Helm chart: add support for export.stdout.envFromSecrets to inject environment variables from Kubernetes secrets #4025
kkourt
left a comment
Thanks!
Can you please provide an example of how this is meant to be used in the commit message? Please include both newly introduced configuration values (extraEnvFrom and envFromSecrets). Also, shouldn't we update values.yaml accordingly?
| image: "{{ if .Values.export.stdout.image.override }}{{ .Values.export.stdout.image.override }}{{ else }}{{ .Values.export.stdout.image.repository }}:{{ .Values.export.stdout.image.tag }}{{ end }}" | ||
| imagePullPolicy: {{ .Values.imagePullPolicy }} | ||
| terminationMessagePolicy: FallbackToLogsOnError | ||
|
|
nit: empty newline
Also, this was not resolved.
This has been fixed in the latest commit. Please take a look.
Please don't introduce changes that are negated at later commits. This makes history difficult to read.
Instead, please squash the changes from my feedback into the relevant original commits. (git rebase --interactive using the squash and fixup actions should help).
Sorry about the extra commits earlier - I wasn’t aware of the best practice here. I’ve now squashed everything into a single commit with an updated message and examples. Hopefully the history looks clean now. Please let me know if there are any other issues I should fix. Thanks again for your guidance! @kkourt
Motivation: I ran into this need while wiring Tetragon’s stdout exporter to ship logs to OpenSearch via Fluent Bit. I had to inject multiple credentials (e.g., OPENSEARCH_USERNAME / OPENSEARCH_PASSWORD) from a Kubernetes Secret without enumerating each key. Supporting envFrom and the envFromSecrets lets us mount the whole secret cleanly and keeps sensitive values out of plain values files.
As far as I can see, the commit messages are still empty.
6ec75ef to ce44d0b
kkourt
left a comment
Changes LGTM, thanks!
AFAICT, the CI failure is because you need to include the doc changes in the commit. That is, run:
make -C install/kubernetes
And squash the relevant changes in your commit.
@mtardy can you also have a look?
kkourt
left a comment
Changing this to Request changes, until the CI is fixed so that it's not merged by mistake.
sorry guys! thanks i did it. i hope...
LGTM, thanks!
@mtardy can you also take a look?
mtardy
left a comment
lgtm overall, I haven't tested it manually though to make sure each of these work! Just a minor nit
install/kubernetes/tetragon/templates/_container_export_stdout.tpl
This commit extends the Helm chart for Tetragon by adding support
for envFrom in the export.stdout template. Specifically:

- export.stdout.extraEnvFrom: allows referencing ConfigMaps/Secrets
  via envFrom.
- export.stdout.envFromSecrets: convenience for Secrets only,
  accepts strings or objects.

Usage examples:

values.yaml
-----------
    export:
      stdout:
        # Add specific env vars
        extraEnv:
          - name: LOG_LEVEL
            value: info
        # Pull multiple variables from ConfigMap/Secret via envFrom
        extraEnvFrom:
          - configMapRef:
              name: fluent-bit-config
        # Convenience for Secret envFrom
        envFromSecrets:
          - opensearch-credentials
          - name: optional-secret
            optional: true

Rendered container
------------------
    env:
      - name: LOG_LEVEL
        value: info
    envFrom:
      - configMapRef:
          name: fluent-bit-config
      - secretRef:
          name: opensearch-credentials
      - secretRef:
          name: optional-secret
          optional: true

Signed-off-by: Bagautdino <[email protected]>
This PR extends the Helm chart for Tetragon by adding support for envFromSecrets in the export.stdout template. This allows injecting environment variables from Kubernetes secrets using the envFrom field.
The implementation checks for the presence of .Values.export.stdout.envFromSecrets, and if present, renders the corresponding envFrom entries as secretRef definitions. This is useful when multiple environment variables need to be sourced from secrets without specifying each variable explicitly.
This change is backward-compatible and does not affect existing configurations that do not use envFromSecrets.
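
The rendering rule described in the PR description and commit message, modelled in Python as an added example (not Tetragon's template code and not part of the PR). The function names, the ordering of entries (taken from the commit message's rendered output) and the rejection of items without a Secret name are assumptions; the sample values are copied from the commit message.

```python
# Added example: models the envFrom rendering described in this PR.
# Not Tetragon's template code; function names are hypothetical.

def render_env_from(stdout_values):
    """Build the container's envFrom list from an export.stdout values mapping.

    Assumed order (from the commit message's rendered example):
    extraEnvFrom entries first, then one secretRef per envFromSecrets item.
    """
    env_from = [dict(entry) for entry in stdout_values.get("extraEnvFrom") or []]
    for item in stdout_values.get("envFromSecrets") or []:
        if isinstance(item, str):
            ref = {"name": item}                  # string form: Secret name only
        elif isinstance(item, dict) and isinstance(item.get("name"), str):
            ref = {"name": item["name"]}          # object form: name + optional
            if "optional" in item:
                ref["optional"] = bool(item["optional"])
        else:
            raise ValueError(f"envFromSecrets item has no Secret name: {item!r}")
        if not ref["name"]:
            raise ValueError("envFromSecrets item has an empty Secret name")
        env_from.append({"secretRef": ref})
    return env_from


def referenced_secrets(env_from):
    """Return (name, optional) for each Secret injected whole via envFrom."""
    return [(e["secretRef"]["name"], e["secretRef"].get("optional", False))
            for e in env_from if "secretRef" in e]


# Values copied from the usage example in the commit message.
SAMPLE_STDOUT_VALUES = {
    "extraEnv": [{"name": "LOG_LEVEL", "value": "info"}],
    "extraEnvFrom": [{"configMapRef": {"name": "fluent-bit-config"}}],
    "envFromSecrets": [
        "opensearch-credentials",
        {"name": "optional-secret", "optional": True},
    ],
}

if __name__ == "__main__":
    rendered = render_env_from(SAMPLE_STDOUT_VALUES)
    for name, optional in referenced_secrets(rendered):
        print(f"secretRef {name} optional={optional}")
```

Because envFrom exposes every key of a referenced Secret as an environment variable in the exporter container, the list returned by `referenced_secrets` is the set of Secrets whose full contents should be reviewed before the values file is applied.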