make k8s secret optional #331

Open
asokolsky4clari opened this issue Apr 14, 2025 · 3 comments
Comments

@asokolsky4clari

trino-gateway helm chart unconditionally generates secret.yaml.

k8s secrets are not secure, and in our deployments we do not allow applications to rely on k8s secrets.

Instead we:

  • store secrets in vault
  • pass these to applications using environment variables

This issue requests:

  • make generation of k8s secret optional
  • allow for the secrets to be passed to trino-gateway via environment variables
@kumiDa

kumiDa commented Apr 17, 2025

I would like to work on this issue, please assign this to me.

@sdaberdaku
Member

sdaberdaku commented May 2, 2025

Maybe you are not aware of this, but you can declare other secrets as env variables and then reference them in the config like so:

...
envFrom:
  - secretRef:
      name: postgres-credentials

config:
  serverConfig:
    node.environment: production
    http-server.http.port: 8080
    http-server.http.enabled: true
    http-server.process-forwarded: true
  dataStore:
    jdbcUrl: ${ENV:DB_JDBC_URL}
    user: ${ENV:DB_USERNAME}
    password: ${ENV:DB_PASSWORD}
    driver: org.postgresql.Driver
    queryHistoryHoursRetention: 48
...

Here postgres-credentials can be created using Vault Secrets Operator and will contain the following keys:
DB_JDBC_URL, DB_USERNAME, and DB_PASSWORD which are mounted as env variables.

apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: postgres-credentials
spec:
  type: Opaque
  path: trino/trino_gateway_postgres_credentials
  keys:
    - db_name
    - db_host
    - db_port
    - db_username
    - db_password
  templates:
    DB_JDBC_URL: "jdbc:postgresql://{% .Secrets.db_host %}:{% .Secrets.db_port %}/{% .Secrets.db_name %}"
    DB_USERNAME: "{% .Secrets.db_username %}"
    DB_PASSWORD: "{% .Secrets.db_password %}"
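
Added example, not part of the thread or of the trino-gateway project: a small Python check for the pattern in the comment above. It flags sensitive keys that hold a literal value instead of a `${ENV:...}` reference, and references to variables that the Secret does not provide. The sensitive-key pattern, the `extraSection` block and `EXTRA_USER` are assumptions constructed for illustration.

```python
import re

ENV_REF = re.compile(r"\$\{ENV:([A-Za-z_][A-Za-z0-9_]*)\}")
KEY_VALUE = re.compile(r"^\s*([\w.\-]+):\s*(\S.*?)\s*$")
# Assumption: key names that should never carry a literal value.
SENSITIVE_KEY = re.compile(r"password|secret|token", re.IGNORECASE)

# Keys produced by the `templates` section of the VaultSecret shown above.
PROVIDED_ENV = {"DB_JDBC_URL", "DB_USERNAME", "DB_PASSWORD"}

# Constructed sample: the dataStore fragment from the comment above plus a
# hypothetical `extraSection` that shows both failure cases.
SAMPLE_CONFIG = """\
dataStore:
  jdbcUrl: ${ENV:DB_JDBC_URL}
  user: ${ENV:DB_USERNAME}
  password: ${ENV:DB_PASSWORD}
  driver: org.postgresql.Driver
extraSection:
  username: ${ENV:EXTRA_USER}
  password: hunter2
"""


def audit_config(config_text, provided_env):
    """Return (literal_secrets, missing_env) for a YAML config fragment.

    literal_secrets: (line number, key) pairs where a sensitive key holds a
    literal value. missing_env: sorted names referenced via ${ENV:...} that
    are not in provided_env, so they would be undefined in the pod.
    """
    literal, missing = [], set()
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = KEY_VALUE.match(line)
        if not match:  # section headers and blank lines carry no value
            continue
        key, value = match.groups()
        refs = ENV_REF.findall(value)
        missing.update(name for name in refs if name not in provided_env)
        if SENSITIVE_KEY.search(key) and not refs:
            literal.append((lineno, key))
    return literal, sorted(missing)


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG, PROVIDED_ENV))
```

Running a check like this on the values file in CI catches a credential committed in plain text before the chart renders it into any Kubernetes object.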

@sdaberdaku
Member

Thinking about this, I believe this configuration could be a ConfigMap instead of a Secret, and we should be able to disable it if needed (e.g. if we provide an empty configuration config: {}).
