Helm chart: add support for export.stdout.envFromSecrets to inject environment variables from Kubernetes secrets #4025
Thanks!
Can you please provide an example of how this is meant to be used in the commit message? Please include both newly introduced configuration values (extraEnvFrom and envFromSecrets). Also, shouldn't we update values.yaml accordingly?
image: "{{ if .Values.export.stdout.image.override }}{{ .Values.export.stdout.image.override }}{{ else }}{{ .Values.export.stdout.image.repository }}:{{ .Values.export.stdout.image.tag }}{{ end }}" | ||
imagePullPolicy: {{ .Values.imagePullPolicy }} | ||
terminationMessagePolicy: FallbackToLogsOnError | ||
|
nit: empty newline
Also, this was not resolved.
This has been fixed in the latest commit. Please take a look.
Please don't introduce changes that are negated at later commits. This makes history difficult to read.
Instead, please squash the changes from my feedback into the relevant original commits. (git rebase --interactive using the squash and fixup actions should help).
Sorry about the extra commits earlier - I wasn’t aware of the best practice here. I’ve now squashed everything into a single commit with an updated message and examples. Hopefully the history looks clean now. Please let me know if there are any other issues I should fix. Thanks again for your guidance! @kkourt
Motivation: I ran into this need while wiring Tetragon’s stdout exporter to ship logs to OpenSearch via Fluent Bit. I had to inject multiple credentials (e.g., OPENSEARCH_USERNAME / OPENSEARCH_PASSWORD) from a Kubernetes Secret without enumerating each key. Supporting envFrom and envFromSecrets lets us mount the whole secret cleanly and keeps sensitive values out of plain values files.
As far as I can see, the commit messages are still empty.
This commit extends the Helm chart for Tetragon by adding support for envFrom in the export.stdout template. Specifically:
- export.stdout.extraEnvFrom: allows referencing ConfigMaps/Secrets via envFrom.
- export.stdout.envFromSecrets: convenience for Secrets only, accepts strings or objects.

Usage examples:

values.yaml
-----------
export:
  stdout:
    # Add specific env vars
    extraEnv:
      - name: LOG_LEVEL
        value: info
    # Pull multiple variables from ConfigMap/Secret via envFrom
    extraEnvFrom:
      - configMapRef:
          name: fluent-bit-config
    # Convenience for Secret envFrom
    envFromSecrets:
      - opensearch-credentials
      - name: optional-secret
        optional: true

Rendered container
------------------
env:
  - name: LOG_LEVEL
    value: info
envFrom:
  - configMapRef:
      name: fluent-bit-config
  - secretRef:
      name: opensearch-credentials
  - secretRef:
      name: optional-secret
      optional: true

Signed-off-by: Bagautdino <[email protected]>
This PR extends the Helm chart for Tetragon by adding support for envFromSecrets in the export.stdout template. This allows injecting environment variables from Kubernetes secrets using the envFrom field.
The implementation checks for the presence of .Values.export.stdout.envFromSecrets, and if present, renders the corresponding envFrom entries as secretRef definitions. This is useful when multiple environment variables need to be sourced from secrets without specifying each variable explicitly.
This change is backward-compatible and does not affect existing configurations that do not use envFromSecrets.
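The mapping that the description and commit message spell out, from export.stdout values to the container's envFrom list, as an added Python example that is not the chart's template code. The names build_env_from and SAMPLE_STDOUT_VALUES, and the strict rejection of malformed entries, are assumptions made here; the chart may pass such entries through unchanged.

```python
# Added illustration: mirrors the mapping described in this PR, not the chart's template.
ALLOWED_ENVFROM_KEYS = {"prefix", "configMapRef", "secretRef"}  # Kubernetes EnvFromSource fields
ALLOWED_SECRET_KEYS = {"name", "optional"}                      # Kubernetes SecretEnvSource fields


def build_env_from(stdout_values):
    """Return the container envFrom list for a dict of export.stdout values."""
    env_from = []
    # extraEnvFrom entries are passed through after a shape check (assumed strictness).
    for entry in stdout_values.get("extraEnvFrom") or []:
        if not isinstance(entry, dict) or set(entry) - ALLOWED_ENVFROM_KEYS:
            raise ValueError(f"extraEnvFrom entry is not an EnvFromSource: {entry!r}")
        env_from.append(entry)
    # envFromSecrets accepts a bare Secret name or an object with name/optional.
    for item in stdout_values.get("envFromSecrets") or []:
        ref = {"name": item} if isinstance(item, str) else item
        if not isinstance(ref, dict) or set(ref) - ALLOWED_SECRET_KEYS:
            raise ValueError(f"envFromSecrets entry must be a name or name/optional: {item!r}")
        if not isinstance(ref.get("name"), str) or not ref["name"]:
            raise ValueError(f"envFromSecrets entry has no Secret name: {item!r}")
        # A quoted "true" is a string in YAML; only a real boolean is accepted.
        if not isinstance(ref.get("optional", False), bool):
            raise ValueError(f"optional must be a boolean: {item!r}")
        env_from.append({"secretRef": dict(ref)})
    return env_from


# Constructed sample: the values.yaml example from the commit message, as a dict.
SAMPLE_STDOUT_VALUES = {
    "extraEnv": [{"name": "LOG_LEVEL", "value": "info"}],
    "extraEnvFrom": [{"configMapRef": {"name": "fluent-bit-config"}}],
    "envFromSecrets": [
        "opensearch-credentials",
        {"name": "optional-secret", "optional": True},
    ],
}

if __name__ == "__main__":
    for source in build_env_from(SAMPLE_STDOUT_VALUES):
        print(source)
```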