Support existingSecret for bundled redis and postgres databases #420

Closed
miriamstreit opened this issue Nov 22, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@miriamstreit

Proposed functionality

As of today, using existingSecrets with the bundled database variations is not possible (see

{{- if not (or .Values.postgresql.enabled .Values.externalDatabase.existingSecretName) }}
)

Our suggestion would be to remove the check for .Values.postgresql.enabled for the postgres and for the redis secret so users can use their own secrets for the bundled databases.

Use case

We are trying to set up Netbox on Kubernetes as a proof of concept. For this reason we're using the bundled chart and do not have any external databases yet. Due to the issue of the database passwords being reset when certain components restart (see #36) we are forced to pass fixed passwords to the helm chart. Even though it is just a proof of concept we don't want any passwords in our Git, which would be necessary since we're using ArgoCD to deploy the chart.

We are aware that for production environments it is recommended to use external databases. We believe that removing this limitation would make it easier to get started with a simple proof of concept without going against any other standards such as storing passwords in Git or deploying from local machines.

@miriamstreit miriamstreit added the enhancement New feature or request label Nov 22, 2024
@LeoColomb
Member

Thanks for filing this issue, @miriamstreit.
As described by the secret template you're referring to, this is only valid for external database.
For "bundled" Bitnami PostgreSQL/Redis charts, all the upstream values can be used accordingly.
For instance:

@LeoColomb LeoColomb closed this as not planned Nov 24, 2024
@miriamstreit
Author

@LeoColomb
My bad, I completely missed that! I got it to work the way you described 🙂 Thanks!

@salcinad

We are somehow facing the same issue here. We are using ArgoCD and have this netbox as an Application. But every time we do a change, ArgoCD would also try to sync the postgres and redis password too (I guess it will be regenerated). What are we missing here? Any hint is welcome.

Chart version: 5.0.0-beta.154 (found on artifacthub)
Bundled postgresql and redis
existingSecret (applied before ArgoCD deploys the application) for both postgresql and redis. The netbox-config and netbox-superuser existingSecret are working fine.

in helm values:

        superuser:
          name: admin
          email: example@example.com
          existingSecret: "netbox-superuser"
        existingSecret: "netbox-config"
        postgresql:
          auth:
            existingSecret: "netbox-postgresql"
        redis:
          auth:
            existingSecret: "netbox-redis"

The plan is to use sealed-secrets to seal the secrets and push them to our git, which acts as the single source of truth. This currently works only for "netbox-config" and "netbox-supervisor".

@LeoColomb
Member

> ArgoCD would also try to sync the postgres and redis password too (I guess it will be regenerated).

This is not the case since some versions for bundled Bitnami PostgreSQL & Redis. If a previously auto-generated password is created, it will try to keep it at the upgrade. ArgoCD does not alter anything in here.

> This currently works only for "netbox-config" and "netbox-supervisor".

Have you enforced the correct secret keys as expected by the subcharts?
For instance, for PostgreSQL, under .postgresql namespace:

| name | description | default |
| --- | --- | --- |
| auth.existingSecret | Name of existing secret to use for PostgreSQL credentials. auth.postgresPassword, auth.password, and auth.replicationPassword will be ignored and picked up from this secret. The secret might also contains the key ldap-password if LDAP is enabled. ldap.bind_password will be ignored and picked from this secret in this case. | "" |
| auth.secretKeys.adminPasswordKey | Name of key in existing secret to use for PostgreSQL credentials. Only used when auth.existingSecret is set. | postgres-password |
| auth.secretKeys.userPasswordKey | Name of key in existing secret to use for PostgreSQL credentials. Only used when auth.existingSecret is set. | password |

For Redis, under .redis namespace:

| name | description | default |
| --- | --- | --- |
| auth.existingSecret | The name of an existing secret with Redis® credentials | "" |
| auth.existingSecretPasswordKey | Password key to be retrieved from existing secret | redis-password |
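
The key names from the two tables above, put together as pre-created Secrets plus the matching values fragment. This is an added example, not part of the original thread or the chart's own files: the Secret names are the ones posted earlier in the thread, while the `netbox` namespace and the placeholder passwords are assumptions.

```yaml
# Added example. Secrets that ArgoCD or sealed-secrets would need to have in
# place before the chart is synced. Passwords are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: netbox-postgresql        # matches postgresql.auth.existingSecret
  namespace: netbox              # assumed namespace
type: Opaque
stringData:
  postgres-password: "<postgres-admin-password>"   # auth.secretKeys.adminPasswordKey
  password: "<netbox-db-user-password>"            # auth.secretKeys.userPasswordKey
---
apiVersion: v1
kind: Secret
metadata:
  name: netbox-redis             # matches redis.auth.existingSecret
  namespace: netbox              # assumed namespace
type: Opaque
stringData:
  redis-password: "<redis-password>"               # auth.existingSecretPasswordKey
---
# Helm values fragment (not a Kubernetes object). The key names are set
# explicitly so the mapping to the Secrets above does not depend on defaults.
postgresql:
  auth:
    existingSecret: "netbox-postgresql"
    secretKeys:
      adminPasswordKey: "postgres-password"
      userPasswordKey: "password"
redis:
  auth:
    existingSecret: "netbox-redis"
    existingSecretPasswordKey: "redis-password"
```

A Secret whose data keys differ from the names configured here is the mismatch the question above asks about.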
