feat(statefulset): add support for valueFrom in env#417
feat(statefulset): add support for valueFrom in env#417xoxys merged 4 commits intowoodpecker-ci:mainfrom
Conversation
|
yes please, in the mean-time im using a hacky workaround involving externalsecrets operator: ---
# eso-service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: eso-k8s-store-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: eso-k8s-store-role
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- authorization.k8s.io
resources:
- selfsubjectrulesreviews
verbs:
- create
---
# eso-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: eso-k8s-store-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: eso-k8s-store-role
subjects:
- kind: ServiceAccount
name: eso-k8s-store-sa
namespace: cicd
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: k8s-secret-store
spec:
provider:
kubernetes:
remoteNamespace: cicd
# We use the 'server' block to get access to the caProvider field
server:
caProvider:
type: ConfigMap
name: kube-root-ca.crt
key: ca.crt
auth:
serviceAccount:
name: "eso-k8s-store-sa"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: woodpecker-db-secret-translator
spec:
secretStoreRef:
name: k8s-secret-store # <-- Matches the SecretStore you just created
kind: SecretStore
# This is the name of the new secret ESO will create
target:
name: woodpecker-db-secret
template:
type: Opaque
data:
# This creates a new key in the target secret
- secretKey: WOODPECKER_DATABASE_DATASOURCE
# This points to the source secret and key
remoteRef:
key: woodpecker-psql-pguser-woodpecker # <-- The PGO-generated secret
property: uri # <-- The key *inside* the PGO secret |
|
I'm simply using |
I created this PR because the secret is managed by another component (the DB operator) which doesn't allow custom secret keys, so I can't just load the secret as env vars. |
|
Fine for me to add. Will take a closer look today. Thank you all and sorry for the delay. |
|
Personally, I would prefer to change the syntax to something like this: {{- range $value := .Values.env }}
- name: {{ $value.name }}
{{- if $value.value }}
value: {{ $value.value | quote }}
{{- else if $value.valueFrom }}
valueFrom: {{ toYaml $value.valueFrom | nindent 8 }}
{{- end }}
{{- end }}The current syntax is already a bit uncommon and gets even more weird with this proposed changed. However, this would be a breaking change for the chart, but that would be fine for me. From user perspective, @baprx @psych0d0g @marcusramberg what do you think? |
Signed-off-by: Baptiste Roux <arte.but.posix@gmail.com>
Signed-off-by: Baptiste Roux <arte.but.posix@gmail.com>
baprx
force-pushed
the
feat/env-valueFrom
branch
from
917bc20 to
c849c9e
Compare
|
@xoxys ironically I find myself in need of this functionality too now. Any chance we could get a release of the chart? |
|
Sorry, release triggered right now. |
|
fyi guys I had the WOODPECKER_GITHUB env value as boolean, not as string, which was not fully correct i guess, but it worked with the previous version of the chart and after the upgrade the boolean env value is rendered to an empty value and my woodpecker server crushed because no forges configured. I guess the same would happen with number values, such as |
|
Sorry about that. Can take a look next week. If someone wants to provide a PR in the meantime, it would be very welcome. |
6 participants
Hi, this PR adds support for adding single env variable from a secret key: