Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integration with External Secrets Operator #170

Open
jan94 opened this issue Feb 20, 2024 · 1 comment
Open

Integration with External Secrets Operator #170

jan94 opened this issue Feb 20, 2024 · 1 comment
Labels
good first issue Good for newcomers

Comments

@jan94
Copy link
Contributor

jan94 commented Feb 20, 2024

As we want to define the admin credentials for the OpenZiti controller in AWS Secret Manager and sync them to EKS using the ESO, we need an option to specify the name of the secret, which the helm chart should refer to for the admin credentials - instead of creating the secret on its own.

In general we favor the approach of generating secrets out of the cluster with cryptographically secure password generators - like using the AWS Secret Managers https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetRandomPassword.html method :)

@qrkourier qrkourier added the good first issue Good for newcomers label Feb 29, 2024
@qrkourier
Copy link
Member

Solution sketch:

In the template that creates the Secret resource for the admin password (templates/secrets.yaml) , enclose the template with a conditional, like this: https://github.com/openziti/helm-charts/blob/main/charts/ziti-host/templates/secrets.yaml#L1

That way, the generated Secret is only created if the existing secret isn't defined.

In the controller chart's values.yaml file, add an empty value like https://github.com/openziti/helm-charts/blob/main/charts/ziti-host/values.yaml#L25 with a documentation comment above it like # -- use an existing secret instead of generating the admin password with Sprig library (link to Sprig function ref).

Finally, wrap each reference to the Secret resource with an "-admin-secret" suffix in the same conditional, using the existing secret if defined, else the generate secret. The only template that contains this string is the deployment: https://github.com/openziti/helm-charts/blob/main/charts/ziti-controller/templates/deployment.yaml#L41

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Good for newcomers
Projects
None yet
Development

No branches or pull requests

2 participants