mattermost / mattermost-helm

Mattermost Helm charts for Kubernetes
Apache License 2.0

Passwords not stored in secrets #140

Open gansb opened 4 years ago

gansb commented 4 years ago

Secrets should be storable in existing Kubernetes secrets so that they don't have to be passed directly to helm. This is possible for certificates, but not for:

This is important when using tools like helmfile, for instance, because then the configuration values are checked into source control, and it's important that there is an alternative way of handling secret values. Referencing existing secrets is a flexible way to do this.

Sadzeih commented 4 years ago

Would love this too!

rissson commented 3 years ago

This. So much this.

cpanato commented 3 years ago

@gansb are you willing to propose a PR to fix this?

ruckc commented 2 years ago

@cpanato - I'm willing to PR this, but given you shove the dataSource value into the config json, there isn't much we can do. To wire secrets like username/password into a container, we need to either pass them as environment variables or a secret mounted as a directory. Given the dataSource with username/passwords are stored in a configmap (not even a secret), this makes it impossible to properly store as a secret.

ruckc commented 2 years ago

Ideally, the config json should be stored as a secret since it stores sensitive information, or there should be some way of Mattermost picking up environment variables to specify specific values, i.e. MM_SERVICESETTINGS_SQLSETTINGS_DATASOURCE.
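The pattern the issue asks for, as an added illustration that is not part of the chart or of this thread: the database DSN lives in a pre-existing Kubernetes Secret (created out of band, so it never appears in `values.yaml`, a helmfile, or a ConfigMap), and the container receives it through an environment variable with `valueFrom.secretKeyRef`. The Secret name `mattermost-db-credentials`, the key `dataSource`, the image tag and the connection string are constructed placeholders. The variable `MM_SQLSETTINGS_DATASOURCE` is Mattermost's documented environment override for `SqlSettings.DataSource` (the comment above spells it with an extra `SERVICESETTINGS_` segment); the assumption here is that the deployed Mattermost version honours that override so the value does not need to be written into `config.json`.

```yaml
# Created separately (e.g. kubectl create secret generic, or a sealed/external
# secret controller), NOT rendered from chart values. Placeholder value only.
apiVersion: v1
kind: Secret
metadata:
  name: mattermost-db-credentials   # assumed name
type: Opaque
stringData:
  dataSource: "postgres://mmuser:CHANGE-ME@postgres:5432/mattermost?sslmode=require"
---
# Minimal Deployment fragment showing how the workload consumes that Secret.
# Only the fields relevant to secret wiring are shown.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mattermost
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mattermost
  template:
    metadata:
      labels:
        app: mattermost
    spec:
      automountServiceAccountToken: false   # the app does not need the API token
      containers:
        - name: mattermost
          image: mattermost/mattermost-team-edition:PLACEHOLDER-TAG
          env:
            # Environment override for SqlSettings.DataSource; the DSN with the
            # password is read from the Secret at pod start and never written
            # into the ConfigMap-backed config.json.
            - name: MM_SQLSETTINGS_DATASOURCE
              valueFrom:
                secretKeyRef:
                  name: mattermost-db-credentials   # must exist before rollout
                  key: dataSource
          ports:
            - containerPort: 8065
```

With this layout the checked-in values only need the Secret's name, and the same manifest works whether the Secret is created by hand, by a secrets operator, or from a CI pipeline. One check worth keeping in mind: `kubectl get deploy mattermost -o yaml` will show the `secretKeyRef`, not the DSN, whereas a DSN embedded in a ConfigMap is readable by anyone with `get configmaps` in the namespace.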

ruckc commented 2 years ago

It appears, since you pass the dataSource directly into gorm, that it would support libpq environment variables with a standard `postgres://` DSN, but that would only be supported on PostgreSQL, not MySQL, which would make the deployment yamls even more complicated.

cpanato commented 2 years ago

@ruckc I'm no longer at Mattermost, but you can discuss this with the team; tagging @jasonblais and @spirosoik, who can help you.