-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secret handling - where should passwords, etc. be added #117
Comments
Relates to #112 (comment) |
One area where I would like to see some improved secrets management is for providing custom environment variables to Invenio. Today, custom environment variables can be added via a ConfigMap helm-invenio/charts/invenio/templates/web-deployment.yaml Lines 28 to 30 in eb6544f
But there's no way to add custom values via a Secret instead. I see no reason to keep the ConfigMap, I think that it can be replaced by a secret altogether (replacing EDIT: Scratch that! There's already a mechanism for that!! Just implemented a bit differently… helm-invenio/charts/invenio/templates/web-deployment.yaml Lines 83 to 89 in eb6544f
|
I absolutely agree with you. To make the whole thing even more flexible for the user, you could also implement it in this way: values.yaml ## @param invenio.envFrom Load environment variables from kubernetes secret or config map to each invenio pod (web. worker, worker-beat)
##
envFrom: []
# - secretRef:
# name: env-secret
# - configMapRef:
# name: config-map web-deployment.yaml command:...
envFrom:
{{- with .Values.invenio.envFrom }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:... This means that the user is completely free to decide what he wants to add to the pod as env vars and from where. |
I think that sounds great. Are we also aiming to distinguish between the envs for web and worker containers? Because today, it seems like both containers get the same variables added to them. Not sure if it's a big problem, just that it feels like an uncommon pattern and tight coupling. |
Yes, I think it makes sense to implement this for the individual pods and to separate it. However, I am not yet familiar enough with the software to be able to say which env vars are necessary in the web and which in the worker or whether both always need the same ones. |
* Deprecates non camelcase sentry variables. * Addresses secret handling as described in inveniosoftware#117.
* Deprecates non-camelcase sentry variables. * Addresses secret handling as described in inveniosoftware#117.
* Deprecates non-camelcase sentry variables. * Addresses secret handling as described in inveniosoftware#117.
* Deprecates non-camelcase sentry variables. * Addresses secret handling as described in inveniosoftware#117.
* Deprecates non-camelcase sentry variables. * Addresses secret handling as described in inveniosoftware#117.
* Deprecates non-camelcase sentry variables. * Addresses secret handling as described in inveniosoftware#117.
* Deprecates non-camelcase sentry variables. * Addresses secret handling as described in inveniosoftware#117.
* Deprecates non-camelcase sentry variables. * Addresses secret handling as described in inveniosoftware#117.
I think the best way to handle this is to leave it up to the user whether he enters the password as plaintext in the values.yaml or integrates it via an existing secret. Here bitnami also has good examples. This procedure could also be useful for all backend service connection strings like postgresql.
Example:
The text was updated successfully, but these errors were encountered: