feat: deploy secrets as secretRef in chart values #2805
base: main
values/loki/loki-raw.gotmpl
Outdated
| {{- if eq $obj.type "linode" }} | ||
| S3_URL: "https://{{ $obj.linode.accessKeyId }}:{{ $obj.linode.secretAccessKey }}@{{ $obj.linode.region }}.linodeobjects.com/{{ $obj.linode.buckets.loki }}" | ||
| {{- end }} | ||
| {{- if eq $obj.type "minioLocal" }} | ||
| S3_URL: "http://otomi-admin:{{ $v.otomi.adminPassword }}@minio.minio.svc.cluster.local:9000/loki" | ||
| {{- end }} |
As the main objective is delegating this to Sealed Secrets, the templating would be better left in the loki.gotmpl. Therefore, accessKey and secretAccessKey / adminPassword (for minio) should be stored in one variable each. region and the bucket name are not sensitive values.
values/loki/loki.gotmpl
Outdated
| aws: | ||
| {{- if eq $obj.type "minioLocal" }} | ||
| s3: http://otomi-admin:{{ $v.otomi.adminPassword }}@minio.minio.svc.cluster.local.:9000/loki | ||
| s3: ${S3_URL} |
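Review bot: `${S3_URL}` in this hunk is only substituted if the Loki process is started with environment expansion enabled (the `-config.expand-env=true` flag); it is off by default, and without it the literal string `${S3_URL}` becomes the S3 endpoint. Please confirm the rendered container args enable it, and note that while `S3_URL` is still built from `accessKeyId`/`secretAccessKey` in `loki-raw.gotmpl`, the credentials are merely moved to another rendered value rather than kept out of the chart values.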
As mentioned above, probably something like
s3: http://otomi-admin:${OTOMI_ADMIN_PASSWORD}@minio.minio.svc.cluster.local.:9000/loki
and
s3: https://${S3_ACCESS_KEY_ID}:${S3_ACCESS_KEY_SECRET}@{{ $obj.linode.region }}.linodeobjects.com/{{ $obj.linode.buckets.loki }}
merll
left a comment
Requested changes as current implementation does not seem to work well when moving on to sealed secrets.
| resources: {{- $h.resources.core | toYaml | nindent 4 }} | ||
| secret: {{ $h | get "core.secret" nil | quote }} | ||
| existingSecretKey: harbor-core-secret-key |
core.existingSecretKey does not exist in the Harbor helm chart. Did you mean core.secretName?
We have not set it before because we are relying on istio mTLS. What is the reason you decided to set it now?
j-zimnowoda
left a comment
I left one inline comment.
While running the bin/compare.sh script I noticed that a few Loki secretRefs are set to null, which does not seem right.
spec.template.spec.containers.compactor
+ one map entry added:
envFrom:
- name: loki-s3-linode-credentials
│ secretRef: null
data.config.yaml
± value change in multiline text (one insert, one deletion)
- s3: https://someaccessKeyId:[email protected]/my-clusterid-loki
+ s3: https://${S3_ACCESS_KEY_ID}:${S3_ACCESS_KEY_SECRET}@nl-ams-1.linodeobjects.com/my-clusterid-loki
spec.template.spec.containers.distributor
+ one map entry added:
envFrom:
- name: loki-s3-linode-credentials
│ secretRef: null
spec.template.spec.containers.ingester
+ one map entry added:
envFrom:
- name: loki-s3-linode-credentials
│ secretRef: null
spec.template.spec.containers.querier
+ one map entry added:
envFrom:
- name: loki-s3-linode-credentials
│ secretRef: null
spec.template.spec.containers.query-frontend
+ one map entry added:
envFrom:
- name: loki-s3-linode-credentials
│ secretRef: null
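The two review findings above (credentials rendered literally into the Loki S3 URL, and `envFrom` entries whose `secretRef` came out as `null` with the secret name one level too high) are both things a rendered-manifest check can catch before `helm install`. The following is an added example, not code from this PR or from the otomi project: it walks manifests in the shape `helm template` produces and flags both problems. The manifests are constructed inline as already-parsed dicts so the script needs no YAML library; the resource and secret names in it are illustrative, and a `${VAR}` placeholder in a URL is treated as acceptable because it is only expanded from the secret at runtime.

```python
import re
from typing import Any, Dict, List

# A URL whose userinfo carries a password:  scheme://user:password@host...
# Group 1 is the user, group 2 the password.
CREDENTIAL_IN_URL = re.compile(
    r"\b[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@", re.IGNORECASE
)
# An unexpanded environment placeholder such as ${S3_ACCESS_KEY_SECRET}.
PLACEHOLDER = re.compile(r"^\$\{[A-Z0-9_]+\}$")


def check_env_from(container: Dict[str, Any], where: str) -> List[str]:
    """Flag envFrom entries without a usable secretRef/configMapRef name.

    An item like {"name": "...", "secretRef": None} is the shape seen in the
    compare output: the name was rendered at the item level, so the container
    would reference no secret at all.
    """
    findings = []
    for i, item in enumerate(container.get("envFrom") or []):
        ref = item.get("secretRef") or item.get("configMapRef")
        if not isinstance(ref, dict) or not ref.get("name"):
            findings.append(
                f"{where}: envFrom[{i}] has no secretRef/configMapRef name (got {item!r})"
            )
    return findings


def check_embedded_credentials(value: Any, where: str) -> List[str]:
    """Recursively scan strings in a config value for URLs with a literal password."""
    findings = []
    if isinstance(value, str):
        for m in CREDENTIAL_IN_URL.finditer(value):
            if not PLACEHOLDER.match(m.group(2)):
                findings.append(f"{where}: literal credential in URL for user {m.group(1)!r}")
    elif isinstance(value, dict):
        for k, v in value.items():
            findings.extend(check_embedded_credentials(v, f"{where}.{k}"))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            findings.extend(check_embedded_credentials(v, f"{where}[{i}]"))
    return findings


def audit(manifests: List[Dict[str, Any]]) -> List[str]:
    """Run both checks over a list of parsed Kubernetes manifests."""
    findings = []
    for doc in manifests:
        kind = doc.get("kind")
        name = doc.get("metadata", {}).get("name", "?")
        if kind in ("Deployment", "StatefulSet"):
            for c in doc["spec"]["template"]["spec"].get("containers", []):
                findings.extend(check_env_from(c, f"{kind}/{name}/{c['name']}"))
        elif kind == "ConfigMap":
            findings.extend(check_embedded_credentials(doc.get("data", {}), f"{kind}/{name}/data"))
    return findings


# Constructed sample manifests (hypothetical names and obviously fake credentials).
SAMPLE_MANIFESTS = [
    {
        "kind": "Deployment",
        "metadata": {"name": "loki-querier"},
        "spec": {"template": {"spec": {"containers": [
            {   # bug: name at the item level, secretRef rendered as null
                "name": "querier",
                "envFrom": [{"name": "loki-s3-linode-credentials", "secretRef": None}],
            },
            {   # correct shape: name nested under secretRef
                "name": "sidecar",
                "envFrom": [{"secretRef": {"name": "loki-s3-linode-credentials"}}],
            },
        ]}}},
    },
    {
        "kind": "ConfigMap",
        "metadata": {"name": "loki"},
        "data": {
            # literal key and secret in the URL: flagged
            "config.yaml": "storage_config:\n  aws:\n    s3: https://EXAMPLE_KEY_ID:EXAMPLE_SECRET"
                           "@nl-ams-1.linodeobjects.com/my-clusterid-loki\n",
            # placeholder expanded from a secret at runtime: accepted
            "minio.yaml": "s3: http://otomi-admin:${OTOMI_ADMIN_PASSWORD}"
                          "@minio.minio.svc.cluster.local:9000/loki\n",
        },
    },
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFESTS):
        print(finding)
```

Running it on the sample prints two findings: the `querier` container's `envFrom[0]` with no secret name, and the literal credential for user `EXAMPLE_KEY_ID` in `config.yaml`; the MinIO URL with `${OTOMI_ADMIN_PASSWORD}` passes. Against a real chart, feed it the output of `helm template` parsed with a YAML loader.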
📌 Summary
Replaces secrets with secretRefs for Harbor and Oauth2-Proxy.
Uses environment variables for Loki.