Updating the helm chart version forces plaintext DB password #89

Open
conilas opened this issue Sep 17, 2024 · 2 comments
conilas commented Sep 17, 2024

Hello there!

So it seems that I've run into a conundrum.

When first installing the helm chart, i.e. by simply:

helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add pact-broker https://pact-foundation.github.io/pact-broker-chart/

helm install pact-broker pact-broker/pact-broker

The postgresql instance is created, a secret is generated and the deployment points to that secret. Perfect!

However, at a later stage, when I try to do a helm diff upgrade pact-broker pact-broker/pact-broker --version 1.1.0 (for example), one gets an error at first:

PASSWORDS ERROR: You must provide your current passwords when upgrading the release.
                 Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims.
                 Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases

Makes sense: the password has to be provided.

However, if I do provide the password (either via values file or via --set postgresql.auth.password=$(kubectl get secret --namespace "observability" pact-broker-postgresql -o jsonpath="{.data.user-password}" | base64 -d)), the diff will be something like:

-               valueFrom:
-                 secretKeyRef:
-                   name: pact-broker-postgresql
-                   key: password
+               value: "PLAIN-TEXT-PASSWORD"

meaning that my deployment will be overridden and it will stop looking for the secret and go directly for a plaintext password, which is clearly unintended.

To my understanding this is related to how this part is being run.

That is to say, if one needs to provide the password and then the template will use that value if provided, it seems impossible to maintain the variable set to a secret value when upgrading versions.

Seems like this is a bug?

conilas commented Sep 18, 2024

Well, slight update: if one uses the global.postgresql.auth.password instead it seems like the overriding does not happen and the upgrade will happily go through.

I'm not entirely sure this has other side effects, but did not seem to be the case for the simple case at the very least.

I'll leave the issue open so that all facts can be brought to light. Maybe this was intentional? I'm not fully sure. I'd be happy to help w/ reproducing the issue or even a fix if this is considered to be a bug.

@ChrisJBurns
Contributor

Hi @conilas, the postgres functionality can be quite tricky as there are bits of logic we do in the chart (which you've linked) but there are also some quirks to the way the underlying Postgres sub-chart that we're using works. Have you had a look into bitnami/charts#16417? As when you upgrade, it tries to generate the password, instead try to get the password and create your own secret with it in, and reference it in the Chart?
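
The regression shown in the diff in the first comment (a `secretKeyRef` replaced by a literal `value`) can be caught mechanically before or after an upgrade. The following is an added example, not part of the thread or of the chart's code; the environment variable names, the name pattern and the sample manifests are constructed for illustration.

```python
import re

# Assumed pattern for credential-bearing env var names; extend as needed.
SENSITIVE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN", re.IGNORECASE)


def find_inline_credentials(manifest):
    """Return (container, env var) pairs whose credential is a literal value."""
    if manifest.get("kind") == "List":  # e.g. `kubectl get deployments -o json`
        return [hit for item in manifest.get("items", [])
                for hit in find_inline_credentials(item)]
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    hits = []
    for group in ("initContainers", "containers"):
        for container in pod_spec.get(group) or []:
            for env in container.get("env") or []:
                name = env.get("name", "")
                # A secret-backed variable uses valueFrom.secretKeyRef and has
                # no literal value; a non-empty value is stored in the pod spec.
                if SENSITIVE.search(name) and env.get("value"):
                    hits.append((container.get("name", "?"), name))
    return hits


def _deployment(password_env):
    """Constructed sample Deployment; names are illustrative."""
    return {"kind": "Deployment", "metadata": {"name": "pact-broker"},
            "spec": {"template": {"spec": {"containers": [{
                "name": "pact-broker",
                "env": [{"name": "DATABASE_USERNAME", "value": "example-user"},
                        password_env]}]}}}}


# Constructed "before" and "after" states matching the diff in the issue.
BEFORE = _deployment({"name": "DATABASE_PASSWORD", "valueFrom": {
    "secretKeyRef": {"name": "pact-broker-postgresql", "key": "password"}}})
AFTER = _deployment({"name": "DATABASE_PASSWORD", "value": "PLAIN-TEXT-PASSWORD"})

if __name__ == "__main__":
    for label, manifest in (("before upgrade", BEFORE), ("after upgrade", AFTER)):
        print(label, "->", find_inline_credentials(manifest) or "no inline credentials")
```

To check a live release, parse the output of `kubectl get deployment -o json` with `json.load` and pass the result to `find_inline_credentials`.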
