diff --git a/deploy/helm/openshell/README.md b/deploy/helm/openshell/README.md
index cc856731d..38d67a68c 100644
--- a/deploy/helm/openshell/README.md
+++ b/deploy/helm/openshell/README.md
@@ -52,6 +52,7 @@ See [`values.yaml`](values.yaml) for configurable values. Selected overlays:
 - [`ci/values-gateway.yaml`](ci/values-gateway.yaml) — gateway-only configuration
 - [`ci/values-cert-manager.yaml`](ci/values-cert-manager.yaml) — cert-manager integration
 - [`ci/values-keycloak.yaml`](ci/values-keycloak.yaml) — Keycloak OIDC integration
+- [`ci/values-postgres.yaml`](ci/values-postgres.yaml) — Postgres persistence via a Secret-backed DB URL
 ## PKI bootstrap
diff --git a/deploy/helm/openshell/ci/values-postgres.yaml b/deploy/helm/openshell/ci/values-postgres.yaml
new file mode 100644
index 000000000..a65aee0fd
--- /dev/null
+++ b/deploy/helm/openshell/ci/values-postgres.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Postgres persistence overlay.
+#
+# Sources the gateway's database URL from a Kubernetes Secret so the password
+# never lives in values.yaml or Helm release history.
+#
+# 1. Create the Secret in the release namespace, out-of-band:
+#
+# kubectl create secret generic openshell-db \
+# --namespace openshell \
+# --from-literal=url='postgres://openshell:CHANGEME@postgres.openshell.svc.cluster.local:5432/openshell?sslmode=require'
+#
+# Both `postgres://` and `postgresql://` schemes are accepted. The gateway
+# runs the embedded migrations on first connect.
+#
+# 2. Layer this file on top of values.yaml when deploying:
+#
+# helm upgrade --install openshell . \
+# -f values.yaml -f ci/values-postgres.yaml
+#
+# When `server.dbUrlSecretRef.name` is set, the chart drops the `--db-url`
+# CLI flag and the gateway reads OPENSHELL_DB_URL from the referenced Secret.
+# The plaintext `server.dbUrl` value is ignored. The chart still provisions
+# the `/var/openshell` PVC, but it is unused when persistence is Postgres.
+
+server:
+ dbUrlSecretRef:
+ name: openshell-db
+ key: url
diff --git a/deploy/helm/openshell/templates/statefulset.yaml b/deploy/helm/openshell/templates/statefulset.yaml
index 69140a70c..3d9eec0fd 100644
--- a/deploy/helm/openshell/templates/statefulset.yaml
+++ b/deploy/helm/openshell/templates/statefulset.yaml
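Review bot: The example `kubectl create secret generic openshell-db ... --from-literal=url='postgres://openshell:CHANGEME@...'` in the header comment places the database password on the command line, where it is recorded in shell history and readable from the process list while the command runs; the comment should steer operators to `--from-file=url=<path-to-url-file>` (or `--from-env-file`) so the credential is read from a file with restricted permissions instead. Separately, `sslmode=require` in the example URL only encrypts the connection and does not verify the server's certificate, so a one-line note that `sslmode=verify-full` with `sslrootcert` is the stronger choice when the cluster CA is available would be worth adding next to it. Both are comment-only changes to this overlay.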
@@ -59,9 +59,18 @@ spec:
 {{- end }}
 - --log-level
 - {{ .Values.server.logLevel }}
+ {{- if not .Values.server.dbUrlSecretRef.name }}
 - --db-url
 - {{ .Values.server.dbUrl | quote }}
+ {{- end }}
 env:
+ {{- if .Values.server.dbUrlSecretRef.name }}
+ - name: OPENSHELL_DB_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.server.dbUrlSecretRef.name | quote }}
+ key: {{ .Values.server.dbUrlSecretRef.key | quote }}
+ {{- end }}
 - name: OPENSHELL_SANDBOX_NAMESPACE
 value: {{ include "openshell.sandboxNamespace" . | quote }}
 - name: OPENSHELL_SANDBOX_IMAGE
diff --git a/deploy/helm/openshell/values.yaml b/deploy/helm/openshell/values.yaml
index 17c0fedd9..d64b392df 100644
--- a/deploy/helm/openshell/values.yaml
+++ b/deploy/helm/openshell/values.yaml
@@ -90,6 +90,14 @@ server:
 # namespace (.Release.Namespace) when left empty.
 sandboxNamespace: ""
 dbUrl: "sqlite:/var/openshell/openshell.db"
+ # Source the database URL from a Kubernetes Secret instead of `dbUrl`. When
+ # `name` is set, the gateway reads OPENSHELL_DB_URL from this Secret and the
+ # plaintext `dbUrl` value above is ignored. Use this for Postgres so the
+ # password never lives in values.yaml or Helm release history.
+ # See ci/values-postgres.yaml for a worked example.
+ dbUrlSecretRef:
+ name: ""
+ key: "url"
 sandboxImage: "ghcr.io/nvidia/openshell-community/sandboxes/base:latest"
 # Kubernetes imagePullPolicy for sandbox pods. Empty = Kubernetes default
 # (Always for :latest, IfNotPresent otherwise). Set to "Always" for dev
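Review bot: The new `secretKeyRef` block renders `.Values.server.dbUrlSecretRef.key` unchecked, so an override that sets `name` but blanks `key` produces `key: ""` and the StatefulSet is rejected by the API server with a generic validation error instead of a chart-level message; `key: {{ required "server.dbUrlSecretRef.key must be set when name is set" .Values.server.dbUrlSecretRef.key | quote }}` would surface that at render time. Both `if` conditions also assume `dbUrlSecretRef` is a map, so a user override of `server.dbUrlSecretRef: null` would likely fail the lookup of `.name` during rendering; guarding with `{{- if and .Values.server.dbUrlSecretRef .Values.server.dbUrlSecretRef.name }}` (and the negated form for the `--db-url` branch) avoids that. The container spec these lines belong to begins and ends outside the hunk.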
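Review bot: The comment added above `dbUrlSecretRef` does not tell operators what happens when the referenced Secret is absent or later rotated: the pod cannot start until the Secret exists, and because the URL is injected as an environment variable, editing the Secret does not restart the StatefulSet, so the gateway keeps the old credentials until its pod is recreated (nothing in this diff adds a checksum annotation, though one may exist elsewhere in the chart). Suggest appending `# The Secret must exist in the release namespace before install; rotating it requires a pod restart, as the URL is read from the environment at startup.` to the comment block. If the chart ships a values.schema.json, the new `dbUrlSecretRef.name` and `dbUrlSecretRef.key` keys should be declared there too.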