Kubernetes Secrets for Lenses configuration values

Question

How can I setup Lenses using credentials outside of Lenses Helm chart?

Answer

Sensitive values used in passwords while configuring Lenses can be taken from external Kubernetes resources using the underlying mechanism of transforming env vars to Lenses configuration.

Currenlty, supported sensitive values:

  • Schema registry Basic Auth username/password
  • Postgres username/password
  • Lenses default user username/password
  • License
  • Jaas config

For the whole list of supported sensitive values, take a look into the latest values.yaml file.

Specific values overrides


To get Schema registry Basic Auth username/password from external secret:
lenses:
  schemaRegistries:
    enabled: true
    security:
      enabled: true
      authType: USER_INFO
      # Use the value "external" to bypass the Helm validation and handle externally.
      username: external
      password: external

  additionalEnv:
    - name: LENSES_SCHEMA_REGISTRY_USERNAME
      valueFrom:
        secretKeyRef:
          name: [SECRET_RESOURCE_NAME]
          key: lenses-schema-registry-username
    - name: LENSES_SCHEMA_REGISTRY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: [SECRET_RESOURCE_NAME]
          key: lenses-schema-registry-password

To get Postgres username/password from external secret:
lenses:
  storage:
    postgres:
      enabled: true
      # Use the value "external" to bypass the Helm validation and handle externally.
      username: external
      password: external
  additionalEnv:
    - name: LENSES_STORAGE_POSTGRES_USERNAME
      valueFrom:
        secretKeyRef:
          name: [SECRET_RESOURCE_NAME]
          key: lenses-storage-postgres-username
    - name: LENSES_STORAGE_POSTGRES_PASSWORD
      valueFrom:
        secretKeyRef:
          name: [SECRET_RESOURCE_NAME]
          key: lenses-storage-postgres-password

To get Lenses default user username/password from external secret:
lenses:
  security:
    defaultUser:
      # Use the value "external" to bypass the Helm validation and handle externally.
      username: external
      password: external
  additionalEnv:
    - name: LENSES_SECURITY_USER
      valueFrom:
        secretKeyRef:
          name: [SECRET_RESOURCE_NAME]
          key: lenses-security-username
    - name: LENSES_SECURITY_PASSWORD
      valueFrom:
        secretKeyRef:
          name: [SECRET_RESOURCE_NAME]
          key: lenses-security-password

To get Lenses License from external secret:
lenses:
  # Use the value "external" to bypass the Helm validation and handle externally.
  license: external
  additionalEnv:
    - name: LICENSE
      valueFrom:
        secretKeyRef:
          name: [SECRET_RESOURCE_NAME]
          key: lenses-license

To get Jaas config from external secret:
lenses:
  kafka:
    sasl:
      enabled: true
      # Use the value "external" to bypass the Helm validation and handle externally.
      jaasConfig: external
  additionalEnv:
    - name: LENSES_KAFKA_SETTINGS_CLIENT_SASL_JAAS_CONFIG
      valueFrom:
        secretKeyRef:
          name: [SECRET_RESOURCE_NAME]
          key: lenses-kafka-settings-client-sasl-jaas-config