From 03623ede8be3437381cc854b92a249f16699f537 Mon Sep 17 00:00:00 2001 From: Siddharth More Date: Sun, 22 Mar 2026 22:21:34 -0700 Subject: [PATCH 1/3] fix(security): move sensitive config from ConfigMap to Secret Egress and ingress charts stored API keys, secrets, and cloud storage credentials (S3, GCS, Azure) in ConfigMaps, which are not encrypted at rest and are visible to anyone with namespace read access. Changes: - egress: add Secret template, deployment reads config from secretKeyRef when storeSecretsInSecret.enabled (default: true), with existingSecret support for external secret managers (Vault, ESO) - ingress: same pattern as egress for api_key/api_secret - livekit-server: enable storeKeysInSecret by default (mechanism already existed but was disabled) All charts retain backward compatibility: set storeSecretsInSecret.enabled to false to keep using ConfigMap. --- egress/templates/deployment.yaml | 9 +++++++++ egress/templates/secret.yaml | 11 +++++++++++ egress/values.yaml | 8 ++++++++ ingress/templates/deployment.yaml | 9 +++++++++ ingress/templates/secret.yaml | 11 +++++++++++ ingress/values.yaml | 8 ++++++++ livekit-server/values.yaml | 2 +- 7 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 egress/templates/secret.yaml create mode 100644 ingress/templates/secret.yaml diff --git a/egress/templates/deployment.yaml b/egress/templates/deployment.yaml index 4a8808a..4ac59ea 100644 --- a/egress/templates/deployment.yaml +++ b/egress/templates/deployment.yaml @@ -18,6 +18,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if and .Values.storeSecretsInSecret.enabled (not .Values.storeSecretsInSecret.existingSecret) }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} labels: {{- include "egress.selectorLabels" . | nindent 8 }} spec: 
@@ -34,9 +37,15 @@ spec: env: - name: EGRESS_CONFIG_BODY valueFrom: + {{- if .Values.storeSecretsInSecret.enabled }} + secretKeyRef: + name: {{ .Values.storeSecretsInSecret.existingSecret | default (include "egress.fullname" .) }} + key: config.yaml + {{- else }} configMapKeyRef: name: {{ include "egress.fullname" . }} key: config.yaml + {{- end }} ports: {{- if .Values.egress.health_port }} - name: health diff --git a/egress/templates/secret.yaml b/egress/templates/secret.yaml new file mode 100644 index 0000000..68c2f37 --- /dev/null +++ b/egress/templates/secret.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.storeSecretsInSecret.enabled (not .Values.storeSecretsInSecret.existingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "egress.fullname" . }} + labels: + {{- include "egress.labels" . | nindent 4 }} +type: Opaque +data: + config.yaml: {{ toYaml .Values.egress | b64enc }} +{{- end }} diff --git a/egress/values.yaml b/egress/values.yaml index 1343c35..1534606 100644 --- a/egress/values.yaml +++ b/egress/values.yaml @@ -40,4 +40,12 @@ securityContext: {} tolerations: [] +# Store the entire egress config (which contains api_key, api_secret, storage +# credentials) in a Kubernetes Secret instead of a ConfigMap. +# This is strongly recommended for production deployments. +storeSecretsInSecret: + enabled: true + # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) + existingSecret: "" + affinity: {} diff --git a/ingress/templates/deployment.yaml b/ingress/templates/deployment.yaml index c2d2307..e52c0f6 100644 --- a/ingress/templates/deployment.yaml +++ b/ingress/templates/deployment.yaml 
@@ -18,6 +18,9 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if and .Values.storeSecretsInSecret.enabled (not .Values.storeSecretsInSecret.existingSecret) }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} labels: {{- include "ingress.selectorLabels" . | nindent 8 }} spec: @@ -38,9 +41,15 @@ spec: env: - name: INGRESS_CONFIG_BODY valueFrom: + {{- if .Values.storeSecretsInSecret.enabled }} + secretKeyRef: + name: {{ .Values.storeSecretsInSecret.existingSecret | default (include "ingress.fullname" .) }} + key: config.yaml + {{- else }} configMapKeyRef: name: {{ include "ingress.fullname" . }} key: config.yaml + {{- end }} ports: {{- if .Values.ingress.health_port }} - name: health diff --git a/ingress/templates/secret.yaml b/ingress/templates/secret.yaml new file mode 100644 index 0000000..af87d2c --- /dev/null +++ b/ingress/templates/secret.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.storeSecretsInSecret.enabled (not .Values.storeSecretsInSecret.existingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "ingress.fullname" . }} + labels: + {{- include "ingress.labels" . | nindent 4 }} +type: Opaque +data: + config.yaml: {{ toYaml .Values.ingress | b64enc }} +{{- end }} diff --git a/ingress/values.yaml b/ingress/values.yaml index 00d8b06..e1f9eda 100644 --- a/ingress/values.yaml +++ b/ingress/values.yaml @@ -60,3 +60,11 @@ securityContext: {} tolerations: [] affinity: {} + +# Store the entire ingress config (which contains api_key, api_secret) in a +# Kubernetes Secret instead of a ConfigMap. +# This is strongly recommended for production deployments. +storeSecretsInSecret: + enabled: true + # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) + existingSecret: "" diff --git a/livekit-server/values.yaml b/livekit-server/values.yaml index bcf6d51..e427b61 100644 
--- a/livekit-server/values.yaml +++ b/livekit-server/values.yaml @@ -49,7 +49,7 @@ livekit: # Set this option to true if you want to store your API keys in a secret instead of the config file storeKeysInSecret: - enabled: false + enabled: true # Use a pre existing secret, useful to combine with external secret managers # as GCP External Secrets or Hashicorp Vault existingSecret: "" From adc2c33910da22046e415c917451b4aa963db73d Mon Sep 17 00:00:00 2001 From: Siddharth More Date: Sun, 22 Mar 2026 22:35:37 -0700 Subject: [PATCH 2/3] fix: guard configmap when secrets enabled, update examples - Wrap egress/ingress configmap.yaml with conditional guard so ConfigMap is NOT created when storeSecretsInSecret is enabled (prevents secrets from existing in both ConfigMap and Secret) - Add storeSecretsInSecret documentation to egress-sample.yaml, ingress-sample.yaml, and examples/egress.yaml - Add labels to configmap templates for consistency --- egress-sample.yaml | 9 +++++++++ egress/templates/configmap.yaml | 4 ++++ egress/templates/deployment.yaml | 7 +++++-- egress/values.yaml | 1 - examples/egress.yaml | 5 +++++ ingress-sample.yaml | 9 +++++++++ ingress/templates/configmap.yaml | 4 ++++ ingress/templates/deployment.yaml | 7 +++++-- ingress/values.yaml | 1 - 9 files changed, 41 insertions(+), 6 deletions(-) diff --git a/egress-sample.yaml b/egress-sample.yaml index 72df4f8..2583b9b 100644 --- a/egress-sample.yaml +++ b/egress-sample.yaml @@ -90,3 +90,12 @@ securityContext: {} tolerations: [] affinity: {} + +# By default, the entire egress config (including api_key, api_secret, and storage +# credentials) is stored in a Kubernetes Secret rather than a ConfigMap. +# Set enabled: false to use ConfigMap instead (not recommended for production). +storeSecretsInSecret: + enabled: true + # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) + # existingSecret: "my-egress-secret" + 
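Review bot: The context comment directly above the flipped default, `# Set this option to true if you want to store your API keys in a secret instead of the config file`, now describes the opt-in case while the default is `enabled: true`, so a reader of values.yaml gets the wrong picture of what the chart does out of the box. Suggest rewording it to `# API keys are stored in a Kubernetes Secret by default; set to false to keep them in the rendered config file (not recommended).` Flipping the default also changes the rendered resources of every existing release on its next upgrade, which is not visible from values.yaml alone; a line in the chart's upgrade notes pointing at this would help operators.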
diff --git a/egress/templates/configmap.yaml b/egress/templates/configmap.yaml index 409929d..58cdf8f 100644 --- a/egress/templates/configmap.yaml +++ b/egress/templates/configmap.yaml @@ -1,7 +1,11 @@ +{{- if not .Values.storeSecretsInSecret.enabled }} apiVersion: v1 kind: ConfigMap metadata: name: {{ include "egress.fullname" . }} + labels: + {{- include "egress.labels" . | nindent 4 }} data: config.yaml: | {{ toYaml .Values.egress | indent 4 }} +{{- end }} diff --git a/egress/templates/deployment.yaml b/egress/templates/deployment.yaml index 4ac59ea..7f5ebcb 100644 --- a/egress/templates/deployment.yaml +++ b/egress/templates/deployment.yaml @@ -17,10 +17,13 @@ spec: annotations: {{- toYaml . | nindent 8 }} {{- end }} - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- if and .Values.storeSecretsInSecret.enabled (not .Values.storeSecretsInSecret.existingSecret) }} + {{- if .Values.storeSecretsInSecret.enabled }} + {{- if not .Values.storeSecretsInSecret.existingSecret }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- end }} + {{- else }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} labels: {{- include "egress.selectorLabels" . | nindent 8 }} spec: diff --git a/egress/values.yaml b/egress/values.yaml index 1534606..555dc9f 100644 --- a/egress/values.yaml +++ b/egress/values.yaml @@ -42,7 +42,6 @@ tolerations: [] # Store the entire egress config (which contains api_key, api_secret, storage # credentials) in a Kubernetes Secret instead of a ConfigMap. -# This is strongly recommended for production deployments. storeSecretsInSecret: enabled: true # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) diff --git a/examples/egress.yaml b/examples/egress.yaml index 5845ba6..e0725b0 100644 --- a/examples/egress.yaml +++ b/examples/egress.yaml 
@@ -14,3 +14,8 @@ egress: secret: region: "us-west-2" bucket: "my-egress" + +# Config (including api_key, api_secret, s3 credentials above) is stored in a +# Kubernetes Secret by default. To use an externally managed secret instead: +# storeSecretsInSecret: +# existingSecret: "my-egress-secret" diff --git a/ingress-sample.yaml b/ingress-sample.yaml index 28af89d..0640cee 100644 --- a/ingress-sample.yaml +++ b/ingress-sample.yaml @@ -88,3 +88,12 @@ securityContext: tolerations: [] affinity: {} + +# By default, the entire ingress config (including api_key, api_secret) is stored +# in a Kubernetes Secret rather than a ConfigMap. +# Set enabled: false to use ConfigMap instead (not recommended for production). +storeSecretsInSecret: + enabled: true + # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) + # existingSecret: "my-ingress-secret" + diff --git a/ingress/templates/configmap.yaml b/ingress/templates/configmap.yaml index 0ab2a6f..9dcd55a 100644 --- a/ingress/templates/configmap.yaml +++ b/ingress/templates/configmap.yaml @@ -1,7 +1,11 @@ +{{- if not .Values.storeSecretsInSecret.enabled }} apiVersion: v1 kind: ConfigMap metadata: name: {{ include "ingress.fullname" . }} + labels: + {{- include "ingress.labels" . | nindent 4 }} data: config.yaml: | {{ toYaml .Values.ingress | indent 4 }} +{{- end }} diff --git a/ingress/templates/deployment.yaml b/ingress/templates/deployment.yaml index e52c0f6..67c94b0 100644 --- a/ingress/templates/deployment.yaml +++ b/ingress/templates/deployment.yaml 
@@ -17,10 +17,13 @@ spec: annotations: {{- toYaml . | nindent 8 }} {{- end }} - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- if and .Values.storeSecretsInSecret.enabled (not .Values.storeSecretsInSecret.existingSecret) }} + {{- if .Values.storeSecretsInSecret.enabled }} + {{- if not .Values.storeSecretsInSecret.existingSecret }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} {{- end }} + {{- else }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} labels: {{- include "ingress.selectorLabels" . | nindent 8 }} spec: diff --git a/ingress/values.yaml b/ingress/values.yaml index e1f9eda..0658cca 100644 --- a/ingress/values.yaml +++ b/ingress/values.yaml @@ -63,7 +63,6 @@ affinity: {} # Store the entire ingress config (which contains api_key, api_secret) in a # Kubernetes Secret instead of a ConfigMap. -# This is strongly recommended for production deployments. storeSecretsInSecret: enabled: true # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) From 27f95f6d48c11e5066fb1746552273a275779023 Mon Sep 17 00:00:00 2001 From: Siddharth More Date: Mon, 23 Mar 2026 07:05:11 -0700 Subject: [PATCH 3/3] split config and secrets in values and example --- egress-sample.yaml | 38 +++++++++++++++---------------- egress/templates/configmap.yaml | 6 +++-- egress/templates/deployment.yaml | 13 ++--------- egress/templates/secret.yaml | 8 +++++-- egress/values.yaml | 25 +++++++++++++++----- examples/egress.yaml | 17 +++++++------- ingress-sample.yaml | 21 ++++++++--------- ingress/templates/configmap.yaml | 6 +++-- ingress/templates/deployment.yaml | 13 ++--------- ingress/templates/secret.yaml | 8 +++++-- ingress/values.yaml | 19 +++++++++++----- 11 files changed, 92 insertions(+), 82 deletions(-) diff --git a/egress-sample.yaml b/egress-sample.yaml index 2583b9b..39d85da 100644 --- a/egress-sample.yaml 
+++ b/egress-sample.yaml @@ -4,9 +4,6 @@ replicaCount: 1 terminationGracePeriodSeconds: 3600 egress: - api_key: "server-api-key" - api_secret: "server-api-secret" - ws_url: "ws://livekit-host:" log_level: info health_port: 8080 prometheus_port: 9090 @@ -16,26 +13,32 @@ egress: address: # db: 0 # username: - # password: # use_tls: false + # Non-sensitive S3 config (bucket, region) can stay here s3: - access_key: "access_key" - secret: "secret" region: "us-west-2" # endpoint: bucket: "my-egress" - # azure: - # account_name: - # account_key: - # container_name: - # gcp: - # credentials_json: - # bucket: # cpu_cost: # room_composite_cpu_cost: 3 # track_composite_cpu_cost: 2 # track_cpu_cost: 1 + # Sensitive values — stored in a Kubernetes Secret, not in ConfigMap + secrets: + api_key: "server-api-key" + api_secret: "server-api-secret" + ws_url: "ws://livekit-host:" + redis: + password: "" + s3: + access_key: "access_key" + secret: "secret" + # azure: + # account_key: "" + # gcp: + # credentials_json: "" + # autoscaling requires resources to be defined autoscaling: # set to true to enable autoscaling. when set, ignores replicaCount @@ -91,11 +94,6 @@ tolerations: [] affinity: {} -# By default, the entire egress config (including api_key, api_secret, and storage -# credentials) is stored in a Kubernetes Secret rather than a ConfigMap. -# Set enabled: false to use ConfigMap instead (not recommended for production). -storeSecretsInSecret: - enabled: true - # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) - # existingSecret: "my-egress-secret" +# Use a pre-existing secret for the full egress config (e.g. from External Secrets Operator or Vault) +# existingSecret: "my-egress-secret" diff --git a/egress/templates/configmap.yaml b/egress/templates/configmap.yaml index 58cdf8f..f4e8852 100644 --- a/egress/templates/configmap.yaml +++ b/egress/templates/configmap.yaml 
@@ -1,4 +1,6 @@ -{{- if not .Values.storeSecretsInSecret.enabled }} +{{- if not .Values.existingSecret }} +{{- $config := deepCopy .Values.egress }} +{{- $_ := unset $config "secrets" }} apiVersion: v1 kind: ConfigMap metadata: @@ -7,5 +9,5 @@ metadata: {{- include "egress.labels" . | nindent 4 }} data: config.yaml: | -{{ toYaml .Values.egress | indent 4 }} +{{ toYaml $config | indent 4 }} {{- end }} diff --git a/egress/templates/deployment.yaml b/egress/templates/deployment.yaml index 7f5ebcb..4385999 100644 --- a/egress/templates/deployment.yaml +++ b/egress/templates/deployment.yaml @@ -17,11 +17,8 @@ spec: annotations: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.storeSecretsInSecret.enabled }} - {{- if not .Values.storeSecretsInSecret.existingSecret }} + {{- if not .Values.existingSecret }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- end }} - {{- else }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} {{- end }} labels: @@ -40,15 +37,9 @@ spec: env: - name: EGRESS_CONFIG_BODY valueFrom: - {{- if .Values.storeSecretsInSecret.enabled }} secretKeyRef: - name: {{ .Values.storeSecretsInSecret.existingSecret | default (include "egress.fullname" .) }} - key: config.yaml - {{- else }} - configMapKeyRef: - name: {{ include "egress.fullname" . }} + name: {{ .Values.existingSecret | default (include "egress.fullname" .) }} key: config.yaml - {{- end }} ports: {{- if .Values.egress.health_port }} - name: health diff --git a/egress/templates/secret.yaml b/egress/templates/secret.yaml index 68c2f37..0513ae3 100644 --- a/egress/templates/secret.yaml +++ b/egress/templates/secret.yaml 
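Review bot: After this patch the ConfigMap rendered here is consumed by nothing visible in the series — the egress deployment hunk further down drops the `configMapKeyRef` branch and reads `EGRESS_CONFIG_BODY` from the Secret unconditionally — yet it still carries every key of `.Values.egress` except `secrets`. A user who upgrades with the pre-series layout (`egress.api_key`, `egress.s3.access_key`, …, which is exactly what egress-sample.yaml had until this patch) therefore keeps those credentials in a ConfigMap readable by anyone with namespace read access, because `unset $config "secrets"` only removes the new nesting and the old top-level keys pass straight through to `toYaml $config`. Since the Secret already holds the full merged config, the simplest fix is to delete egress/templates/configmap.yaml together with the `checksum/config` annotation in deployment.yaml; if the ConfigMap is kept for visibility, the template should also `unset` the known credential keys listed in values.yaml (`api_key`, `api_secret`, `redis.password`, `s3.access_key`, `s3.secret`, `azure.account_key`, `gcp.credentials_json`) or `fail` when any of them appears outside `secrets`. The ingress/templates/configmap.yaml hunk later in this patch has the same problem.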
@@ -1,4 +1,8 @@ -{{- if and .Values.storeSecretsInSecret.enabled (not .Values.storeSecretsInSecret.existingSecret) }} +{{- if not .Values.existingSecret }} +{{- $config := deepCopy .Values.egress }} +{{- $secrets := $config.secrets | default dict }} +{{- $_ := unset $config "secrets" }} +{{- $merged := mustMergeOverwrite $config $secrets }} apiVersion: v1 kind: Secret metadata: @@ -7,5 +11,5 @@ metadata: {{- include "egress.labels" . | nindent 4 }} type: Opaque data: - config.yaml: {{ toYaml .Values.egress | b64enc }} + config.yaml: {{ toYaml $merged | b64enc }} {{- end }} diff --git a/egress/values.yaml b/egress/values.yaml index 555dc9f..c0f5089 100644 --- a/egress/values.yaml +++ b/egress/values.yaml @@ -12,6 +12,21 @@ egress: log_level: info health_port: 8080 prometheus_port: 9090 + # Sensitive values go under 'secrets' — these are stored in a Kubernetes Secret, + # never in the ConfigMap. The Secret merges these into the full config at deploy time. + secrets: {} + # api_key: "" + # api_secret: "" + # ws_url: "" + # redis: + # password: "" + # s3: + # access_key: "" + # secret: "" + # gcp: + # credentials_json: "" + # azure: + # account_key: "" terminationGracePeriodSeconds: 3600 @@ -40,11 +55,9 @@ securityContext: {} tolerations: [] -# Store the entire egress config (which contains api_key, api_secret, storage -# credentials) in a Kubernetes Secret instead of a ConfigMap. -storeSecretsInSecret: - enabled: true - # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) - existingSecret: "" +# Use a pre-existing secret for the full egress config (e.g. from External Secrets Operator or Vault). +# When set, neither the chart's Secret nor ConfigMap will contain config — the deployment reads +# from this secret directly. +existingSecret: "" affinity: {} diff --git a/examples/egress.yaml b/examples/egress.yaml index e0725b0..c44a6d5 100644 --- a/examples/egress.yaml +++ b/examples/egress.yaml 
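Review bot: The new `existingSecret` comment says the deployment reads from the external secret directly but not what that secret must contain: deployment.yaml reads key `config.yaml` and expects it to hold the complete egress config, so the non-sensitive `egress.*` values in this file are silently ignored once `existingSecret` is set. Suggest extending the comment with `# The secret must hold the full egress config YAML under the key "config.yaml"; egress.* values in this file are not used when it is set.` It is also worth stating that, because the config is injected as an environment variable and no `checksum/secret` annotation is rendered in this mode, a rotated external secret only takes effect after a pod rollout. The ingress/values.yaml hunk at the end of this patch has the same gap.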
@@ -1,21 +1,20 @@ replicaCount: 2 egress: - ws_url: - api_key: - api_secret: log_level: info health_port: 8080 prometheus_port: 9090 redis: address: s3: - access_key: - secret: region: "us-west-2" bucket: "my-egress" -# Config (including api_key, api_secret, s3 credentials above) is stored in a -# Kubernetes Secret by default. To use an externally managed secret instead: -# storeSecretsInSecret: -# existingSecret: "my-egress-secret" + # Sensitive values — stored in a Kubernetes Secret, never in ConfigMap + secrets: + api_key: + api_secret: + ws_url: + s3: + access_key: + secret: diff --git a/ingress-sample.yaml b/ingress-sample.yaml index 0640cee..36cb807 100644 --- a/ingress-sample.yaml +++ b/ingress-sample.yaml @@ -4,9 +4,6 @@ replicaCount: 1 terminationGracePeriodSeconds: 10800 ingress: - api_key: "server-api-key" - api_secret: "server-api-secret" - ws_url: "ws://livekit-host:" logging: level: info health_port: 7888 @@ -22,7 +19,6 @@ ingress: address: # db: 0 # username: - # password: # use_tls: false cpu_cost: @@ -33,6 +29,14 @@ ingress: # See kubernetes serviceTypes on official documentation: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types serviceType: "LoadBalancer" + # Sensitive values — stored in a Kubernetes Secret, not in ConfigMap + secrets: + api_key: "server-api-key" + api_secret: "server-api-secret" + ws_url: "ws://livekit-host:" + redis: + password: "" + # autoscaling requires resources to be defined autoscaling: # set to true to enable autoscaling. when set, ignores replicaCount 
@@ -89,11 +93,6 @@ tolerations: [] affinity: {} -# By default, the entire ingress config (including api_key, api_secret) is stored -# in a Kubernetes Secret rather than a ConfigMap. -# Set enabled: false to use ConfigMap instead (not recommended for production). -storeSecretsInSecret: - enabled: true - # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) - # existingSecret: "my-ingress-secret" +# Use a pre-existing secret for the full ingress config (e.g. from External Secrets Operator or Vault) +# existingSecret: "my-ingress-secret" diff --git a/ingress/templates/configmap.yaml b/ingress/templates/configmap.yaml index 9dcd55a..e0c5de7 100644 --- a/ingress/templates/configmap.yaml +++ b/ingress/templates/configmap.yaml @@ -1,4 +1,6 @@ -{{- if not .Values.storeSecretsInSecret.enabled }} +{{- if not .Values.existingSecret }} +{{- $config := deepCopy .Values.ingress }} +{{- $_ := unset $config "secrets" }} apiVersion: v1 kind: ConfigMap metadata: @@ -7,5 +9,5 @@ metadata: {{- include "ingress.labels" . | nindent 4 }} data: config.yaml: | -{{ toYaml .Values.ingress | indent 4 }} +{{ toYaml $config | indent 4 }} {{- end }} diff --git a/ingress/templates/deployment.yaml b/ingress/templates/deployment.yaml index 67c94b0..563b050 100644 --- a/ingress/templates/deployment.yaml +++ b/ingress/templates/deployment.yaml @@ -17,11 +17,8 @@ spec: annotations: {{- toYaml . | nindent 8 }} {{- end }} - {{- if .Values.storeSecretsInSecret.enabled }} - {{- if not .Values.storeSecretsInSecret.existingSecret }} + {{- if not .Values.existingSecret }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} - {{- end }} - {{- else }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} {{- end }} labels: 
@@ -44,15 +41,9 @@ spec: env: - name: INGRESS_CONFIG_BODY valueFrom: - {{- if .Values.storeSecretsInSecret.enabled }} secretKeyRef: - name: {{ .Values.storeSecretsInSecret.existingSecret | default (include "ingress.fullname" .) }} - key: config.yaml - {{- else }} - configMapKeyRef: - name: {{ include "ingress.fullname" . }} + name: {{ .Values.existingSecret | default (include "ingress.fullname" .) }} key: config.yaml - {{- end }} ports: {{- if .Values.ingress.health_port }} - name: health diff --git a/ingress/templates/secret.yaml b/ingress/templates/secret.yaml index af87d2c..a0904c6 100644 --- a/ingress/templates/secret.yaml +++ b/ingress/templates/secret.yaml @@ -1,4 +1,8 @@ -{{- if and .Values.storeSecretsInSecret.enabled (not .Values.storeSecretsInSecret.existingSecret) }} +{{- if not .Values.existingSecret }} +{{- $config := deepCopy .Values.ingress }} +{{- $secrets := $config.secrets | default dict }} +{{- $_ := unset $config "secrets" }} +{{- $merged := mustMergeOverwrite $config $secrets }} apiVersion: v1 kind: Secret metadata: @@ -7,5 +11,5 @@ metadata: {{- include "ingress.labels" . | nindent 4 }} type: Opaque data: - config.yaml: {{ toYaml .Values.ingress | b64enc }} + config.yaml: {{ toYaml $merged | b64enc }} {{- end }} diff --git a/ingress/values.yaml b/ingress/values.yaml index 0658cca..4208ebd 100644 --- a/ingress/values.yaml +++ b/ingress/values.yaml @@ -26,6 +26,15 @@ ingress: whip_cpu_cost: 2 whip_bypass_transcoding_cpu_cost: 0.1 + # Sensitive values go under 'secrets' — these are stored in a Kubernetes Secret, + # never in the ConfigMap. The Secret merges these into the full config at deploy time. + secrets: {} + # api_key: "" + # api_secret: "" + # ws_url: "" + # redis: + # password: "" + loadBalancer: servicePort: 7888 annotations: {} 
@@ -61,9 +70,7 @@ tolerations: [] affinity: {} -# Store the entire ingress config (which contains api_key, api_secret) in a -# Kubernetes Secret instead of a ConfigMap. -storeSecretsInSecret: - enabled: true - # Use a pre-existing secret (e.g. from External Secrets Operator or Vault) - existingSecret: "" +# Use a pre-existing secret for the full ingress config (e.g. from External Secrets Operator or Vault). +# When set, neither the chart's Secret nor ConfigMap will contain config — the deployment reads +# from this secret directly. +existingSecret: ""