-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix postgres and redis existing secrets and use secret for environment + add service account #47
Conversation
@davidspek Thank you for the PR. Let me test and get back to you. |
f9b74b6
to
7799a9c
Compare
Just rebased the PR to remove the conflict. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@davidspek Thank you for the awesome PR. Tested this as a fresh install and as an upgrade to an existing install. It's working fine.
This seems to have an issue when $(REDIS_PASSWORD)
substitution comes into the picture viz when using external Redis with or without TLS.
External redis
without TLS
$ helm install --debug --dry-run --generate-name . > /tmp/test.yaml
$ grep "REDIS_PASSWORD" /tmp/test.yaml | awk '{ $1=""; print}' | tr -d '"' | base64 -D
redis21212
$ grep "REDIS_URL" /tmp/test.yaml | awk '{ $1=""; print}' | tr -d '"' | base64 -D
redis://:$(REDIS_PASSWORD)@redis:6379%
External redis
with TLS
$ helm install --debug --dry-run --generate-name . > /tmp/test.yaml
$ grep "REDIS_PASSWORD" /tmp/test.yaml | awk '{ $1=""; print}' | tr -d '"' | base64 -D
redis21212
$ grep "REDIS_URL" /tmp/test.yaml | awk '{ $1=""; print}' | tr -d '"' | base64 -D
rediss://:$(REDIS_PASSWORD)@redis:6379%
Reminder |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@davidspek Could you please pull the changes from develop and also increment the chart version to 0.8.0
?
4a21215
to
0b9e731
Compare
@vishnu-narayanan sorry for the delay here, I've been very busy. I just rebased the PR on the latest main branch. |
@davidspek No worries. I was not able to push to this branch since maintainer edits are disabled. Since this is changing the chart behaviour(dropping configmaps in favour of secrets), could you please increment the chart version to |
@vishnu-narayanan I just bumped the chart version to 0.8.0. |
Thank you for the PR @davidspek @michaeljguarino 🙇 |
Solves: #46
The values.yaml indicates it should be possible to use an existing secret for the Postgres and Redis password. However, this functionality was missing in the templates. This PR add the ability to use an existing secret for the Postgres and Redis passwords.
Along with that, this PR replaces the configmap used to set the environment variables with a secret, since there were many credentials being set in the environment the configmap which isn't a good practice. Kubernetes variable replacement is used to overcome the issue of the
chatwoot.redis.url
template not having the redis password when an existing secret is used.Lastly, the missing service account was added to the job, web service and worker deployments. I can confirm IRSA works for access to AWS S3 when adding the annotation to the service account with the current chart.