make k8s secret optional

[asokolsky4clari]

trino-gateway helm chart unconditionally generates secret.yaml.

k8s secrets are not secure and in our deployments we do not allow for applications to rely on k8s sercets.

Instead we:

• store secrets in vault
• pass these to applications using environment variables

This issue requests:

• make generation os k8s secret optional
• allow for the secrets to be passed to trino-gateway via environment variables

[kumiDa]

I would like to work on this issue, please assign this to me.

[sdaberdaku]

Maybe you are not aware of this, but you can declare other secrets as env variables and then reference them in the config like so:

...
envFrom:
  - secretRef:
      name: postgres-credentials

config:
  serverConfig:
    node.environment: production
    http-server.http.port: 8080
    http-server.http.enabled: true
    http-server.process-forwarded: true
  dataStore:
    jdbcUrl: ${ENV:DB_JDBC_URL}
    user: ${ENV:DB_USERNAME}
    password: ${ENV:DB_PASSWORD}
    driver: org.postgresql.Driver
    queryHistoryHoursRetention: 48
...

Here postgres-credentials can be created using Vault Secrets Operator and will contain the following keys:
DB_JDBC_URL, DB_USERNAME, and DB_PASSWORD which are mounted as env variables.

apiVersion: ricoberger.de/v1alpha1
kind: VaultSecret
metadata:
  name: postgres-credentials
spec:
  type: Opaque
  path: trino/trino_gateway_postgres_credentials
  keys:
    - db_name
    - db_host
    - db_port
    - db_username
    - db_password
  templates:
    DB_JDBC_URL: "jdbc:postgresql://{% .Secrets.db_host %}:{% .Secrets.db_port %}/{% .Secrets.db_name %}"
    DB_USERNAME: "{% .Secrets.db_username %}"
    DB_PASSWORD: "{% .Secrets.db_password %}"

[sdaberdaku]

Thinking about this, I believe this configuration could be a ConfigMap instead of a Secret, and we should be able to disable it if needed (e.g. if we provide an empty configuration config: {}).