Skip to content

feat(chart): source JDBC datasource password from a Secret at runtime#25

Open
andrey-embarklabs wants to merge 1 commit into
NrgXnat:mainfrom
andrey-embarklabs:plt/xnat-chart-eso-datasource
Open

feat(chart): source JDBC datasource password from a Secret at runtime#25
andrey-embarklabs wants to merge 1 commit into
NrgXnat:mainfrom
andrey-embarklabs:plt/xnat-chart-eso-datasource

Conversation

@andrey-embarklabs

Copy link
Copy Markdown
Contributor

Opt-in via cnpg.cluster.credentials.externalSecret. When set, the datasource password is no longer templated into the chart-rendered config Secret; instead the home-init container reads it from the referenced Secret via the XNAT_DB_PASSWORD env (secretKeyRef, key externalSecretPasswordKey, default "password") and appends it to xnat-conf.properties at startup. This also fixes the prior bug where setting externalSecret rendered an empty datasource password. Inline password remains the default (dev/quickstart), so existing deploys are unaffected.

  • secret.yaml omits the datasource.password line in externalSecret mode.
  • home-init injects the password inside a { set +x; } window so the script's set -x never echoes it to the pod log, and fast-fails if the secret key is empty/missing.
  • Works in both bundled-CNPG and external-DB modes; in bundled mode the same Secret also bootstraps the CNPG cluster.

kubeconform. Adversarially reviewed (no must-fix; one false-positive "required() fires" claim refuted by live render). Runtime injection (jar/file flow, scrape) still needs an adapt-dev smoke test; the overlay's home-init postRenderer must be dropped before flipping to externalSecret.

Opt-in via cnpg.cluster.credentials.externalSecret. When set, the datasource
password is no longer templated into the chart-rendered config Secret;
instead the home-init container reads it from the referenced Secret via the
XNAT_DB_PASSWORD env (secretKeyRef, key externalSecretPasswordKey, default
"password") and appends it to xnat-conf.properties at startup. This also
fixes the prior bug where setting externalSecret rendered an empty datasource
password. Inline `password` remains the default (dev/quickstart), so existing
deploys are unaffected.

- secret.yaml omits the datasource.password line in externalSecret mode.
- home-init injects the password inside a { set +x; } window so the script's
  `set -x` never echoes it to the pod log, and fast-fails if the secret key is
  empty/missing.
- Works in both bundled-CNPG and external-DB modes; in bundled mode the same
  Secret also bootstraps the CNPG cluster.

kubeconform. Adversarially reviewed (no must-fix; one false-positive
"required() fires" claim refuted by live render). Runtime injection (jar/file
flow, scrape) still needs an adapt-dev smoke test; the overlay's home-init
postRenderer must be dropped before flipping to externalSecret.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants