kahirokunn opened a new pull request, #337:
URL: https://github.com/apache/incubator-devlake-helm-chart/pull/337
# feat: Improved convenience when using External Secrets through separation of ConfigMap and Secret
## Overview
Separates MySQL configuration information into confidential and
non-confidential data to improve integration with external secret management
systems such as External Secret.
## Changes
### 🔧 Modified Files
- `charts/devlake/templates/secrets.yaml` - Modified to contain only
confidential information
- `charts/devlake/templates/configmap.yaml` - Newly created: manages
non-confidential settings
- `charts/devlake/templates/deployments.yaml` - Updated to reference both
ConfigMap and Secret
### 📋 Detailed Changes
#### Secret (confidential information only)
```yaml
# Before changes
MYSQL_USER: "merico" # Removed
MYSQL_PASSWORD: "merico" # Retained
MYSQL_DATABASE: "lake" # Removed
MYSQL_ROOT_PASSWORD: "admin" # Retained
DB_URL: "mysql://..." # Removed
MYSQL_URL: "server:port" # Removed
# After changes
MYSQL_PASSWORD: "merico" # Retained
MYSQL_ROOT_PASSWORD: "admin" # Retained
```
#### ConfigMap (non-confidential settings) - Newly created
```yaml
MYSQL_USER: "merico"
MYSQL_DATABASE: "lake"
MYSQL_URL: "server:port"
DB_URL_TEMPLATE: "mysql://user:${MYSQL_PASSWORD}@server:port/db?..."
```
#### Deployment
```yaml
envFrom:
  - configMapRef: # Newly added
      name: devlake-config
  - secretRef:
      name: devlake-mysql-auth
```
## 🎯 Problems Resolved
### Issues Before Changes
- When injecting passwords with External Secret, `MYSQL_USER`,
`MYSQL_DATABASE`, `MYSQL_URL` also needed to be managed externally
- Non-confidential information was included in Secret, which goes against
Kubernetes best practices
- Secret updates were required when changing configurations
### Improvements After Changes
- External Secret only needs to manage passwords
- Configuration information is managed in ConfigMap and properly separated
- Follows Kubernetes best practices
## 🔄 Compatibility
- Maintains backward compatibility with existing deployments
- When `option.autoCreateSecret: true`, operates as before
- When using External Secret, only passwords need to be provided
## 📚 Related Issues
Fixes #336
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
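An ExternalSecret that fits the split described in this pull request, added here as an illustration and not part of the pull request or the chart: it populates only the two password keys of `devlake-mysql-auth`. The store name `example-secret-store`, the remote key `devlake/mysql` and its properties are hypothetical, and the `apiVersion` depends on the installed External Secrets Operator release.

```yaml
# Added example, not from the pull request. Values marked "hypothetical" are assumptions.
apiVersion: external-secrets.io/v1beta1   # external-secrets.io/v1 on newer operator releases
kind: ExternalSecret
metadata:
  name: devlake-mysql-auth
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: example-secret-store            # hypothetical
  target:
    name: devlake-mysql-auth              # Secret name used by the Deployment's secretRef
    creationPolicy: Owner
  data:
    # Only the confidential keys are synced from the external store.
    - secretKey: MYSQL_PASSWORD
      remoteRef:
        key: devlake/mysql                # hypothetical path in the backing store
        property: password                # hypothetical
    - secretKey: MYSQL_ROOT_PASSWORD
      remoteRef:
        key: devlake/mysql                # hypothetical
        property: root-password           # hypothetical
```

`MYSQL_USER`, `MYSQL_DATABASE` and `MYSQL_URL` are absent on purpose: after the change they come from the ConfigMap, so the external store holds nothing but the two passwords.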