make k8s secret optional #331
Comments
|
I would like to work on this issue, please assign this to me. |
|
Maybe you are not aware of this, but you can declare other secrets as env variables and then reference them in the config like so: ...
envFrom:
- secretRef:
name: postgres-credentials
config:
serverConfig:
node.environment: production
http-server.http.port: 8080
http-server.http.enabled: true
http-server.process-forwarded: true
dataStore:
jdbcUrl: ${ENV:DB_JDBC_URL}
user: ${ENV:DB_USERNAME}
password: ${ENV:DB_PASSWORD}
driver: org.postgresql.Driver
queryHistoryHoursRetention: 48
...Here apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
name: postgres-credentials
spec:
type: Opaque
path: trino/trino_gateway_postgres_credentials
keys:
- db_name
- db_host
- db_port
- db_username
- db_password
templates:
DB_JDBC_URL: "jdbc:postgresql://{% .Secrets.db_host %}:{% .Secrets.db_port %}/{% .Secrets.db_name %}"
DB_USERNAME: "{% .Secrets.db_username %}"
DB_PASSWORD: "{% .Secrets.db_password %}" |
|
Thinking about this, I believe this configuration could be a ConfigMap instead of a Secret, and we should be able to disable it if needed (e.g. if we provide an empty configuration |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
trino-gateway helm chart unconditionally generates secret.yaml.
k8s secrets are not secure and in our deployments we do not allow for applications to rely on k8s sercets.
Instead we:
This issue requests:
The text was updated successfully, but these errors were encountered: