
Use existing secrets

Open gansb opened this issue 4 years ago • 3 comments

I use helmfile to deploy this chart, and need to be able to do this without checking in the licence and other sensitive information. Being able to use an existing secret for the licence and config.yml would help very much.

gansb avatar Dec 08 '20 14:12 gansb

the config.yml is already in the config map and the secret is available for what you want to use it for unless I'M MISSING SOMETHING

CMYanko avatar Dec 10 '20 16:12 CMYanko

To use the chart at the moment it's necessary to pass the encoded licence as a value and the chart creates the secret for you. But this means that whatever deploys the chart has to have access to the licence.

I would like to provision the secret separately, without this chart, and then just specify which existing secret should be used for the licence. This makes it easier to handle secrets like licences securely.

gansb avatar Dec 11 '20 07:12 gansb

I have a use-case as well. We want to store the license in something external, and use the CSI Secrets-Store driver to map that secret into Kubernetes. The Nexus application charts would just need to cater for user-defined volume mounts and volumes.

An example of how this is implemented is on the SonarQube helm chart: Values file: https://github.com/SonarSource/helm-chart-sonarqube/blob/master/charts/sonarqube/values.yaml#L345 Deployment template: https://github.com/SonarSource/helm-chart-sonarqube/blob/master/charts/sonarqube/templates/deployment.yaml#L281

The way this works (using the CSI secrets store driver as an example) from a user's perspective is to define a SecretProviderClass, and then define a volume and a mount like so:

```yaml
volumes:
  - name: sonarqube-sonarqube
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "sonarqube-deployment"
mounts:
  - name: sonarqube-sonarqube
    mountPath: "/mnt/secrets-store"
    readOnly: true
```

gss-jmorris avatar Aug 25 '22 15:08 gss-jmorris
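One way a chart could support both requests in this thread (an `existingSecret` for the licence, and pass-through volumes and mounts for a CSI secrets-store volume), written here as an added illustration rather than anything from the helm3-charts repo; the value keys, the `license.lic` data key, the mount path and the `nexus.fullname` helper are all assumptions:

```yaml
# values.yaml (assumed keys; not the chart's own)
license:
  value: ""            # base64 licence; used only when existingSecret is empty
  existingSecret: ""   # name of a Secret provisioned outside the chart
extraVolumes: []       # passed through verbatim, e.g. a secrets-store CSI volume
extraVolumeMounts: []

# templates/license-secret.yaml: render a Secret only when the chart owns the licence
{{- if and .Values.license.value (not .Values.license.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "nexus.fullname" . }}-license   # helper name is hypothetical
type: Opaque
data:
  license.lic: {{ .Values.license.value }}
{{- end }}

# templates/deployment.yaml (fragment): mount whichever Secret applies, then append
# any user-defined volumes and mounts unchanged
      volumes:
        - name: license
          secret:
            secretName: {{ .Values.license.existingSecret | default (printf "%s-license" (include "nexus.fullname" .)) }}
        {{- with .Values.extraVolumes }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      containers:
        - name: nexus
          volumeMounts:
            - name: license
              mountPath: /nexus-data/license   # mount path is an assumption
              readOnly: true
            {{- with .Values.extraVolumeMounts }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
```

With `license.existingSecret` set, the licence never appears in Helm values, helmfile state or the release manifest, which is the property the original request asks for.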