DX-1282 Load secret data to environment variables (#4493)

caroltyk · dcs3spp · web-flow · commit 6a562eb26101 · 2024-04-30T11:16:11.000+01:00
* Update tyk-stack-chart with example for how to load secret data to environment variables
---------

Co-authored-by: dcs3spp &lt;dcs3spp@users.noreply.github.com&gt;
diff --git a/tyk-docs/content/product-stack/tyk-charts/tyk-control-plane-chart.md b/tyk-docs/content/product-stack/tyk-charts/tyk-control-plane-chart.md
@@ -100,7 +100,10 @@ helm show values tyk-helm/tyk-control-plane --devel > values.yaml
 You can update any value in your local `values.yaml` file and use `-f [filename]` flag to override default values during installation. 
 Alternatively, you can use `--set` flag to set it in Tyk installation. See [Using Helm](https://helm.sh/docs/intro/using_helm/) for examples.
 
-To configure Tyk components, users can utilize both config files and [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Notably, environment variables take precedence over config files. To maintain simplicity and consistency, the Tyk Helm Charts deploy components with an empty config file while setting container environment variables based on user-defined [values](https://helm.sh/docs/chart_best_practices/values/). This approach ensures seamless integration with Kubernetes practices, allowing for efficient management of configurations. For a comprehensive overview of available configurations, please refer to the [configuration documentation]({{<ref "tyk-environment-variables">}}). Additionally, should any environment variables not be set by the Helm Chart, users can easily add them under the `extraEnvs` section within the charts for further customization. Values set under `extraEnvs` would take precedence over all configurations.
+To configure Tyk components, users can utilize both config files and [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Notably, environment variables take precedence over config files. To maintain simplicity and consistency, the Tyk Helm Charts deploy components with an empty config file while setting container environment variables based on user-defined [values](https://helm.sh/docs/chart_best_practices/values/). This approach ensures seamless integration with Kubernetes practices, allowing for efficient management of configurations. For a comprehensive overview of available configurations, please refer to the [configuration documentation]({{<ref "tyk-environment-variables">}}). 
+
+### Setting Environment Variables
+Should any environment variables not be set by the Helm Chart, users can easily add them under the `extraEnvs` section within the charts for further customization. Values set under `extraEnvs` would take precedence over all configurations.
 
 Example of setting extra environment variable to gateway:
 ```yaml
@@ -111,6 +114,32 @@ tyk-gateway:
       value: debug
 ```
 
+An example is listed below for setting extra [environment variable using ConfigMap data](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#define-container-environment-variables-using-configmap-data), using gateway:
+```yaml
+tyk-gateway:
+  gateway:
+    extraEnvs:
+    - name: CONFIG_USERNAME
+      valueFrom:
+        configMapKeyRef: 
+          name: backend-user
+          key: backend-username
+```
+
+An example is listed below for setting extra [environment variable using secret data](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data), using gateway:
+```yaml
+tyk-gateway:
+  gateway:
+    extraEnvs:
+    - name: SECRET_USERNAME
+      valueFrom:
+        secretKeyRef: 
+          name: backend-user
+          key: backend-username
+```
+
+In the above example, an extra environment variable `SECRET_USERNAME` will be added to the Gateway container, with a value of `backend-username` associated with the secret `backend-user`. It is useful if you want to access secret data from [Tyk Gateway configuration file (tyk.conf) or API definitions]({{<ref "tyk-configuration-reference/kv-store#how-to-access-the-externally-stored-data">}}).
+
 ### Set Redis Connection Details (Required)
 
 Tyk uses Redis for distributed rate-limiting and token storage. You may use the [Bitnami chart](https://github.com/bitnami/charts/tree/main/bitnami/redis) or Tyk's [simple-redis](https://artifacthub.io/packages/helm/tyk-helm/simple-redis) to install chart for POC purpose.
diff --git a/tyk-docs/content/product-stack/tyk-charts/tyk-data-plane-chart.md b/tyk-docs/content/product-stack/tyk-charts/tyk-data-plane-chart.md
@@ -89,7 +89,11 @@ helm show values tyk-helm/tyk-data-plane > values.yaml
 You can update any value in your local `values.yaml` file and use `-f [filename]` flag to override default values during installation. 
 Alternatively, you can use `--set` flag to set it in Tyk installation.
 
-To configure Tyk components, users can utilize both config files and [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Notably, environment variables take precedence over config files. To maintain simplicity and consistency, the Tyk Helm Charts deploy components with an empty config file while setting container environment variables based on user-defined [values](https://helm.sh/docs/chart_best_practices/values/). This approach ensures seamless integration with Kubernetes practices, allowing for efficient management of configurations. For a comprehensive overview of available configurations, please refer to the [configuration documentation]({{<ref "tyk-environment-variables">}}). Additionally, should any environment variables not be set by the Helm Chart, users can easily add them under the `extraEnvs` section within the charts for further customization. Values set under `extraEnvs` would take precedence over all configurations.
+To configure Tyk components, users can utilize both config files and [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Notably, environment variables take precedence over config files. To maintain simplicity and consistency, the Tyk Helm Charts deploy components with an empty config file while setting container environment variables based on user-defined [values](https://helm.sh/docs/chart_best_practices/values/). This approach ensures seamless integration with Kubernetes practices, allowing for efficient management of configurations. For a comprehensive overview of available configurations, please refer to the [configuration documentation]({{<ref "tyk-environment-variables">}}). 
+
+
+### Setting Environment Variables
+Should any environment variables not be set by the Helm Chart, users can easily add them under the `extraEnvs` section within the charts for further customization. Values set under `extraEnvs` would take precedence over all configurations.
 
