stackstorm-k8s
Use Secret for `st2.docker.conf` instead of ConfigMap
Here all these credentials are stored in ConfigMap.
Doesn't it make more sense to use Secret, since this contains credentials?
This is supported via `st2.existingConfigSecret`. You create a secret with your st2.conf contents, and then pass that secret name to the chart. It then gets mounted like this:
https://github.com/StackStorm/stackstorm-k8s/blob/fabbea9fb89bce6d093ad718def3e28fcfc47c5e/templates/_helpers.tpl#L167-L171
https://github.com/StackStorm/stackstorm-k8s/blob/fabbea9fb89bce6d093ad718def3e28fcfc47c5e/templates/_helpers.tpl#L177-L181
The value is described here: https://github.com/StackStorm/stackstorm-k8s/blob/fabbea9fb89bce6d093ad718def3e28fcfc47c5e/values.yaml#L112-L116
Does that resolve your concerns?
Can we add this to docs please?
I'm using the existingConfig and now I have a secret called st2-secrets-conf that contains the DB / LDAP / RabbitMQ connection info and also a configMap called
And I think that the only reason I don't have Mongo connection info there as well is that I'm not using the mongo chart.
imo there should be a way to force the installation to only accept credentials from secrets.
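
A check in the direction of the last comment, as an added example that is not part of the thread or the chart: it scans ConfigMap data, in the JSON shape returned by `kubectl get configmaps -o json`, for credential-like INI settings and connection URLs with an embedded password. The ConfigMap names, the `st2.user.conf` key and all values in the sample are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of `kubectl get configmaps -o json`.
# ConfigMap names, the st2.user.conf key and every value are made up.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ConfigMap", "metadata": {"name": "st2-config"}, "data": {
        "st2.docker.conf": "[messaging]\nurl = amqp://admin:s3cret@rabbitmq:5672\n"
                           "[database]\nhost = mongodb\npassword = hunter2\n",
        "st2.user.conf": "[api]\nmask_secrets = True\nallow_origin = *\n"}},
    {"kind": "ConfigMap", "metadata": {"name": "st2-urls"}, "data": {
        "ST2_API_URL": "http://st2api:9101/"}},
]})

# INI-style "name = value" lines whose name looks like a credential.
CRED_LINE = re.compile(
    r"^[ \t]*(\w*(?:password|passwd|secret|token|api_key)\w*)[ \t]*=[ \t]*(\S+)",
    re.I | re.M)
# Any scheme://... URL; userinfo is checked with urlsplit below.
URL = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s,'\"]+", re.I)


def url_has_password(url):
    try:
        return bool(urlsplit(url).password)
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return False


def find_credentials(configmap_list_json):
    """Return sorted (configmap, data key, setting) tuples; values are never echoed."""
    findings = set()
    for item in json.loads(configmap_list_json).get("items", []):
        if item.get("kind") != "ConfigMap":
            continue
        name = item["metadata"]["name"]
        for key, text in (item.get("data") or {}).items():
            for m in CRED_LINE.finditer(text):
                # Boolean switches such as mask_secrets are settings, not secrets.
                if m.group(2).lower() not in ("true", "false"):
                    findings.add((name, key, m.group(1)))
            if any(url_has_password(u) for u in URL.findall(text)):
                findings.add((name, key, "url-with-password"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_credentials(SAMPLE):
        print("credential in ConfigMap: %s / %s / %s" % finding)
```

Against a cluster, pass the output of `kubectl get configmaps -o json` to `find_credentials` and fail the deployment check when the list is non-empty.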