Project

Profile

Help

Story #8289

closed

Story #5132: [Epic] As a user, I can consume Pulp 3 from OperatorHub.io

pulp-operator should use a secret for database configuration

Added by chambridge over 3 years ago. Updated over 3 years ago.

Status:
MODIFIED
Priority:
Normal
Assignee:
Category:
Operator - Moved to Github Issues
Sprint/Milestone:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

Currently database configuration is in the clear within the Pulp custom resource, this is not a good practice as it leaks credentials to anyone who can view the customer resource.

The operator should allow for the specification of a secret. If the secret is not provided in the configuration it should look for a default named secret "pulp-postgres-configuration" and use if it exists otherwise it should create the secret with default values.

Example generated secret:

# Postgres Secret.
---
apiVersion: v1
kind: Secret
metadata:
  name: '{{ meta.name }}-postgres-configuration'
  namespace: '{{ meta.namespace }}'
stringData:
  password: '{{ lookup('password', 'p' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
  username: '{{ deployment_type }}'
  database: '{{ deployment_type }}'
  port: '5432'
  host: {{ meta.name }}-postgres
  type: 'managed'

The intent is to have a common usage pattern as other operators that this operator is often deployed with.

The values for the secret should be mounted as a volume on the required deployments. The mounted secrets should then be exported within the container so the values are available as settings.

Actions #1

Updated by chambridge over 3 years ago

  • Parent issue set to #5132
Actions #2

Updated by pulpbot over 3 years ago

  • Status changed from NEW to POST

Added by chambridge over 3 years ago

Revision 5e4982fd | View on GitHub

Deploy postgres db using kubernetes secret for configuration.

  • Update CRD to consume a secret for the db configuration
  • Update playbook for default settings configuration
  • Update postgres role to check for secret or create one based on the CR
  • Postgres will be deployed specific to CR
  • Pulp deployments updated to reference the db secret as a volume mount

closes #8289 https://pulp.plan.io/issues/8289

Actions #3

Updated by chambridge over 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Also available in: Atom PDF