Story #8289
closed
Story #5132: [Epic] As a user, I can consume Pulp 3 from OperatorHub.io
pulp-operator should use a secret for database configuration
100%
Description
Currently database configuration is in the clear within the Pulp custom resource, this is not a good practice as it leaks credentials to anyone who can view the customer resource.
The operator should allow for the specification of a secret. If the secret is not provided in the configuration it should look for a default named secret "pulp-postgres-configuration" and use if it exists otherwise it should create the secret with default values.
Example generated secret:
# Postgres Secret.
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ meta.name }}-postgres-configuration'
namespace: '{{ meta.namespace }}'
stringData:
password: '{{ lookup('password', 'p' + meta.name + 'pg length=32 chars=ascii_letters,digits') }}'
username: '{{ deployment_type }}'
database: '{{ deployment_type }}'
port: '5432'
host: {{ meta.name }}-postgres
type: 'managed'
The intent is to have a common usage pattern as other operators that this operator is often deployed with.
The values for the secret should be mounted as a volume on the required deployments. The mounted secrets should then be exported within the container so the values are available as settings.
Updated by pulpbot about 3 years ago
- Status changed from NEW to POST
Added by chambridge about 3 years ago
Updated by chambridge about 3 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp-operator|5e4982fd9bfdba63c7261767764ba156e0232abb.
.
Deploy postgres db using kubernetes secret for configuration.
closes #8289 https://pulp.plan.io/issues/8289