Merged
Changes from 7 commits
141 changes: 137 additions & 4 deletions docs/self-hosting/kubernetes.mdx
Expand Up @@ -198,19 +198,152 @@ webapp:

### External services

You can disable the built-in services and use external services instead. For example:
You can disable the built-in services and use external services instead. The chart supports both direct configuration and existing Kubernetes secrets for secure credential management.

#### PostgreSQL

**Direct configuration:**
```yaml
postgres:
deploy: false
external:
databaseUrl: "postgresql://user:password@host:5432/database?schema=public"
directUrl: "" # Optional, defaults to databaseUrl
```

**Using existing secrets (recommended):**
```yaml
postgres:
deploy: false
external:
host: "my-postgres.example.com"
port: 5432
database: "my-database"
existingSecret: "postgres-credentials"
# Optional: Use secretKeys to specify the key names in the secret
# secretKeys:
# databaseUrlKey: "postgres-database-url" # default
# directUrlKey: "postgres-direct-url" # default
```

#### Redis

**Direct configuration:**
```yaml
redis:
deploy: false
external:
host: "my-redis.example.com"
port: 6379
password: "my-password"
tls:
enabled: true
```

**Using existing secrets (recommended):**
```yaml
redis:
deploy: false
external:
host: "my-redis.example.com"
port: 6379
existingSecret: "redis-credentials"
# existingSecretPasswordKey: "redis-password" # default (optional)
tls:
enabled: true
```

#### ClickHouse

**Direct configuration:**
```yaml
clickhouse:
deploy: false
external:
host: "my-clickhouse.example.com"
port: 8123
username: "my-username"
password: "my-password"
```

**Using existing secrets (recommended):**
```yaml
clickhouse:
deploy: false
external:
host: "my-clickhouse.example.com"
port: 8123
username: "my-username"
existingSecret: "clickhouse-credentials"
# existingSecretKey: "clickhouse-password" # default (optional)
```

#### S3 Object Storage

**Direct configuration:**
```yaml
minio:
deploy: false
s3:
external:
endpoint: "https://s3.amazonaws.com"
accessKeyId: "my-access-key"
secretAccessKey: "my-secret-key"
```

**Using existing secrets (recommended):**
```yaml
minio:
deploy: false
s3:
external:
endpoint: "https://s3.amazonaws.com"
existingSecret: "s3-credentials"
# Optional: Use secretKeys to specify the key names in the secret
# secretKeys:
# accessKeyIdKey: "access-key-id" # default
# secretAccessKeyKey: "secret-access-key" # default
```

### PostgreSQL SSL with custom CA certificates

When connecting to PostgreSQL instances that require custom CA certificates (such as AWS RDS with SSL verification), you can mount the CA certificate as a volume and configure the webapp to use it:

```yaml
postgres:
deploy: false
external:
databaseUrl: "postgresql://user:[email protected]:5432/triggerdb?schema=public&sslmode=require"
# Alternatively, use an existing secret
existingSecret: "postgres-credentials"
# secretKeys:
# databaseUrlKey: "postgres-database-url" # default
connection:
sslMode: "require"

# Webapp configuration with SSL CA certificate
webapp:
extraEnvVars:
- name: NODE_EXTRA_CA_CERTS
value: "/etc/ssl/certs/postgres-ca.crt"

extraVolumes:
- name: postgres-ca-cert
secret:
secretName: postgres-ca-secret
items:
- key: ca.crt
path: postgres-ca.crt

extraVolumeMounts:
- name: postgres-ca-cert
mountPath: /etc/ssl/certs
readOnly: true
```

**Benefits:**
- No plaintext credentials in `values.yaml` or Helm releases
- Complete `DATABASE_URL` stored securely in Kubernetes secrets
- Compatible with secret management tools (External Secrets Operator, etc.)
- Follows Kubernetes security best practices

## Worker token

When using the default bootstrap configuration, worker creation and authentication is handled automatically. The webapp generates a worker token and makes it available to the supervisor via a shared volume.
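
Review bot: In the "PostgreSQL SSL with custom CA certificates" example, `databaseUrl` (with an inline password) and `existingSecret: "postgres-credentials"` are both active keys under `postgres.external`, although the comment between them says "Alternatively". The docs never say which one the chart uses when both are set, so a reader who copies the block ends up with a plaintext credential in `values.yaml` next to the secret reference. Suggest commenting out one of the two, or splitting the block into a direct-configuration variant and a secret variant as the other service sections do, and stating the precedence. Two further points in the same section: `mountPath: /etc/ssl/certs` mounts the secret volume over the whole directory, which hides whatever CA bundle the image ships there; `NODE_EXTRA_CA_CERTS` keeps Node's built-in roots, but other processes in the container that read the system store would lose them, so a dedicated directory (or a `subPath` mount of the single file) would be safer. The "**Benefits:**" list describes the existing-secret approach, yet it sits after the CA certificate example; it would read better directly under "External services". It would also help to document what each referenced secret must contain, since the PostgreSQL secret example sets `host`, `port` and `database` while the benefits list says the complete `DATABASE_URL` lives in the secret.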
2 changes: 1 addition & 1 deletion hosting/k8s/helm/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: trigger
description: The official Trigger.dev Helm chart
type: application
version: 4.0.0-beta.16
version: 4.0.0-beta.17
appVersion: v4.0.0-v4-beta.22
home: https://trigger.dev
sources: