Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure handling of secrets #7

Open
alecor191 opened this issue May 16, 2024 · 3 comments
Open

Secure handling of secrets #7

alecor191 opened this issue May 16, 2024 · 3 comments

Comments

@alecor191
Copy link

I understand that the Helm chart takes secrets, like the DB password, and stores them in a K8S secret. However, as we have to pass it to the chart as value, users can call helm get values langfuse to retrieve all values provided at the time of installation.

Here what I get when running the mentioned command on a langfuse Helm release:

❯ helm get values langfuse

USER-SUPPLIED VALUES:
ingress:
  enabled: false
langfuse:
  nextauth:
    secret: 1234                          // <----- secret
    url: https://langfuse.example.org/
  salt: 5678                              // <----- secret
  telemetryEnabled: true
postgresql:
  auth:
    database: langfuse
    password: dbpassword                  // <----- secret
    username: archlet
  deploy: false
  host: langfuse.postgres.database.azure.com
service:
  type: ClusterIP

Do you have any thoughts on the topic resp. are there other ways that could be considered to provide secrets (e.g. by providing name/key of a secret in an existing K8S Secret)?
@mautini
Copy link
Contributor

mautini commented May 16, 2024

Hi @alecor191,

I think there are two solutions (that are not exclusive):

  • Modify the deployment and do not create secrets to allow usage of existing secrets in the cluster. This way you create your secrets on one hand and then reference them in the helm chart values.yaml
  • Use Helm Secrets Plugin:
    • Encrypt your passwords (with SOPS for example) in a values-secret.yaml file
    • helm secrets install langfuse ./langfuse -f values.yaml -f values-secret.yaml

@alecor191
Copy link
Author

Thanks @mautini! For the first option the Helm chart would have to be updated, right? As I believe currently it doesn't support providing references to K8S secrets.

The second recommendation is for sure a viable option. For us it's just a bit overkill to set up Helm secrets plugin just for Langfuse (we don't have the need for it on any other Helm chart we use in our clusters).

@mautini
Copy link
Contributor

mautini commented May 16, 2024

Yes, the first option needs an MR. Actually if you keep the same name for the secrets you just have an option to not generate the secrets via the helm chart, no need to set up custom ref.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alecor191 @mautini