WIP: feat: allow passing postgresql username and password from operator secret #100
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nvironment variables separately This allows the use of postgres-operator which provides the username and password as separate keys feat: allow passing postgresql username and password from secret as environment variables separately This allows the use of postgres-operator which provides the username and password as separate keys fix: correctly check which keys to use
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addresses #92
I invested a couple of hours how to solve this issue and want to share my findings:
In a kubernetes environment it's common to share credentials and connection information with secrets, e.g. from an external secrets operator, sealed secrets, or as mentioned in the issue postgres-operator. Generally there is no agreed standard, some might only include the password and other also the username. Therefore it's generally necessary to specifiy each connection parameter (host, port, username, password, database) separately so we can map it to the corresponding secret key instead of passing the whole connection to the container. Fortunately the vaultwarden image (or more correctly underlying pgsql library) supports this (https://github.com/dani-garcia/vaultwarden/wiki/Using-the-PostgreSQL-Backendm https://www.postgresql.org/docs/current/libpq-envars.html) . Unfortunately for mysql there seems to be no such support, so the solution I propose is postgresql only.
To specify the connection parameters separately instead of
use
Note that DATABASE_URL must still be specified but must only contain the host, all parameters must be specified as the corresponding
PGvariables, otherwise vaultwarden tries to use the ones from DATABASE_URL.The correcting handling of the environment is enabled specifying
This trigger on the condition
{{- if and ( eq .Values.database.type "postgresql") .Values.database.existingSecret (not .Values.database.existingSecretKey)}}so it is backwards compatible with setups specifying already specifying existingSecretKey.Please let me know what you think about this.
If you want to try this out you can use
oci://ghcr.io/danielr1996/vaultwarden:0.24.3