Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

document using existing secrets for the subcharts #223

Merged
merged 4 commits into from
Nov 3, 2023
Merged

document using existing secrets for the subcharts #223

merged 4 commits into from
Nov 3, 2023

Conversation

johanneskastl
Copy link
Contributor

What this PR does / why we need it

Using the secrets: section the user can use existing secrets with the zammad chart. But the credentials for the subcharts are still in plaintext in the values.yaml file.

This PR adds commented examples on how to configure the subcharts to use the existing secrets.

Which issue this PR fixes

None. It could have been part of #76 that fixes #73

Special notes for your reviewer

  1. Authentication for the memcached subchart is currently not being used at all, it seems. So I did not document anything there.

  2. I am a little fishy on the details regarding the elasticsearch subchart. Enabling the secrets.elasticsearch.useExisting value leads to the secret being mounted in the zammad pod. However I have not found the secret being used in the elasticsearch part at all. But: The elasticsearch section did not contain any credentials, so it might well be that the elasticsearch credential just isn't used at all?

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • Chart Version bumped
  • Upgrading instructions are documented in the README.md Not necessary, no code changes.

@mgruner
Copy link
Collaborator

mgruner commented Nov 3, 2023

@johanneskastl thanks for your proposal, this looks really nice. Can you please point me to the Helm/Kubernetes documentation that talks about existingSecret? So far I was not able to find it.

@johanneskastl
Copy link
Contributor Author

@johanneskastl thanks for your proposal, this looks really nice. Can you please point me to the Helm/Kubernetes documentation that talks about existingSecret? So far I was not able to find it.

This is not a helm or Kubernetes specific key. It is something that must be supported by the chart, in this case the subcharts:
https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml#L25
https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml#L137
https://github.com/bitnami/charts/blob/main/bitnami/elasticsearch/values.yaml#L224

@mgruner
Copy link
Collaborator

mgruner commented Nov 3, 2023

So that's why I didn't find it. Thanks!

@johanneskastl
Copy link
Contributor Author

Please check out bitnami/charts#20545 for questions on what exactly needs to go into the elasticsearch secret. This is in addition to the question above, whether elasticsearch in Zammad actually uses the password...

@mgruner
Copy link
Collaborator

mgruner commented Nov 3, 2023

Would you be so kind to rebase please, f41b98d should hopefully fix the failing chart linting checks.

@johanneskastl johanneskastl force-pushed the 20231031_subchart_secrets branch from 186b473 to 8c5a37e Compare November 3, 2023 10:57
@johanneskastl
Copy link
Contributor Author

Would you be so kind to rebase please, f41b98d should hopefully fix the failing chart linting checks.

Done

@mgruner
Copy link
Collaborator

mgruner commented Nov 3, 2023

The elasticsearch credentials are saved into the Zammad database by the elasticsearch-init container here:

zammad-helm/zammad/templates/configmap-init.yaml

Line 12 in f41b98d

bundle exec rails r 'Setting.set("es_url", "{{ .Values.zammadConfig.elasticsearch.schema }}://{{ if .Values.zammadConfig.elasticsearch.enabled }}{{ .Release.Name }}-elasticsearch{{ else }}{{ .Values.zammadConfig.elasticsearch.host }}{{ end }}:{{ .Values.zammadConfig.elasticsearch.port }}")'

In the regular zammad containers, the configuration is used straight from the database. It's not consistent with other parts of the system, but that's how it works at present.

@johanneskastl
Copy link
Contributor Author 

 >>> helm lint zammad --timeout 900s
Error: failed linting charts: failed processing charts
Error: unknown flag: --timeout

This does not look like an error I introduced?

@mgruner
Copy link
Collaborator

mgruner commented Nov 3, 2023

Certainly not. Not sure what's going on yet.

@mgruner
Copy link
Collaborator

mgruner commented Nov 3, 2023

Can you try again please? aa05fbb should fix the linter.

Johannes Kastl added 4 commits November 3, 2023 14:14
@mgruner
zammad/values.yaml: postgresql subchart now mentions how to use an ex…
a1a7eb2 
…isting Kubernetes secret instead of specifying passwords in the values.yaml

The example is using the secret and key names from the `secrets` section
in the values.yaml
@mgruner
zammad/values.yaml: redis subchart now mentions how to use an existin…
f4deb93 
…g Kubernetes secret instead of specifying passwords in the values.yaml

The example is using the secret and key names from the `secrets` section
in the values.yaml
@mgruner
zammad/values.yaml: elasticsearch subchart now mentions how to use an…
8e32824 
… existing Kubernetes secret
@mgruner
zammad/Chart.yaml: increase version to 10.0.3
a65fba9
@mgruner mgruner force-pushed the 20231031_subchart_secrets branch from 8c5a37e to a65fba9 Compare November 3, 2023 13:14
@mgruner mgruner merged commit 5fbca0a into zammad:main Nov 3, 2023
@mgruner
Copy link
Collaborator

mgruner commented Nov 3, 2023

Thanks again @johanneskastl

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mgruner mgruner mgruner approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Feature Request: use existing secret
2 participants
@johanneskastl @mgruner