From 17547340d42db38a0bca7bca934b01964991301b Mon Sep 17 00:00:00 2001
From: Krzysztof Opasiak
Date: Tue, 10 Mar 2020 23:53:31 +0100
Subject: [COMMON] Allow special characters in postgress passwords

Postgres image that we are currently using uses sed to replace passwords placeholders with their actual values at startup time. This apprach is very fragile and leads to issues if & happens to be a part of password as it has a special meaning in sed. To fix this issue let's just extract the setup.sql file from the container and process it on our own in init container using envsubst and then mount it to the main container to be used.

Issue-ID: OOM-2317
Signed-off-by: Krzysztof Opasiak
Change-Id: Ifd51d8f0af0099958caa209185fb7a87a0480bd2
---
.../common/postgres/templates/_deployment.tpl | 40 ++++++++++++++++++++--
1 file changed, 37 insertions(+), 3 deletions(-)
(limited to 'kubernetes/common/postgres/templates')
diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl
index 3777c1b2e4..361e64847e 100644
--- a/kubernetes/common/postgres/templates/_deployment.tpl
+++ b/kubernetes/common/postgres/templates/_deployment.tpl
@@ -40,6 +40,34 @@ spec:
 name: "{{ index $dot.Values "container" "name" $pgMode }}"
 spec:
 initContainers:
+ - command:
+ - sh
+ args:
+ - -c
+ - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+ env:
+ - name: PG_PRIMARY_USER
+ value: primaryuser
+ - name: PG_PRIMARY_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.primaryPasswordUID" .) "key" "password") | indent 10 }}
+ - name: PG_USER
+ {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.userCredentialsUID" .) "key" "login") | indent 10 }}
+ - name: PG_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.userCredentialsUID" .) "key" "password") | indent 10 }}
+ - name: PG_DATABASE
+ value: "{{ $dot.Values.config.pgDatabase }}"
+ - name: PG_ROOT_PASSWORD
+ {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }}
+ volumeMounts:
+ - mountPath: /config-input/setup.sql
+ name: config
+ subPath: setup.sql
+ - mountPath: /config
+ name: pgconf
+ image: "{{ $dot.Values.global.envsubstImage }}"
+ imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
+ name: {{ include "common.name" $dot }}-update-config
+
 - name: init-sysctl
 command:
 - /bin/sh
@@ -98,9 +126,12 @@ spec:
 - name: PG_ROOT_PASSWORD
 {{- include "common.secret.envFromSecret" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }}
 volumeMounts:
- - name: pool-hba-conf
+ - name: config
 mountPath: /pgconf/pool_hba.conf
 subPath: pool_hba.conf
+ - name: pgconf
+ mountPath: /pgconf/setup.sql
+ subPath: setup.sql
 - mountPath: /pgdata
 name: {{ include "common.fullname" $dot }}-data
 - mountPath: /backup
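Review bot: The `envsubst` call in the new `update-config` init container is given no variable list, so it rewrites every `$NAME` / `${NAME}` reference in setup.sql and replaces any unset one with an empty string, not only the six `PG_*` placeholders declared under `env:`. Assuming the image ships GNU gettext's envsubst, naming the variables keeps other `$` text in the SQL intact: `envsubst '${PG_PRIMARY_USER} ${PG_PRIMARY_PASSWORD} ${PG_USER} ${PG_PASSWORD} ${PG_DATABASE} ${PG_ROOT_PASSWORD}' <${PFILE} >/config/${PFILE}`. The values are also pasted in verbatim, so if setup.sql (not part of this diff) places them inside single-quoted SQL literals, a password containing `'` would still break or alter the statement; that case needs either escaping or a documented restriction on the secret's character set. The `initContainers:` list continues outside this hunk.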
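Review bot: The new `pgconf` mount at `/pgconf/setup.sql` is writable, although the rendered file now carries the substituted passwords in clear text for as long as the pod exists. If the image only reads that file at startup (not visible here), adding `readOnly: true` to this mount entry would prevent the main container from altering the rendered script. The container spec that owns this `volumeMounts:` list starts outside the hunk.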
@@ -129,7 +160,10 @@ spec:
 {{- else }}
 emptyDir: {}
 {{ end }}
- - name: pool-hba-conf
+ - name: config
 configMap:
 name: {{ include "common.fullname" $dot }}
-{{- end -}}
\ No newline at end of file
+ - name: pgconf
+ emptyDir:
+ medium: Memory
+{{- end -}}
-- cgit
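Review bot: Nothing on the new `pgconf` volume records why it is memory-backed, presumably to keep the rendered passwords off the node's disk. A one-line comment above it, such as `# holds setup.sql with passwords substituted in; tmpfs keeps it off the node's disk`, would stop a later cleanup from dropping `medium: Memory`. Because a memory-medium emptyDir is charged against the pod's memory, a small bound next to `medium`, for example `sizeLimit: 1Mi` (constructed value), would also cap what can be written there. The `volumes:` list starts outside this hunk.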