ -86,6 +86,112 @@ helm upgrade \
     grafana/oncall
 ```
 
+### Passwords and external secrets
+
+As OnCall subcharts are Bitname charts, there is a common approach to secrets. Bundled charts allow specifying passwords
+in values.yaml explicitly or as K8s secret value. OnCall chart refers either to secret created in sub-chart or
+to specified external secret.
+Similarly, if component chart is disabled, the password(s) can be supplied in `external<Component>` value
+(e.g. externalMysql) explicitly or as K8s secret value. In the first case, the secret is created with the specified
+value. In the second case the external secret is used.
+
+- If `<subchart>.auth.existingSecret` is non-empty, then this secret is used. Secret keys are pre-defined by chart.
+- If subchart supports password files and `<subchart>.customPasswordFiles` dictionary is non-empty, then password files
+  are used. Dictionary keys are pre-defined per sub-chart. Password files are not supported by OnCall chart and should
+  not be used with bundled sub-charts.
+- Passwords are specified via `auth` section values, e.g. `auth.password`. K8s secret is created.
+  - If `<subchart>.auth.forcePassword` is `true`, then passwords MUST be specified. Otherwise, missing passwords
+  are generated.
+
+If external component is used instead of the bundled one:
+
+- If existingSecret within appropriate external component values is non-empty (e.g. `externalMysql.existingSecret`) then
+  it is used together with corresponding key names, e.g. `externalMysql.passwordKey`.
+- Otherwise, corresponding password values are used, e.g. `externalMysql.password`. K8s secret is created by OnCall chart.
+
+Below is the summary for the dependent charts.
+
+MySQL/MariaDB:
+
+```yaml
+database:
+  type: "mysql" # This is default
+mariaDB:
+  enabled: true # Default
+  auth:
+    existingSecret: ""
+    forcePassword: false
+    # Secret name: `<release>-mariadb`
+    rootPassword: "" # Secret key: mariadb-root-password
+    password: "" # Secret key: mariadb-password
+    replicationPassword: "" # Secret key: mariadb-replication-password
+externalMysql:
+  password: ""
+  existingSecret: ""
+  passwordKey: ""
+```
+
+Postgres:
+
+```yaml
+database:
+  type: postgresql
+mariadb:
+  enabled: false # Must be set to false for Postgres
+postgresql:
+  enabled: true # Must be set to true for bundled Postgres
+  auth:
+    existingSecret: ""
+    secretKeys:
+      adminPasswordKey: ""
+      userPasswordKey: "" # Not needed
+      replicationPasswordKey: "" # Not needed with disabled replication
+    # Secret name: `<release>-postgresql`
+    postgresPassword: "" # password for admin user postgres. As non-admin user is not created, only this one is relevant.
+    password: "" # Not needed
+    replicationPassword: "" # Not needed with disabled replication
+externalPostgresql:
+  user: ""
+  password: ""
+  existingSecret: ""
+  passwordKey: ""
+```
+
+Rabbitmq:
+
+```yaml
+rabbitmq:
+  enabled: true
+  auth:
+    existingPasswordSecret: "" # Must contain `rabbitmq-password` key
+    existingErlangSecret: "" # Must contain `rabbitmq-erlang-cookie` key
+    # Secret name: `<release>-rabbitmq`
+    password: ""
+    erlangCookie: ""
+externalRabbitmq:
+  user: ""
+  password: ""
+  existingSecret: ""
+  passwordKey: ""
+  usernameKey: ""
+```
+
+Redis:
+
+```yaml
+redis:
+  enabled: true
+  auth:
+    existingSecret: ""
+    existingSecretPasswordKey: ""
+    # Secret name: `<release>-redis`
+    password: ""
+externalRedis:
+  password: ""
+  existingSecret: ""
+  passwordKey: ""
+```
+
 ### Set up Slack and Telegram
 
 You can set up Slack connection via following variables: