
Passwords not stored in secrets

Open gansb opened this issue 4 years ago • 7 comments

Secrets should be storable in existing Kubernetes secrets so that they don't have to be passed directly to helm. This is possible for certificates, but not for:

  • External DB password
  • SMTP user password
  • Licence file

This is important when using tools like helmfile, for instance, because then the configuration values are checked into source control, and it's important that there is an alternative way of handling secret values. Referencing existing secrets is a flexible way to do this.

gansb avatar Apr 08 '20 10:04 gansb

Would love this too!

Sadzeih avatar Aug 03 '20 16:08 Sadzeih

This. So much this.

rissson avatar Nov 10 '20 00:11 rissson

@gansb are you willing to propose a PR to fix this?

cpanato avatar Jun 14 '21 15:06 cpanato

@cpanato - I'm willing to PR this, but given you shove the dataSource value into the config JSON, there isn't much we can do. To wire secrets like username/password into a container, we need to either pass them as environment variables or mount a secret as a directory. Given that the dataSource with username/password is stored in a ConfigMap (not even a Secret), this makes it impossible to store it properly as a secret.

ruckc avatar Mar 14 '22 20:03 ruckc

Ideally, the config JSON should be stored as a secret since it stores sensitive information, or there should be some way of Mattermost picking up environment variables to specify specific values, i.e. MM_SERVICESETTINGS_SQLSETTINGS_DATASOURCE.

ruckc avatar Mar 14 '22 20:03 ruckc
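The two comments above describe the problem (credentials sitting in a ConfigMap-backed config.json) and the fix they would like (the chart reading a pre-existing Secret and handing values to Mattermost via environment variables). Below is an added example of what that wiring could look like; it is not code from the mattermost-helm chart. The Secret name `mattermost-secrets`, the values keys under `existingSecret.*`, the container name and the image values are assumptions for illustration. The environment variable names follow Mattermost's documented `MM_<SECTION>_<KEY>` override convention: `MM_SQLSETTINGS_DATASOURCE` and `MM_EMAILSETTINGS_SMTPPASSWORD` are the documented names for `SqlSettings.DataSource` and `EmailSettings.SMTPPassword`; the license-file variable is assumed to follow the same convention from `ServiceSettings.LicenseFileLocation`.

```yaml
# --- Pre-existing Secret, created outside Helm (kubectl, sealed-secrets, External
# Secrets Operator, ...). Constructed example: host, user, password and license are
# placeholders. Because this object is never rendered from values.yaml, a helmfile
# checked into git only needs to carry its *name*.
apiVersion: v1
kind: Secret
metadata:
  name: mattermost-secrets
type: Opaque
stringData:
  datasource: "postgres://mmuser:CHANGE_ME@db.example.internal:5432/mattermost?sslmode=require"
  smtpPassword: "CHANGE_ME_TOO"
  license: "<contents of the .mattermost-license file>"
---
# --- Fragment of a Helm template (templates/deployment.yaml) consuming that Secret.
# Assumed values.yaml keys:
#   existingSecret:
#     name: mattermost-secrets
#     datasourceKey: datasource
#     smtpPasswordKey: smtpPassword
#     licenseKey: license
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mattermost
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mattermost
  template:
    metadata:
      labels:
        app: mattermost
    spec:
      containers:
        - name: mattermost
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          env:
            {{- if .Values.existingSecret.name }}
            # Environment overrides take precedence over config.json, so the
            # ConfigMap can ship a placeholder DataSource instead of the real DSN.
            - name: MM_SQLSETTINGS_DATASOURCE
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.existingSecret.name | quote }}
                  key: {{ .Values.existingSecret.datasourceKey | default "datasource" | quote }}
            - name: MM_EMAILSETTINGS_SMTPPASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.existingSecret.name | quote }}
                  key: {{ .Values.existingSecret.smtpPasswordKey | default "smtpPassword" | quote }}
            # Assumed name, following the same MM_<SECTION>_<KEY> convention.
            - name: MM_SERVICESETTINGS_LICENSEFILELOCATION
              value: /mattermost/secrets/license
            {{- end }}
          volumeMounts:
            {{- if .Values.existingSecret.name }}
            # The license file is a whole file, so it is mounted rather than
            # passed as an environment variable.
            - name: license
              mountPath: /mattermost/secrets
              readOnly: true
            {{- end }}
      volumes:
        {{- if .Values.existingSecret.name }}
        - name: license
          secret:
            secretName: {{ .Values.existingSecret.name | quote }}
            items:
              - key: {{ .Values.existingSecret.licenseKey | default "license" | quote }}
                path: license
        {{- end }}
```

With this shape, a checked-in helmfile carries only `existingSecret.name`, and the real values live in a Secret managed by whatever secret-sync tool the cluster already uses. The caveat the thread raises still applies: as long as the chart's ConfigMap also renders the real DSN into config.json, the credentials remain readable to anyone with `get configmaps`, so the ConfigMap must render a placeholder (or omit the field) once the environment override is in place. Check the rendered result with `helm template . | grep -n DATASOURCE` before relying on it.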

It appears, since you pass the dataSource directly into gorm, that it would support libpq environment variables with a standard `postgres://` DSN, but that would only be supported on PostgreSQL, not MySQL, which would make the deployment YAMLs even more complicated.

ruckc avatar Mar 14 '22 20:03 ruckc

@ruckc I'm no longer at Mattermost, but you can discuss this with the team; tagging @jasonblais and @spirosoik, who can help you.

cpanato avatar Mar 15 '22 08:03 cpanato