Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support the configuration of sensitive data using existing Kubernetes secrets #90

Closed
rszamszur opened this issue Apr 8, 2024 · 4 comments
Closed

Support the configuration of sensitive data using existing Kubernetes secrets #90

rszamszur opened this issue Apr 8, 2024 · 4 comments

Comments

@rszamszur
Copy link
Contributor

Hello BuildBuddy Team,

I am reaching out to discuss an enhancement proposal for the Helm charts. Currently, these charts require secrets to be provided within the values.yaml file. This approach, while functional, it adds an extra layer of complexity and maintenance overhead. This complexity becomes particularly evident in situations such as:

  • When an organization has specific requirements or methods for managing secrets.
  • When there are limitations or issues with third-party solutions, for instance: ArgoCD + helm-secrets.
  • When applying GitOps practices - ensuring data is encrypted at rest but still accessible by the GitOps controller.

I would like to propose a feature request to enhance the Helm charts to support the use of existing Kubernetes secrets. The ideal implementation of this feature would cater to any sensitive information that can currently be configured through value files.

I am keen to contribute to the development of this feature if it aligns with your project's goals. Could you please share any specific guidelines or requirements for such contributions? I would greatly appreciate any feedback or direction you could provide to help me proceed with this implementation.

For reference, I have included links to example open-source charts that support using existing k8s secrets to some extent:

Have a good one!
@siggisim
Copy link
Member

siggisim commented Apr 8, 2024

Hey @rszamszur!

Thanks for the proposal - would specifying our config options as environment variables work for your use-case? https://www.buildbuddy.io/docs/config#environment-variables

You can specify environment variables in your BuildBuddy config.yaml (which maps to the config: block of the helm values.yaml) and then populate those environment variables using whatever secrets management tool you'd like.

For example a bring-your-own-runners values.yaml might look like this:

config:
  executor:
    app_target: "grpcs://remote.buildbuddy.io:443"
    local_cache_size_bytes: 50000000000 # 50GB
    api_key: "${API_KEY}"

And then you can populate the API_KEY environment variable using Kubernetes secrets: https://kubernetes.io/docs/concepts/configuration/secret/#using-a-secret

@rszamszur
Copy link
Contributor Author

Thanks for the proposal - would specifying our config options as environment variables work for your use-case? https://www.buildbuddy.io/docs/config#environment-variables

I must have overlooked that bit of documentation. At the first glance, seems like it could be sufficient. I'll test it tomorrow and update you on the results.

@siggisim
Copy link
Member

siggisim commented Apr 8, 2024

Great, let us know if you run into any issues. We're happy to help!

@siggisim
Copy link
Member

Feel free to re-open if you run into any issues with this approach!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@siggisim @rszamszur