Move the postgres password into a secret and allow for passing an existing secret #206
@@ -0,0 +1,14 @@ | |||
{{- if .Values.postgresPassword -}} |
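Review bot: the `{{- if .Values.postgresPassword -}}` guard on the first line only decides whether a Secret is rendered, and the remaining lines of this 14-line template are not shown here. Confirm that the body fails rendering when `existingPostgresPasswordSecretName` is set as well, so that supplying both a password and an existing secret name is rejected instead of silently creating a second Secret.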
We could make this as a define, and add the needed values (pwd, existing secret name, key and env name, etc) in the dict params. And then we have the one for OAPI too ^_^
Sorry, I don't follow. Could you provide a code example?
Basically my Mistral secret is:
```yaml
{{- include "lumigator.mistral-default-secret" . -}}
{{- if .Values.mistralAPIKey -}}
{{- if .Values.existingMistralAPISecret -}}
{{- fail "A Mistral key and an existing Mistral Secret name cannot be provided at the same time" -}}
{{- end -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "lumigator.mistral-secret-name" . }}
  labels:
    {{- include "lumigator.labels" . | nindent 4 }}
type: Opaque
data:
  {{ .Consts.mistralSecretKey }}: {{ .Values.mistralAPIKey | b64enc | quote }}
{{- end -}}
```
Which is quite similar. Maybe we could make a template like this...
```yaml
{{ define "lumigator-secret" }}
{{- if .secretToken -}}
{{- if .existingSecretName -}}
{{- fail .onlyOneMsg -}}
{{- end -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .secretName }}
  labels:
    {{- /* "." here is the dict passed by the caller, not the chart root */}}
    {{- include "lumigator.labels" . | nindent 4 }}
type: Opaque
data:
  {{ .secretTokenKey }}: {{ .secretTokenValue | b64enc | quote }}
{{- end -}}
{{ end }}
```
And then use it like...
```yaml
{{- include "lumigator-secret" (dict "secretToken" .Values.postgresPassword "existingSecretName" .Values.existingPostgresPasswordSecretName "secretTokenKey" .Values.postgresPasswordSecretKey "secretTokenValue" .Values.postgresPassword "secretName" (include "lumigator.postgresqlPasswordSecretName" .) ) -}}
```
(Fixing details, I'd need to check the includes there). As I mentioned, one could also do:
```yaml
{{ define "postgress-data" }}
{{- /* values are quoted so that special characters survive the fromYaml round trip */}}
secretToken: {{ .Values.postgresPassword | quote }}
existingSecretName: {{ .Values.existingPostgresPasswordSecretName | quote }}
secretTokenKey: {{ .Values.postgresPasswordSecretKey | quote }}
secretTokenValue: {{ .Values.postgresPassword | quote }}
secretName: {{ include "lumigator.postgresqlPasswordSecretName" . | quote }}
{{ end }}
{{ $params := fromYaml (include "postgress-data" .) }}
{{- include "lumigator-secret" $params }}
```
Of course, this depends on how much we want to keep templates consistent. Maybe the secrets will not be homogeneous; maybe they will, so we'd need to make the same changes across all secrets.
If you see this as too complicated, then just resolve the issue and keep the secret as it is 👍
postgresPassword: "" | ||
|
||
# Use an existing secret, set this value OR use 'postgresPassword' | ||
existingPostgresPasswordSecretName: "" |
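Review bot: both `postgresPassword` and `existingPostgresPasswordSecretName` default to `""`, and the comment above `existingPostgresPasswordSecretName` says to set one OR the other without saying what happens when neither is set. Because the Secret template is skipped when `postgresPassword` is empty, an install with the defaults would render no password Secret at all. Consider failing at render time when both values are empty, and state in the comment that exactly one of the two is required.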
We should clarify that the user has to use only one of the two options (provide the key or the secret), like we did with the keys
No description provided.