feat: separate database credentials from configuration (#337)

kahirokunn · web-flow · commit 42e02ada896e · 2025-07-09T11:01:37.000+08:00
- Move non-sensitive database config to ConfigMap
- Keep only passwords in Secret for better ExternalSecret integration
- Add configMapRef to deployment envFrom section

This change allows users to inject only passwords via ExternalSecret
while keeping database configuration in ConfigMap, following
Kubernetes best practices.
diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,5 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+*.tgz
diff --git a/charts/devlake/templates/_helpers.tpl b/charts/devlake/templates/_helpers.tpl
@@ -104,6 +104,10 @@ The ui endpoint
 {{- end -}}
 {{- end -}}
 
+{{- define "devlake.mysql.configmap" -}}
+{{ include "devlake.fullname" . }}-config
+{{- end -}}
+
 {{- define "devlake.ui.auth.secret" -}}
 {{- if .Values.ui.basicAuth.secretName -}}
 {{- .Values.ui.basicAuth.secretName -}}
@@ -165,16 +169,6 @@ The database port
 {{- end }}
 
 
-{{/*
-The database url
-*/}}
-{{- define "database.url" -}}
-{{- if eq .Values.option.database "mysql" -}}
-mysql://{{ .Values.mysql.username }}:{{ .Values.mysql.password }}@{{ include "mysql.server" . }}:{{ include "mysql.port" . }}/{{ .Values.mysql.database }}?charset=utf8mb4&parseTime=True&loc={{ .Values.commonEnvs.TZ }}
-{{- end }}
-{{- end }}
-
-
 {{/*
 The probe for check database connection
 */}}
diff --git a/charts/devlake/templates/configmap.yaml b/charts/devlake/templates/configmap.yaml
@@ -0,0 +1,35 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "devlake.mysql.configmap" . }}
+  labels:
+    {{- include "devlake.labels" . | nindent 4 }}
+data:
+  # Database connection configuration (non-sensitive)
+{{- if (eq .Values.option.database "mysql") }}
+  MYSQL_USER: "{{ .Values.mysql.username }}"
+  MYSQL_DATABASE: "{{ .Values.mysql.database }}"
+  MYSQL_URL: "{{ include "mysql.server" . }}:{{ include "mysql.port" . }}"
+  MYSQL_SERVER: "{{ include "mysql.server" . }}"
+  MYSQL_PORT: "{{ include "mysql.port" . }}"
+  DB_CHARSET: "utf8mb4"
+  DB_PARSE_TIME: "True"
+  DB_LOCATION: "{{ .Values.commonEnvs.TZ }}"
+{{- end }}
diff --git a/charts/devlake/templates/deployments.yaml b/charts/devlake/templates/deployments.yaml
@@ -162,7 +162,7 @@ spec:
         {{- with .Values.lake.containerSecurityContext }}
           securityContext:
           {{- toYaml . | nindent 12 }}
-      {{- end }}
+        {{- end }}
       containers:
         - name: lake
           {{- if .Values.lake.image.tag }}
@@ -182,6 +182,8 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           envFrom:
+            - configMapRef:
+                name: {{ include "devlake.mysql.configmap" . }}
             - secretRef:
                 name: {{ include "devlake.mysql.secret" . }}
             - secretRef:
@@ -193,6 +195,10 @@ spec:
           env:
             - name: PORT
               value: "{{ .Values.lake.port }}"
+            {{- if (eq .Values.option.database "mysql") }}
+            - name: DB_URL
+              value: "mysql://$(MYSQL_USER):$(MYSQL_PASSWORD)@$(MYSQL_SERVER):$(MYSQL_PORT)/$(MYSQL_DATABASE)?charset=$(DB_CHARSET)&parseTime=$(DB_PARSE_TIME)&loc=$(DB_LOCATION)"
+            {{- end }}
             {{- range $key1, $value1 := .Values.lake.envs }}
             - name: "{{ tpl $key1 $ }}"
               value: "{{ tpl (print $value1) $ }}"
diff --git a/charts/devlake/templates/secrets.yaml b/charts/devlake/templates/secrets.yaml
@@ -22,17 +22,10 @@ metadata:
   name: {{ include "devlake.mysql.secret" . }}
 stringData:
 {{- if (eq .Values.option.database "mysql") }}
-  MYSQL_USER: "{{ .Values.mysql.username }}"
   MYSQL_PASSWORD: "{{ .Values.mysql.password }}"
-  MYSQL_DATABASE: "{{ .Values.mysql.database }}"
   MYSQL_ROOT_PASSWORD: "{{ .Values.mysql.rootPassword }}"
-  DB_URL: "{{ include "database.url" . }}"
-  MYSQL_URL: "{{ include "mysql.server" . }}:{{ include "mysql.port" . }}"
 #{{- else if (eq .Values.option.database "pgsql")}}
-#  POSTGRES_USER: "{{ .Values.pgsql.username }}"
 #  POSTGRES_PASSWORD: "{{ .Values.pgsql.password }}"
-#  POSTGRES_DB: "{{ .Values.pgsql.database }}"
-#  DB_URL: "{{ include "database.url" . }}"
 {{- end }}
 {{- end }}
 
diff --git a/charts/devlake/templates/statefulsets.yaml b/charts/devlake/templates/statefulsets.yaml
@@ -90,6 +90,8 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
           envFrom:
+            - configMapRef:
+                name: {{ include "devlake.mysql.configmap" . }}
             - secretRef:
                 name: {{ include "devlake.mysql.secret" . }}
           env:
