feat: separate database credentials from configuration

- Move non-sensitive database config to ConfigMap
- Keep only passwords in Secret for better ExternalSecret integration
- Add configMapRef to deployment envFrom section

This change allows users to inject only passwords via ExternalSecret
while keeping database configuration in ConfigMap, following
Kubernetes best practices.

Author: kahirokunn

charts/devlake/charts/grafana-6.56.6.tgz

@@ -165,16 +165,6 @@ The database port
 {{- end }}
 
 
-{{/*
-The database url
-*/}}
-{{- define "database.url" -}}
-{{- if eq .Values.option.database "mysql" -}}
-mysql://{{ .Values.mysql.username }}:{{ .Values.mysql.password }}@{{ include "mysql.server" . }}:{{ include "mysql.port" . }}/{{ .Values.mysql.database }}?charset=utf8mb4&parseTime=True&loc={{ .Values.commonEnvs.TZ }}
-{{- end }}
-{{- end }}
-
-
 {{/*
 The probe for check database connection
 */}}

charts/devlake/templates/_helpers.tpl

@@ -0,0 +1,33 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "devlake.fullname" . }}-config
+  labels:
+    {{- include "devlake.labels" . | nindent 4 }}
+data:
+  # Database connection configuration (non-sensitive)
+{{- if (eq .Values.option.database "mysql") }}
+  MYSQL_USER: "{{ .Values.mysql.username }}"
+  MYSQL_DATABASE: "{{ .Values.mysql.database }}"
+  MYSQL_URL: "{{ include "mysql.server" . }}:{{ include "mysql.port" . }}"
+  MYSQL_SERVER: "{{ include "mysql.server" . }}"
+  MYSQL_PORT: "{{ include "mysql.port" . }}"
+  DB_LOCATION: "{{ .Values.commonEnvs.TZ }}"
+{{- end }}

charts/devlake/templates/configmap.yaml

@@ -162,7 +162,7 @@ spec:
         {{- with .Values.lake.containerSecurityContext }}
           securityContext:
           {{- toYaml . | nindent 12 }}
-      {{- end }}
+        {{- end }}
       containers:
         - name: lake
           {{- if .Values.lake.image.tag }}
@@ -182,6 +182,8 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           envFrom:
+            - configMapRef:
+                name: {{ include "devlake.fullname" . }}-config
             - secretRef:
                 name: {{ include "devlake.mysql.secret" . }}
             - secretRef:
@@ -193,6 +195,10 @@ spec:
           env:
             - name: PORT
               value: "{{ .Values.lake.port }}"
+            {{- if (eq .Values.option.database "mysql") }}
+            - name: DB_URL
+              value: "mysql://$(MYSQL_USER):$(MYSQL_PASSWORD)@$(MYSQL_SERVER):$(MYSQL_PORT)/$(MYSQL_DATABASE)?charset=utf8mb4&parseTime=True&loc=$(DB_LOCATION)"
+            {{- end }}
             {{- range $key1, $value1 := .Values.lake.envs }}
             - name: "{{ tpl $key1 $ }}"
               value: "{{ tpl (print $value1) $ }}"

charts/devlake/templates/deployments.yaml

@@ -22,17 +22,10 @@ metadata:
   name: {{ include "devlake.mysql.secret" . }}
 stringData:
 {{- if (eq .Values.option.database "mysql") }}
-  MYSQL_USER: "{{ .Values.mysql.username }}"
   MYSQL_PASSWORD: "{{ .Values.mysql.password }}"
-  MYSQL_DATABASE: "{{ .Values.mysql.database }}"
   MYSQL_ROOT_PASSWORD: "{{ .Values.mysql.rootPassword }}"
-  DB_URL: "{{ include "database.url" . }}"
-  MYSQL_URL: "{{ include "mysql.server" . }}:{{ include "mysql.port" . }}"
 #{{- else if (eq .Values.option.database "pgsql")}}
-#  POSTGRES_USER: "{{ .Values.pgsql.username }}"
 #  POSTGRES_PASSWORD: "{{ .Values.pgsql.password }}"
-#  POSTGRES_DB: "{{ .Values.pgsql.database }}"
-#  DB_URL: "{{ include "database.url" . }}"
 {{- end }}
 {{- end }}