
Use Secret for st2.docker.conf instead of ConfigMap #408

Open
pshanoop opened this issue Mar 27, 2024 · 3 comments

Comments

@pshanoop

Here all these credentials are stored in a ConfigMap.

Doesn't it make more sense to use a Secret, since this contains credentials?

@cognifloyd
Member

This is supported via st2.existingConfigSecret. You create a secret with your st2.conf contents, and then pass that secret name to the chart. It then gets mounted like this:

```yaml
{{- if $.Values.st2.existingConfigSecret }}
- name: st2-config-secrets-vol
  mountPath: /etc/st2/st2.secrets.conf
  subPath: st2.secrets.conf
{{- end }}
```

```yaml
{{- if $.Values.st2.existingConfigSecret }}
- name: st2-config-secrets-vol
  secret:
    secretName: {{ $.Values.st2.existingConfigSecret }}
{{- end }}
```

The value is described here:

stackstorm-k8s/values.yaml

Lines 112 to 116 in fabbea9

```yaml
# Custom StackStorm config (st2.secrets.conf) which will be created from the key 'st2.secrets.conf' within this secret.
# If this is defined, '--config-file=/etc/st2/st2.secrets.conf' will be added to the end of the command line arguments
# for all pods, superseding all other configuration values.
# This secret must be populated outside of this chart.
# existingConfigSecret: stackstorm-config-secret
```

Does that resolve your concerns?

@akshat-rubrik

Can we add this to the docs, please?

@fdrab

fdrab commented Aug 15, 2024

I'm using the existingConfig, and now I have a secret called st2-secrets-conf that contains the DB / LDAP / RabbitMQ connection info, and also a configMap called -st2-config that contains st2.docker.conf, which has the redis and rabbitMQ connection info in clear text.

And I think that the only reason I don't have Mongo connection info there as well is that I'm not using the mongo chart.

IMO, there should be a way to force the installation to only accept credentials from secrets.
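Added example, not code from the chart or from anyone in this thread: a small Python check that flags credential-bearing keys in an st2.conf-style file (the situation described in the comment above) and splits them out into an st2.secrets.conf for the Secret, leaving a credential-free file for the ConfigMap, relying on the secrets file being loaded last via `--config-file` as the values.yaml comment above describes. The sample config, the key list and the URL heuristic are constructed assumptions, not taken from StackStorm.

```python
import configparser
import io
import re
from typing import List, Tuple

# Constructed heuristics: keys that hold credentials, and URLs with user:pass@ userinfo.
SECRET_KEYS = {"password", "secret", "api_key", "bind_password"}
USERINFO_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]*:[^/@\s]*@", re.I)


def _parser() -> configparser.ConfigParser:
    # st2.conf is INI-style; interpolation is off so '%' inside passwords is kept verbatim.
    return configparser.ConfigParser(interpolation=None)


def _is_secret(key: str, value: str) -> bool:
    return key.lower() in SECRET_KEYS or bool(USERINFO_URL.match(value.strip()))


def find_cleartext_credentials(conf_text: str) -> List[Tuple[str, str]]:
    """Return (section, key) pairs that should not be shipped in a ConfigMap."""
    cp = _parser()
    cp.read_string(conf_text)
    return [(s, k) for s in cp.sections() for k, v in cp.items(s) if _is_secret(k, v)]


def split_secrets(conf_text: str) -> Tuple[str, str]:
    """Split into (ConfigMap-safe text, st2.secrets.conf text for the Secret)."""
    cp = _parser()
    cp.read_string(conf_text)
    public, secrets = _parser(), _parser()
    for section in cp.sections():
        for key, value in cp.items(section):
            target = secrets if _is_secret(key, value) else public
            if not target.has_section(section):
                target.add_section(section)
            target.set(section, key, value)
    out_pub, out_sec = io.StringIO(), io.StringIO()
    public.write(out_pub)
    secrets.write(out_sec)
    return out_pub.getvalue(), out_sec.getvalue()


# Constructed sample st2.docker.conf fragment (values are made up for this example).
SAMPLE_CONF = """\
[database]
host = mongodb
username = st2
password = s3cret%pass
[messaging]
url = amqp://admin:rabbitpw@rabbitmq:5672/
[coordination]
url = redis://:redispw@redis:6379/
[api]
allow_origin = *
"""
```

Running `find_cleartext_credentials` over the rendered ConfigMap data after `helm template` gives the kind of "only credentials in Secrets" gate the comment asks for.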
