Story #8289
Story #5132: [Epic] As a user, I can consume Pulp 3 from OperatorHub.io
pulp-operator should use a secret for database configuration
0%
Description
Currently database configuration is in the clear within the Pulp custom resource, this is not a good practice as it leaks credentials to anyone who can view the customer resource.
The operator should allow for the specification of a secret. If the secret is not provided in the configuration it should look for a default named secret "pulp-postgres-configuration" and use if it exists otherwise it should create the secret with default values.
Example generated secret:
# Postgres Secret.
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ meta.name }}-postgres-configuration'
namespace: '{{ meta.namespace }}'
stringData:
password: '{{ lookup('password', 'p' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
username: '{{ deployment_type }}'
database: '{{ deployment_type }}'
port: '5432'
host: {{ meta.name }}-postgres
type: 'managed'
The intent is to have a common usage pattern as other operators that this operator is often deployed with.
The values for the secret should be mounted as a volume on the required deployments. The mounted secrets should then be exported within the container so the values are available as settings.
History
#1
Updated by chambridge 9 days ago
- Parent task set to #5132
Please register to edit this issue