<@U04PDLR0P37> I saw there was an issue raised on ...
# contributorsm
melodic-finland-71965
05/15/2024, 3:07 PM@enough-yak-81379 I saw there was an issue raised on the new version of the helm chart, that it affects users using existing secrets. It looks like they opened an issue when the same change was made in Hydra some time ago. I wonder if there is maybe a more elegant solution that would still allow the DSN to be pulled from a separate secret. Maybe making it configurable to select a separate secret for DSN in the secret section?
๐ 1
melodic-finland-71965
05/15/2024, 3:29 PMalternatively, it may just be fine to use the same pattern Hydra has been using for some time.
melodic-finland-71965
05/15/2024, 3:30 PMthough I assume the use case to being able to set DSN as extraEnv is to set it from another secret entirely (which is our case.)
e
enough-yak-81379
05/16/2024, 7:16 AMnot only.
The secretnameOverride allows you to use an existing secret that is sideloaded with the chart
The Env overrides allows for more customization like construction of the DSN from envs injected into the system at runtime, or even supporting different dsn for the main application and for example courier (you can set different connection parameters for them, as by default they would reuse the same dsn string)
enough-yak-81379
05/16/2024, 7:17 AMi need to expand the test scenarios to cover a wider array of options, as this is a regression that is not severe, or rather easy to workaround, but still brakes stuff for regular users ๐
enough-yak-81379
05/16/2024, 10:52 AMi think i managed to fix it ๐
m
melodic-finland-71965
05/16/2024, 12:49 PMbut now I can't use an external secret for the other values ๐คฃ
melodic-finland-71965
05/16/2024, 12:49 PMI think the major issue for us is that dsn is coupled into that secret in the first place
melodic-finland-71965
05/16/2024, 12:51 PMIdeally we would create an external secret containing the cookie secrets, and then one for the database url.
e
enough-yak-81379
05/16/2024, 12:52 PMright, but you should be able to do it using envs that reference custom secrets, right?
m
melodic-finland-71965
05/16/2024, 12:52 PMyes I suppose we could do that.
melodic-finland-71965
05/16/2024, 12:55 PMactually maybe not. These gets loaded from the kratos.secretname
melodic-finland-71965
05/16/2024, 12:55 PMwith no way to override them
e
enough-yak-81379
05/16/2024, 12:57 PMcould you open a issue with your config and desired state? That will make it easier for me to see how it fits into the current pattern of managing secrets
๐ 1
enough-yak-81379
05/16/2024, 12:58 PMiโm kinda reluctant to split the secret into a dsn and โthe restโ while still maintaining a sane default installation path ๐
m
melodic-finland-71965
05/16/2024, 12:59 PMI agree with you. I think it might be helpful to have the possibility to do it though. As often DB secrets come from a completely different place.
melodic-finland-71965
05/16/2024, 1:00 PMThe problem is we automate everything, and I want to be able to just inject in the correct thing from the DB made in Terraform, and there isn't any easy way to do this when it's all in one secret.
e
enough-yak-81379
05/16/2024, 1:02 PMsure, i understand ๐. Will try to see how can we provide the option without too much regressions
10 Views