authelia / chartrepo

Authelia Helm Charts
https://charts.authelia.com
Apache License 2.0

existingConfigMap still includes secrets #210

Closed eloo closed 6 months ago

eloo commented 1 year ago

Hi,

I was just about to move my configuration file into its own ConfigMap in Kubernetes using the existingConfigMap key.

But I have encountered a lot of issues while doing this, and it looks like currently the existingConfigMap cannot be used as expected because some values of configMap are used during the Helm chart rendering.

For example, what kind of storage is configured is determined based on a value in configMap.storage, but this whole key is going to be migrated into the ConfigMap mentioned in existingConfigMap.

Here is an example of the key I am talking about: https://github.com/authelia/chartrepo/blob/master/charts/authelia/templates/deployment.yaml#L129C16-L129C16

Maybe in the future the storage type itself should be a higher level.

Thanks

james-d-elliott commented 1 year ago

Only the password, which we would recommend using the secret kind for regardless of the configMap source, and this behavior can be disabled by setting the disabled value. We would, however, welcome a PR which disables all secret functionality.

eloo commented 1 year ago

The problem is that one cannot easily see what depends on the configMap stuff, because some parts of the OIDC config are also used there. So no, it's not only the postgres secret. Further, my problem was that I had disabled postgres (set to false), but with existingConfigMap in use and the rest "not" set, it's using the default, which is "postgres.enabled=true".

james-d-elliott commented 1 year ago

> the problem is that one can not see easily what depends on the configMap stuff..

Yep, a PR would be welcome. Everyone in the community is encouraged to contribute. Same as above regarding disabling the secret functionality entirely with an explicitly clear option (must include unsupported, and terminology similar to insecure or badPractice in its name).

> So no.. its not only the postgres secret.

I was specifically replying to the specific example you mentioned, which is exactly the postgres password included in the secret. But I can see how that may have been confusing.

> further my problem was that i had disabled postgres (set to false) but with existingConfigMap in use and the rest "not" set its using the default which is "postgres.enabled=true"

Ah yeah, I forgot Helm does that. It treats false as a zero value, so chart values files override it.
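One common way the false-as-zero-value behaviour mentioned above surfaces in chart templates, as an added example that is not code from this thread or from the Authelia chart: the `default` template function Helm takes from sprig counts `false` as empty, so a toggle guarded by it cannot be switched off, while a key-presence check can. The template fragments, the `enabled` key and the Go stand-ins for `default` and `hasKey` are assumptions for illustration; the thread does not establish that this is the exact mechanism in the chart.

```go
package main

import (
	"bytes"
	"fmt"
	"reflect"
	"text/template"
)

// isEmpty follows sprig's emptiness rule: nil, false, 0, "" and empty collections count as unset.
func isEmpty(v any) bool {
	if v == nil {
		return true
	}
	rv := reflect.ValueOf(v)
	switch rv.Kind() {
	case reflect.Map, reflect.Slice, reflect.String:
		return rv.Len() == 0
	}
	return rv.IsZero()
}

// Stand-ins for sprig's `default` and `hasKey`, so this runs with the standard library only.
var funcs = template.FuncMap{
	"default": func(d, v any) any {
		if isEmpty(v) {
			return d
		}
		return v
	},
	"hasKey": func(m map[string]any, k string) bool { _, ok := m[k]; return ok },
}

// Hypothetical template fragments: the toggle decides whether a password Secret is rendered.
const fragile = `{{ if default true .enabled }}secret{{ else }}none{{ end }}`
const explicit = `{{ if or (not (hasKey . "enabled")) .enabled }}secret{{ else }}none{{ end }}`

func render(tpl string, values map[string]any) string {
	var out bytes.Buffer
	t := template.Must(template.New("t").Funcs(funcs).Parse(tpl))
	if err := t.Execute(&out, values); err != nil {
		return "error: " + err.Error()
	}
	return out.String()
}

func main() {
	off := map[string]any{"enabled": false} // constructed user values
	fmt.Println(render(fragile, off), render(explicit, off))
}
```

Rendering a chart with the toggle set to false and checking that no Secret object or secret mount appears in the output is the practical way to confirm which form a given template uses.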

james-d-elliott commented 6 months ago

Think this is fixed in 0.9.0-beta releases.