Use secrets instead of hardcoding credentials in the values.yaml file

Question

Use secrets instead of hardcoding credentials in the values.yaml file

johanneskastl opened this issue a year ago · comments

Many other charts are not allowing usernames/passwords in the values.yaml file due to security considerations. Think of a GitOps approach where the values.yaml file is stored in Git. In this case it would be nice to have an alternative way.

Those charts use environment variables from secrets or are mounting the secrets into the pod, so the pod has access to the credentials. Then the values.yaml only needs to contain the references to those secrets, i.e. the secret names.

Example from the Bitnami-postgresql chart:
https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml#L35

Are there any plans to allow this for the openproject chart?

Oliver Günther · Answer 1 · Thu Dec 14 2023 00:13:15 GMT+0800 (China Standard Time)

I suppose this can be closed with the changes in #46, / version 4.0.0.

Johannes Kastl · Answer 2 · Sun Dec 17 2023 22:34:24 GMT+0800 (China Standard Time)

I can confirm that it works! At least for the postgreSQL database.

I do not use the bundled one, so I need the following settings:

postgresql:
  bundled: false
  connection:
    host: <service-name-here>
    port: 5432
  auth:
    existingSecret: my-postgresql-credentials-secret
    secretKeys:
      userPasswordKey: "password"

As soon as I set the auth.existingSecret, I need to add the secretKeys. But that is to be expected, as it is commented out in the chart's values.yaml and hence there is no default value for this.

Thanks for the work @oliverguenther @machisuji