allow external secrets to potentially clobber other secrets if opted in #208
4633878 to 6d7ddf2
charts/retool/templates/_helpers.tpl
Outdated
{{/* | ||
Checks whether or not ExternalSecret definitions are enabled and can potentially clobber secrets or explicitly allow additional direct secret refs. | ||
*/}} | ||
{{- define "checkExternalSecretsClobbering" -}} |
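Review bot: the doc comment above `define "checkExternalSecretsClobbering"` says what is checked but not what the template renders for each outcome. Callers receive a named template's result as a string through `include`, so a non-empty rendering such as "false" still tests as true in an `if`; state the contract in the comment (for example, non-empty when direct secret refs are allowed, empty otherwise). Template names are also global across a chart and its subcharts, so prefixing the name with the chart name would avoid collisions.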
I would name this something a little more directly tied to what it gates, like `shouldIncludeConfigSecretsEnvVars` or smth
agree
charts/retool/values.yaml
Outdated
@@ -95,6 +95,9 @@ externalSecrets: | |||
# Support for legacy external secrets, note this is deprecated in favour of External Secrets Operator: https://github.com/godaddy/kubernetes-external-secrets | |||
# This mode only allows a single secret name to be provided. | |||
enabled: false | |||
# If external secrets are currently enabled, it is disallowed to specify regular configuration secrets as a safeguard from clobbering. | |||
# This flag allows bypassing that check and specifying both an ExternalSecret and a regular secret for different secrets. | |||
allowOtherSecrets: false |
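Review bot: the new comment above `allowOtherSecrets` says the flag is for using an ExternalSecret and a regular secret "for different secrets", but it does not say what happens when both sources define the same secret once the safeguard is bypassed. Document that the two must not overlap (or which source takes precedence), and state whether the flag applies only to the legacy mode it sits under or to every external-secrets mode.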
thinking naming...maybe `includeConfigSecrets`?
also, do we want to doc a recommendation towards true/false? is the `false` default what we'd usually want or just for backcompat?
yup, good idea. and yeah false the default just for backcompat
6d7ddf2 to 74430ae
if external secrets are currently enabled, they don't let us specify the regular configuration secrets as a safeguard from clobbering.
this flag should let us both use an externalsecret for something like the postgres password and just use a regular secret for the other things like license key