# ory-selfhosting
v
Hello, I use the official Helm charts to deploy kratos and oathkeeper in my kubernetes cluster. The charts require a "dsn" value in the values.yaml file to be able to connect to the database. In production, these credentials are hosted on AWS and can be accessed by the cluster through an external-secret. My issue is that the values.yaml file is only used in the templating process to generate kubernetes resources dynamically. It thus cannot interact with kubernetes and has no way of interacting with the external secret. What is the standard way to solve this issue? I know we can also set the DSN by env variable but can't figure out how to compose this information with the Helm chart.
d
in your values file you can specify extra environment variables
to override the DSN at runtime
```yaml
deployment:
  serviceAccount:
    create: false
    name: kratos-secrets-service-account
  # Mount the CSI volume so the Secrets Store driver fetches the secret
  extraVolumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "kratos-database-secrets"
  extraVolumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  extraEnv:
    - name: DB_HOST
      valueFrom:
        secretKeyRef:
          name: kratos-database-secrets
          key: host
    - name: DB_USER
      valueFrom:
        secretKeyRef:
          name: kratos-database-secrets
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: kratos-database-secrets
          key: password
    # $(VAR) is expanded by Kubernetes from variables defined earlier in this list
    - name: DSN
      value: "postgres://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST):5432/$(DB_USER)"
```
this mounts a secret from AWS Secrets Manager, then uses it for environment variables to compose the DSN
v
Perfect! Thanks a lot ❤️ I supposed this extraEnv could be used for this but had absolutely no idea what it was asking for. Thanks for getting me unstuck!
d
no worries