Using Kubernetes external secrets with AWS Secrets Manager

I am looking to do a helm install of sonarqube 9.6.1 and I am looking to leverage AWS Secrets Manager along with Kubernetes external secrets to pull username/password and postgres url. What is the easiest way to implement this? I assume that I need to use extraConfig, but having an example to work with would be ideal.

Regards,

Kevin

I am looking to install sonarqube 9.6.1 where I am leveraging an external Postgresql database. All JDBC Overwrite values are stored in a kubernetes ExternalSecret tied to AWS Secrets Manager. My question is whether or not this is feasible as part of the install. If so, is there an option to have the ExternalSecret created with the helm values.yaml file within the extraConfig property, or is there another recommended approach? Any help would be greatly appreciated along with examples if possible.

Regards,

Kevin

Hi Kevin,

I’ve combined your two threads, which seem to be essentially the same question(?)

Your initial thread was overlooked at first, but I pinged the product team yesterday - without responding to you directly because I have no clue. Hopefully they’ll be along soon.

 
Ann

Hi Ann,
Thanks for routing to the product team.

Regards,

Kevin

Hi @khopkins32,

thanks for reaching out, I’m happy to give you some suggestions 🙂

Assuming that your cluster has visibility of all the secrets managed through the AWS Secrets Manager, the best approach is to set some jdbcOverwrite parameters, specifically jdbcSecretName and jdbcSecretPasswordKey.

About your request of creating external secrets from our helm chart, this is something that goes beyond the scope of our chart: our goal is to define an environment that has sonarqube running reliably, while creating and managing secrets should be performed using other applications.

Carmine

Thanks for the response Carmine. Can I set the other jdbcOverwrite parameters, such as jdbcUrl, jdbcUsername using the secrets managed through AWS Secrets Manager? Lastly I see that there is an option using extraConfig that appears to allow for creation of configmaps and secrets. Do you have any examples on how to leverage this feature? For example I want to create a few secrets.

Regards,

Kevin

Hi @khopkins32,

Our helm chart does not require interaction with a specific vault technology, therefore, you might want to check on AWS how the secrets managed through the Secrets Manager are made available to the entire k8s cluster.

About the extraConfig value, you can inject existing secrets and/or configmaps in our chart using it. These Secrets/ConfigMaps are expected to contain Key/Value pairs, such as:

apiVersion: v1
kind: ConfigMap
metadata:
   name: external-sonarqube-opts
data:
   SONARQUBE_JDBC_USERNAME: foo
   SONARQUBE_JDBC_URL: jdbc:postgresql://db.example.com:5432/sonar

I want to emphasize that our chart will not create these secrets/configmaps for you, but it assumes they exist already.

Carmine

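An added example, not part of the thread and not SonarSource's own configuration: the password path Carmine describes (jdbcSecretName plus jdbcSecretPasswordKey), with the Kubernetes Secret produced outside the chart. It assumes the External Secrets Operator (`external-secrets.io/v1beta1`) and an existing SecretStore; the store name, namespace, secret names, the Secrets Manager path, the database values and the `postgresql.enabled` / `jdbcOverwrite.enable` keys are assumptions to check against your operator and chart version.

```yaml
# externalsecret.yaml -- apply BEFORE `helm install`; the chart will not create it.
# Constructed example. Assumes External Secrets Operator is installed and a
# SecretStore named "aws-secrets-manager" (hypothetical) can read the AWS secret.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: sonarqube-jdbc             # hypothetical name
  namespace: sonarqube             # hypothetical; must be the release namespace
spec:
  refreshInterval: 1h              # how often the operator re-reads Secrets Manager
  secretStoreRef:
    kind: SecretStore
    name: aws-secrets-manager
  target:
    name: sonarqube-jdbc           # Kubernetes Secret the operator creates and owns
    creationPolicy: Owner
  data:
    - secretKey: jdbc-password     # key inside the Kubernetes Secret
      remoteRef:
        key: prod/sonarqube/db     # hypothetical Secrets Manager secret (JSON document)
        property: password         # JSON field holding the database password
---
# values.yaml fragment for the SonarQube chart (constructed example).
# Only the password is secret material here, so it is the only value that
# leaves values.yaml; the URL and username reuse the sample values shown above.
postgresql:
  enabled: false                   # assumption: bundled PostgreSQL is switched off
jdbcOverwrite:
  enable: true                     # assumption: key name for charts of this era
  jdbcUrl: jdbc:postgresql://db.example.com:5432/sonar
  jdbcUsername: foo
  jdbcSecretName: sonarqube-jdbc          # must equal spec.target.name above
  jdbcSecretPasswordKey: jdbc-password    # must equal the secretKey above
```

Confirm the Secret exists in the release namespace before installing, and render the chart with `helm template -f values.yaml` to check that the password is referenced from the Secret and does not appear in the rendered manifests.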