Open slint opened 6 months ago
Ah, yes! This is an important improvement, in my opinion!
An adjacent topic to this is if we can provide credentials using secrets! It would be a great improvement on security if we could set all credentials using secrets (which is not possible today, if I recall correctly). We may also want to consider using credentials from the secrets generated by our chart dependencies.
I think these topics should be part of this issue, but if you think otherwise I can create a separate issue for them.
@lindhe exactly, I tried to (badly 😅) summarize this in:
placing only sensitive information of the config in a secret and exposing as an env var
We touched a bit on this on Discord, and I brought it up at the InvenioRDM workshop last week, where people agreed based on their experience with other Helm Charts approach to secrets.
It's common practice to be able to configure services that rely on connection strings/URIs (e.g. DB, OpenSearch, RabbitMQ, Redis) by individually setting parts of the string via env variables. This allows:
RABBITMQ_USER
to both theweb
/worker
config, but also the RabbitMQ sub-chart)On the application-side building the
SQLALCHEMY_DATABASE_URI
config would look something like: