langfuse / langfuse-k8s

Community-maintained Kubernetes config and Helm chart for Langfuse
https://langfuse.com
MIT License

Secure handling of secrets #7

Open alecor191 opened 1 month ago

alecor191 commented 1 month ago

I understand that the Helm chart takes secrets, like the DB password, and stores them in a K8S secret. However, as we have to pass it to the chart as a value, users can call helm get values langfuse to retrieve all values provided at the time of installation.

Here is what I get when running the mentioned command on a langfuse Helm release:

❯ helm get values langfuse

USER-SUPPLIED VALUES:
ingress:
  enabled: false
langfuse:
  nextauth:
    secret: 1234                          // <----- secret
    url: https://langfuse.example.org/
  salt: 5678                              // <----- secret
  telemetryEnabled: true
postgresql:
  auth:
    database: langfuse
    password: dbpassword                  // <----- secret
    username: archlet
  deploy: false
  host: langfuse.postgres.database.azure.com
service:
  type: ClusterIP

Do you have any thoughts on the topic, or are there other ways that could be considered to provide secrets (e.g. by providing the name/key of a secret in an existing K8S Secret)?
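An added example, not part of the original issue thread or the chart: a small audit check that walks the user-supplied values of a release and reports secret-looking keys that hold a literal value. The key-name hints and reference-key names are assumptions, and the sample is constructed from the values shown above, in the JSON form that `helm get values langfuse -o json` produces.

```python
import json

# Assumed heuristics: key names that usually carry a secret, and key names
# that only point at an existing Kubernetes Secret (not a leak by themselves).
SECRET_KEY_HINTS = ("password", "secret", "salt", "token", "apikey", "api_key")
REFERENCE_HINTS = ("existingsecret", "secretname", "secretkeyref")

# Constructed sample: the values from the issue, rendered as JSON.
SAMPLE_VALUES_JSON = """
{"ingress": {"enabled": false},
 "langfuse": {"nextauth": {"secret": 1234,
                           "url": "https://langfuse.example.org/"},
              "salt": 5678,
              "telemetryEnabled": true},
 "postgresql": {"auth": {"database": "langfuse", "password": "dbpassword",
                         "username": "archlet"},
                "deploy": false,
                "host": "langfuse.postgres.database.azure.com"},
 "service": {"type": "ClusterIP"}}
"""

def is_secret_key(key):
    k = key.lower()
    if any(r in k for r in REFERENCE_HINTS):
        return False  # a reference to a Secret object, not the secret itself
    return any(h in k for h in SECRET_KEY_HINTS)

def find_plaintext_secrets(values, path=""):
    """Return sorted dotted paths of secret-looking keys with literal values."""
    findings = []
    if isinstance(values, dict):
        for key, val in values.items():
            child = f"{path}.{key}" if path else key
            if isinstance(val, (dict, list)):
                findings += find_plaintext_secrets(val, child)
            elif (is_secret_key(key) and not isinstance(val, bool)
                  and val not in (None, "")):
                findings.append(child)
    elif isinstance(values, list):
        for i, item in enumerate(values):
            findings += find_plaintext_secrets(item, f"{path}[{i}]")
    return sorted(findings)

def audit_json(text):
    """Audit the JSON text of a release's user-supplied values."""
    return find_plaintext_secrets(json.loads(text))

if __name__ == "__main__":
    for finding in audit_json(SAMPLE_VALUES_JSON):
        print("plaintext secret in release values:", finding)
```
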

mautini commented 1 month ago

Hi @alecor191,

I think there are two solutions (that are not exclusive):

alecor191 commented 1 month ago

Thanks @mautini! For the first option the Helm chart would have to be updated, right? I believe it currently doesn't support providing references to K8S secrets.

The second recommendation is for sure a viable option. For us it's just a bit overkill to set up the Helm secrets plugin just for Langfuse (we don't have the need for it on any other Helm chart we use in our clusters).

mautini commented 1 month ago

Yes, the first option needs an MR. Actually, if you keep the same name for the secrets you just have an option to not generate the secrets via the helm chart, no need to set up a custom ref.

japan4415 commented 2 days ago

I encountered the same issue. I will create a PR, could you please review it?