Add a new value neo4j.passwordFromSecret
#118
…sswordFromSecret Remove password failure test as it cannot be checked when user provides the secret
017d527
to
ab81ac0
neo4j.passwordFromSecret
remove PVC patching as it logs an error
neo4j/templates/_helpers.tpl
Outdated
{{- if .Values.neo4j.passwordFromSecret -}} | ||
{{- printf "$(kubectl get secret %s -o go-template='{{.data.NEO4J_AUTH | base64decode }}' | cut -d '/' -f2) " .Values.neo4j.passwordFromSecret -}} | ||
{{- end -}} |
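Review bot: The format string on the printf line ends with a space before its closing double quote (after `-f2)`), so the rendered command substitution carries a trailing space, and any place that wraps it in double quotes, such as a `-p "..."` argument to cypher-shell, passes a password with a space appended. Drop that space from the format string. Two smaller points on the same line: `cut -d '/' -f2` keeps only the second field, so a password that itself contains `/` is truncated (`-f2-` keeps the remainder), and `kubectl get secret` is printed without a `--namespace`, so the command only resolves when the caller's current namespace is the one holding the secret.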
Considering this was provided independently, do we really want to print it, and risk having it exposed in logs for example?
That's a good point. This only prints the command to run, not the actual value, e.g.:

```
Your release "server1" has been installed in namespace "neo4j".
The neo4j user's password has been set to "$(kubectl get secret test-auth -o go-template='{{.data.NEO4J_AUTH | base64decode }}' | cut -d '/' -f2) ".
To view the progress of the rollout try:
$ kubectl --namespace "neo4j" rollout status --watch --timeout=600s statefulset/server1
Once rollout is complete you can log in to Neo4j at "neo4j://server1.neo4j.svc.cluster.local:7687". Try:
$ kubectl run --rm -it --namespace "neo4j" --image "neo4j:5.1.0-enterprise" cypher-shell \
-- cypher-shell -a "neo4j://server1.neo4j.svc.cluster.local:7687" -u neo4j -p "$(kubectl get secret test-auth -o go-template='{{.data.NEO4J_AUTH | base64decode }}' | cut -d '/' -f2) "
```
Indeed, I read the templating a bit fast and got tricked by the comment in the description. Thanks!
@harshitsinghvi22 thanks for the review, I made a few changes in response.

Hi colleagues, when can we get this on 4.4?
Deploying a cluster using tools such as Terraform or Argo leads to a data race where the Helm chart creates a secret for Neo4j auth. Add a new value `neo4j.passwordFromSecret` so the user can provide the auth secret to be used. This is more secure and avoids the secret creation data race.
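
An added example, not code from this PR or the chart: reading the password back out of a user-supplied auth secret, compared with the helper's `cut -d '/' -f2` pipeline on a password that contains `/`. It assumes the decoded `NEO4J_AUTH` value has the form `<user>/<password>`, as the helper's `cut` implies; the function names and the sample value are hypothetical.

```shell
#!/bin/sh
# Added example: read the Neo4j password back out of a user-supplied auth Secret.
# Assumption: the decoded NEO4J_AUTH value is "<user>/<password>", as the
# helper's `cut -d '/'` implies. Function names are hypothetical.

# Decode one base64 field as stored under .data in a Secret.
decode_secret_field() {
    printf '%s' "$1" | base64 -d
}

# Password = everything after the FIRST '/', so a '/' inside it survives.
neo4j_auth_password() {
    case "$1" in
        */*) printf '%s' "${1#*/}" ;;
        *)   return 1 ;;            # no separator: not a user/password pair
    esac
}

# Same input through the helper's pipeline, which keeps only field 2.
neo4j_auth_password_cut() {
    printf '%s' "$1" | cut -d '/' -f2
}

# Fetch and decode from a cluster (needs kubectl; not exercised offline).
neo4j_password_from_secret() {
    secret=$1 namespace=$2
    encoded=$(kubectl get secret "$secret" --namespace "$namespace" \
        -o jsonpath='{.data.NEO4J_AUTH}') || return 1
    neo4j_auth_password "$(decode_secret_field "$encoded")"
}

# Constructed sample: a password that itself contains '/'.
sample=$(printf '%s' 'neo4j/p4ss/w0rd' | base64)
decoded=$(decode_secret_field "$sample")
echo "parameter expansion: $(neo4j_auth_password "$decoded")"
echo "cut -d '/' -f2:      $(neo4j_auth_password_cut "$decoded")"
```
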