piiano / helm-charts

Helm charts for Piiano products
MIT License

Helm chart does not support environment variables #13

Closed blagerweij closed 1 year ago

blagerweij commented 1 year ago

We are using Hashicorp Vault to inject secrets into the deployment workloads. However, the current template does not support this.

What we would like is to configure something like this in values.yaml:

```yaml
pvault:
  env:
  - name: PVAULT_DB_HOSTNAME
    value: ${vault:secrets/data/database/users/piianodb#database}
```

david-piiano commented 1 year ago

The helm chart supports injection of the following variables from Kubernetes secrets:

Specifically, the variables are:

  1. pvault.db.existingPasswordSecret
  2. pvault.app.existingAdminAPIKeySecret
  3. pvault.app.existingLicenseSecret

@blagerweij Can you map the hashicorp secrets into K8S secrets to leverage this functionality? We did it for AWS secrets in our case.

nirhaas commented 1 year ago

@blagerweij this is possible with https://external-secrets.io/v0.8.1/provider/hashicorp-vault
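The mapping david-piiano and nirhaas describe (sync a Vault secret into a Kubernetes Secret, then point the chart's `existingPasswordSecret` value at it) looks like the following. This is an added illustration, not code from the piiano/helm-charts project or from either commenter; it assumes the External Secrets Operator `v1beta1` CRDs, a KV v2 engine mounted at `secrets` as in the original report, Vault's Kubernetes auth method with a role named `pvault`, and that the chart reads the password from a key named `password` in the referenced Secret (that key name is an assumption, check the chart's secret template).

```yaml
# SecretStore: how the operator authenticates to Vault (assumed address and role).
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: vault-backend
  namespace: pvault
spec:
  provider:
    vault:
      server: "https://vault.example.internal:8200"   # assumed address
      path: "secrets"                                   # KV mount from the original report
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"                       # assumed auth mount
          role: "pvault"                                # assumed Vault role
          serviceAccountRef:
            name: "external-secrets"
---
# ExternalSecret: operator writes the Vault value into a Kubernetes Secret it owns.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: pvault-db-credentials
  namespace: pvault
spec:
  refreshInterval: 1h                                   # re-sync so rotation in Vault propagates
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: pvault-db-credentials                         # Secret name the chart will reference
    creationPolicy: Owner                               # Secret is deleted with this resource
  data:
    - secretKey: password                               # key the chart is assumed to read
      remoteRef:
        key: database/users/piianodb                    # path under the "secrets" mount (constructed)
        property: password                              # field inside the KV v2 secret (constructed)
---
# values.yaml fragment for the chart: reference the synced Secret instead of a literal.
pvault:
  db:
    existingPasswordSecret: pvault-db-credentials
```

With `pvault.app.existingAdminAPIKeySecret` and `pvault.app.existingLicenseSecret` handled the same way, no credential value ever appears in `values.yaml` or in the rendered ConfigMap, and rotating the value in Vault is picked up on the next `refreshInterval`; the trade-off, as the reporter notes in the next comment, is that three Kubernetes Secrets now exist in the namespace and need RBAC scoping like any other Secret.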

blagerweij commented 1 year ago

Thanks for your response. Your suggested workarounds probably work, but it would require that we create 3 new secrets, where we prefer not to use K8S secrets at all. We are using Hashicorp vault in combination with Banzaicloud mutating webhook. This allows us to inject secrets in Pods. The webhook also supports secrets and configmaps, but then these resources would have to be annotated so that the webhook knows that the configmap or secret contains placeholder references. See https://banzaicloud.com/docs/bank-vaults/mutating-webhook/annotations/

The current helm-chart supports 'extraEnvVars', but these are not added as kubernetes environment variables on the pod, instead they are added to the TOML file in the configmap. We were expecting that this setting would allow us to add environment variables to the pod spec.

To support our deployment scenario, we would need one of the below:

  1. Support for 'real' environment variables in the deployment podspec
  2. Support for custom annotations on the pvault configmap or secret.

I think both of the above changes would make the helm-chart more versatile to use.

nirhaas commented 1 year ago
> 1. Support for 'real' environment variables in the deployment podspec

This is the case. The ConfigMap is defined here, and applied as environment ('real') here.

> 2. Support for custom annotations on the pvault configmap or secret.

Added by #18. According to this example, I think that podAnnotations can also be useful for your use case.

Thanks and please let us know if it worked out for you :)