Use client secret from env in kubernikus-api deployment (#984)

Nuckal777 · web-flow · commit ec8f2f9bcac8 · 2025-02-14T16:29:05.000+01:00
diff --git a/charts/kubernikus/Chart.yaml b/charts/kubernikus/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 description: A Helm chart for Kubernetes
 name: kubernikus
 type: application
-version: 0.3.21
+version: 0.3.22
 dependencies:
   - name: k8sniff
     repository: file://../k8sniff
diff --git a/charts/kubernikus/templates/api.yaml b/charts/kubernikus/templates/api.yaml
@@ -38,14 +38,23 @@ spec:
       containers:
         - name: api
           image: "{{ .Values.image }}:{{ .Values.imageTag }}"
+          env:
+          {{- if .Values.dex.enabled }}
+          - name: DEX_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: kubernikus-api-dex
+                key: clientSecret
+          {{- end }}
           args:
             - apiserver
             - --port={{ .Values.api.port }}
             - --host=0.0.0.0
             {{- if .Values.dex.enabled }}
             - --oidc-issuer-url=https://{{ include "oidc.issuer" . }}
-            - --oidc-client-id={{ required "api.oidc.clientID missing" .Values.dex.clientID }}
-            - --oidc-client-secret={{ required "api.oidc.clientSecret missing" .Values.dex.clientSecret }}
+            - --oidc-client-id={{ required "dex.clientID missing" .Values.dex.clientID }}
+            # Kubelet env var expansion
+            - --oidc-client-secret=$(DEX_CLIENT_SECRET)
             - --oidc-callback-url=https://{{ required "domain missing" .Values.domain }}/auth/callback
             {{- else }}
             - --policy={{ default "/etc/kubernikus/policy.json" .Values.api.policyFile }}
