[workbench] support Sealed Secrets #384
Thanks for this! It looks awesome! I'll try to get a chance to play with this in the next few days so we can get it merged 😄
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ include "rstudio-workbench.fullname" . }}-secret | ||
namespace: {{ $.Release.Namespace }} | ||
stringData: | ||
{{ include "rstudio-library.config.ini" .Values.config.secret | indent 2 }} | ||
{{- include "rstudio-library.config.ini" .Values.config.secret | nindent 2 }} |
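Review bot: on the `stringData:` include line, `.Values.config.secret` is passed straight to `rstudio-library.config.ini`, and the description says `config.secret."database.conf"` now defaults to null, so the helper will now see a null entry on a default install. Please confirm the helper skips null values rather than rendering an empty `database.conf` key or failing, and add a `helm template` check with default values to cover it. Minor style point in the same hunk: `namespace:` uses `$.Release.Namespace` while `name:` uses `.`; pick one form for the root context.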
Thanks for fixing these!
@@ -318,6 +318,19 @@ config: | |||
- "two-image:tag | |||
``` | |||
|
|||
## Sealed Secrets |
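Review bot: under the new `## Sealed Secrets` heading, the README should state which Secret name and namespace the values have to be sealed for, if it does not already. The Sealed Secrets default (strict) scope binds each encrypted value to the name and namespace of the target Secret, and in this chart both come from the release (`{{ include "rstudio-workbench.fullname" . }}-secret` and `{{ $.Release.Namespace }}`), so renaming the release or installing into another namespace leaves values that the controller cannot decrypt. A sentence on that, plus a note that the controller must already be installed in the cluster, would save users a failed rollout.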
Thanks for the thorough explanation!
@wmcdona89 I know it can be a bit tedious - are you up for signing the CLA? It looks like there is a disconnect from the email used for your commits (work) and the one on your GitHub account. Feel free to refactor / rebase / re-author the commits if you want! Otherwise I think we are good to merge!
Fixes #374

Support Sealed Secrets in the `rstudio/workbench` chart to allow for storing secrets in SCM and to ensure secrets are never leaked via helm.

Changes

- `SealedSecret` templates alongside existing `Secret` templates in the `configmap-secret` and `configmap-session` template files
- `SealedSecret` templates instead of `Secret` templates to deploy secrets
- `config.secret."database.conf"` now defaults to null instead of `{}` to allow it to be set to a string

Sample values

Design Considerations

Separate `SealedSecret` and `Secret` templates in a single helm template file is proposed over...

- `SealedSecret` values or `Secret` values as the `SealedSecret` and `Secret` templates have a number of syntax differences and this approach would arguably make the helm template file less readable. For example:
- `SealedSecret` templates and `Secret` templates in separate helm template files. The `SealedSecret` templates will need to stay in sync with the `Secret` templates to some extent and the templates are small enough to manage together in a single file. While separate files would allow for a file diff, the relationship between the files may not be obvious.