feat(chart): source JDBC datasource password from a Secret at runtime#25
Open
andrey-embarklabs wants to merge 1 commit into
Open
feat(chart): source JDBC datasource password from a Secret at runtime#25andrey-embarklabs wants to merge 1 commit into
andrey-embarklabs wants to merge 1 commit into
Conversation
Opt-in via cnpg.cluster.credentials.externalSecret. When set, the datasource
password is no longer templated into the chart-rendered config Secret;
instead the home-init container reads it from the referenced Secret via the
XNAT_DB_PASSWORD env (secretKeyRef, key externalSecretPasswordKey, default
"password") and appends it to xnat-conf.properties at startup. This also
fixes the prior bug where setting externalSecret rendered an empty datasource
password. Inline `password` remains the default (dev/quickstart), so existing
deploys are unaffected.
- secret.yaml omits the datasource.password line in externalSecret mode.
- home-init injects the password inside a { set +x; } window so the script's
`set -x` never echoes it to the pod log, and fast-fails if the secret key is
empty/missing.
- Works in both bundled-CNPG and external-DB modes; in bundled mode the same
Secret also bootstraps the CNPG cluster.
kubeconform. Adversarially reviewed (no must-fix; one false-positive
"required() fires" claim refuted by live render). Runtime injection (jar/file
flow, scrape) still needs an adapt-dev smoke test; the overlay's home-init
postRenderer must be dropped before flipping to externalSecret.
kathrynalpert
approved these changes
Jun 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Opt-in via cnpg.cluster.credentials.externalSecret. When set, the datasource password is no longer templated into the chart-rendered config Secret; instead the home-init container reads it from the referenced Secret via the XNAT_DB_PASSWORD env (secretKeyRef, key externalSecretPasswordKey, default "password") and appends it to xnat-conf.properties at startup. This also fixes the prior bug where setting externalSecret rendered an empty datasource password. Inline
passwordremains the default (dev/quickstart), so existing deploys are unaffected.set -xnever echoes it to the pod log, and fast-fails if the secret key is empty/missing.kubeconform. Adversarially reviewed (no must-fix; one false-positive "required() fires" claim refuted by live render). Runtime injection (jar/file flow, scrape) still needs an adapt-dev smoke test; the overlay's home-init postRenderer must be dropped before flipping to externalSecret.