feat: load secrets for OpenStack Helm via a values file #19
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I realize now this wouldn't work because the MariaDB and RabbitMQ operator need to read the secret. So we would need to still create the secret from this data. So still more to iterate here. |
|
https://github.com/jkroepke/helm-secrets can use sops and it can generate both plain values, Secrets or whatever else. The downside over sealed secrets is that whoever has the key can view the credentials locally. Can be partially mitigated if we use non-gpg backend |
|
Yeah maybe the docs give a couple of suggested options and that's one? |
cardoe
force-pushed
the
openstack-secrets
branch
from
2ff8e7f to
8cec26c
Compare
cardoe
changed the title
cardoe
force-pushed
the
openstack-secrets
branch
from
12c62a4 to
eb61015
Compare
|
The goal with this is to make it easier for folks to run the helm commands and to be less opinionated about the secrets storage. |
|
So to provide some more context:
This should make us less opinionated and easier to use. |
|
Ultimately the helm commands go from: helm --namespace openstack template \
ironic \
./openstack-helm/ironic/ \
-f components/13-ironic/aio-values.yaml \
--set endpoints.identity.auth.admin.password="$(kubectl --namespace openstack get secret keystone-admin -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_db.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-db-password -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.oslo_messaging.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-rabbitmq-password -o jsonpath='{.data.password}' | base64 -d)" \
--set endpoints.identity.auth.ironic.password="$(kubectl --namespace openstack get secret ironic-keystone-password -o jsonpath='{.data.password}' | base64 -d)" \
| kubectl -n openstack apply -f -to helm --namespace openstack template \
ironic \
./openstack-helm/ironic/ \
-f components/13-ironic/aio-values.yaml \
-f secret-openstack.yaml \
| kubectl -n openstack apply -f -I also wrapped up the helm call with |
cardoe
force-pushed
the
openstack-secrets
branch
from
eb61015 to
f143722
Compare
skrobul
requested changes
Mar 19, 2024
skrobul
approved these changes
Mar 19, 2024
Move the loading of the OpenStack secrets into populating a values file that can be supplied to the helm command. In theory now a user could supply this file separately and use GitOps to install the OpenStack Helm components.
Since we're applying this immediately and not storing it, we don't need to run this through sealed secrets.
Switched to the published helm chart repo for the OpenStack components and change to using kustomize to execute helm like the other components are.
Co-authored-by: Marek Skrobacki <[email protected]>
cardoe
force-pushed
the
openstack-secrets
branch
from
6ef39b3 to
0656c60
Compare
skrobul
approved these changes
Mar 20, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Generate a helm values file with the secrets in it. That can then be stored and used via tools like https://github.com/jkroepke/helm-secrets Then switch to using the OpenStack Helm charts via their repo so that we can execute their helm charts like we do the other components.