helm-charts icon indicating copy to clipboard operation
helm-charts copied to clipboard
verified publisher icon temporalio

Add auth and database features

Open dcaputo-harmoni opened this issue 1 year ago • 1 comments

What was changed

This PR includes two primary functionality enhancements to the helm chart:

  • Addition of Auth settings to both server and web
  • Allowing database username to optionally be specified in a secret alongside the password

Why?

I'll address each area separately:

Auth - production environments need some form of authentication. To use authentication, it was required to be enabled in both the server and web components. Additionally, an internal-frontend service was added (per the v1.20.0 release) to allow the workflow service to function. This also addresses an open issue (#304).

Database Creds - many dynamic database creds generation systems (such as hashicorp vault) generate both the username and password dynamically, which is more secure than just rotating the password. The functionality has been updated to allow either or both of these to be optionally set via a secret with any or both of username and password keys.

Checklist

  1. Closes #304

  2. How was this tested:

Tested a number of times using various alternatives of the configurations.

  1. Any docs updates needed?

Included documentation via commented out items in values.yaml

dcaputo-harmoni avatar May 20 '24 19:05 dcaputo-harmoni

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar May 20 '24 19:05 CLAassistant

Thank you for your contribution :)

Please don't mix concerns in the same PR, split out: 1. database credentials 2. internal-frontend support

For the auth config side, I'm not sure about proxying all of the values this way. Web can be configured via additionalEnv and for server auth I think maybe just have a auth: { enabled: true, config: { ... } } that gets copied as well.

robholland avatar Jun 08 '24 16:06 robholland