Kubeapps: chart values: one has to provide `existingSecret` to create one on the fly

Created on 16 Feb 2021  路  3Comments  路  Source: kubeapps/kubeapps

Description:

In order to provide passwords so that those do not get re-generated every time, it is now needed to provide postgresql .existingSecret which, according to the docs, should point to a pre-deployed secret, when in fact it is being used to create a secret on the fly.

Sample values:

authProxy:
  enabled: false
  external: true
postgresql:
  existingSecret: zoomazumzum
  postgresqlPassword: duzzitmadda
  replication:
    password: agennoshomo
securityContext:
  enabled: true

Steps to reproduce the issue:

  1. install the chart with the above values
  2. observe the creation of the secret zoomazumzum with the intended creds
  3. remove the existingSecret: zoomazumzum part and install the chart again
  4. observe that new credentials get generated

Describe the results you expected:

No existingSecret to be needed for provisioning precreated passwords.

Additional information you deem important (e.g. issue happens only occasionally):

I addressed this downstream with bitnami but they told me to take it here. That closed issue can be found here: https://github.com/bitnami/charts/issues/5463

componenhelm-chart kinbug sizS

Most helpful comment

Ah, okay, you are right. In the chart, we make several assumptions that .existingSecret exists while that can be disabled. Marking this as a bug.

All 3 comments

I am not sure I follow your issue. You have two options:

  • Either set existingSecret and the password will be auto-generated (so you don't need to set postgresqlPassword)
  • Manually set the password (postgresqlPassword, replication.password). If you do so, you need to remove existingSecret.

The existingSecret is generated (if specified) when first installing Kubeapps, using helm-hooks. This means that it's management is no longer handled by helm. Modifying that value when upgrading the application is not supported.

The point is, as I tried to show in the reproduction steps, when I don't provide existingSecret, but do provide postgresqlPassword and replication.password, the chart will still generate passwords, and not use the ones provided.

Ah, okay, you are right. In the chart, we make several assumptions that .existingSecret exists while that can be disabled. Marking this as a bug.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

rarick picture rarick  路  7Comments

migmartri picture migmartri  路  4Comments

migmartri picture migmartri  路  8Comments

andresmgot picture andresmgot  路  8Comments

absoludity picture absoludity  路  8Comments