-
Notifications
You must be signed in to change notification settings - Fork 11
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have two thoughts:
- The
setAuthPasswords
hook sets the passwords as verbatim in the Release object after a sync.. doesn't this expose those passwords? Why is this preferred over.upstream.postgresql.auth.existingSecret
as suggested within the original issue? - How does post hook affect future reconcile loops and changes to the
Backstage
CR spec? Shouldn't this rather be apreHook
overriding the chart values if the appropriate secret is found.
I wasn't able to make As to the exposure problem, I would assume that this does. I ended up having to choose I did try to arbitrarily set the As for how the postHook affects future reconcile loops, it seems like it does by starting a reconciliation loop constantly. I was able to track down the cause for issue #10 and it looks like it is SkipDependentWatches. Setting |
I see. That makes sense to me... And I must admit, this is not an easy problem to solve. Should we maybe open an issue against operator-sdk to get some help? Also, I found out that the release object is stored as a Kubernetes Secret anyway, so when it comes to "exposing the password", it's actually not that bad... However, I've found another problem. when I was testing this PR: When I initially created the Backstage CR I had: However, after a few seconds, it reconciles to:
Do you get the same? |
I have found that if I sometimes stop the operator and restart, I will get the password error that you show above. Uninstalling the helm chart typically fixes the problem for me. Another potential alternative that I am looking into is if we can still stick with the I am fine with opening up an issue to the operator-sdk to see if they might have some suggestions that might have been overlooked. |
I was able to use the My original method created the secret and added it to the There is now a backstage field that shows up I then tried setting |
Ok... That would indicate the helm (when used as a golang library) doesn't honor aliases... That would be bad, since we would have to redo our default values... (or remove the helm dependency alias from Janus IDP chart) This is weird. I'll look into that 🙁
Nice! Does it create additional Hence I would assume your setup creates 2 secrets with the same content, correct? |
Yes, I was creating 2 secrets. But I think I can get away with just one. If we just set the The only downside is that I don't believe we will be able to allow users to define an |
I went ahead and created this PR that sets the |
SonarCloud Quality Gate failed. 0 Bugs No Coverage information Catch issues before they fail your Quality Gate with our IDE extension SonarLint |
Description
This PR adds a new PostHook called checkPostPassword that will check the Helm Release to see if
upstream.postgresql.auth.password
andupstream.postgresql.auth.postgresPassword
has been set. The purpose of this is to fix the problem of reconcile error stating thatupstream.postgresql.auth.password
andupstream.postgresql.auth.postgresPassword
must not be empty.The checkPostPassword will check for the name of the postgresql secret based on whether or not
upstream.postgresql.fullnameOverride
orupstream.postgresql.nameOverride
have been set. It will then check if the password and postgresPassword parameters have been set.Which issues(s) does this PR fix