Secure handling of secrets #7

Open
alecor191 opened this issue May 16, 2024 · 6 comments · May be fixed by #14

Comments

@alecor191

I understand that the Helm chart takes secrets, like the DB password, and stores them in a K8S secret. However, as we have to pass it to the chart as a value, users can call helm get values langfuse to retrieve all values provided at the time of installation.

Here is what I get when running the mentioned command on a langfuse Helm release:

❯ helm get values langfuse

USER-SUPPLIED VALUES:
ingress:
  enabled: false
langfuse:
  nextauth:
    secret: 1234                          // <----- secret
    url: https://langfuse.example.org/
  salt: 5678                              // <----- secret
  telemetryEnabled: true
postgresql:
  auth:
    database: langfuse
    password: dbpassword                  // <----- secret
    username: archlet
  deploy: false
  host: langfuse.postgres.database.azure.com
service:
  type: ClusterIP

Do you have any thoughts on the topic, or are there other ways that could be considered to provide secrets (e.g. by providing the name/key of a secret in an existing K8S Secret)?

@mautini
Contributor

mautini commented May 16, 2024

Hi @alecor191,

I think there are two solutions (that are not exclusive):

  • Modify the deployment and do not create secrets to allow usage of existing secrets in the cluster. This way you create your secrets on one hand and then reference them in the helm chart values.yaml
  • Use Helm Secrets Plugin:
    • Encrypt your passwords (with SOPS for example) in a values-secret.yaml file
    • helm secrets install langfuse ./langfuse -f values.yaml -f values-secret.yaml

@alecor191
Author

Thanks @mautini! For the first option the Helm chart would have to be updated, right? As I believe currently it doesn't support providing references to K8S secrets.

The second recommendation is for sure a viable option. For us it's just a bit overkill to set up the Helm secrets plugin just for Langfuse (we don't have the need for it on any other Helm chart we use in our clusters).

@mautini
Contributor

mautini commented May 16, 2024

Yes, the first option needs an MR. Actually if you keep the same name for the secrets you just have an option to not generate the secrets via the helm chart, no need to set up custom ref.

@japan4415

I encountered the same issue.
I will create a PR, could you please review it?

@japan4415 japan4415 linked a pull request Jul 10, 2024 that will close this issue
@japan4415

I made a PR.
Please review.
#14

@frittentheke

Allowing for config variables and secrets to (also) be consumed from ConfigMaps or Secrets is also important to integrate with e.g. PostgreSQL-Operators (e.g. https://cloudnative-pg.io/). These operators usually auto-magically provide these when creating the PostgreSQL instance or cluster (for Langfuse), so there is

  1. a simple interface to integrate and securely exchange the dynamic credentials
  2. a runtime-dependency that the database (and resulting Secrets / ConfigMap) must exist prior to starting the Langfuse Pod.
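
As an added example (not part of the issue thread or the chart's code), this audit checks what `helm get values` exposes for a release: it walks the JSON from `helm get values <release> -o json` and reports keys that hold credentials inline. The sample data is constructed from the output quoted in the issue; the reference key names (`existingSecret`, `secretName`, `secretKeyRef`) and the script name are assumptions, not options the chart is known to support.

```python
import json
import re
import sys

# Key names that usually hold credential material.
SENSITIVE = re.compile(r"(password|passwd|secret|salt|token|api[-_]?key)", re.I)
# Key names that only point at a Kubernetes Secret (assumed, hypothetical names).
REFERENCE = re.compile(r"^(existingSecret|secretName|secretKeyRef)$")


def find_plaintext_secrets(values, path=""):
    """Return dotted paths of scalar values stored under secret-looking keys."""
    hits = []
    for key, val in values.items():
        here = f"{path}.{key}" if path else key
        if REFERENCE.match(key):
            continue  # a pointer to a Secret object, not the secret itself
        if isinstance(val, dict):
            hits += find_plaintext_secrets(val, here)
        elif isinstance(val, list):
            for i, item in enumerate(val):
                if isinstance(item, dict):
                    hits += find_plaintext_secrets(item, f"{here}[{i}]")
        elif SENSITIVE.search(key) and val not in (None, ""):
            hits.append(here)
    return sorted(hits)


# Constructed sample: the release values shown in the issue, as JSON.
ISSUE_VALUES = json.loads("""
{"ingress": {"enabled": false},
 "langfuse": {"nextauth": {"secret": 1234, "url": "https://langfuse.example.org/"},
              "salt": 5678, "telemetryEnabled": true},
 "postgresql": {"auth": {"database": "langfuse", "password": "dbpassword",
                         "username": "archlet"},
                "deploy": false, "host": "langfuse.postgres.database.azure.com"},
 "service": {"type": "ClusterIP"}}
""")

# Constructed sample: the same release if credentials were only referenced.
REFERENCED_VALUES = {
    "langfuse": {"nextauth": {"existingSecret": "langfuse-nextauth"}},
    "postgresql": {"auth": {"username": "archlet",
                            "secretKeyRef": {"name": "pg-app", "key": "password"}}},
}

if __name__ == "__main__":
    # Usage: helm get values RELEASE -o json | python audit_values.py
    data = ISSUE_VALUES if sys.stdin.isatty() else json.load(sys.stdin)
    for hit in find_plaintext_secrets(data or {}):
        print("plaintext secret in release values:", hit)
```
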