 Example of setting extra environment variable to gateway:
 ```yaml
@@ -100,6 +104,32 @@ tyk-gateway:
       value: debug
 ```
 
+An example is listed below for setting extra [environment variable using ConfigMap data](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#define-container-environment-variables-using-configmap-data), using gateway:
+```yaml
+tyk-gateway:
+  gateway:
+    extraEnvs:
+    - name: CONFIG_USERNAME
+      valueFrom:
+        configMapKeyRef: 
+          name: backend-user
+          key: backend-username
+```
+
+An example is listed below for setting extra [environment variable using secret data](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data), using gateway:
+```yaml
+tyk-gateway:
+  gateway:
+    extraEnvs:
+    - name: SECRET_USERNAME
+      valueFrom:
+        secretKeyRef: 
+          name: backend-user
+          key: backend-username
+```
+
+In the above example, an extra environment variable `SECRET_USERNAME` will be added to the Gateway container, with a value of `backend-username` associated with the secret `backend-user`. It is useful if you want to access secret data from [Tyk Gateway configuration file (tyk.conf) or API definitions]({{<ref "tyk-configuration-reference/kv-store#how-to-access-the-externally-stored-data">}}).
+
 ### Set Redis Connection Details (Required)
 
 Tyk uses Redis for distributed rate-limiting and token storage. You may use the [Bitnami chart](https://github.com/bitnami/charts/tree/main/bitnami/redis) to install or Tyk's `simple-redis` chart for POC purpose.
@@ -356,16 +386,6 @@ Configure the gateways to load APIs with specific tags only by enabling `tyk-gat
       tags: "edge,dc1,product"
 ```
 
-#### Setting Environment Variable
-
-You can add environment variables for Tyk Gateway under `extraEnvs`. This can be used to override any default settings in the chart, e.g.
-
-```yaml
-    extraEnvs:
-      - name: TYK_GW_HASHKEYS
-        value: "false"
-```
-
 For further details for configuring Tyk Gateway, please consult the [Tyk Gateway Configuration Options]({{<ref "tyk-oss-gateway/configuration">}}) guide.
 
 ### Pump Configurations
diff --git a/tyk-docs/content/product-stack/tyk-charts/tyk-oss-chart.md b/tyk-docs/content/product-stack/tyk-charts/tyk-oss-chart.md
@@ -77,7 +77,10 @@ helm show values tyk-helm/tyk-oss > values.yaml
 You can update any value in your local `values.yaml` file and use `-f [filename]` flag to override default values during installation. 
 Alternatively, you can use `--set` flag to set it in Tyk installation.
 
-To configure Tyk components, users can utilize both config files and [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Notably, environment variables take precedence over config files. To maintain simplicity and consistency, the Tyk Helm Charts deploy components with an empty config file while setting container environment variables based on user-defined [values](https://helm.sh/docs/chart_best_practices/values/). This approach ensures seamless integration with Kubernetes practices, allowing for efficient management of configurations. For a comprehensive overview of available configurations, please refer to the [configuration documentation]({{<ref "tyk-environment-variables">}}). Additionally, should any environment variables not be set by the Helm Chart, users can easily add them under the `extraEnvs` section within the charts for further customization. Values set under `extraEnvs` would take precedence over all configurations.
+To configure Tyk components, users can utilize both config files and [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Notably, environment variables take precedence over config files. To maintain simplicity and consistency, the Tyk Helm Charts deploy components with an empty config file while setting container environment variables based on user-defined [values](https://helm.sh/docs/chart_best_practices/values/). This approach ensures seamless integration with Kubernetes practices, allowing for efficient management of configurations. For a comprehensive overview of available configurations, please refer to the [configuration documentation]({{<ref "tyk-environment-variables">}}). 
+
+### Setting Environment Variables
+Should any environment variables not be set by the Helm Chart, users can easily add them under the `extraEnvs` section within the charts for further customization. Values set under `extraEnvs` would take precedence over all configurations.
 
 Example of setting extra environment variable to gateway:
 ```yaml
@@ -88,6 +91,32 @@ tyk-gateway:
       value: debug
 ```
 
+An example is listed below for setting extra [environment variable using ConfigMap data](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#define-container-environment-variables-using-configmap-data), using gateway:
+```yaml
+tyk-gateway:
+  gateway:
+    extraEnvs:
+    - name: CONFIG_USERNAME
+      valueFrom:
+        configMapKeyRef: 
+          name: backend-user
+          key: backend-username
+```
+
+An example is listed below for setting extra [environment variable using secret data](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data), using gateway:
+```yaml
+tyk-gateway:
+  gateway:
+    extraEnvs:
+    - name: SECRET_USERNAME
+      valueFrom:
+        secretKeyRef: 
+          name: backend-user
+          key: backend-username
+```
+
+In the above example, an extra environment variable `SECRET_USERNAME` will be added to the Gateway container, with a value of `backend-username` associated with the secret `backend-user`. It is useful if you want to access secret data from [Tyk Gateway configuration file (tyk.conf) or API definitions]({{<ref "tyk-configuration-reference/kv-store#how-to-access-the-externally-stored-data">}}).
+
 ### Set Redis Connection Details (Required)
 
 Tyk uses Redis for distributed rate-limiting and token storage. You may use the [Bitnami chart](https://github.com/bitnami/charts/tree/main/bitnami/redis) to install or Tyk's `simple-redis` chart for POC purpose.
@@ -320,16 +349,6 @@ You can configure persistent volume for APIs, Policies, and middlewares using `e
       mountPath: /mnt/tyk-gateway/middleware
 ```
 
