Support pre-existing kubernetes secrets

sonatype / nxrm3-ha-repository

Repository for YAML configuration files for Nexus Repository Manager High Availability Feature

23 stars 25 forks source link

Support pre-existing kubernetes secrets #61

Open renesch-de opened 9 months ago

renesch-de commented 9 months ago

Currently, two option exist for referencing the License-File and DB-/Admin-credentials:

Via the secrets-store.csi.x-k8s.io/v1 API.
As a Kubernetes secret, directly created by the Helm-Chart.

It would be helpful to introduce a third option where a pre-existing Kubernetes secret can be referenced. This would be beneficial when other Azure Key-Vault synchronization mechanisms are in use, like akv2k8s (https://akv2k8s.io/).

snakebyte91 commented 9 months ago

We use the external secrets operator to manage our kubernetes secrets. The reference of existing secrets would help us.

snakebyte91 commented 9 months ago

Workaround for pre-existing secrets:

nameOverride: nexus-ha
secret:
  license:
    name: license.lic
    licenseSecret:
      mountPath: /etc/nexus-license/
statefulset:
  additionalVolumes:
    - name: nexus-pro-license
      secret:
        secretName: nexus-pro-license
  additionalVolumeMounts:
    - name: nexus-pro-license
      mountPath: /etc/nexus-license/
      readOnly: true

Create the secrets nexus-ha-adminsecret and nexus-ha-dbsecret. This could be done by a tool of your choice or manually. The prefix nexus-ha is taken from nameOverride.

bobotimi commented 8 months ago

We have some work in progress to support external-secret operator: https://github.com/sonatype/nxrm3-ha-repository/pull/66

mpsOxygen commented 3 months ago

This is of great interest to me as well. Also it would be really useful to just specify a preexisting secret name for DB creds, as we have an operator that spins up the DB and creates a secret with all the necessary creds.

sinaure commented 2 months ago

I agree to support preexisting secret names is a real need we use bitnami sealed secrets and install a secret store is not an urgent need so this is a complete blockage from chart adoption. As it is the options available are between:

use a secret store (Via the secrets-store.csi.x-k8s.io/v1 API.)
have zero protection exposing secrets in values : complete non sense in my opinion (As a Kubernetes secret, directly created by the Helm-Chart.)

mpsOxygen commented 2 months ago

If you keep you values files in git for ArgoCD to consume, you cannot have any secret in the values files.

mpsOxygen commented 2 months ago

I've opened this PR to fix these problems: https://github.com/sonatype/nxrm3-ha-repository/pull/99