trinodb / charts

Apache License 2.0
151 stars 173 forks source link

Conflicting secrets when specifying both `passwordAuthSecret` and authentication groups + using ExternalSecret operator #188

Closed robertpikmets closed 5 days ago

robertpikmets commented 4 months ago

I've run into a problem when trying to implement combination of the following: – managing the password.db file via an ExternalSecret (populated from Vault), which creates the secret that I pass as passwordAuthSecret in values.yaml – implementing user groups

Without specifying auth: groups, everything is fine as the helm chart does not create a Secret on its own. In this case, we can use the Secret managed by ExternalSecret as passwordAuthSecret.

However, if there is a value for auth: groups, Helm attempts to create an additional secret of the same name, creating a conflict. A volume called file-authentication-volume is created from the secret, which expects both password.db and group.db to exist in it. However, as the secret managed by the ExternalSecret operator takes precedent, only password.db is found.

As it doesn't make a lot of sense to manage user groups via Vault in the same way we manage passwords, I believe the best approach would be to split password.db and group.db into separate secrets, volumes and volumemounts. file.group-file and file.password-file would have to be adjusted accordingly as well in the coordinator's configmap.

Let me know if that sounds reasonable and if yes, I will create a PR. Thanks.

nineinchnick commented 4 months ago

If groups can be managed without passwords, then it makes sense to have separate secrets. A PR would be great, thank you!

nineinchnick commented 5 days ago

This should be fixed by #231