loft-sh / vcluster

vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
https://www.vcluster.com
Apache License 2.0

controlPlane.backingStore.database.external.dataSource should be able to be read from a Secret #1755

Open virtualdxs opened 4 months ago

virtualdxs commented 4 months ago

Is your feature request related to a problem?

I use the cloudnative-pg operator to deploy Postgres databases in my Kubernetes host cluster. It automatically creates a Secret with the credentials and endpoint information of how to connect to the Postgres database, as is common. I would like to be able to tell vCluster to get its database connection information from that secret.

This allows me to never need to store the database password in my configuration repository. As it stands, I must store the database password unencrypted in the values.yaml for the Helm release.

Which solution do you suggest?

Support specifying an existingSecret to retrieve this information from. To use the Nextcloud helm chart as an example:

existingSecret:
  enabled: false
  # secretName: nameofsecret
  usernameKey: db-username
  passwordKey: db-password
  # hostKey: db-hostname-or-ip
  # databaseKey: db-name

This example uses separate keys for username, password, etc., but just being able to retrieve the URI from a secret would be sufficient.

Which alternative solutions exist?

Allow a custom config Secret to be specified in the Helm chart so I can use SOPS to securely store it encrypted in my configuration repository.

Additional context

No response
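One way the key mapping proposed above could be resolved into a connection string, as an added example: this is not vcluster's code and does not reflect how the project will implement the feature. ExistingSecretRef, the key names, the sample Secret contents and the sslmode setting are all constructed for the illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
)

// ExistingSecretRef is a hypothetical key mapping in the shape the issue proposes, not vcluster's real schema.
type ExistingSecretRef struct {
	UsernameKey, PasswordKey, HostKey, DatabaseKey string
}
// SampleSecretData is a constructed Secret `data:` block (base64, as in a manifest), not a real cloudnative-pg Secret.
var SampleSecretData = map[string]string{
	"username": "YXBw",         // app
	"password": "cEBzczp3MHJk", // p@ss:w0rd (contains URI-reserved characters)
	"host":     "ZGI6NTQzMg==", // db:5432
	"dbname":   "dmNsdXN0ZXI=", // vcluster
}
// BuildDataSource decodes the referenced keys and assembles a Postgres URI. The password is
// percent-encoded so '@' or ':' in it cannot corrupt the URI, and TLS is required explicitly.
func BuildDataSource(data map[string]string, ref ExistingSecretRef) (string, error) {
	var vals [4]string
	for i, key := range []string{ref.UsernameKey, ref.PasswordKey, ref.HostKey, ref.DatabaseKey} {
		raw, ok := data[key]
		if !ok {
			return "", fmt.Errorf("secret has no key %q", key)
		}
		b, err := base64.StdEncoding.DecodeString(raw)
		if err != nil || len(b) == 0 {
			return "", fmt.Errorf("key %q is empty or not valid base64", key)
		}
		vals[i] = string(b)
	}
	u := url.URL{Scheme: "postgresql", User: url.UserPassword(vals[0], vals[1]),
		Host: vals[2], Path: "/" + vals[3], RawQuery: "sslmode=require"}
	return u.String(), nil
}

// Redact masks the password so the resolved data source can be logged safely.
func Redact(dsn string) (string, error) {
	u, err := url.Parse(dsn)
	if err != nil {
		return "", err
	}
	if _, has := u.User.Password(); has {
		u.User = url.UserPassword(u.User.Username(), "REDACTED")
	}
	return u.String(), nil
}
```

Only the redacted form should ever reach logs or events; the raw URI stays in memory of the process that opens the connection.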

heiko-braun commented 4 months ago

Thanks, it's a reasonable request and we are already looking into it. Unfortunately, I don't have any concrete dates yet.