[Helm chart] Configuring sensitive values via secrets #3094


Closed
cyrilcros opened this issue Feb 3, 2021 · 3 comments
Labels
component: install Terraform installation scripts, helm charts, installer images meta: stale This issue/PR is stale and will be closed soon priority: 💪 stretch goal This issue is a stretch goal within an iteration. self-hosted type: feature request New feature or request

cyrilcros commented Feb 3, 2021

Hi,
Would it be possible to set the sensitive values in the Helm chart (like components.server.sessionSecret for ex., but also db password and oauth info) via either an existingSecret secret reference or setting an environment variable?
Right now the values.yaml has sensitive information in it which is an issue for “gitops-style” management of Kubernetes.
Thanks!

csweichel added component: install Terraform installation scripts, helm charts, installer images type: feature request New feature or request labels Feb 4, 2021
csweichel added this to the March 2021 milestone Feb 4, 2021

csweichel (Contributor) commented

That makes perfect sense. We could adopt a pattern akin to how we handle the HTTPS certificates, except that one could still provide the value directly if necessary, e.g.:

server:
  sessionSecret:
    secretName: some-preexisting-secret
    key: data-in-the-secret

but also:

server:
  sessionSecret:
    value: "enter value here directly"

We would do that for:

  • db.password
  • messagebus.password
  • minio.accessKey
  • minio.secretKey
  • server.sessionSecret
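
The two value forms proposed in the comment above, consumed from a Helm template, as an added example (not Gitpod's chart code). The file names, the `SESSION_SECRET` variable name and the generated Secret name are hypothetical, and `.Values.server` is assumed to exist in values.yaml.

```yaml
# Added example, not the project's templates.
# values.yaml accepts either form:
#   server.sessionSecret.secretName + key  -> reference a pre-existing Secret
#   server.sessionSecret.value             -> chart creates a Secret from it

# --- templates/session-secret.yaml (hypothetical file name) ---
{{- $s := .Values.server.sessionSecret | default dict }}
{{- if and $s.secretName $s.value }}
{{- fail "server.sessionSecret: set either secretName/key or value, not both" }}
{{- end }}
{{- if not $s.secretName }}
# Rendered only when no existing Secret is referenced.
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-session-secret
type: Opaque
stringData:
  sessionSecret: {{ required "server.sessionSecret.value or .secretName is required" $s.value | quote }}
{{- end }}

# --- container env fragment in the server Deployment template ---
{{- $s := .Values.server.sessionSecret | default dict }}
env:
  - name: SESSION_SECRET   # hypothetical variable name
    valueFrom:
      secretKeyRef:
        {{- if $s.secretName }}
        name: {{ $s.secretName }}
        key: {{ required "server.sessionSecret.key is required with secretName" $s.key }}
        {{- else }}
        name: {{ .Release.Name }}-session-secret
        key: sessionSecret
        {{- end }}
```

With the `secretName`/`key` form, the values.yaml kept in Git holds only a reference, and the container reads the value through `secretKeyRef` in both cases.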


cyrilcros commented Feb 8, 2021

Thank you for considering this feature! You can even autogenerate those if you are willing to drop / have dropped Helm 2 support: https://github.com/helm/charts/issues/5167#issuecomment-619137759
I would say the OAuth also needs it, but it might be more complicated if you have a list of possible clients rather than a single one.

csweichel modified the milestones: [backlog] March 2021, [do-not-add-issues] March 2021 Mar 1, 2021
csweichel added the priority: 💪 stretch goal This issue is a stretch goal within an iteration. label Mar 1, 2021
svenefftinge modified the milestones: March 2021, April 2021 Apr 12, 2021
geropl modified the milestones: April 2021, May 2021 (backlog) Apr 13, 2021
cyrilcros pushed a commit to cyrilcros/gitpod that referenced this issue Apr 21, 2021
- I fetch values via Helm `lookup` calls. This is Helm 3 only compatible.
- I do not alter the templates to use the existing secrets, I fetch from them and let gitpod create (possibly redundant) secrets
- serverProxyApiKey / db.password / components.server.sessionSecret can be set, added via secret with arbitrary key and are autogenerated otherwise
- rabbitmq secret can be set, assuming username and password are keys in the secret
- nothing is done for minio secrets because it is a subchart with an April 2021 deprecation warning
csweichel removed this from the May 2021 (backlog) milestone May 6, 2021

stale bot commented Aug 4, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the meta: stale This issue/PR is stale and will be closed soon label Aug 4, 2021
stale bot closed this as completed Aug 14, 2021