quickwit-oss / helm-charts

Helm charts for Quickwit
https://helm.quickwit.io
MIT License

Do not use secret from values file #63

Closed nlamirault closed 5 months ago

nlamirault commented 9 months ago

I would like to store S3 credentials and PostgreSQL password into an external secret file and not use the values.yaml file.

We could do it like this:

# -- Specify an existing secret containing Quickwit configuration.
existingSecretForConfig: true

searcher:
  extraEnvFrom:
    - secretRef:
        name: quickwit-credentials

indexer:
  extraEnvFrom:
    - secretRef:
        name: quickwit-credentials

metastore:
  extraEnvFrom:
    - secretRef:
        name: quickwit-credentials

control_plane:
  extraEnvFrom:
    - secretRef:
        name: quickwit-credentials

janitor:
  extraEnvFrom:
    - secretRef:
        name: quickwit-credentials

bootstrap:
  extraEnvFrom:
    - secretRef:
        name: quickwit-credentials

and the outputs:

# Source: quickwit/templates/searcher-statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: release-name-quickwit-searcher
  labels:
    helm.sh/chart: quickwit-0.6.0
    app.kubernetes.io/name: quickwit
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/version: "v0.7.0"
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 3
  serviceName: release-name-quickwit-headless
  selector:
    matchLabels:
      app.kubernetes.io/name: quickwit
      app.kubernetes.io/instance: release-name
      app.kubernetes.io/component: searcher
  template:
    metadata:
      annotations:
        checksum/config: c6e241d5c75458b6f77c0e7d804947734cb320eb74667a4d795ba40c52a3392e
      labels:
        app.kubernetes.io/name: quickwit
        app.kubernetes.io/instance: release-name
        app.kubernetes.io/component: searcher
    spec:
      serviceAccountName: release-name-quickwit
      securityContext:
        fsGroup: 1005
      containers:
        - name: quickwit
          securityContext:
            runAsNonRoot: true
            runAsUser: 1005
          image: "quickwit/quickwit:v0.7.0"
          imagePullPolicy: IfNotPresent
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: QW_CONFIG
              value: node.yaml
            - name: QW_CLUSTER_ID
              value: default-release-name-quickwit
            - name: QW_NODE_ID
              value: "$(POD_NAME)"
            - name: QW_PEER_SEEDS
              value: release-name-quickwit-headless
            - name: QW_ADVERTISE_ADDRESS
              value: "$(POD_IP)"
          envFrom:
            - secretRef:
                name: quickwit-credentials
          args: ["run", "--service", "searcher"]
...

Linked to #48
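A check for the outcome this issue asks for, as an added example that is not part of the thread or of the chart: given workload objects as JSON (for instance the `items` of `kubectl get statefulset,deployment -o json`), it flags literal credentials in `env` and containers that do not load `quickwit-credentials` through `envFrom`. The name patterns, function names and sample workloads are constructed assumptions.

```python
import json
import re

# Env var names that must not carry a literal value (assumed pattern list).
SENSITIVE_NAME = re.compile(r"SECRET|PASSWORD|TOKEN|ACCESS_KEY", re.I)
# URI with an embedded password, e.g. postgres://user:pass@host/db
URI_WITH_PASSWORD = re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@\s]+@", re.I)

def audit_workload(workload, expected_secret):
    """Return findings for one Deployment/StatefulSet/Job object (a dict)."""
    findings = []
    name = workload["metadata"]["name"]
    pod_spec = workload["spec"]["template"]["spec"]
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        where = f"{name}/{c['name']}"
        for var in c.get("env", []):
            value = var.get("value")
            if value is None:  # valueFrom (fieldRef, secretKeyRef) holds no literal
                continue
            if SENSITIVE_NAME.search(var["name"]) or URI_WITH_PASSWORD.match(value):
                findings.append(f"{where}: literal credential in env {var['name']}")
        refs = {e["secretRef"]["name"] for e in c.get("envFrom", []) if "secretRef" in e}
        if expected_secret not in refs:
            findings.append(f"{where}: envFrom does not reference {expected_secret}")
    return findings

def audit_all(workloads, expected_secret="quickwit-credentials"):
    return [f for w in workloads for f in audit_workload(w, expected_secret)]

# Constructed sample: one compliant workload, one with an inline credential.
SAMPLE = json.loads("""
[
 {"metadata": {"name": "qw-searcher"}, "spec": {"template": {"spec": {"containers": [
   {"name": "quickwit",
    "env": [{"name": "QW_CONFIG", "value": "node.yaml"},
            {"name": "POD_NAME", "valueFrom": {"fieldRef": {"fieldPath": "metadata.name"}}}],
    "envFrom": [{"secretRef": {"name": "quickwit-credentials"}}]}]}}}},
 {"metadata": {"name": "qw-metastore"}, "spec": {"template": {"spec": {"containers": [
   {"name": "quickwit",
    "env": [{"name": "QW_METASTORE_URI",
             "value": "postgres://quickwit:example-password@db:5432/metastore"}]}]}}}}
]
""")

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```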

fmassot commented 7 months ago

@nlamirault sorry for the delay, I'm on it.

nlamirault commented 7 months ago

First, thank you for this PR.

I have a few questions/remarks:

  • do you need a different secret file for each component?

No, I use the same secret for all the Quickwit components.

What do you think?

I don't like to set secrets in the values file. But some charts do that and let the user use "externalSecret" to bypass this behavior.