From 8a8e4742e9ac3428a3321ce7f5556810dd0d6d44 Mon Sep 17 00:00:00 2001 From: kahirokunn Date: Tue, 1 Jul 2025 18:18:55 +0900 Subject: [PATCH] feat: separate database credentials from configuration - Move non-sensitive database config to ConfigMap - Keep only passwords in Secret for better ExternalSecret integration - Add configMapRef to deployment envFrom section This change allows users to inject only passwords via ExternalSecret while keeping database configuration in ConfigMap, following Kubernetes best practices. --- .gitignore | 2 ++ charts/devlake/templates/_helpers.tpl | 14 +++------ charts/devlake/templates/configmap.yaml | 35 ++++++++++++++++++++++ charts/devlake/templates/deployments.yaml | 8 ++++- charts/devlake/templates/secrets.yaml | 7 ----- charts/devlake/templates/statefulsets.yaml | 2 ++ 6 files changed, 50 insertions(+), 18 deletions(-) create mode 100644 charts/devlake/templates/configmap.yaml
diff --git a/.gitignore b/.gitignore
index 66fd13c9..128fdafe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,5 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+*.tgz
diff --git a/charts/devlake/templates/_helpers.tpl b/charts/devlake/templates/_helpers.tpl
index 3f5911eb..5fbc671f 100644
--- a/charts/devlake/templates/_helpers.tpl
+++ b/charts/devlake/templates/_helpers.tpl
@@ -104,6 +104,10 @@ The ui endpoint
 {{- end -}}
 {{- end -}}
+{{- define "devlake.mysql.configmap" -}}
+{{ include "devlake.fullname" . }}-config
+{{- end -}}
+
 {{- define "devlake.ui.auth.secret" -}}
 {{- if .Values.ui.basicAuth.secretName -}}
 {{- .Values.ui.basicAuth.secretName -}}
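Review bot: The new `devlake.mysql.configmap` definition in `_helpers.tpl` carries no `{{/* ... */}}` comment, while the other definitions visible in this patch (for example the removed `database.url` helper and the probe helper after it) are each preceded by one. Adding `{{/* Name of the ConfigMap that holds the non-sensitive database settings */}}` above the `define` would match them. The helper name says `mysql` but the rendered name ends in the generic `-config`; if the ConfigMap is meant to stay database-only, a suffix that says so would avoid a later name clash, which is a judgement the patch itself does not settle.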
@@ -165,16 +169,6 @@ The database port
 {{- end }}
-{{/*
-The database url
-*/}}
-{{- define "database.url" -}}
-{{- if eq .Values.option.database "mysql" -}}
-mysql://{{ .Values.mysql.username }}:{{ .Values.mysql.password }}@{{ include "mysql.server" . }}:{{ include "mysql.port" . }}/{{ .Values.mysql.database }}?charset=utf8mb4&parseTime=True&loc={{ .Values.commonEnvs.TZ }}
-{{- end }}
-{{- end }}
-
-
 {{/*
 The probe for check database connection
 */}}
diff --git a/charts/devlake/templates/configmap.yaml b/charts/devlake/templates/configmap.yaml
new file mode 100644
index 00000000..502f44c8
--- /dev/null
+++ b/charts/devlake/templates/configmap.yaml
@@ -0,0 +1,35 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "devlake.mysql.configmap" . }}
+ labels:
+ {{- include "devlake.labels" . | nindent 4 }}
+data:
+ # Database connection configuration (non-sensitive)
+{{- if (eq .Values.option.database "mysql") }}
+ MYSQL_USER: "{{ .Values.mysql.username }}"
+ MYSQL_DATABASE: "{{ .Values.mysql.database }}"
+ MYSQL_URL: "{{ include "mysql.server" . }}:{{ include "mysql.port" . }}"
+ MYSQL_SERVER: "{{ include "mysql.server" . }}"
+ MYSQL_PORT: "{{ include "mysql.port" . }}"
+ DB_CHARSET: "utf8mb4"
+ DB_PARSE_TIME: "True"
+ DB_LOCATION: "{{ .Values.commonEnvs.TZ }}"
+{{- end }}
diff --git a/charts/devlake/templates/deployments.yaml b/charts/devlake/templates/deployments.yaml
index c2b9ece0..a93f029d 100644
--- a/charts/devlake/templates/deployments.yaml
+++ b/charts/devlake/templates/deployments.yaml
@@ -162,7 +162,7 @@ spec:
 {{- with .Values.lake.containerSecurityContext }}
 securityContext:
 {{- toYaml . | nindent 12 }}
- {{- end }}
+ {{- end }}
 containers:
 - name: lake
 {{- if .Values.lake.image.tag }}
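Review bot: In the new `configmap.yaml`, every templated value sits between hand-written double quotes, as in `MYSQL_USER: "{{ .Values.mysql.username }}"`, so a value containing `"` or `\` renders as invalid YAML or as a different string than the one configured. Piping through `quote` lets Helm do the escaping, for example `MYSQL_USER: {{ .Values.mysql.username | quote }}`, and the same applies to `MYSQL_DATABASE` and `DB_LOCATION`. The ConfigMap is also rendered when `option.database` is not `mysql`, in which case `data:` holds only a comment; a one-line comment above `data:` saying that this is intended would save the next reader the question.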
@@ -182,6 +182,8 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 envFrom:
+ - configMapRef:
+ name: {{ include "devlake.mysql.configmap" . }}
 - secretRef:
 name: {{ include "devlake.mysql.secret" . }}
 - secretRef:
@@ -193,6 +195,10 @@ spec:
 env:
 - name: PORT
 value: "{{ .Values.lake.port }}"
+ {{- if (eq .Values.option.database "mysql") }}
+ - name: DB_URL
+ value: "mysql://$(MYSQL_USER):$(MYSQL_PASSWORD)@$(MYSQL_SERVER):$(MYSQL_PORT)/$(MYSQL_DATABASE)?charset=$(DB_CHARSET)&parseTime=$(DB_PARSE_TIME)&loc=$(DB_LOCATION)"
+ {{- end }}
 {{- range $key1, $value1 := .Values.lake.envs }}
 - name: "{{ tpl $key1 $ }}"
 value: "{{ tpl (print $value1) $ }}"
diff --git a/charts/devlake/templates/secrets.yaml b/charts/devlake/templates/secrets.yaml
index 421c3c12..47d2298e 100644
--- a/charts/devlake/templates/secrets.yaml
+++ b/charts/devlake/templates/secrets.yaml
@@ -22,17 +22,10 @@ metadata:
 name: {{ include "devlake.mysql.secret" . }}
 stringData:
 {{- if (eq .Values.option.database "mysql") }}
- MYSQL_USER: "{{ .Values.mysql.username }}"
 MYSQL_PASSWORD: "{{ .Values.mysql.password }}"
- MYSQL_DATABASE: "{{ .Values.mysql.database }}"
 MYSQL_ROOT_PASSWORD: "{{ .Values.mysql.rootPassword }}"
- DB_URL: "{{ include "database.url" . }}"
- MYSQL_URL: "{{ include "mysql.server" . }}:{{ include "mysql.port" . }}"
 #{{- else if (eq .Values.option.database "pgsql")}}
-# POSTGRES_USER: "{{ .Values.pgsql.username }}"
 # POSTGRES_PASSWORD: "{{ .Values.pgsql.password }}"
-# POSTGRES_DB: "{{ .Values.pgsql.database }}"
-# DB_URL: "{{ include "database.url" . }}"
 {{- end }}
 {{- end }}
diff --git a/charts/devlake/templates/statefulsets.yaml b/charts/devlake/templates/statefulsets.yaml
index 34242116..e15176de 100644
--- a/charts/devlake/templates/statefulsets.yaml
+++ b/charts/devlake/templates/statefulsets.yaml
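Review bot: The `configMapRef` added to `envFrom` in `deployments.yaml` is listed before the existing `secretRef` entries, and Kubernetes resolves a key present in several `envFrom` sources in favour of the last one, so a Secret that still carries `MYSQL_USER` or `MYSQL_DATABASE` overrides the ConfigMap values without any warning. That can happen with a Secret managed outside the chart in the old layout; whether such Secrets exist is not visible from the patch. The same ordering is added to `statefulsets.yaml` in the last hunk. A comment above the new entry would make the precedence explicit, for example `# envFrom: later sources win, so keys in the Secret override this ConfigMap`. The `envFrom` list continues past the end of this hunk.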
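Review bot: The `DB_URL` entry added under `env:` in `deployments.yaml` inserts `$(MYSQL_PASSWORD)` and `$(MYSQL_USER)` verbatim into the userinfo part of the URL, so a password containing `@`, `:`, `/`, `?`, `#` or `%` can yield a URL that parses to the wrong credentials or host. Because the kubelet expands `$(VAR)` references at container start, the chart has no step where an encoding function could be applied, so the constraint needs to be stated, for example `# MYSQL_USER and MYSQL_PASSWORD are inserted as-is and must be URL-safe`. A reference whose key is missing from the Secret is left as the literal text `$(MYSQL_PASSWORD)` rather than failing the pod, which is worth noting in the same comment for users who supply their own Secret. The `env:` list starts and continues outside this hunk.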
@@ -90,6 +90,8 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 envFrom:
+ - configMapRef:
+ name: {{ include "devlake.mysql.configmap" . }}
 - secretRef:
 name: {{ include "devlake.mysql.secret" . }}
 env: