1

This is how I'm trying to create a secret for my kubernetes mongodb, which gets deployed using the bitnami mongodb helm chart:

apiVersion: v1
kind: Secret
metadata:
  name: mongodb-secret
  namespace: mongodb
  labels:
    app.kubernetes.io/component: mongodb
type: Opaque
data: 
  mongodb-root-password: 'encoded value'
  mongodb-passwords: '???'
  mongodb-metrics-password: 'encoded value'
  mongodb-replica-set-key: 'encoded value'

The helm chart values.yaml says:

auth:
  ## MongoDB(®) custom users and databases
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#creating-a-user-and-database-on-first-run
  ## @param auth.usernames List of custom users to be created during the initialization
  ## @param auth.passwords List of passwords for the custom users set at `auth.usernames`
  ## @param auth.databases List of custom databases to be created during the initialization
  ##
  usernames: []
  passwords: []
  databases: []
  ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, ` mongodb-replica-set-key`)
  ## NOTE: When it's set the previous parameters are ignored.
  ##
  existingSecret: ""

So passwords is an array of strings for each username and each database.

How do I have to implement these multiple passwords in my secret?

The helm template should give me a hint, but I don't understand it: secret.yaml

Or is it a simple string with all passwords separated by , and encoded?

user3142695
  • 15,844
  • 47
  • 176
  • 332
  • Key names in secrets should be unique. What you could do is put your whole values as a secret. Or figure out a way to concatenate your usernames/passwords into a single value – SYN Nov 19 '22 at 13:59
  • [helm 模板的一些解释 ](https://helm.sh/zh/docs/chart_template_guide/named_templates/), `secret.yaml` introduces variable templates, but I didn't find the relevant `EXAMPLES` in the documentation, have you tried the `auth.usernames` approach, I think it should create multiple `secret`s for you – 山河以无恙 Nov 20 '22 at 04:44

1 Answers1

2

Should be something like:

auth:
  usernames: ["bob", "alice"]
  passwords: ["bobpass", "alicepass"]
  databases: ["bobdb", "alicedb"]

If you want to pass those on the cli --set flag instead, you should be able to use curly braces as per this comment: https://github.com/helm/helm/issues/1987#issuecomment-280497496 - like:

--set auth.usernames={bob,alice},auth.passwords={bobpass,alicepass},auth.databases={bobdb,alicedb}

This would produce a secret like following - which you can check with helm template command:

---
# Source: mongodb/templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: release-name-mongodb
  namespace: default
  labels:
    app.kubernetes.io/name: mongodb
    helm.sh/chart: mongodb-13.4.4
    app.kubernetes.io/instance: release-name
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: mongodb
type: Opaque
data:
  mongodb-root-password: "Uk1tZThhYzNFZg=="
  mongodb-passwords: "Ym9icGFzcyxhbGljZXBhc3M="
---

You can decode mongodb-passwords, using:

echo -n Ym9icGFzcyxhbGljZXBhc3M= | base64 -d

and notice that it looks as following: bobpass,alicepass

Also note that there seems to be an option to have mongodb.createSecret flag set to false and creating that secret manually (which may be more secure depending on the exact workflow).

taleodor
  • 1,849
  • 1
  • 13
  • 15
  • My question is how the passwords value in the secret should look like, as every key in a secret have just one value. There is no array. Or should I just encode `["bobpass", "alicepass"]` and put this in the secret? – user3142695 Nov 20 '22 at 12:07
  • Updated the answer with more details; general hint - use helm template command to see how the templates are resolved. – taleodor Nov 21 '22 at 01:14
  • Thanks for the hint with the resolved template – user3142695 Nov 21 '22 at 12:12