Use Kubernetes Secrets for credentials and other sensitive data in the Helm chart

Currently the OpenSlice chart in kubernetes/helm/openslice templates the credentials for the database, the message broker and other secrets directly into the Deployment/StatefulSet of the services that need them (as shown in the example below; link to the referenced code):

          env:
            - name: SPRING_APPLICATION_JSON
              value: >-
                {
                  "origins":"{{ .Values.rooturl }}",
                  "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/osdb?createDatabaseIfNotExist=true",
                  "spring.datasource.username": "{{ .Values.oscreds.mysql.username }}",
                  "spring.datasource.password": "{{ .Values.oscreds.mysql.password }}",

From a security standpoint this is less than ideal, since Kubernetes treats these as regular values. This should instead be refactored to use the Kubernetes Secret resource.
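One possible shape for the refactor, as an added example that is not code from the OpenSlice chart: the MySQL credentials move into a Secret and reach the container through `secretKeyRef`, relying on Spring Boot's binding of `SPRING_DATASOURCE_USERNAME` / `SPRING_DATASOURCE_PASSWORD` to `spring.datasource.*`. The template file name, the `-mysql-creds` Secret name and the `oscreds.mysql.existingSecret` value are assumptions made for illustration.

```yaml
# templates/mysql-credentials-secret.yaml  (hypothetical file name)
# Rendered only when no pre-created Secret is supplied through the
# hypothetical value oscreds.mysql.existingSecret.
{{- if not .Values.oscreds.mysql.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "openslice.fullname" . }}-mysql-creds   # hypothetical name
type: Opaque
stringData:
  username: {{ .Values.oscreds.mysql.username | quote }}
  password: {{ .Values.oscreds.mysql.password | quote }}
{{- end }}

# ---- fragment of the consuming Deployment/StatefulSet container spec ----
# The two credential keys are removed from SPRING_APPLICATION_JSON: Spring Boot
# gives that JSON higher precedence than plain environment variables, so a
# leftover "spring.datasource.password" key would override the Secret value.
# The other non-secret keys of the original JSON stay as they were.
          env:
            - name: SPRING_APPLICATION_JSON
              value: >-
                {
                  "origins":"{{ .Values.rooturl }}",
                  "spring.datasource.url": "jdbc:mysql://{{ include "openslice.fullname" . }}-mysql/osdb?createDatabaseIfNotExist=true"
                }
            - name: SPRING_DATASOURCE_USERNAME
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.oscreds.mysql.existingSecret | default (printf "%s-mysql-creds" (include "openslice.fullname" .)) }}
                  key: username
            - name: SPRING_DATASOURCE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.oscreds.mysql.existingSecret | default (printf "%s-mysql-creds" (include "openslice.fullname" .)) }}
                  key: password
```

With this layout the rendered Deployment/StatefulSet manifest no longer contains the password, and read access to it is governed by RBAC on Secrets. Pointing `existingSecret` at a Secret created outside the chart also keeps the credentials out of `values.yaml` and the Helm release data.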