quickwit-oss / helm-charts

Helm charts for Quickwit
https://helm.quickwit.io
MIT License
22 stars, 28 forks

Load secrets from an existing secret #48

Closed fmassot closed 4 months ago

fmassot commented 1 year ago

I really don't like having to define secrets in the yaml file values.yaml.

Bitnami charts solve this issue by defining an optional existingSecret variable.

Let's do that.

networkhermit commented 1 year ago

I am trying to set up quickwit using fluxcd gitops, but the helm chart secret encapsulation concerns me.

I see that only postgres.password, s3.secret_key and azure_blob.access_key are treated as secret:

https://github.com/quickwit-oss/helm-charts/blob/dab71b141e2afef2e70db2369631f2876f4d1630/charts/quickwit/templates/secret.yaml#L9-L17

While QW_S3_ENDPOINT / AWS_REGION / AWS_ACCESS_KEY_ID, QW_AZURE_STORAGE_ACCOUNT and POSTGRES_HOST / POSTGRES_PORT / POSTGRES_DATABASE / POSTGRES_USERNAME are all derived from plain text in helm values:

https://github.com/quickwit-oss/helm-charts/blob/dab71b141e2afef2e70db2369631f2876f4d1630/charts/quickwit/templates/_helpers.tpl#L143-L172

https://github.com/quickwit-oss/helm-charts/blob/dab71b141e2afef2e70db2369631f2876f4d1630/charts/quickwit/templates/_helpers.tpl#L188-L210

More often, these external credentials are stored together, and separating external credentials from helm values is a huge gain in terms of security.

Maybe we could also consider utilizing k8s envFrom in a future implementation and keep credential envVars in k8s secret.

P.S.

I think keys in secret could just use their corresponding ENV_VAR as key name.
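As an added example (not a template from quickwit-oss/helm-charts), here is one way to wire up the two ideas raised in this thread: a Bitnami-style `existingSecret` opt-in, and `envFrom` with the Secret keyed by env var names so no credential ever passes through `values.yaml`. Assumed names, chosen for illustration: the values key `existingSecret`, the helpers `quickwit.fullname` and `quickwit.secretName`, the container name `quickwit`, and the env var names `POSTGRES_PASSWORD`, `AWS_SECRET_ACCESS_KEY` and `QW_AZURE_STORAGE_ACCESS_KEY` for the three values the chart currently keeps in its Secret; the values keys `postgres.password`, `s3.secret_key` and `azure_blob.access_key` are the ones cited above.

```yaml
# Added example, not code from the quickwit-oss/helm-charts repository.
# Assumed/hypothetical: values key `existingSecret`, helpers `quickwit.fullname`
# and `quickwit.secretName`, container name `quickwit`, and the three env var
# names used as Secret keys below.

# --- values.yaml (fragment) ---
# existingSecret: ""      # name of a Secret created outside the chart (for
#                         # example by a SealedSecret or ExternalSecret under
#                         # GitOps). When set, the chart renders no Secret and
#                         # reads no credential from values.yaml at all.
# postgres:
#   password: ""          # used only when existingSecret is empty
# s3:
#   secret_key: ""
# azure_blob:
#   access_key: ""

# --- templates/secret.yaml ---
# Render the chart-managed Secret only when no external Secret was supplied.
{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "quickwit.fullname" . }}
type: Opaque
stringData:
  # Keys are the env var names the process expects, so envFrom needs no
  # per-variable mapping. An externally managed Secret may carry more keys
  # (AWS_ACCESS_KEY_ID, POSTGRES_USERNAME, ...) in the same way.
  POSTGRES_PASSWORD: {{ .Values.postgres.password | quote }}
  AWS_SECRET_ACCESS_KEY: {{ .Values.s3.secret_key | quote }}
  QW_AZURE_STORAGE_ACCESS_KEY: {{ .Values.azure_blob.access_key | quote }}
{{- end }}

# --- templates/_helpers.tpl ---
# Resolve which Secret the pods read: the user-supplied one if given,
# otherwise the chart-managed one rendered above.
{{- define "quickwit.secretName" -}}
{{- default (include "quickwit.fullname" .) .Values.existingSecret -}}
{{- end }}

# --- container spec fragment (Deployment / StatefulSet templates) ---
containers:
  - name: quickwit
    envFrom:
      # Every key of the Secret becomes an env var of the same name.
      - secretRef:
          name: {{ include "quickwit.secretName" . }}
```

A quick check that the opt-in actually keeps credentials out of the rendered manifests: `helm template . --set existingSecret=my-quickwit-creds | grep -c 'kind: Secret'` should print `0`, and the rendered pod spec should reference `my-quickwit-creds` under `secretRef`. With `existingSecret` left empty, the same command renders exactly one Secret populated from `values.yaml`, preserving today's behaviour for users who have not migrated.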

idrissneumann commented 4 months ago

Solved by #85