[bitnami/postgresql-ha] Existing secret enforces key "postgres-password" even if user is postgres #28927

Closed
Hareshraman opened this issue Aug 19, 2024 · 4 comments · Fixed by #29120
Labels: postgresql-ha, solved, tech-issues

Hareshraman commented Aug 19, 2024

Name and Version

bitnami/postgresql-ha:14.2.16

What architecture are you using?

None

What steps will reproduce the bug?

1. Create a secret to use as the existing Secret: create postgres-chart-ha-secrets with 3 keys: admin-password, password, repmgr-password

```yaml
apiVersion: v1
metadata:
  name: postgres-chart-ha-secrets
  namespace: infra
  uid: ab760782-7279-4f00-b400-5c3506bf60c6
  resourceVersion: '1962'
  creationTimestamp: '2024-08-19T12:46:17Z'
  ownerReferences:
    - apiVersion: bitnami.com/v1alpha1
      kind: SealedSecret
      name: postgres-chart-ha-secrets
      uid: 5b7a9bb5-e0b8-4002-ac13-38241fcf8dd3
      controller: true
  managedFields:
    - manager: controller
      operation: Update
      apiVersion: v1
      time: '2024-08-19T12:46:17Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:admin-password: {}
          f:password: {}
          f:repmgr-password: {}
        f:metadata:
          f:ownerReferences:
            .: {}
            k:{"uid":"5b7a9bb5-e0b8-4002-ac13-38241fcf8dd3"}: {}
        f:type: {}
data:
  admin-password: cG9zdGdyZXM=
  password: cG9zdGdyZXM=
  repmgr-password: cG9zdGdyZXM=
type: Opaque
```
2. If the username is postgres, key POSTGRES_POSTGRES_PASSWORD shouldn't be created. As per this block in the postgresql statefulset.yaml:

```yaml
{{- if (or (not (eq (include "postgresql-ha.postgresqlUsername" .) "postgres")) (not (include "postgresql-ha.postgresqlCreateSecret" .)) (include "postgresql-ha.postgresqlPasswordProvided" .))}}
{{- if .Values.postgresql.usePasswordFile }}
- name: POSTGRES_POSTGRES_PASSWORD_FILE
  value: "/opt/bitnami/postgresql/secrets/postgres-password"
{{- else }}
- name: POSTGRES_POSTGRES_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ template "postgresql-ha.postgresqlSecretName" . }}
      key: postgres-password
{{- end }}
{{- end }}
- name: POSTGRES_USER
  value: {{ (include "postgresql-ha.postgresqlUsername" .) | quote }}
{{- if .Values.postgresql.usePasswordFile }}
- name: POSTGRES_PASSWORD_FILE
  value: "/opt/bitnami/postgresql/secrets/password"
{{- else }}
- name: POSTGRES_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ include "postgresql-ha.postgresqlSecretName" . }}
      {{- if (include "postgresql-ha.postgresqlCreateSecret" .) }}
      key: password
      {{- else }}
      {{- if ( index ( lookup "v1" "Secret" (include "common.names.namespace" .) (include "postgresql-ha.postgresqlSecretName" .) ) ".data.postgres-password" ) }}
      key: postgres-password
      {{- else }}
      key: password
      {{- end }}
      {{- end }}
{{- end }}
```
3. Postgres statefulset fails to be ready as it expects a key postgres-password in the existing secret postgres-chart-ha-secrets.

Are you using any custom parameters or values?

The values.yaml are provided below.

```yaml
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  postgresql:
    username: "postgres"
    password: ""
    database: ""
    repmgrUsername: ""
    repmgrPassword: ""
    repmgrDatabase: ""
    existingSecret: "postgres-chart-ha-secrets"
  ldap:
    bindpw: ""
    existingSecret: ""
  pgpool:
    adminUsername: ""
    adminPassword: ""
    existingSecret: "postgres-chart-ha-secrets"
```

What is the expected behavior?

If user is postgres, the section should not be executed

What do you see instead?

Environment is created for postgres_postgres_password even if the username is postgres.

Additional information

No response
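
Added example (not part of the original issue or the chart's code): a Python model of the template conditions quoted in the report, evaluated against the reported Secret's keys to show which key the rendered `secretKeyRef` entries require. The boolean inputs stand in for the chart helpers `postgresqlCreateSecret` and `postgresqlPasswordProvided`; treating `create_secret` as false when an existing Secret is supplied, and modelling the `lookup` branch as a plain key check, are assumptions.

```python
def renders_superuser_env(username, create_secret, password_provided):
    """Mirror of the outer `or` in the quoted template: True when the chart
    emits POSTGRES_POSTGRES_PASSWORD (or its _FILE variant)."""
    return username != "postgres" or not create_secret or password_provided


def referenced_keys(username, create_secret, password_provided, secret_data):
    """Secret keys the rendered secretKeyRef entries point at
    (usePasswordFile=false branch)."""
    keys = set()
    if renders_superuser_env(username, create_secret, password_provided):
        keys.add("postgres-password")
    if create_secret:
        keys.add("password")
    else:
        # Assumption: the lookup branch is modelled as its apparent intent,
        # i.e. prefer postgres-password when the existing Secret carries it.
        keys.add("postgres-password" if "postgres-password" in secret_data
                 else "password")
    return keys


def missing_keys(username, create_secret, password_provided, secret_data):
    """Keys the pod spec references that the Secret does not contain."""
    needed = referenced_keys(username, create_secret, password_provided,
                             secret_data)
    return sorted(needed - set(secret_data))


def postgres_user_cases():
    """For username=postgres: (create_secret, password_provided) -> rendered?"""
    return {(c, p): renders_superuser_env("postgres", c, p)
            for c in (True, False) for p in (True, False)}


# `data` section of the Secret posted in the report.
REPORTED_SECRET = {
    "admin-password": "cG9zdGdyZXM=",
    "password": "cG9zdGdyZXM=",
    "repmgr-password": "cG9zdGdyZXM=",
}

if __name__ == "__main__":
    # Reporter's values: username postgres, empty password, existingSecret set.
    print("missing:", missing_keys("postgres", False, False, REPORTED_SECRET))
    for case, rendered in postgres_user_cases().items():
        print(case, "->", rendered)
```

Under these assumptions, the only `postgres`-user case that skips the variable is a chart-created Secret with no password provided; any existing Secret triggers the `postgres-password` reference.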

Hareshraman added the tech-issues label Aug 19, 2024
Hareshraman changed the title from "[bitnami/postgresql-ha] Existing secret to have key "postgres-password" even if user is postgres" to "[bitnami/postgresql-ha] Existing secret enforces key "postgres-password" even if user is postgres" Aug 19, 2024
github-actions bot added the triage label Aug 19, 2024

javsalgar (Contributor) commented

Hi! Thank you so much for the report. I will forward this to the team, but as it is not a critical feature, I cannot guarantee an ETA. However, if you want to speed up the process, you can submit a PR and the team will take a look.

age9990 commented Aug 23, 2024

I thought the bug may be related to this PR #27095.
According to the logic, a secret is used -> use the provided; "not" should not be in the following condition:
`(not (include "postgresql-ha.postgresqlCreateSecret" .))`

juan131 (Contributor) commented Aug 30, 2024

Hi everyone! Thanks so much for reporting this bug, I just created a PR to address it.

age9990 commented Aug 30, 2024

@juan131 Looks like the new PR is just a revert of PR #27095, is that correct?
