Project

Profile

Help

Story #8289

closed

Story #5132: [Epic] As a user, I can consume Pulp 3 from OperatorHub.io

pulp-operator should use a secret for database configuration

Added by chambridge over 3 years ago. Updated over 3 years ago.

Status:
MODIFIED
Priority:
Normal
Assignee:
Category:
Operator - Moved to Github Issues
Sprint/Milestone:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

Currently database configuration is in the clear within the Pulp custom resource, this is not a good practice as it leaks credentials to anyone who can view the customer resource.

The operator should allow for the specification of a secret. If the secret is not provided in the configuration it should look for a default named secret "pulp-postgres-configuration" and use if it exists otherwise it should create the secret with default values.

Example generated secret:

# Postgres Secret.
---
apiVersion: v1
kind: Secret
metadata:
  name: '{{ meta.name }}-postgres-configuration'
  namespace: '{{ meta.namespace }}'
stringData:
  password: '{{ lookup('password', 'p' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
  username: '{{ deployment_type }}'
  database: '{{ deployment_type }}'
  port: '5432'
  host: {{ meta.name }}-postgres
  type: 'managed'

The intent is to have a common usage pattern as other operators that this operator is often deployed with.

The values for the secret should be mounted as a volume on the required deployments. The mounted secrets should then be exported within the container so the values are available as settings.

Also available in: Atom PDF