search

headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0
2.22k stars 156 forks source link

[RFE] Consider to get config from environment variables #696

Closed blobor closed 2 years ago

blobor commented 2 years ago

Current situation

Headlamp backend service expects configuration to be passed through arguments to the container, which is mostly fine until we have a case for passing secrets. Specifically, I'm talking about the clientSecret parameter.

      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.registry}}/{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args:
            - "-in-cluster"
            {{- with .Values.config.oidc.clientSecret }}
            - "-oidc-client-secret={{ . }}"

As a "workaround" (or a feature), we can pass arguments from environment variables, which could be loaded from secrets.

Ideal future situation

It would be great if we had an option to pass the configuration straight from environment variables or could be combined with arguments.

      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.registry}}/{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args:
            - "-in-cluster"
          env:
            - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
                   name: some-random-secure-store
                   key: headlampClientSecret

Implementation options

As I see from a code, Headlamp uses a built-in flags package. As an option, it could use github.com/jessevdk/go-flags package, which can load config from env variables and flags passed. Or, good old Viper package

illume commented 2 years ago

Yeah, good idea. I agree env vars would be nice to support... especially for secrets as you say.

illume commented 2 years ago

Hrmm.

I guess rather than redoing all the flags with environment variables and a different library, we could instead add that single clientSecret environment variable.

joaquimrocha commented 2 years ago

I think it's a good idea to use a different flags package that supports both params and env vars. Let's do this.