I've run into a problem when trying to implement a combination of the following:
– managing the password.db file via an ExternalSecret (populated from Vault), which creates the secret that I pass as passwordAuthSecret in values.yaml
– implementing user groups
Without specifying auth: groups, everything is fine as the helm chart does not create a Secret on its own. In this case, we can use the Secret managed by ExternalSecret as passwordAuthSecret.
However, if there is a value for auth: groups, Helm attempts to create an additional secret of the same name, creating a conflict. A volume called file-authentication-volume is created from the secret, which expects both password.db and group.db to exist in it. However, as the secret managed by the ExternalSecret operator takes precedence, only password.db is found.
As it doesn't make a lot of sense to manage user groups via Vault in the same way we manage passwords, I believe the best approach would be to split password.db and group.db into separate secrets, volumes and volumeMounts. file.group-file and file.password-file would have to be adjusted accordingly as well in the coordinator's configmap.
Let me know if that sounds reasonable and if yes, I will create a PR. Thanks.
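A sketch of the split layout proposed above, added here as an illustration and not taken from the issue or the chart; every name (secret names, the SecretStore, the Vault path, mount paths, the image) is an assumption:

```yaml
# Assumed example, not from the chart: password.db comes from an ExternalSecret,
# group.db from a plain Secret, each mounted separately into the coordinator.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: trino-password-db          # assumed name
spec:
  secretStoreRef:
    name: vault-backend            # assumed SecretStore
    kind: ClusterSecretStore
  target:
    name: trino-password-db        # the Secret the operator creates and owns
  data:
    - secretKey: password.db
      remoteRef:
        key: secret/trino/auth     # assumed Vault path
        property: password.db
---
apiVersion: v1
kind: Secret
metadata:
  name: trino-group-db             # assumed name, distinct from the one above
stringData:
  group.db: |                      # constructed sample group file
    admins:alice,bob
    analysts:carol
---
# Coordinator pod spec fragment (assumed): one volume per secret, both read-only.
apiVersion: v1
kind: Pod
metadata:
  name: trino-coordinator
spec:
  containers:
    - name: trino
      image: trinodb/trino         # placeholder image reference
      volumeMounts:
        - name: password-auth
          mountPath: /etc/trino/auth/password
          readOnly: true
        - name: group-auth
          mountPath: /etc/trino/auth/group
          readOnly: true
  volumes:
    - name: password-auth
      secret:
        secretName: trino-password-db
    - name: group-auth
      secret:
        secretName: trino-group-db
```

The coordinator's config would then point file.password-file at /etc/trino/auth/password/password.db and file.group-file at /etc/trino/auth/group/group.db, so no single Secret has to carry both keys and the operator-managed object never collides with the chart-managed one.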