Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Allow users to inject credentials file separately #36

Open
brunoluiz opened this issue Jun 28, 2023 · 5 comments
Open

feat: Allow users to inject credentials file separately #36

brunoluiz opened this issue Jun 28, 2023 · 5 comments

Comments

@brunoluiz
Copy link

brunoluiz commented Jun 28, 2023
edited
Loading

Helm charts certainly make things easier and more standardised, so I am glad this exists. My suggestion/feature request would be to allow users to inject the credentials file from a secret value, as at the moment the only way to pass the tunnel secret is through setting .Values.cloudflare.secret.

This is not ideal because:

a. It requires the whole chart to be a secret, which in many cases it might not be (example: if it just lives in Github)
b. Doesn't give flexibility for users to use external secrets managers

A couple of solutions are possible:

1. Encoding the whole local values.yaml as a secret

Correct if I am wrong, but this seems to be the only solution with the current approach (raw secret in the values.yaml). ExternalSecrets users can leverage the templating engine to create a values.yaml that then is used by helm (well, at least with Flux it is possible to reference secrets as values).

If this is the way to go, perhaps might be good to leave some notes in the README on the safest way of doing this.

2. Change cloudflared to accept all credentials values via env variables and allow env injection in the chart

This is quite a common approach in other projects but probably would require refactoring not only this chart, but as well cloudflared. Possibly unlikely?

3. Chart accepts a credentialsSecretRef

In this case, users can map the credential file secret somewhere else and, the secrets.yaml shouldn't be used if this is set. Instead, the deployment.yaml would load the secret defined by the user.

This would be very handy, not attaching this project to any specific secret management solution, while still providing users standardisation through Helm.
@froblesmartin
Copy link
Contributor

Hi @brunoluiz ! I will work on the 3rd solution as is the simple and standard way. Probably will raise a PR later today.

In the end, there are many different ways of managing secrets in K8s, but the most standard way for a Helm chart to face this is to just allow referencing a secret, and then whoever uses the chart, can generate that secret however they want.

@froblesmartin froblesmartin mentioned this issue Jul 2, 2023
Merged
@uhthomas
Copy link
Member

I was going to suggest this could be closed, but the cloudflare-tunnel-remote chart needs this change too.

@brunoluiz
Copy link
Author

@uhthomas I guess it can be tracked separately

@uhthomas
Copy link
Member

@uhthomas I guess it can be tracked separately

It would probably be easier to keep this issue open.

@brunoluiz brunoluiz reopened this Aug 14, 2023
@uhthomas uhthomas mentioned this issue Aug 15, 2023
Closed
@devantler devantler mentioned this issue Sep 13, 2023
Closed
@hedgieinsocks hedgieinsocks mentioned this issue Mar 7, 2024
Open
@c0mponents
Copy link

@uhthomas could we get a review on @hedgieinsocks PR #68 ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update README.md with docs on how to properly use the cloudflare tunnel.
4 participants
@c0mponents @brunoluiz @uhthomas @froblesmartin