cockroachdb / helm-charts

Helm charts for cockroachdb

Support existing secrets

ErikLundJensen opened this issue · comments

Real secrets should never be in clear text in values.yaml files. Therefore it would be preferable if existing secrets could be used in the helm chart.

For example using existing imagePullSecrets instead of the secrets generated by the chart:

{{- if .Values.image.credentials }}

@ErikLundJensen I support not having secrets in plaintext in yaml files in the repository.

This can be fixed by using the helm secrets plugin. This allows you to use yaml files with encrypted values, keep the encrypted files in repositories, and only decrypt when running helm install.

See: https://github.com/jkroepke/helm-secrets

Maybe this fixes the problem for you.

I have an in-house CRD for pulling secrets from AWS SSM into namespaces, and as I'm trying to go to production with this chart I'm hitting similar issues. I want to use this chart as a dependency and then bring my own templates for secrets.

Is there any interest in taking PRs that loosen some of the constraints on where secrets come from?

The fix would be to add:

The following snippet in values.yaml

image:
  repository: cockroachdb/cockroach
  tag: v22.1.4
  pullPolicy: IfNotPresent
  # names of existing imagePullSecrets in the namespace; must match the
  # .Values.image.pullSecrets key referenced by the statefulset template
  pullSecrets: []

The following snippet in templates/statefulset.yaml under spec.template.spec

      {{- with $pullSecrets := .Values.image.pullSecrets }}
      imagePullSecrets: {{- range $k, $secretName := $pullSecrets }}
      - name: {{ $secretName }}
      {{- end }}
      {{- end }}

And just eliminate the file templates/secret.registry.yaml.
It would be way easier for the developers to create their own docker registry secret from their terraform configuration or elsewhere. We cannot ask them to write the clear text of username and password and encrypt it ourselves.
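The rendering behaviour of the snippet above can be checked without a cluster or even a Helm install, since Helm templates are Go text/template. The following is an added example, not code from the cockroachdb/helm-charts project: it feeds the proposed statefulset snippet a constructed `.Values.image` map (the secret names `regcred` and `ecr-pull-secret` are made up for the demonstration), renders it for a populated list and for the empty default, and extracts the Secret names that end up in the manifest. The point for review is that only references appear in the rendered output; the registry username and password never pass through the chart.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// The statefulset snippet proposed in the thread. Helm templates are Go
// text/template, so the same actions render here without Helm installed.
const pullSecretsTmpl = `      {{- with $pullSecrets := .Values.image.pullSecrets }}
      imagePullSecrets: {{- range $k, $secretName := $pullSecrets }}
      - name: {{ $secretName }}
      {{- end }}
      {{- end }}
`

// helmValues builds the ".Values" object the template sees (constructed for
// this example). Nested maps with lowercase keys are used rather than a struct
// so the template can address .Values.image.pullSecrets exactly as under Helm.
func helmValues(pullSecrets []string) map[string]interface{} {
	return map[string]interface{}{
		"Values": map[string]interface{}{
			"image": map[string]interface{}{
				"repository":  "cockroachdb/cockroach",
				"tag":         "v22.1.4",
				"pullPolicy":  "IfNotPresent",
				"pullSecrets": pullSecrets,
			},
		},
	}
}

// RenderPullSecrets renders the imagePullSecrets block for the given list of
// existing Secret names. An empty list renders nothing: "with" treats an
// empty slice as false, so the pod spec simply gets no imagePullSecrets key.
func RenderPullSecrets(pullSecrets []string) (string, error) {
	t, err := template.New("statefulset").Parse(pullSecretsTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, helmValues(pullSecrets)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ReferencedSecretNames extracts the Secret names from a rendered
// imagePullSecrets block. A review of the rendered manifest only ever sees
// these references; the credentials themselves live in Secrets created
// outside the chart (terraform, an external-secrets operator, kubectl).
func ReferencedSecretNames(rendered string) []string {
	var names []string
	for _, line := range strings.Split(rendered, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "- name:") {
			names = append(names, strings.TrimSpace(strings.TrimPrefix(line, "- name:")))
		}
	}
	return names
}

func main() {
	// Two constructed inputs: a populated list and the empty default.
	for _, secrets := range [][]string{{"regcred", "ecr-pull-secret"}, {}} {
		out, err := RenderPullSecrets(secrets)
		if err != nil {
			panic(err)
		}
		fmt.Printf("pullSecrets=%v renders %q (references %v)\n",
			secrets, out, ReferencedSecretNames(out))
	}
}
```

The same check against a real chart is `helm template` piped into a grep for the registry username, which should find nothing once the secret is referenced rather than generated.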

I know this hasn't been touched in about a year, but I would still really like an existing secret for the initially provisioned users, as right now, you have to pass in plain text passwords for users, which makes the cockroachdb helm chart unusable for me at this time. This would be a good feature for those who cannot pass in plain text passwords to any repos. This is required for some security compliance.

It looks like the work was already started here: https://github.com/cockroachdb/helm-charts/pull/272/files