[prometheus-rabbitmq-exporter] Create secret to store credentials when provided #5099
Conversation
Signed-off-by: Julio Chana <[email protected]>
jchanam
requested review from
desaintmartin,
Juanchimienti and
monotek
as code owners
| @@ -0,0 +1,22 @@ | |||
| {{- if or (and (.Values.rabbitmq.password) (not .Values.rabbitmq.existingPasswordSecret)) (and (.Values.rabbitmq.user) (not .Values.rabbitmq.existingUserSecret)) }} | |||
There was a problem hiding this comment.
If .Values.rabbitmq.password is set but .Values.rabbitmq.existingPasswordSecret is set as well, secret will not be created and Pod will never start. We should have a solution. Maybe we should prevent the two being set at the same time, or we align the condition in the two files, or we simply "ignore" the latter like it's done before this PR.
There was a problem hiding this comment.
Hi!
Yes, you're right. If existing password secret is set, then we don't need to create the secret, as we'll be using the one provided in the values.
On that case, the secret where we're reading the value for the env is also the one provided, so I think the pod will be created and running.
This is an example of the env for the deployment on that case:
env:
- name: RABBIT_PASSWORD
valueFrom:
secretKeyRef:
name: "existingsecret"
key: "password"
- name: RABBIT_USER
valueFrom:
secretKeyRef:
name: "existingsecret"
key: "username"
- name: RABBIT_URL
value: my-url.comThere was a problem hiding this comment.
About the options you mentioned, I followed what it was done before. If the existing secret is given, the password or user is ignored and the secret used.
There was a problem hiding this comment.
I am sorry, the diff bugged me, you are right!
| @@ -0,0 +1,22 @@ | |||
| {{- if or (and (.Values.rabbitmq.password) (not .Values.rabbitmq.existingPasswordSecret)) (and (.Values.rabbitmq.user) (not .Values.rabbitmq.existingUserSecret)) }} | |||
There was a problem hiding this comment.
I am sorry, the diff bugged me, you are right!
What this PR does / why we need it
Connection credentials should be stored securely using secrets. Right now, the chart allows to provide your own secret, but if the credentials are given as values to the chart, they are exposed in the deployment env variables.
This PR adds a new secret, that will be created only if the user or password is provided and if the existing user/password secret is not given.
Special notes for your reviewer
Checklist
[prometheus-couchdb-exporter])