Description
Provide environment information
Helm Chart Version: 4.0.0-beta.17
Kubernetes Version: v1.33.1-eks-595af52
Describe the bug
The Helm chart's electric service doesn't support reading DATABASE_URL from Kubernetes secrets, forcing plaintext credentials in values.yaml. This is a security risk and inconsistent with other services.
1. Missing Secret Support for DATABASE_URL
The template only uses the trigger-v4.postgres.connectionString helper, ignoring postgres.external.existingSecret and secretKeys.databaseUrlKey. This results in an empty DATABASE_URL when using external PostgreSQL without a plaintext URL.
From templates/electric.yaml#L40-L41:

```yaml
- name: DATABASE_URL
  value: {{ include "trigger-v4.postgres.connectionString" . | quote }}
```
2. Inconsistent Implementation Across Services
Other services like webapp correctly use conditional logic to read from secrets.
From webapp.yaml#L183-L196:

```yaml
{{- if include "trigger-v4.postgres.useSecretUrl" . }}
- name: DATABASE_URL
  valueFrom:
    secretKeyRef:
      name: {{ include "trigger-v4.postgres.external.secretName" . }}
      key: {{ include "trigger-v4.postgres.external.databaseUrlKey" . }}
{{- else }}
- name: DATABASE_URL
  value: {{ include "trigger-v4.postgres.connectionString" . | quote }}
{{- end }}
```
Reproduction repo
https://github.com/triggerdotdev/trigger.dev/tree/main/hosting/k8s/helm
To reproduce
- Use values.yaml with external PostgreSQL via secret (no plaintext URL):

  ```yaml
  postgres:
    deploy: false
    external:
      existingSecret: "trigger-dev-secrets"
      secretKeys:
        databaseUrlKey: "DATABASE_URL"
  electric:
    deploy: true
  ```
- Run:

  ```
  helm template trigger-dev ./trigger-4.0.0-beta.17/trigger -f values.yaml
  ```
- Observe empty value:

  ```yaml
  - name: DATABASE_URL
    value: ""
  ```
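
A check that can run over `helm template` output in CI to catch this class of regression, added here as an example (it is not part of the original issue or of the chart): it reports every rendered `DATABASE_URL` entry that is empty or set inline instead of through `secretKeyRef`. The sample manifest, the `OTHER_VAR` entry and the function names are constructed for illustration, and the scan is line-based, so it assumes Helm's usual block-style YAML.

```python
import re

# Constructed, trimmed fragments of `helm template` output (not real chart output).
SAMPLE = '''---
# Source: trigger/templates/webapp.yaml
env:
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: trigger-dev-secrets
        key: DATABASE_URL
---
# Source: trigger/templates/electric.yaml
env:
  - name: DATABASE_URL
    value: ""
  - name: OTHER_VAR
    value: "x"
'''

ENV_NAME = re.compile(r"^(\s*)- name:\s*[\"']?DATABASE_URL[\"']?\s*$")

def classify_database_url(rendered):
    """Return (source, kind) per DATABASE_URL env entry: secret, empty or inline."""
    findings = []
    for doc in re.split(r"(?m)^---[ \t]*$", rendered):
        lines = doc.splitlines()
        source = next((l.split(":", 1)[1].strip() for l in lines
                       if l.startswith("# Source:")), "<unknown>")
        for i, line in enumerate(lines):
            m = ENV_NAME.match(line)
            if not m:
                continue
            kind = "empty"  # neither value nor valueFrom also means unset
            for follow in lines[i + 1:]:
                key = follow.strip()
                if key and len(follow) - len(follow.lstrip()) <= len(m.group(1)):
                    break  # next env entry or parent key: this entry is over
                if key.startswith("secretKeyRef:"):
                    kind = "secret"
                elif key.startswith("value:"):
                    literal = key[len("value:"):].strip().strip("\"'")
                    kind = "inline" if literal else "empty"
            findings.append((source, kind))
    return findings

def violations(rendered):
    """DATABASE_URL entries that are not read from a Secret."""
    return [f for f in classify_database_url(rendered) if f[1] != "secret"]

if __name__ == "__main__":
    for source, kind in violations(SAMPLE):
        print(f"{source}: DATABASE_URL is {kind}, expected secretKeyRef")
```

To use it on real output, pass the text produced by the `helm template` command from the reproduction steps to `violations()` and fail the pipeline when the list is non-empty.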