-#### Setting Environment Variables
-
-You can add environment variables for Tyk Gateway under `extraEnvs`. This can be used to override any default settings in the chart, e.g.
-
-```yaml
-    extraEnvs:
-      - name: TYK_GW_HASHKEYS
-        value: "false"
-```
-
 For further details for configuring Tyk Gateway, consult the [Tyk Gateway Configuration Options]({{<ref "tyk-oss-gateway/configuration">}}) guide.
 
 ### Pump Configurations
diff --git a/tyk-docs/content/product-stack/tyk-charts/tyk-stack-chart.md b/tyk-docs/content/product-stack/tyk-charts/tyk-stack-chart.md
@@ -94,7 +94,10 @@ helm show values tyk-helm/tyk-stack > values.yaml
 You can update any value in your local `values.yaml` file and use `-f [filename]` flag to override default values during installation. 
 Alternatively, you can use `--set` flag to set it in Tyk installation. See [Using Helm](https://helm.sh/docs/intro/using_helm/) for examples.
 
-To configure Tyk components, users can utilize both config files and [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Notably, environment variables take precedence over config files. To maintain simplicity and consistency, the Tyk Helm Charts deploy components with an empty config file while setting container environment variables based on user-defined [values](https://helm.sh/docs/chart_best_practices/values/). This approach ensures seamless integration with Kubernetes practices, allowing for efficient management of configurations. For a comprehensive overview of available configurations, please refer to the [configuration documentation]({{<ref "tyk-environment-variables">}}). Additionally, should any environment variables not be set by the Helm Chart, users can easily add them under the `extraEnvs` section within the charts for further customization. Values set under `extraEnvs` would take precedence over all configurations.
+To configure Tyk components, users can utilize both config files and [environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/). Notably, environment variables take precedence over config files. To maintain simplicity and consistency, the Tyk Helm Charts deploy components with an empty config file while setting container environment variables based on user-defined [values](https://helm.sh/docs/chart_best_practices/values/). This approach ensures seamless integration with Kubernetes practices, allowing for efficient management of configurations. For a comprehensive overview of available configurations, please refer to the [configuration documentation]({{<ref "tyk-environment-variables">}}). 
+
+### Setting Environment Variables
+Should any environment variables not be set by the Helm Chart, users can easily add them under the `extraEnvs` section within the charts for further customization. Values set under `extraEnvs` would take precedence over all configurations.
 
 Example of setting extra environment variable to gateway:
 ```yaml
@@ -105,6 +108,32 @@ tyk-gateway:
       value: debug
 ```
 
+An example is listed below for setting extra [environment variable using ConfigMap data](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#define-container-environment-variables-using-configmap-data), using gateway:
+```yaml
+tyk-gateway:
+  gateway:
+    extraEnvs:
+    - name: CONFIG_USERNAME
+      valueFrom:
+        configMapKeyRef: 
+          name: backend-user
+          key: backend-username
+```
+
+An example is listed below for setting extra [environment variable using secret data](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-container-environment-variables-using-secret-data), using gateway:
+```yaml
+tyk-gateway:
+  gateway:
+    extraEnvs:
+    - name: SECRET_USERNAME
+      valueFrom:
+        secretKeyRef: 
+          name: backend-user
+          key: backend-username
+```
+
+In the above example, an extra environment variable `SECRET_USERNAME` will be added to the Gateway container, with a value of `backend-username` associated with the secret `backend-user`. It is useful if you want to access secret data from [Tyk Gateway configuration file (tyk.conf) or API definitions]({{<ref "tyk-configuration-reference/kv-store#how-to-access-the-externally-stored-data">}}).
+
 ### Set Redis Connection Details (Required)
 
 Tyk uses Redis for distributed rate-limiting and token storage. You may use the Bitnami chart to install or Tyk's `simple-redis` chart for POC purpose.
