bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/postgresql] Support for External Secrets in values.yaml #27056

Closed Abderrahman-byte closed 1 day ago

Abderrahman-byte commented 3 weeks ago

Name and Version

bitnami/postgresql 16.3.0

What is the problem this feature will solve?

I'm using the Bitnami PostgreSQL Helm chart and managing my deployments using GitOps. Currently, my values.yaml contains sensitive credentials, which I want to avoid storing in my Git repository. Here is an example of my current values.yaml:

global:
  postgresql:
    enabled: true

    auth:
      postgresPassword: "postgresPassword"
      username: "username"
      password: "password"
      database: "database"

I would like to use external secrets management solutions instead of writing credentials directly in values.yaml. However, I couldn't find any way to configure the chart to use external secrets. Also, the existingSecret parameter works only on postgresPassword.

Can you help figure this out?

Thank you for your attention to this matter.

What is the feature you are proposing to solve the problem?

Please consider adding support for external secrets to the Bitnami PostgreSQL Helm chart. This feature would greatly enhance the security and flexibility of managing sensitive information in a GitOps workflow.

What alternatives have you considered?

No response

javsalgar commented 3 weeks ago

Hi,

Checking the values, I see that it supports more passwords:

  ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case.
  ##
  existingSecret: ""
  ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
  ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
  ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
  ##
  secretKeys:
    adminPasswordKey: postgres-password
    userPasswordKey: password
    replicationPasswordKey: replication-password

Wouldn't this work on your use case?

Abderrahman-byte commented 3 weeks ago

Thank you for your response and the helpful information. This is very useful.

However, I noticed that there are no keys to specify the database and username values from the secret. Including these options would greatly enhance our setup.

I also wanted to share that I found a solution by including the following in my configuration:

primary:
  extraEnvVarsSecret: "postgresql-auth"
auth:
  existingSecret: "postgresql-auth"

Thanks again for your assistance!

javsalgar commented 3 weeks ago

Hi,

Thanks for the input! Indeed, this has been an ongoing debate for a long time, whether to add username and database as part of the secret. For the time being, we did not reach a consensus. However, as a dirty workaround, you could include the username and database in the secret and then set these two values via extraEnvVars. Setting POSTGRES_USER and POSTGRES_DATABASE via env var could potentially override the default values rendered by the chart. Not the best solution but it could help for your use case.

primary:
  extraEnvVars:
    - name: POSTGRES_USER
      valueFrom:
        secretKeyRef:
          name: postgresql-auth
          key: user
    - name: POSTGRES_DATABASE
      valueFrom:
        secretKeyRef:
          name: postgresql-auth
          key: db
readReplicas:
  extraEnvVars:
    - name: POSTGRES_USER
      valueFrom:
        secretKeyRef:
          name: postgresql-auth
          key: user
    - name: POSTGRES_DATABASE
      valueFrom:
        secretKeyRef:
          name: postgresql-auth
          key: db

Replace the keys user and db with the proper ones.
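One way to produce the postgresql-auth Secret used in this thread from an external store, so that only this manifest is committed to Git. This is an added example, not code from the chart or from the commenters. It assumes the External Secrets Operator is installed with its v1beta1 API; the store name example-store and the remote path example/postgresql are placeholders.

```yaml
# Added example. Must be created in the same namespace as the Helm release,
# because auth.existingSecret and secretKeyRef only resolve Secrets locally.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: postgresql-auth
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: example-store            # placeholder: your configured store
  target:
    name: postgresql-auth          # Secret name set in auth.existingSecret
    creationPolicy: Owner
  data:
    # Keys below match the chart defaults under auth.secretKeys.
    - secretKey: postgres-password       # adminPasswordKey
      remoteRef:
        key: example/postgresql          # placeholder remote path
        property: postgres-password
    - secretKey: password                # userPasswordKey
      remoteRef:
        key: example/postgresql
        property: password
    - secretKey: replication-password    # replicationPasswordKey
      remoteRef:
        key: example/postgresql
        property: replication-password
    # Keys read by the extraEnvVars workaround (POSTGRES_USER / POSTGRES_DATABASE).
    - secretKey: user
      remoteRef:
        key: example/postgresql
        property: user
    - secretKey: db
      remoteRef:
        key: example/postgresql
        property: db
```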

github-actions[bot] commented 6 days ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 1 day ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.