Conversation
|
@Cogitri if you are fine with a breaking change, then I would drop the "existingSecret" field and simplify the helper accordingly. |
|
btw I haven't fully tested this yet |
If we were to drop Right? That'd also be fine by me. |
pschichtel
force-pushed
the
feature/db-operator-support
branch
from
508cfd9 to
cecbd2b
Compare
|
I've added a README section. The last commit removes the existingSecret values for postgresql and keyBase, which would be breaking. |
|
Alright, this looks great, good work! The only thing I'm considering is if it's a good idea to name it .secretName instead of .name? That makes it a bit more explicit - but on the other hand it's already somewhat clear from the context 🤔 Do you have an opinion on that? |
|
I based my naming on the but I'd be fine either way |
|
@Cogitri so, should I go ahead and change Also should I migrate the rest of the secrets over to this as well ? |
|
Hi, sorry for not getting back to you, I think the naming is fine as-is. I'll test the PR later today and merge it :) I think we can migrate the other secrets too |
|
then let's defer the testing and merge until I migrated the rest over this evening, ok ? |
|
I pushed a few more commits. The first 2 are unrelated cleanups, which I could pull out of this PR if wanted. the third migrates the rest of the secrets over to the new scheme, which didn't fully work out for the redis password. The 4. commit goes all the way for the redis password, while still keeping the chart preconfigured correctly for the subchart. It's probably debatable of the last commit is really worth the trouble, but I think it's the only clean way to have the redis password configuration consistent with the other secrets. If you want I can also write up a summary of the breaking changes and a quick migration guide |
Hmm, I think it's nice to have it consistent, but it's a bit odd how there's a
That'd be much appreciated, thank you so much for your work! :) |
charts/dawarich/values.yaml
Outdated
| keyBase: | ||
| existingSecret: null | ||
| value: changeme | ||
| keyBase: changeme |
There was a problem hiding this comment.
Hmmm, maybe I'm doing something wrong, when leaving this at the default value, installing the template fails:
Error: dawarich/templates/secret.yaml:9:107
executing "dawarich/templates/secret.yaml" at <.Values.keyBase.existingSecret>:
can't evaluate field existingSecret in type interface {}
There was a problem hiding this comment.
Hmm, I'm also getting a few warnings here, I'm not quite sure what's the dawarich. prefix doing in dawarich.postgresql.auth.password?
level=INFO msg="warning: destination for dawarich.postgresql.auth.password is a table. Ignoring non-table value (changeme)"
level=INFO msg="warning: destination for dawarich.postgresql.auth.username is a table. Ignoring non-table value (dawarich)"
level=INFO msg="warning: destination for dawarich.postgresql.auth.database is a table. Ignoring non-table value (dawarich)"
level=INFO msg="warning: destination for dawarich.postgresql.auth.username is a table. Ignoring non-table value (dawarich)"
level=INFO msg="warning: destination for dawarich.postgresql.auth.database is a table. Ignoring non-table value (dawarich)"
level=INFO msg="warning: destination for dawarich.postgresql.auth.password is a table. Ignoring non-table value (changeme)"
There was a problem hiding this comment.
I fixed the template on defaults (missed removing a reference to a existingSecret).
Not sure how you are producing those warnings, are those application logs from dawarich ?
There was a problem hiding this comment.
Ah sorry, should've mentioned that in my initial post. I got those warnings when doing helm install of this chart with your changes applied with the default values.yaml with a few small changes. I'll test again with the updated PR later today and if that still produces the warnings post values.yaml.
There was a problem hiding this comment.
This is the values.yaml I use for my testing environment:
dawarich:
replicaCount: 1
hosts:
- "..."
sidekiq:
replicaCount: 1
postgresql:
host: dawarich-postgres-rw
auth:
database:
name: dawarich-postgresql-secret
key: database
username:
name: dawarich-postgresql-secret
key: username
password:
name: dawarich-postgresql-secret
key: password
redis:
auth: false
password: ""
Installed it via helm upgrade --install dawarich . --values=staging.yaml --namespace=dawarich-test --create-namespace
There was a problem hiding this comment.
Oh and ignoring those log messages, the resulting pod doesn't start due to Error: couldn't find key photonApiKey in Secret dawarich-test/dawarich - which shouldn't be mandatory.
There was a problem hiding this comment.
time was a little tight last week, I'll test this through sometime this week.
There was a problem hiding this comment.
Ok so the warnings are being produced by helm, because the additional values override a non-object value (e.g. dawarich.postgresql.auth.database which defaults to dawarich) with an object. The warnings says, that it's using the object value, so everything works as expected, but the warning is still ugly. Surprisingly this warnings is not produced when using helm template, which I did most of my testing with and argocd also uses helm template internally. We could avoid these by moving the value to a subkey like value and giving the secretKeyRef precedence over the value. even though we are not currently doing that, it could be problematic when defaulting things to secrets, which can then not be overridden.
since we are breaking things anyway, I can propose a different approach, which might simplify things.
pschichtel
force-pushed
the
feature/db-operator-support
branch
2 times, most recently
from
68f8d0d to
e7c7633
Compare
pschichtel
force-pushed
the
feature/db-operator-support
branch
5 times, most recently
from
6208ae5 to
d6217fc
Compare
|
The commit Rename ha-redis to bundled-redis renames ha-redis to bundled-redis, however I'm not sure that rename is worth the migration. The commit Convert all secrets to secretKeyRefs converts all secrets in the values.yaml to secretKeyRefs with a default |
| postgresPassword: changeme | ||
| existingSecret: null | ||
| database: | ||
| key: postgresDatabase |
There was a problem hiding this comment.
Thanks, I'll test this later tomorrow. Could you also add a short section in the README how existing users can port their values.yaml? I suppose simply replacing e.g. database.existingSecret with database.existingSecret.name (and changing database.existingSecret.key if it doesn't happen to match) should be sufficient?
| secret: | ||
| create: true | ||
| stringData: |
There was a problem hiding this comment.
Hmm, I don't have a good suggestion for how to change this, but it'd be nice if .secret already reflected that that's only to be used if you really want the helm chart to create the secrets for you, which isn't necessarily what you'd do in prod. Maybe a comment would already be sufficient ("Change the values below if you don't use existing secrets and want the chart to create secrets for you").
It'd also be nice to know which values are mandatory in the default configuration (all non-null values are required + redisPassword, or does the combination of .redis.auth=true and secret.stringData.redisPassword=null work?)
|
Upgrading to the new version fails with the values.yaml I linked here: |
it was outdated compared to the Chart.lock anyway
I aggregate several helm repository projects into a single intellij multi-module project.
pschichtel
force-pushed
the
feature/db-operator-support
branch
from
d6217fc to
e553ef7
Compare
the redis section is now there to configure dawarich's redis parameters (host, port, password) and the redis-ha section configures just the subchart. Both sections are preconfigured to work with each other.
unfortunately, without setting more options, this is also a breaking change in that it changes the names of the redis pvcs which will require an annoying migration or data loss. However: I don't think dawarich's redis needs persistence, but maybe that should be clarified
All secrets are secretKeyRefs here, but there is a new "secret" section that allows creating a secret with given data.
pschichtel
force-pushed
the
feature/db-operator-support
branch
from
e553ef7 to
0dd1c8e
Compare
2 participants
This PR allows to configure more postgres details (db name, host, port) via secretKeyRefs. This is useful, when using an operator that manages databases and that automatically provides a secret with all the details. One such operator is the db-operator project.
The same approach could also be applied to other secrets, of that is of interest.