Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow external secrets to potentially clobber other secrets if opted in #208

Merged
merged 1 commit into from
Jan 27, 2025

Conversation

JatinNanda
Copy link
Contributor

if external secrets are currently enabled, they don't let us specify the regular configuration secrets as a safeguard from clobbering.

this flag should let us both use an externalsecret for something like the postgres password and just use a regular secret for the other things like license key

charts/retool/values.yaml Outdated Show resolved Hide resolved
@JatinNanda JatinNanda force-pushed the jatin/allow-eso-to-specify-postgres-password branch 4 times, most recently from 4633878 to 6d7ddf2 Compare January 25, 2025 04:12
{{/*
Checks whether or not ExternalSecret definitions are enabled and can potentially clobber secrets or explicitly allow additional direct secret refs.
*/}}
{{- define "checkExternalSecretsClobbering" -}}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would name this something a little more directly tied to what it gates, like shouldIncludeConfigSecretsEnvVars or smth

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agree

@@ -95,6 +95,9 @@ externalSecrets:
# Support for legacy external secrets, note this is deprecated in favour of External Secrets Operator: https://github.com/godaddy/kubernetes-external-secrets
# This mode only allows a single secret name to be provided.
enabled: false
# If external secrets are currently enabled, it is disallowed to specify regular configuration secrets as a safeguard from clobbering.
# This flag allows bypassing that check and specifying both an ExternalSecret and a regular secret for different secrets.
allowOtherSecrets: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thinking naming...maybe includeConfigSecrets?

also, do we want to doc a recommendation towards true/false? is the false default what we'd usually want or just for backcompat?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup, good idea. and yeah false the default just for backcompat

Verified

This commit was signed with the committer’s verified signature.
Excellify Excellify
@JatinNanda JatinNanda force-pushed the jatin/allow-eso-to-specify-postgres-password branch from 6d7ddf2 to 74430ae Compare January 27, 2025 22:50
@JatinNanda JatinNanda merged commit 2791c21 into main Jan 27, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants