Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve secret management #46

Merged
merged 30 commits into from
Dec 13, 2023
Merged

Improve secret management #46

merged 30 commits into from
Dec 13, 2023

Conversation

machisuji
Copy link
Member

@machisuji machisuji commented Dec 12, 2023
edited

Takes the changes from #8 and #20, adapts them and unifies them.
Thanks to @johanneskastl and @pitwegner for the PRs!

In the course of this process the following changes were made as well.

  • introduce an existingSecret option for S3 credentials (secret access key and access key id)
  • change s3.accessKeyId and s3.secretAccessKeyId to s3.auth.accessKeyId and s3.auth.secretAccessKey

Moreover, installations or upgrades will fail if no postgres password is provided.

Error: INSTALLATION FAILED: execution error at (openproject/templates/worker-deployment.yaml:80:14): Database password is required. Please set postgresql.auth.existingSecret (recommended) or postgresql.auth.password

Important

For this to work it needs the latest OpenProject 13.1 images (to be released tomorrow, 13th Dec 2023).
For the released images to work correctly, the database.yml bug has to be fixed as well. Working on that. Until this is released the test will fail with the following.

connection to server at "10.96.170.25", port 5432 failed: fe_sendauth: no password supplied (ActiveRecord::ConnectionNotEstablished)

So this PR will only go green once 13.1 is released including that bug fix which is when this will be merged.

pitwegner and others added 27 commits February 24, 2023 14:55
@pitwegner
add secret references
058663c
@pitwegner
Update secrets.yaml
e0067f2 
exclude memcache and Postgres secret var
@pitwegner
enter Postgres password secret
413655c
@pitwegner
remove memcached secret conditions
e14fd87
@pitwegner
remove memcached auth
086ebb8
@pitwegner
remove global option
414e4c7
@pitwegner
move env key
a617e9c
fix deployment
342b53f
revert image version
9060d45
@pitwegner
Merge branch 'main' into main
77d86c1
ADD templates/secret_environment.yaml: move environment variables fro…
8b415a5 
…m .Values.environment to a separate secret
templates/deployment.yaml: mount environment secret, if .Values.envir…
f05db4f 
…onment is non-empty
templates/secrets.yaml: remove environment variables from .Values.env…
05aae07 
…ironment, as those now live in a separate secret
ADD templates/secret_oidc.yaml: new secret for oidc variables
c40c5be
templates/secrets.yaml: remove OIDC variables, as those are now in a …
13cd914 
…separate secret
templates/deployment.yaml: use oidc secret, if .Values.openproject.oi…
2c55716 
…dc.enabled is true
ADD templates/secret_memcached.yaml: move memcached variables to sepa…
6d16c49 
…rate secret
templates/secrets.yaml: remove memcached settings, that are now store…
e103176 
…d in a separate secret
templates/deployment.yaml: use memcached secret, if memcache is to be…
2a03eb2 
… used (.Values.openproject.cache.store equals memcache)
values.yaml: add keys and explanation for using an existing secret wi…
0f974cf 
…th the postgresql chart
values.yaml: comment out auth.password and auth.postgresPassword and …
aecb1cf 
…add explanation
RENAME templates/secrets.yaml TO templates/secret_openproject.yaml
b3dc642
templates/secret_openproject.yaml: remove postgresql password from DA…
1b6d4e9 
…TABASE_URL, needs to be set in another environment variable from e.g. the existing secret
FIXME: create new environment variable, either from postgresql secret…
40d466e 
… or from .Values.postgresql.auth.password
@machisuji
Merge remote-tracking branch 'pitwegner/main' into secrets
cdca916
@machisuji
Merge remote-tracking branch 'johanneskastl/20230805_refactor_secret_…
609b310 
…handling' into secrets
@machisuji
adapt and unify secret changes
c54db1d
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Dec 12, 2023
edited

🦋 Changeset detected

Latest commit: 33c7ab0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@openproject/helm-charts Major

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@machisuji machisuji mentioned this pull request Dec 12, 2023
Closed
@machisuji machisuji mentioned this pull request Dec 12, 2023
Closed
oliverguenther
oliverguenther approved these changes Dec 13, 2023
View reviewed changes
Copy link
Member

@oliverguenther oliverguenther left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent, thank you for consolidating the two issues 💙

@oliverguenther oliverguenther merged commit 5f4bce6 into main Dec 13, 2023
1 check passed
This was referenced Dec 13, 2023
Closed
Closed
Closed
@machisuji machisuji deleted the secrets branch December 13, 2023 16:34
@webnotesweb webnotesweb mentioned this pull request Jan 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@oliverguenther oliverguenther oliverguenther approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@machisuji @oliverguenther @pitwegner