cs3org / charts

Kubernetes Charts Repository for CS3ORG
https://cs3org.github.io/charts
Apache License 2.0

Do not regenerate the WOPI Server Secrets on 'helm upgrade' #20

Closed SamuAlfageme closed 1 year ago

SamuAlfageme commented 3 years ago

When no config.{wopisecret,iopsecret} value is provided when installing the wopiserver chart, a pair of random secrets is generated for convenience.

However, this does also happen across upgrades:

staging, iop-wopiserver-secrets, Secret (v1) has changed:
  # Source: iop/charts/wopiserver/templates/secrets.yaml
  apiVersion: v1
  kind: Secret
  metadata:
    labels:
      app.kubernetes.io/instance: iop
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: wopiserver
      app.kubernetes.io/version: v5.4
      helm.sh/chart: wopiserver-0.2.0
    name: iop-wopiserver-secrets
  data:
-   iopsecret: '-------- # (24 bytes)'
-   wopisecret: '-------- # (24 bytes)'
+   iopsecret: '++++++++ # (24 bytes)'
+   wopisecret: '++++++++ # (24 bytes)'
  type: Opaque

This behavior is not intended, as it might require updating the IOP ConfigMap or reloading the IOP Deployment when using REVA_APPPROVIDER_IOPSECRET.

SamuAlfageme commented 3 years ago

linking https://github.com/helm/charts/issues/5167 for later ref.

wkloucek commented 1 year ago

As of now, Helm has no proper way to generate secrets ONCE (see also https://github.com/owncloud/ocis-charts/issues/50).

Therefore I would recommend always using secretsRef for production deployments:

https://github.com/cs3org/charts/blob/f4c41b16dfec0d728a6b34f7308f3730ef61904c/wopiserver/values.yaml#L19-L23
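
A common workaround for the regeneration described in this issue is to have the template reuse the values already stored in the cluster through Helm's `lookup` function. The sketch below is an added example, not the wopiserver chart's own `secrets.yaml`. The Secret naming, the 24-character length and the assumption that `.Values.config` is always defined are hypothetical; only the `wopisecret` and `iopsecret` keys come from the thread.

```yaml
{{- /* Added example, not the chart's own template. */ -}}
{{- /* Assumed naming: "<release>-wopiserver-secrets". */ -}}
{{- $name := printf "%s-wopiserver-secrets" .Release.Name -}}

{{- /* lookup returns an empty map when the Secret does not exist yet,
       and also whenever Helm renders without cluster access
       (helm template, client-side --dry-run). */ -}}
{{- $live := (lookup "v1" "Secret" .Release.Namespace $name) | default dict -}}
{{- $data := (get $live "data") | default dict -}}

{{- /* Reuse the stored (already base64-encoded) value if present;
       generate a random one only on first install. */ -}}
{{- $wopi := get $data "wopisecret" | default (randAlphaNum 24 | b64enc) -}}
{{- $iop := get $data "iopsecret" | default (randAlphaNum 24 | b64enc) -}}

{{- /* Explicitly configured values always win over stored ones.
       Assumes .Values.config is defined in values.yaml. */ -}}
{{- with .Values.config.wopisecret }}{{- $wopi = . | b64enc -}}{{- end -}}
{{- with .Values.config.iopsecret }}{{- $iop = . | b64enc -}}{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
type: Opaque
data:
  wopisecret: {{ $wopi | quote }}
  iopsecret: {{ $iop | quote }}
```

Because `lookup` yields nothing in renders done without cluster access, such renders still show fresh random values, and the release needs permission to read Secrets in its namespace. A Secret created outside the chart and passed by reference avoids both limits.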