You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR add support for using existing secret references #53, instead of exposing sensitive values in values.yaml. The user can also modify the secretRefKey should their existing secrets use different keys from the default values in the chart.
TLDR
Add support for existing secret references
User can modify secret key input name
Known issues
db password may not be correctly encoded. To ensure compatibility, use password that are URL-safe (not using characters that can be URL-encoded like &, % etc.)
dashboard password may not contain / character, otherwise kong may crash due to sed
Testing existing refs in CI/CD is not possible for now due to symlink to values.example.yaml
* referenced secrets take precedence over supplied values in `value.yaml`
* test existing secrets by setting `debug.secretRef` to `true`
* this is a temporary solution as `ct install` doesn't have pre-install step
4, due to the extensive changes across multiple files and the complexity introduced by handling secret references conditionally. The PR modifies deployment configurations in various services, which requires careful review to ensure that secret management is handled securely and correctly.
🧪 Relevant tests
No
🔍 Possible issues
Possible Bug: The conditional checks for secret references might lead to misconfigurations if not properly set in values.yaml, leading to potential runtime errors or misrouted secret values.
Security Concern: There's a risk of exposing sensitive information if the conditional logic fails or if there are misconfigurations in the secret references.
🔒 Security concerns
No explicit vulnerabilities introduced, but the complexity of the changes requires careful validation to ensure that secrets are managed securely.
Code feedback:
relevant file
charts/supabase/templates/secrets/_helpers.tpl
suggestion
Consider adding error logging or warnings when .Values.secret.s3.keyId or .Values.secret.s3.accessKey are not set, as the current implementation silently fails by returning "false". This could help in debugging configuration issues. [important]
To improve code readability and reduce duplication, consider creating a helper template function for generating the secretKeyRef block since it is repeated with slight variations across multiple deployment files. [important]
Ensure that the default values for secretRefKey (like "username", "password", "database") are documented clearly in the values.yaml to avoid configuration errors by the users. [medium]
Add validation in the Helm chart to check if the necessary keys (username, password, database) are provided when secretRef is used. This prevents deployment issues due to missing keys in the referenced secrets. [important]
Overview:
The review tool scans the PR code changes, and generates a PR review which includes several types of feedbacks, such as possible PR issues, security threats and relevant test in the PR. More feedbacks can be added by configuring the tool.
The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on any PR.
When commenting, to edit configurations related to the review tool (pr_reviewer section), use the following template:
Add validation in the Helm chart to check if the necessary keys (username, password, database) are provided when secretRef is used. This prevents deployment issues due to missing keys in the referenced secrets. [important]
Yeah, I think this can be improved by adding checks and error handling in the _helpers.tpl for affected deployments. @arpagon Should I add it in this PR or in the next one?
Add validation in the Helm chart to check if the necessary keys (username, password, database) are provided when secretRef is used. This prevents deployment issues due to missing keys in the referenced secrets. [important]
Yeah, I think this can be improved by adding checks and error handling in the _helpers.tpl for affected deployments. @arpagon Should I add it in this PR or in the next one?
In the next one. We should discuss the release process, but I am considering this chart as non-production ready so we can streamline the process.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
This PR add support for using existing secret references #53, instead of exposing sensitive values in
values.yaml. The user can also modify thesecretRefKeyshould their existing secrets use different keys from the default values in the chart.TLDR
Known issues
dbpassword may not be correctly encoded. To ensure compatibility, use password that are URL-safe (not using characters that can be URL-encoded like&,%etc.)dashboardpassword may not contain/character, otherwisekongmay crash due tosedvalues.example.yaml