Change the order of extraEnvironmentVars and extraSecretEnvironmentVars evaluation in server-statefulset.yaml to provide flexibility #37

Open
vijaySamanuri opened this issue Feb 7, 2025 · 0 comments


Currently, in OpenBao's Helm chart, extraEnvironmentVars are evaluated before extraSecretEnvironmentVars as seen in the StatefulSet template:

https://github.com/openbao/openbao-helm/blob/main/charts/openbao/templates/server-statefulset.yaml#L141-L142

           {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }}
           {{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }}

However, it would be better to include extraSecretEnvironmentVars first, allowing extraEnvironmentVars to reference them for variable substitution.

Example Problem:

If the following configuration is defined in the openbao.server section of values.yaml:

extraSecretEnvironmentVars:
- envName: PG_OB_USERNAME
  secretName: openbao-pg-secret
  secretKey: username
- envName: PG_OB_PASSWORD
  secretName: openbao-pg-secret
  secretKey: password
- envName: PG_OB_DATABASE
  secretName: openbao-pg-secret
  secretKey: dbname

extraEnvironmentVars:
  BAO_PG_CONNECTION_URL: "postgresql://$(PG_OB_USERNAME):$(PG_OB_PASSWORD)@postgres.$(BAO_K8S_NAMESPACE).svc.cluster.local:5432/$(PG_OB_DATABASE)?sslmode=disable"

Since extraEnvironmentVars are evaluated before extraSecretEnvironmentVars, variable substitution does not occur for BAO_PG_CONNECTION_URL.

Suggested Improvement:

Reversing the order of inclusion in the StatefulSet template:

          {{- include "openbao.extraSecretEnvironmentVars" .Values.server | nindent 12 }}
          {{- include "openbao.extraEnvironmentVars" .Values.server | nindent 12 }}

This change provides greater flexibility, allowing extraEnvironmentVars to reference environment variables derived from secrets.

For my use case, I know we can directly have the PostgreSQL connection string in the secret instead to make it work.

However, modifying the order of evaluation offers a more general and flexible approach, benefiting other use cases as well.
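
Kubernetes expands a `$(VAR)` reference only when `VAR` is defined earlier in the same container's env list, and leaves unresolved references unchanged. The sketch below is an added example, not part of the issue or the chart: a small Python model of that rule run over both orderings, with constructed secret values and `BAO_K8S_NAMESPACE` assumed to be defined earlier in the list.

```python
import re

# "$$" is the escape for a literal "$"; "$(NAME)" is a reference.
REF = re.compile(r"\$\$|\$\(([^)]+)\)")

def expand(value, known):
    """Expand $(NAME) from already-defined vars; unknown references stay literal."""
    def sub(match):
        if match.group(0) == "$$":
            return "$"
        return known.get(match.group(1), match.group(0))
    return REF.sub(sub, value)

def resolve_env(env, secrets):
    """Resolve an ordered env list: each entry sees only the entries before it."""
    resolved = {}
    for entry in env:
        if "secretKeyRef" in entry:
            secret_name, key = entry["secretKeyRef"]
            value = secrets[secret_name][key]
        else:
            value = expand(entry["value"], resolved)
        resolved[entry["name"]] = value
    return resolved

# Constructed sample data (not real credentials).
SECRETS = {"openbao-pg-secret": {"username": "bao", "password": "example-pw", "dbname": "openbao"}}
# Assumption: BAO_K8S_NAMESPACE is already defined earlier in the container's env list.
BASE = [{"name": "BAO_K8S_NAMESPACE", "value": "openbao"}]
SECRET_VARS = [
    {"name": "PG_OB_USERNAME", "secretKeyRef": ("openbao-pg-secret", "username")},
    {"name": "PG_OB_PASSWORD", "secretKeyRef": ("openbao-pg-secret", "password")},
    {"name": "PG_OB_DATABASE", "secretKeyRef": ("openbao-pg-secret", "dbname")},
]
URL = ("postgresql://$(PG_OB_USERNAME):$(PG_OB_PASSWORD)@postgres."
       "$(BAO_K8S_NAMESPACE).svc.cluster.local:5432/$(PG_OB_DATABASE)?sslmode=disable")
PLAIN_VARS = [{"name": "BAO_PG_CONNECTION_URL", "value": URL}]

def connection_url(env):
    """Return BAO_PG_CONNECTION_URL as the container would see it for this ordering."""
    return resolve_env(env, SECRETS)["BAO_PG_CONNECTION_URL"]

if __name__ == "__main__":
    print("current :", connection_url(BASE + PLAIN_VARS + SECRET_VARS))
    print("proposed:", connection_url(BASE + SECRET_VARS + PLAIN_VARS))
```

With the current ordering the container receives the URL with the literal `$(PG_OB_...)` placeholders still in it, which is the symptom to look for in the running pod's environment.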
