Add support of sensitive data for external Database #279
No reviewers
Labels
No Label
has
backport
in progress
invalid
kind
breaking
kind
bug
kind
build
kind
dependency
kind
deployment
kind
docs
kind
enhancement
kind
feature
kind
lint
kind
proposal
kind
question
kind
refactor
kind
security
kind
testing
kind
translation
kind
ui
need
backport
priority
critical
priority
low
priority
maybe
priority
medium
reviewed
duplicate
reviewed
invalid
reviewed
wontfix
skip-changelog
status
blocked
status
needs-feedback
status
needs-reviews
status
wip
upstream
gitea
upstream
other
No Milestone
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: gitea/helm-chart#279
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "fkocik/gitea-helm-chart:feature/external-database"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Hi,
When using Gitea with an external database instance, it may be necessary to manipulate sensitive data that should not appear in the
values.yaml
file.The purpose of this PR is to allow
externalDatabase
configuration injection in a secure way.For each token, it will be possible to use a literal value (directly readable from the
values.yaml
file) or a secret reference (usingname
andkey
) in order to reuse existing data from Kubernetes engine.Regards.
WIP: Add support of sensitive data for external Databaseto Add support of sensitive data for external Databaseimho it would be better to allow using secrets for values without changing existing structure
It still remains possible through
additionalConfigSources
.Yet, when using Kubernetes native approach (such as database operators) : it requires to synchronize data between database secrets and Gitea secrets.
The idea here is to reuse the same secrets using SecretKeySelector yaml style notation in
values.yaml
.I understand but why we could not extend it to support such syntax:
while still supporting also
As far as I see this whole litetal vs. Kubernetes resource distinction is already possible through
additionalConfigSources
. I understand your idea to reuse such secrets and appreciate your invested time to contribute this. But implementing it that way seems like stepping back to previous configurations which were eliminated byadditionalConfigSources
. Is there a need for a more fine grained mapping of such additional sources to fit your need?Thanks all for your feedback.
I did not succeed to perform such configuration using
additionalConfigSources
. Perhaps caused by my misunderstanding of the existing mechanisms.My need is to avoid intermediate process that generate a secret from another existing secret and only describe the desired system state. So, I agree with @justusbunsi that more fine grained mapping of
additionalConfigSources
could be the solution.I can try to review my PR in order to see if it is possible to use thoses resources.
It might not that easy to reuse an existing Kubernetes secret storing data for another application, e.g. database. The data structure necessary for
additionalConfigSources
is more or less an app.ini that got cut into pieces allowing to store settings from one section as Kubernetes Secret or ConfigMap or both. The keys for each entry in such Kubernetes resource must be the section name. Otherwise the data collecting won't work.But I could be wrong and you find a neat way to achieve it. ?
Hi, this solution would really help. I'm using postgres operator that creates DB connect info as secret. To use them I have used
But still everything is in crashloop because scipts and other things don't get this envs into consideration. This PR would really help with that.
Hey 👋. This PR got stuck in our heads and with the next release the Helm Chart respects specific environment variables during app.ini creation (see #298). This allows to reuse existing secrets from other applications and much more. Feel free to check it out and give us feedback.
Considering that, this PR is not necessary anymore. Right?
Closing with regards to this comment.
Feel free to reopen this PR if necessary.
Pull request closed