Closed fmassot closed 4 months ago
I am trying to setup quickwit using fluxcd gitops, but the helm chart secret encapsulation concerns me.
I see that only `postgres.password`, `s3.secret_key` and `azure_blob.access_key` are treated as secret:
While `QW_S3_ENDPOINT` / `AWS_REGION` / `AWS_ACCESS_KEY_ID`, `QW_AZURE_STORAGE_ACCOUNT` and `POSTGRES_HOST` / `POSTGRES_PORT` / `POSTGRES_DATABASE` / `POSTGRES_USERNAME` are all derived from plain text in helm values:
More often these external credentials are stored together and separating external credentials from helm values is a huge gain in terms of security.
Maybe we could also consider utilizing k8s `envFrom` in future implementation and keep credential envVars in k8s secret.
P.S. I think keys in secret could just use their corresponding ENV_VAR as key name.
Solved by #85
I really don't like having to define secrets in the yaml file `values.yaml`. Bitnami charts solve this issue by defining an optional `existingSecret` variable. Let's do that.
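As an added illustration (not code from the quickwit helm chart or from the thread's participants) of the `existingSecret` / `envFrom` approach discussed above: a Secret whose keys are the env var names from the issue, a `values.yaml` knob and a Deployment template excerpt that switches between the Secret and the old inline values. The Secret name, the `existingSecret` value name, the template path, the image and the `POSTGRES_PASSWORD` variable are assumptions; all values are constructed placeholders.

```yaml
# 1) A Secret managed outside the chart (e.g. encrypted with SOPS or
#    sealed-secrets in the Flux git repo). Keys are the env var names
#    themselves, so the chart needs no key-to-variable mapping.
apiVersion: v1
kind: Secret
metadata:
  name: quickwit-credentials          # assumed name
type: Opaque
stringData:
  QW_S3_ENDPOINT: "https://s3.example.invalid"   # constructed
  AWS_REGION: "us-east-1"
  AWS_ACCESS_KEY_ID: "AKIA-PLACEHOLDER"
  AWS_SECRET_ACCESS_KEY: "PLACEHOLDER"           # standard AWS SDK variable
  QW_AZURE_STORAGE_ACCOUNT: "PLACEHOLDER"
  POSTGRES_HOST: "postgres.example.invalid"
  POSTGRES_PORT: "5432"
  POSTGRES_DATABASE: "quickwit"
  POSTGRES_USERNAME: "quickwit"
  POSTGRES_PASSWORD: "PLACEHOLDER"               # assumed variable name
---
# 2) values.yaml knob (assumed name, following the Bitnami convention):
#      existingSecret: quickwit-credentials
#    Leaving it empty keeps the current behaviour of reading credentials
#    from values.yaml.
#
# 3) Deployment template excerpt (assumed path templates/deployment.yaml).
#    With existingSecret set, every credential is injected from the Secret
#    via envFrom and nothing sensitive has to live in values.yaml; otherwise
#    the chart falls back to its inline values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: quickwit
spec:
  template:
    spec:
      containers:
        - name: quickwit
          image: quickwit/quickwit      # assumed
          {{- if .Values.existingSecret }}
          envFrom:
            - secretRef:
                name: {{ .Values.existingSecret | quote }}
          {{- else }}
          env:
            - name: AWS_SECRET_ACCESS_KEY     # inline fallback, values key from the issue
              value: {{ .Values.s3.secret_key | quote }}
            - name: POSTGRES_PASSWORD         # assumed variable name
              value: {{ .Values.postgres.password | quote }}
          {{- end }}
```

A `kubectl get secret quickwit-credentials -o yaml` after reconciliation confirms the credentials exist only in the Secret and never pass through the Helm release values.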