Helm chart - Allow kes-configuration (kesSecret) to be loaded from existing secret #1960

Open
simicivan173 opened this issue Jan 31, 2024 · 0 comments

simicivan173 commented Jan 31, 2024

Problem description
When configuring KES configuration and vault interaction, there is no option to provide a secret to secure the role_id and secret_id as part of the config. As a consequence, vault configuration needs to be in the clear in the general values.yaml. In the templates there is a helm/tenant/templates/kes-configuration-secret.yaml which is not possible to skip, and it forces creation of the secret. That way there is no way to use the existing pre-created secret, which would be more secure.

Describe the solution you'd like
A trivial solution might be to change the condition of https://github.com/minio/operator/blob/master/helm/tenant/templates/kes-configuration-secret.yaml to not create a secret if we provide one. Then we could allow the KES configuration to use the existing pre-created secret.
There are already options of existingSecret in tenant configuration, but for KES it's missing.

Additional context
This secret could be pre-created, so you don't have to force creation.

@simicivan173 simicivan173 changed the title Allow kes-configuration to be loaded from secret Helm chart - Allow kes-configuration (kesSecret) to be loaded from existing secret Jan 31, 2024
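
A sketch of the guard this issue requests, added here as an illustration and not taken from the MinIO operator chart or from the issue author. The value key `tenant.kes.existingSecret` is hypothetical, and the Secret names, the `server-config.yaml` data key and the `tenant.kes.configuration` layout are assumptions.

```yaml
# --- templates/kes-configuration-secret.yaml (sketch, not the chart's actual template) ---
# Render the chart-managed Secret only when KES is configured AND no
# pre-created Secret is named. `existingSecret` is a hypothetical value key.
{{- with .Values.tenant.kes }}
{{- if not .existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: kes-configuration            # assumed name of the chart-managed Secret
type: Opaque
stringData:
  # Assumed data key. On this path the inline KES config, including the
  # Vault AppRole role_id and secret_id, comes from values.yaml in the clear.
  server-config.yaml: |
{{ .configuration | indent 4 }}
{{- end }}
{{- end }}

# --- Tenant manifest fragment (sketch): point kesSecret at whichever Secret is in use ---
#   kes:
#     kesSecret:
#       name: {{ .Values.tenant.kes.existingSecret | default "kes-configuration" }}
---
# --- values.yaml, before: credentials are part of the release values ---
tenant:
  kes:
    configuration: |-
      keystore:
        vault:
          approle:
            id: "<role_id>"          # placeholder, stored in the clear
            secret: "<secret_id>"    # placeholder, stored in the clear
---
# --- values.yaml, after: only a Secret name is stored ---
tenant:
  kes:
    # Hypothetical key. The Secret is created out of band (for example by a
    # secrets operator or a sealed/encrypted manifest) in the tenant namespace.
    existingSecret: kes-configuration-precreated   # constructed sample name
    # `configuration` is omitted, so role_id and secret_id never enter
    # values.yaml or the Helm release history.
```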