
Load secrets from an existing secret #48

Closed
fmassot opened this issue May 27, 2023 · 2 comments


fmassot commented May 27, 2023

I really don't like having to define secrets in the yaml file values.yaml.

Bitnami charts solve this issue by defining an optional existingSecret variable.

Let's do that.

@fmassot fmassot changed the title Load secrets from a predefined secret Load secrets from an existing secret May 27, 2023
@networkhermit

I am trying to set up quickwit using fluxcd gitops, but the helm chart secret encapsulation concerns me.

I see that only postgres.password, s3.secret_key and azure_blob.access_key are treated as secret:

{{- if .Values.config.postgres }}
postgres.password: {{ required "A valid config.postgres.password is required!" .Values.config.postgres.password | b64enc | quote }}
{{- end }}
{{- if .Values.config.s3.secret_key }}
s3.secret_key: {{ .Values.config.s3.secret_key | b64enc | quote }}
{{- end }}
{{- if .Values.config.azure_blob.access_key }}
azure_blob.access_key: {{ .Values.config.azure_blob.access_key | b64enc | quote }}
{{- end }}

While QW_S3_ENDPOINT / AWS_REGION / AWS_ACCESS_KEY_ID, QW_AZURE_STORAGE_ACCOUNT and POSTGRES_HOST / POSTGRES_PORT / POSTGRES_DATABASE / POSTGRES_USERNAME are all derived from plain text in helm values:

{{- with .Values.config.s3 }}
{{- if .endpoint }}
- name: QW_S3_ENDPOINT
  value: {{ .endpoint }}
{{- end }}
{{- if .region }}
- name: AWS_REGION
  value: {{ .region }}
{{- end }}
{{- if and .secret_key .access_key }}
- name: AWS_ACCESS_KEY_ID
  value: {{ .access_key }}
- name: AWS_SECRET_ACCESS_KEY
  valueFrom:
    secretKeyRef:
      name: {{ include "quickwit.fullname" $ }}
      key: s3.secret_key
{{- end }}
{{- end }}
{{- if .Values.config.azure_blob.account_name }}
- name: QW_AZURE_STORAGE_ACCOUNT
  value: {{ .Values.config.azure_blob.account_name }}
{{- end }}
{{- if .Values.config.azure_blob.access_key }}
- name: QW_AZURE_STORAGE_ACCESS_KEY
  valueFrom:
    secretKeyRef:
      name: {{ include "quickwit.fullname" $ }}
      key: azure_blob.access_key
{{- end }}

{{- define "quickwit.metastore.environment" -}}
{{ include "quickwit.environment" . }}
{{- if .Values.config.metastore_uri }}
- name: QW_METASTORE_URI
  value: {{ .Values.config.metastore_uri }}
{{- else if .Values.config.postgres }}
- name: POSTGRES_HOST
  value: {{ required "A valid config.postgres.host is required!" .Values.config.postgres.host }}
- name: POSTGRES_PORT
  value: {{ .Values.config.postgres.port | default 5432 | quote }}
- name: POSTGRES_DATABASE
  value: {{ .Values.config.postgres.database | default "metastore" }}
- name: POSTGRES_USERNAME
  value: {{ .Values.config.postgres.username | default "quickwit" }}
- name: POSTGRES_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ include "quickwit.fullname" . }}
      key: postgres.password
- name: QW_METASTORE_URI
  value: "postgres://$(POSTGRES_USERNAME):$(POSTGRES_PASSWORD)@$(POSTGRES_HOST):$(POSTGRES_PORT)/$(POSTGRES_DATABASE)"
{{- end }}
{{- end }}

More often these external credentials are stored together and separating external credentials from helm values is a huge gain in terms of security.

Maybe we could also consider utilizing k8s envFrom in a future implementation and keep credential envVars in a k8s secret.

P.S.

I think keys in secret could just use their corresponding ENV_VAR as key name.
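The existingSecret pattern the issue asks for, applied to the templates quoted above, as an added example (not the quickwit chart's own code): it assumes a hypothetical values key `config.existingSecret` and a hypothetical helper `quickwit.secretName`, and names the Secret keys after their env vars as the P.S. suggests.

```yaml
# Added example, not part of the quickwit chart. `config.existingSecret` and
# `quickwit.secretName` are hypothetical names chosen for this illustration.

# templates/secret.yaml: only rendered when no pre-existing Secret is named,
# so credentials never have to be written into values.yaml.
{{- if not .Values.config.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "quickwit.fullname" . }}
type: Opaque
data:
  {{- if .Values.config.postgres }}
  POSTGRES_PASSWORD: {{ required "A valid config.postgres.password is required!" .Values.config.postgres.password | b64enc | quote }}
  {{- end }}
  {{- if .Values.config.s3.secret_key }}
  AWS_SECRET_ACCESS_KEY: {{ .Values.config.s3.secret_key | b64enc | quote }}
  {{- end }}
  {{- if .Values.config.azure_blob.access_key }}
  QW_AZURE_STORAGE_ACCESS_KEY: {{ .Values.config.azure_blob.access_key | b64enc | quote }}
  {{- end }}
{{- end }}

# templates/_helpers.tpl: pods read from the user-supplied Secret when one is
# given, otherwise from the chart-managed one above.
{{- define "quickwit.secretName" -}}
{{ .Values.config.existingSecret | default (include "quickwit.fullname" .) }}
{{- end }}

# In the container spec: every key of that Secret becomes an env var, so the
# rendered Deployment carries no credential values at all.
envFrom:
  - secretRef:
      name: {{ include "quickwit.secretName" . }}
```

With this layout the `{{- if and .secret_key .access_key }}` guard in the quoted S3 block no longer works as written, since the secret key is absent from values when `existingSecret` is set; the guard would need to test `.access_key` (or `existingSecret`) alone.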

@idrissneumann

Solved by #85
