(incubator-devlake-helm-chart) branch main updated: feat: separate database credentials from configuration (#337)

[klesh]

This is an automated email from the ASF dual-hosted git repository.

klesh pushed a commit to branch main
in repository 
https://gitbox.apache.org/repos/asf/incubator-devlake-helm-chart.git


The following commit(s) were added to refs/heads/main by this push:
     new 42e02ad  feat: separate database credentials from configuration (#337)
42e02ad is described below

commit 42e02ada896eef353a03bfcab2d865cd7a8fff3b
Author: kahirokunn <okinakah...@gmail.com>
AuthorDate: Wed Jul 9 12:01:37 2025 +0900

    feat: separate database credentials from configuration (#337)
    
    - Move non-sensitive database config to ConfigMap
    - Keep only passwords in Secret for better ExternalSecret integration
    - Add configMapRef to deployment envFrom section
    
    This change allows users to inject only passwords via ExternalSecret
    while keeping database configuration in ConfigMap, following
    Kubernetes best practices.
---
 .gitignore                                 |  2 ++
 charts/devlake/templates/_helpers.tpl      | 14 ++++--------
 charts/devlake/templates/configmap.yaml    | 35 ++++++++++++++++++++++++++++++
 charts/devlake/templates/deployments.yaml  |  8 ++++++-
 charts/devlake/templates/secrets.yaml      |  7 ------
 charts/devlake/templates/statefulsets.yaml |  2 ++
 6 files changed, 50 insertions(+), 18 deletions(-)

diff --git a/.gitignore b/.gitignore
index 66fd13c..128fdaf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,5 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+*.tgz
diff --git a/charts/devlake/templates/_helpers.tpl 
b/charts/devlake/templates/_helpers.tpl
index 3f5911e..5fbc671 100644
--- a/charts/devlake/templates/_helpers.tpl
+++ b/charts/devlake/templates/_helpers.tpl
@@ -104,6 +104,10 @@ The ui endpoint
 {{- end -}}
 {{- end -}}
 
+{{- define "devlake.mysql.configmap" -}}
+{{ include "devlake.fullname" . }}-config
+{{- end -}}
+
 {{- define "devlake.ui.auth.secret" -}}
 {{- if .Values.ui.basicAuth.secretName -}}
 {{- .Values.ui.basicAuth.secretName -}}
@@ -165,16 +169,6 @@ The database port
 {{- end }}
 
 
-{{/*
-The database url
-*/}}
-{{- define "database.url" -}}
-{{- if eq .Values.option.database "mysql" -}}
-mysql://{{ .Values.mysql.username }}:{{ .Values.mysql.password }}@{{ include 
"mysql.server" . }}:{{ include "mysql.port" . }}/{{ .Values.mysql.database 
}}?charset=utf8mb4&parseTime=True&loc={{ .Values.commonEnvs.TZ }}
-{{- end }}
-{{- end }}
-
-
 {{/*
 The probe for check database connection
 */}}
diff --git a/charts/devlake/templates/configmap.yaml 
b/charts/devlake/templates/configmap.yaml
new file mode 100644
index 0000000..502f44c
--- /dev/null
+++ b/charts/devlake/templates/configmap.yaml
@@ -0,0 +1,35 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "devlake.mysql.configmap" . }}
+  labels:
+    {{- include "devlake.labels" . | nindent 4 }}
+data:
+  # Database connection configuration (non-sensitive)
+{{- if (eq .Values.option.database "mysql") }}
+  MYSQL_USER: "{{ .Values.mysql.username }}"
+  MYSQL_DATABASE: "{{ .Values.mysql.database }}"
+  MYSQL_URL: "{{ include "mysql.server" . }}:{{ include "mysql.port" . }}"
+  MYSQL_SERVER: "{{ include "mysql.server" . }}"
+  MYSQL_PORT: "{{ include "mysql.port" . }}"
+  DB_CHARSET: "utf8mb4"
+  DB_PARSE_TIME: "True"
+  DB_LOCATION: "{{ .Values.commonEnvs.TZ }}"
+{{- end }}
diff --git a/charts/devlake/templates/deployments.yaml 
b/charts/devlake/templates/deployments.yaml
index c2b9ece..a93f029 100644
--- a/charts/devlake/templates/deployments.yaml
+++ b/charts/devlake/templates/deployments.yaml
@@ -162,7 +162,7 @@ spec:
         {{- with .Values.lake.containerSecurityContext }}
           securityContext:
           {{- toYaml . | nindent 12 }}
-      {{- end }}
+        {{- end }}
       containers:
         - name: lake
           {{- if .Values.lake.image.tag }}
@@ -182,6 +182,8 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           envFrom:
+            - configMapRef:
+                name: {{ include "devlake.mysql.configmap" . }}
             - secretRef:
                 name: {{ include "devlake.mysql.secret" . }}
             - secretRef:
@@ -193,6 +195,10 @@ spec:
           env:
             - name: PORT
               value: "{{ .Values.lake.port }}"
+            {{- if (eq .Values.option.database "mysql") }}
+            - name: DB_URL
+              value: 
"mysql://$(MYSQL_USER):$(MYSQL_PASSWORD)@$(MYSQL_SERVER):$(MYSQL_PORT)/$(MYSQL_DATABASE)?charset=$(DB_CHARSET)&parseTime=$(DB_PARSE_TIME)&loc=$(DB_LOCATION)"
+            {{- end }}
             {{- range $key1, $value1 := .Values.lake.envs }}
             - name: "{{ tpl $key1 $ }}"
               value: "{{ tpl (print $value1) $ }}"
diff --git a/charts/devlake/templates/secrets.yaml 
b/charts/devlake/templates/secrets.yaml
index 421c3c1..47d2298 100644
--- a/charts/devlake/templates/secrets.yaml
+++ b/charts/devlake/templates/secrets.yaml
@@ -22,17 +22,10 @@ metadata:
   name: {{ include "devlake.mysql.secret" . }}
 stringData:
 {{- if (eq .Values.option.database "mysql") }}
-  MYSQL_USER: "{{ .Values.mysql.username }}"
   MYSQL_PASSWORD: "{{ .Values.mysql.password }}"
-  MYSQL_DATABASE: "{{ .Values.mysql.database }}"
   MYSQL_ROOT_PASSWORD: "{{ .Values.mysql.rootPassword }}"
-  DB_URL: "{{ include "database.url" . }}"
-  MYSQL_URL: "{{ include "mysql.server" . }}:{{ include "mysql.port" . }}"
 #{{- else if (eq .Values.option.database "pgsql")}}
-#  POSTGRES_USER: "{{ .Values.pgsql.username }}"
 #  POSTGRES_PASSWORD: "{{ .Values.pgsql.password }}"
-#  POSTGRES_DB: "{{ .Values.pgsql.database }}"
-#  DB_URL: "{{ include "database.url" . }}"
 {{- end }}
 {{- end }}
 
diff --git a/charts/devlake/templates/statefulsets.yaml 
b/charts/devlake/templates/statefulsets.yaml
index 3424211..e15176d 100644
--- a/charts/devlake/templates/statefulsets.yaml
+++ b/charts/devlake/templates/statefulsets.yaml
@@ -90,6 +90,8 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           envFrom:
+            - configMapRef:
+                name: {{ include "devlake.mysql.configmap" . }}
             - secretRef:
                 name: {{ include "devlake.mysql.secret" . }}
           env: