From 203fb0bc96af9cf1b8f58a243d2958b62c6c2222 Mon Sep 17 00:00:00 2001 From: svetychkina Date: Fri, 22 May 2026 12:46:00 +0500 Subject: [PATCH 1/4] fix: dbaas and monitoring secrets --- .../patroni-services/templates/_helpers.tpl | 3 +- .../dbaas/dbaas-adapter-deployment.yaml | 32 ++++++++---- operator/pkg/deployment/monitoring.go | 50 ++++++++++++------- .../collector/pkg/initiate/initiate.go | 4 +- .../collector/pkg/util/util.go | 9 ++++ 5 files changed, 67 insertions(+), 31 deletions(-) diff --git a/operator/charts/patroni-services/templates/_helpers.tpl b/operator/charts/patroni-services/templates/_helpers.tpl index 0f56456b..2e169aeb 100644 --- a/operator/charts/patroni-services/templates/_helpers.tpl +++ b/operator/charts/patroni-services/templates/_helpers.tpl @@ -136,6 +136,7 @@ POSTGRES ADMIN env variables for DBaaS {{/* Aggregator Registration env variables for DBaaS */}} +{{/* {{- define "postgres-dbaas.aggregatorEnvsReg" }} - name: DBAAS_AGGREGATOR_REGISTRATION_USERNAME valueFrom: @@ -148,7 +149,7 @@ Aggregator Registration env variables for DBaaS name: dbaas-aggregator-registration-credentials key: password {{- end }} - +*/}} {{- define "find_image" -}} {{- $image := .default -}} diff --git a/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml b/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml index 8243cb68..c982e52e 100644 --- a/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml +++ b/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml @@ -58,6 +58,12 @@ spec: secret: secretName: {{ include "postgres.certServicesSecret" . }} defaultMode: 416 + - name: dbaas-adapter-credentials + secret: + secretName: dbaas-adapter-credentials + - name: dbaas-adapter-registration-credentials + secret: + secretName: dbaas-adapter-registration-credentials {{- end }} {{- end }} initContainers: 
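Review bot: Commenting out `postgres-dbaas.aggregatorEnvsReg` with the `{{/*` / `*/}}` pair that spans the two `_helpers.tpl` hunks removes the definition while dbaas-adapter-deployment.yaml still invokes `{{- template "postgres-dbaas.aggregatorEnvsReg" . }}` (that call is only dropped in patch 4/4), so on this commit alone the chart should fail to render with an undefined-template error. Delete the define together with its call in one commit instead of leaving an eleven-line commented block behind; git keeps the history.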
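Review bot: The two new secret volumes omit `defaultMode`, so their files are projected with the Kubernetes default of 0644 and are readable by every UID in the container, while `tls-cert` two lines above is restricted to 416 (0640). Add `defaultMode: 256` (0400) to each, or 0440 together with an `fsGroup`; the adapter needs only owner read. The secret is named `dbaas-adapter-registration-credentials` here but `dbaas-aggregator-registration-credentials` in the `_helpers.tpl` block this commit comments out, and patch 4/4's main.go reads from the aggregator-named path, so one name should be chosen now.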
@@ -125,16 +131,16 @@ spec: value: {{ include "dbaas.pgHostRO" . }} - name: POSTGRES_PORT value: {{ default "5432" .Values.dbaas.pgPort | quote }} - - name: DBAAS_ADAPTER_API_USER - valueFrom: - secretKeyRef: - name: dbaas-adapter-credentials - key: username - - name: DBAAS_ADAPTER_API_PASSWORD - valueFrom: - secretKeyRef: - name: dbaas-adapter-credentials - key: password + # - name: DBAAS_ADAPTER_API_USER + # valueFrom: + # secretKeyRef: + # name: dbaas-adapter-credentials + # key: username + # - name: DBAAS_ADAPTER_API_PASSWORD + # valueFrom: + # secretKeyRef: + # name: dbaas-adapter-credentials + # key: password - name: DBAAS_AGGREGATOR_PHYSICAL_DATABASE_IDENTIFIER value: {{ .Values.dbaas.aggregator.physicalDatabaseIdentifier | default (printf "%s:%s" .Release.Namespace "postgres")}} - name: CLOUD_NAMESPACE @@ -177,6 +183,12 @@ spec: - name: tls-cert mountPath: /certs/ {{- end }} + - name: dbaas-adapter-credentials + mountPath: /secrets/credentials + readOnly: true + - name: dbaas-adapter-registration-credentials + mountPath: /secrets/credentials + readOnly: true {{- end }} livenessProbe: httpGet: diff --git a/operator/pkg/deployment/monitoring.go b/operator/pkg/deployment/monitoring.go index 714c0ec8..5aba9016 100644 --- a/operator/pkg/deployment/monitoring.go +++ b/operator/pkg/deployment/monitoring.go @@ -75,6 +75,14 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl }, }, }, + { + Name: "monitoring-user-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: MetricCollectorUserCredentials}, + }, + }, + }, }, InitContainers: []corev1.Container{}, Containers: []corev1.Container{ 
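Review bot: Both new mounts use `mountPath: /secrets/credentials`, and Kubernetes validates that mount paths within one container are unique, so the adapter pod is rejected at admission with this change. Give each secret its own directory, e.g. `mountPath: /secrets/dbaas-adapter-credentials` and `mountPath: /secrets/dbaas-adapter-registration-credentials`, and use the same paths in the adapter's reader (patch 3/4's `GetSecret` hard-codes `/etc/secrets/dbaas-adapter-credentials/`, which matches neither). The `# - name: DBAAS_ADAPTER_API_USER` block in the preceding hunk should be deleted rather than commented out.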
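Review bot: The added `monitoring-user-credentials` volume appears to close one brace too many: `SecretName: MetricCollectorUserCredentials},` already terminates the `SecretVolumeSource` literal, yet three further `},` follow before the existing `},` that ends the `Volumes` slice, so this commit most likely does not compile (patch 2/4 reshapes exactly these lines). The literal also carries no `DefaultMode`, leaving the username and password files at 0644 inside the container. `NewMonitoringDeployment` starts and ends outside this hunk.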
@@ -84,24 +92,24 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl Command: []string{}, Args: []string{}, Env: append([]corev1.EnvVar{ - { - Name: "MONITORING_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials}, - Key: "username", - }, - }, - }, - { - Name: "MONITORING_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials}, - Key: "password", - }, - }, - }, + // { + // Name: "MONITORING_USER", + // ValueFrom: &corev1.EnvVarSource{ + // SecretKeyRef: &corev1.SecretKeySelector{ + // LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials}, + // Key: "username", + // }, + // }, + // }, + // { + // Name: "MONITORING_PASSWORD", + // ValueFrom: &corev1.EnvVarSource{ + // SecretKeyRef: &corev1.SecretKeySelector{ + // LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials}, + // Key: "password", + // }, + // }, + // }, { Name: "PG_ROOT_USER", ValueFrom: &corev1.EnvVarSource{ @@ -197,6 +205,11 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl SubPath: "telegraf_temp.conf", Name: "telegraf-config-volume", }, + { + MountPath: "/etc/monitoring-user-credentials", + Name: "monitoring-user-credentials", + ReadOnly: true, + }, }, Resources: *metricCollector.Resources, LivenessProbe: &corev1.Probe{ @@ -232,6 +245,7 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl }, }, } + if metricCollector.PriorityClassName != "" { deployment.Spec.Template.Spec.PriorityClassName = metricCollector.PriorityClassName } diff --git a/services/monitoring-agent/collector/pkg/initiate/initiate.go b/services/monitoring-agent/collector/pkg/initiate/initiate.go index 7cbf5640..5e58eae2 100644 
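Review bot: Removing the `MONITORING_USER`/`MONITORING_PASSWORD` env entries here while `services/monitoring-agent/collector/pkg/postgres/client.go` still reads `util.GetEnv("MONITORING_USER", "monitoring-user")` and `util.GetEnv("MONITORING_PASSWORD", "monitoring_password")` (visible as the removed lines in patch 2/4) means the collector's Postgres client silently falls back to the hard-coded `monitoring_password` on this commit; switch every reader in the same change as the removal. The eighteen `//`-prefixed lines should be deleted, not kept as a comment inside the composite literal. The hunk is inside `NewMonitoringDeployment`, whose body continues on both sides.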
--- a/services/monitoring-agent/collector/pkg/initiate/initiate.go +++ b/services/monitoring-agent/collector/pkg/initiate/initiate.go @@ -36,8 +36,8 @@ func InitMetricCollector() { logger.Info("Will run preparation scripts") clusterName := util.GetEnv("PGCLUSTER", "patroni") - monitoringRole := util.GetEnv("MONITORING_USER", "monitoring-user") - monitoringPassword := util.GetEnv("MONITORING_PASSWORD", "monitoring_password") + monitoringRole := util.GetSecret("username") + monitoringPassword := util.GetSecret("password") pgHost := util.GetEnv("POSTGRES_HOST", "pg-patroni") pgPort := util.GetEnvInt("POSTGRES_PORT", 5432) diff --git a/services/monitoring-agent/collector/pkg/util/util.go b/services/monitoring-agent/collector/pkg/util/util.go index ae572b68..545179de 100644 --- a/services/monitoring-agent/collector/pkg/util/util.go +++ b/services/monitoring-agent/collector/pkg/util/util.go @@ -59,6 +59,7 @@ var ( ) const certificatesFolder = "/certs" +const MetricCollectorCredentialsFolder = "/etc/monitoring-user-credentials" func GetLogger() *zap.Logger { cfg := zap.NewProductionConfig() @@ -92,6 +93,14 @@ func GetProtocol() (string, string) { } +func GetSecret(filename string) string { + secretByte, err := os.ReadFile("/etc/monitoring-user-credentials/" + filename) + if err != nil { + log.Fatal("failed to read monitoring secret: ", err) + } + return strings.TrimSpace(string(secretByte[:])) +} + func GetToken() string { tokenByte, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token") if err != nil { From 32ec656ee9d882c432cb8d161960e3f40c66cef0 Mon Sep 17 00:00:00 2001 From: svetychkina Date: Tue, 2 Jun 2026 12:03:16 +0500 Subject: [PATCH 2/4] fix: monitoring secrets --- .../templates/secrets/monitoring-secret.yaml | 2 +- operator/pkg/deployment/monitoring.go | 60 +++++++++---------- .../collector/pkg/postgres/client.go | 4 +- .../collector/pkg/util/util.go | 2 +- 4 files changed, 32 insertions(+), 36 deletions(-) 
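Review bot: `GetSecret` hard-codes `"/etc/monitoring-user-credentials/"` although the previous hunk introduces `MetricCollectorCredentialsFolder` with exactly that value; build the path from the constant (`MetricCollectorCredentialsFolder + "/" + filename`) so the two cannot drift — patch 2/4 already changes the literal and leaves the constant stale. `log.Fatal` inside the helper becomes a problem once patch 2/4 calls it from a package-level `var` block in postgres/client.go, because a missing mount then kills the process during package initialisation; returning `(string, error)` lets the caller decide. `secretByte[:]` is a no-op; `string(secretByte)` is enough.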
diff --git a/operator/charts/patroni-services/templates/secrets/monitoring-secret.yaml b/operator/charts/patroni-services/templates/secrets/monitoring-secret.yaml index 1a337097..48e56823 100644 --- a/operator/charts/patroni-services/templates/secrets/monitoring-secret.yaml +++ b/operator/charts/patroni-services/templates/secrets/monitoring-secret.yaml @@ -9,6 +9,6 @@ metadata: name: monitoring-credentials data: username: {{ "monitoring-user" | b64enc }} - password: {{ .Values.metricCollector.userPassword | b64enc }} + password: {{ default "p@ssWOrD1" .Values.metricCollector.userPassword | b64enc }} type: Opaque {{- end }} diff --git a/operator/pkg/deployment/monitoring.go b/operator/pkg/deployment/monitoring.go index 5aba9016..2cb65a97 100644 --- a/operator/pkg/deployment/monitoring.go +++ b/operator/pkg/deployment/monitoring.go @@ -25,6 +25,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" ) var ( @@ -79,7 +80,17 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl Name: "monitoring-user-credentials", VolumeSource: corev1.VolumeSource{ Secret: &corev1.SecretVolumeSource{ - SecretName: MetricCollectorUserCredentials}, + SecretName: MetricCollectorUserCredentials, + DefaultMode: ptr.To[int32](0400), + }, + }, + }, + { + Name: "influx-db-admin-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: influxDbAdminCredentials, + DefaultMode: ptr.To[int32](0400), }, }, }, 
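Review bot: `default "p@ssWOrD1"` ships one fixed, guessable password for the `monitoring-user` database role in every install that leaves `metricCollector.userPassword` unset, turning a missing value into a silently weak credential. Fail the render instead: `password: {{ required "metricCollector.userPassword must be set" .Values.metricCollector.userPassword | b64enc }}`, or generate a random value with `randAlphaNum` guarded by `lookup` so it survives upgrades. Patch 3/4 removes this default again but replaces it with an empty password, which is the same problem in another form.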
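Review bot: `DefaultMode: ptr.To[int32](0400)` restricts the projected files to their owner, and secret volumes are root-owned unless the pod sets `fsGroup`; if the collector container runs as a non-root UID without an `fsGroup` (the pod's securityContext is built outside this hunk), every read fails and `util.GetSecret` calls `log.Fatal`. Confirm that `fsGroup` is set, or use `0440` together with it. `NewMonitoringDeployment` continues outside the hunk.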
@@ -92,24 +103,14 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl Command: []string{}, Args: []string{}, Env: append([]corev1.EnvVar{ - // { - // Name: "MONITORING_USER", - // ValueFrom: &corev1.EnvVarSource{ - // SecretKeyRef: &corev1.SecretKeySelector{ - // LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials}, - // Key: "username", - // }, - // }, - // }, - // { - // Name: "MONITORING_PASSWORD", - // ValueFrom: &corev1.EnvVarSource{ - // SecretKeyRef: &corev1.SecretKeySelector{ - // LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials}, - // Key: "password", - // }, - // }, - // }, + { + Name: "MONITORING_USER_FILE", + Value: "/etc/secrets/" + MetricCollectorUserCredentials + "/username", + }, + { + Name: "MONITORING_PASSWORD_FILE", + Value: "/etc/secrets/" + MetricCollectorUserCredentials + "/password", + }, { Name: "PG_ROOT_USER", ValueFrom: &corev1.EnvVarSource{ @@ -130,21 +131,11 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl }, { Name: "INFLUXDB_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: influxDbAdminCredentials}, - Key: "username", - }, - }, + Value: "/etc/secrets/" + influxDbAdminCredentials + "/username", }, { Name: "INFLUXDB_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: influxDbAdminCredentials}, - Key: "password", - }, - }, + Value: "/etc/secrets/" + influxDbAdminCredentials + "/password", }, { Name: "NAMESPACE", 
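Review bot: `MONITORING_USER_FILE` is built as `"/etc/secrets/" + MetricCollectorUserCredentials + "/username"`, and `MetricCollectorUserCredentials` is `"monitoring-credentials"`, so the value is `/etc/secrets/monitoring-credentials/username` while the next hunk mounts the secret at `/etc/secrets/monitoring-user-credentials`; the collector's `GetSecret` ignores the env var and uses its own literal, so nothing consumes these two entries. In the second hunk `INFLUXDB_USER`/`INFLUXDB_PASSWORD` keep credential names but now hold file paths, so a reader that still treats them as the login will use `/etc/secrets/influx-db-admin-credentials/username` as the username; rename them with a `_FILE` suffix or keep the SecretKeyRef until the reader changes. Patch 3/4 repeats this for `PG_ROOT_USER`/`PG_ROOT_PASSWORD`, with keys `pg-username`/`pg-password` that do not match the `username`/`password` keys the collector reads in patch 4/4.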
@@ -206,10 +197,15 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl Name: "telegraf-config-volume", }, { - MountPath: "/etc/monitoring-user-credentials", + MountPath: "/etc/secrets/monitoring-user-credentials", Name: "monitoring-user-credentials", ReadOnly: true, }, + { + MountPath: "/etc/secrets/influx-db-admin-credentials", + Name: "influx-db-admin-credentials", + ReadOnly: true, + }, }, Resources: *metricCollector.Resources, LivenessProbe: &corev1.Probe{ diff --git a/services/monitoring-agent/collector/pkg/postgres/client.go b/services/monitoring-agent/collector/pkg/postgres/client.go index 71a1a5ba..ef36ea0e 100644 --- a/services/monitoring-agent/collector/pkg/postgres/client.go +++ b/services/monitoring-agent/collector/pkg/postgres/client.go @@ -31,8 +31,8 @@ var logger = util.GetLogger() var ( PgHost = util.GetEnv("POSTGRES_HOST", "pg-patroni") PgPort = util.GetEnvInt("POSTGRES_PORT", 5432) - PgUser = util.GetEnv("MONITORING_USER", "monitoring-user") - PgPass = util.GetEnv("MONITORING_PASSWORD", "monitoring_password") + PgUser = util.GetSecret("username") + PgPass = util.GetSecret("password") PgDatabase = util.GetEnv("POSTGRES_DATABASE", "postgres") PgSsl = util.GetEnv("PGSSLMODE", "prefer") ) diff --git a/services/monitoring-agent/collector/pkg/util/util.go b/services/monitoring-agent/collector/pkg/util/util.go index 545179de..d73b4ea3 100644 --- a/services/monitoring-agent/collector/pkg/util/util.go +++ b/services/monitoring-agent/collector/pkg/util/util.go @@ -94,7 +94,7 @@ func GetProtocol() (string, string) { } func GetSecret(filename string) string { - secretByte, err := os.ReadFile("/etc/monitoring-user-credentials/" + filename) + secretByte, err := os.ReadFile("/etc/secrets/monitoring-user-credentials/" + filename) if err != nil { log.Fatal("failed to read monitoring secret: ", err) } From 2458b8aee109598a12ee7b32053b44840d82db7b Mon Sep 17 00:00:00 2001 
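Review bot: The path literal moves to `/etc/secrets/monitoring-user-credentials/`, but `MetricCollectorCredentialsFolder` (added in patch 1/4 with the old `/etc/monitoring-user-credentials`) is not updated, so the exported constant now names a directory that is no longer mounted. Use one source of truth: update the constant and have `GetSecret` read `MetricCollectorCredentialsFolder + "/" + filename`. Also, postgres/client.go in this commit calls `GetSecret` from a package-level `var` block, so a missing mount now terminates the collector during package init via `log.Fatal`, before any caller can add context.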
From: svetychkina Date: Thu, 4 Jun 2026 16:34:29 +0500 Subject: [PATCH 3/4] fix: replicator, pg secrets for monitoring --- .../dbaas/dbaas-adapter-deployment.yaml | 10 ------- .../logical-repliction-controller.yaml | 2 +- .../templates/secrets/monitoring-secret.yaml | 2 +- operator/pkg/deployment/monitoring.go | 29 +++++++++++-------- services/dbaas-adapter/adapter/util/util.go | 9 ++++++ 5 files changed, 28 insertions(+), 24 deletions(-) diff --git a/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml b/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml index c982e52e..5a3d33b5 100644 --- a/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml +++ b/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml @@ -131,16 +131,6 @@ spec: value: {{ include "dbaas.pgHostRO" . }} - name: POSTGRES_PORT value: {{ default "5432" .Values.dbaas.pgPort | quote }} - # - name: DBAAS_ADAPTER_API_USER - # valueFrom: - # secretKeyRef: - # name: dbaas-adapter-credentials - # key: username - # - name: DBAAS_ADAPTER_API_PASSWORD - # valueFrom: - # secretKeyRef: - # name: dbaas-adapter-credentials - # key: password - name: DBAAS_AGGREGATOR_PHYSICAL_DATABASE_IDENTIFIER value: {{ .Values.dbaas.aggregator.physicalDatabaseIdentifier | default (printf "%s:%s" .Release.Namespace "postgres")}} - name: CLOUD_NAMESPACE diff --git a/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml b/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml index 10f8c261..b41738a3 100644 --- a/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml +++ b/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml 
@@ -9,6 +9,6 @@ metadata: name: logical-replication-controller-creds data: username: {{ default "replicator" .Values.replicationController.apiUser | b64enc }} - password: {{ default "paSsW0rdForReplicat!oN" .Values.replicationController.apiPassword | b64enc }} + password: {{ .Values.replicationController.apiPassword | b64enc }} type: Opaque {{ end }} diff --git a/operator/charts/patroni-services/templates/secrets/monitoring-secret.yaml b/operator/charts/patroni-services/templates/secrets/monitoring-secret.yaml index 48e56823..1a337097 100644 --- a/operator/charts/patroni-services/templates/secrets/monitoring-secret.yaml +++ b/operator/charts/patroni-services/templates/secrets/monitoring-secret.yaml @@ -9,6 +9,6 @@ metadata: name: monitoring-credentials data: username: {{ "monitoring-user" | b64enc }} - password: {{ default "p@ssWOrD1" .Values.metricCollector.userPassword | b64enc }} + password: {{ .Values.metricCollector.userPassword | b64enc }} type: Opaque {{- end }} diff --git a/operator/pkg/deployment/monitoring.go b/operator/pkg/deployment/monitoring.go index 2cb65a97..5fe8f3b2 100644 --- a/operator/pkg/deployment/monitoring.go +++ b/operator/pkg/deployment/monitoring.go @@ -38,6 +38,7 @@ const ( MetricCollectorUserCredentials = "monitoring-credentials" influxDbAdminCredentials = "influx-db-admin-credentials" telegrafConfig = "telegraf-configmap" + PostgresUserCredentials = "postgres-credentials" ) func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcluster string, serviceAccountName string) *appsv1.Deployment { @@ -94,6 +95,15 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl }, }, }, + { + Name: "postgres-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "postgres-credentials", + DefaultMode: ptr.To[int32](0400), + }, + }, + }, }, InitContainers: []corev1.Container{}, Containers: []corev1.Container{ 
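Review bot: Dropping the built-in default password is the right call, but `{{ .Values.replicationController.apiPassword | b64enc }}` renders `password: ""` when the value is unset, so the controller is deployed with an empty credential and nothing fails loudly; the monitoring-secret.yaml hunk in this commit has the same gap. Use `required`: `password: {{ required "replicationController.apiPassword must be set" .Values.replicationController.apiPassword | b64enc }}`, and the equivalent for `metricCollector.userPassword`.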
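Review bot: `PostgresUserCredentials` is declared in the previous hunk but the new volume spells `"postgres-credentials"` out twice; `Name: PostgresUserCredentials` / `SecretName: PostgresUserCredentials` keep the name in one place. Previously the root credentials came from `GetRootSecretName(pgcluster)` (removed in the next hunk); hard-wiring `postgres-credentials` changes which secret is read for any cluster whose root secret name differs from that literal — confirm the two always agree. `NewMonitoringDeployment` extends beyond the hunk.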
@@ -113,21 +123,11 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl }, { Name: "PG_ROOT_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgcluster)}, - Key: "username", - }, - }, + Value: "/etc/secrets/" + PostgresUserCredentials + "/pg-username", }, { Name: "PG_ROOT_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgcluster)}, - Key: "password", - }, - }, + Value: "/etc/secrets/" + PostgresUserCredentials + "/pg-password", }, { Name: "INFLUXDB_USER", @@ -206,6 +206,11 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl Name: "influx-db-admin-credentials", ReadOnly: true, }, + { + MountPath: "/etc/secrets/postgres-credentials", + Name: "postgres-credentials", + ReadOnly: true, + }, }, Resources: *metricCollector.Resources, LivenessProbe: &corev1.Probe{ diff --git a/services/dbaas-adapter/adapter/util/util.go b/services/dbaas-adapter/adapter/util/util.go index e1d48f83..593e1139 100644 --- a/services/dbaas-adapter/adapter/util/util.go +++ b/services/dbaas-adapter/adapter/util/util.go @@ -24,6 +24,7 @@ import ( "k8s.io/client-go/rest" "os" "strconv" + "strings" ) const ( @@ -135,6 +136,14 @@ func GetEnvBool(key string, fallback bool) bool { return fallback } +func GetSecret(filename string) string { + secretByte, err := os.ReadFile("/etc/secrets/dbaas-adapter-credentials/" + filename) + if err != nil { + log.Fatal("failed to read dbaas-adapter secret: ", zap.Error(err)) + } + return strings.TrimSpace(string(secretByte[:])) +} + func GetK8sClient() (*kubernetes.Clientset, error) { config, err := rest.InClusterConfig() if err != nil { From 995ef966acea8c8d20ceb2ba4c1b6832f4302987 Mon Sep 17 00:00:00 2001 
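Review bot: `GetSecret` reads `/etc/secrets/dbaas-adapter-credentials/`, but the chart from patch 1/4 mounts that secret at `/secrets/credentials`, so any caller would hit `log.Fatal` on first use; no caller is visible in this commit, so the helper and the `strings` import added above appear to be dead code until patch 4/4 rewrites them. Derive the path from a constant shared with the chart rather than two independent literals, and prefer returning an error over `log.Fatal` in a utility package.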
From: svetychkina Date: Wed, 10 Jun 2026 12:38:24 +0500 Subject: [PATCH 4/4] fix: unification + exporter, replication --- .../patroni-services/templates/_helpers.tpl | 33 ------------------- .../dbaas/dbaas-adapter-deployment.yaml | 24 ++++++++------ operator/pkg/client/client.go | 24 ++++++++++++-- operator/pkg/deployment/monitoring.go | 30 ++--------------- operator/pkg/queryexporter/query_exporter.go | 29 +++++++++++++--- .../replication_controller.go | 18 +++------- operator/pkg/util/util.go | 19 +++++++++++ services/dbaas-adapter/adapter/main.go | 26 +++++++++------ services/dbaas-adapter/adapter/util/util.go | 16 ++++++--- .../collector/pkg/initiate/initiate.go | 14 +++++--- .../collector/pkg/postgres/client.go | 11 +++++-- .../collector/pkg/util/util.go | 24 ++++++++++---- .../pgbackrest-sidecar/pkg/utils/utils.go | 18 ++++++++++ .../pgskipper-replication-controller/main.go | 8 +++-- .../replication-controller/pkg/utils/utils.go | 17 ++++++++++ 15 files changed, 192 insertions(+), 119 deletions(-) diff --git a/operator/charts/patroni-services/templates/_helpers.tpl b/operator/charts/patroni-services/templates/_helpers.tpl index 2e169aeb..ef432f39 100644 --- a/operator/charts/patroni-services/templates/_helpers.tpl +++ b/operator/charts/patroni-services/templates/_helpers.tpl 
@@ -117,39 +117,6 @@ K8s Platform envs value: "https://kubernetes.default:443" {{- end }} -{{/* -POSTGRES ADMIN env variables for DBaaS -*/}} -{{- define "postgres-dbaas.pgAdminEnvs" }} - - name: POSTGRES_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: postgres-credentials - key: password - - name: POSTGRES_ADMIN_USER - valueFrom: - secretKeyRef: - name: postgres-credentials - key: username -{{- end }} - -{{/* -Aggregator Registration env variables for DBaaS -*/}} -{{/* -{{- define "postgres-dbaas.aggregatorEnvsReg" }} - - name: DBAAS_AGGREGATOR_REGISTRATION_USERNAME - valueFrom: - secretKeyRef: - name: dbaas-aggregator-registration-credentials - key: username - - name: DBAAS_AGGREGATOR_REGISTRATION_PASSWORD - valueFrom: - secretKeyRef: - name: dbaas-aggregator-registration-credentials - key: password -{{- end }} -*/}} {{- define "find_image" -}} {{- $image := .default -}} diff --git a/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml b/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml index 5a3d33b5..da279f79 100644 --- a/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml +++ b/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml 
@@ -52,18 +52,21 @@ spec: configMap: name: dbaas-postgres-adapter.extensions-config defaultMode: 420 - {{- if not .Values.externalDataBase }} - {{- if and .Values.tls .Values.tls.enabled }} - - name: tls-cert - secret: - secretName: {{ include "postgres.certServicesSecret" . }} - defaultMode: 416 - name: dbaas-adapter-credentials secret: secretName: dbaas-adapter-credentials - name: dbaas-adapter-registration-credentials secret: secretName: dbaas-adapter-registration-credentials + - name: postgres-credentials + secret: + secretName: postgres-credentials + {{- if not .Values.externalDataBase }} + {{- if and .Values.tls .Values.tls.enabled }} + - name: tls-cert + secret: + secretName: {{ include "postgres.certServicesSecret" . }} + defaultMode: 416 {{- end }} {{- end }} initContainers: @@ -117,10 +120,8 @@ spec: securityContext: {{- include "restricted.globalContainerSecurityContext" . | nindent 12 }} env: -{{- template "postgres-dbaas.pgAdminEnvs" . }} - name: POSTGRES_DATABASE value: {{ default "postgres" .Values.dbaas.dbName }} -{{- template "postgres-dbaas.aggregatorEnvsReg" . }} - name: DBAAS_ADAPTER_ADDRESS value: {{ default (printf "http://dbaas-postgres-adapter.%s:8080" .Release.Namespace) .Values.dbaas.adapter.address }} - name: DBAAS_AGGREGATOR_REGISTRATION_ADDRESS @@ -174,10 +175,13 @@ spec: mountPath: /certs/ {{- end }} - name: dbaas-adapter-credentials - mountPath: /secrets/credentials + mountPath: /var/run/secrets/postgresql/dbaas-adapter-credentials readOnly: true - name: dbaas-adapter-registration-credentials - mountPath: /secrets/credentials + mountPath: /var/run/secrets/postgresql/dbaas-adapter-registration-credentials + readOnly: true + - name: postgres-credentials + mountPath: /var/run/secrets/postgresql/postgres-credentials readOnly: true {{- end }} livenessProbe: diff --git a/operator/pkg/client/client.go b/operator/pkg/client/client.go index 9ab04a78..a4757492 100644 --- a/operator/pkg/client/client.go +++ b/operator/pkg/client/client.go 
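Review bot: The three credential volumes are now declared unconditionally in the first hunk, but their mounts stay inside the conditional block whose `{{- end }}` follows `postgres-credentials` (by the volumes hunk's layout, `{{- if not .Values.externalDataBase }}`), so with an external database the adapter gets no credential files and main.go's `util.ReadSecretFile` quietly falls back to `dbaas-aggregator` for both the API username and password. Move the three mounts outside that conditional. The registration mount path ends in `dbaas-adapter-registration-credentials`, whereas main.go builds `registrationCredsPath` from `dbaas-aggregator-registration-credentials/`, so that secret is never found either; the new volumes also lack `defaultMode` (tls-cert uses 416), leaving the files at 0644.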
@@ -33,11 +33,17 @@ import ( "github.com/Netcracker/pgskipper-operator/pkg/util" ) +const ( + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" +) + var ( instance *PostgresClient logger = util.GetLogger() - pgUser = flag.String("pg_user", getEnv("PG_ADMIN_USER", "postgres"), "Username of admin user in PostgreSQL, env: PG_ADMIN_USER") - pgPass = flag.String("pg_pass", getEnv("PG_ADMIN_PASSWORD", ""), "Password of admin user in PostgreSQL, env: PG_ADMIN_PASSWORD") + pgUser = flag.String("pg_user", ReadSecretFile(pgUserCredsPath+"username", "postgres"), "Username of admin user in PostgreSQL") + pgPass = flag.String("pg_pass", ReadSecretFile(pgUserCredsPath+"password", ""), "Password of admin user in PostgreSQL") dbName = "postgres" ssl = "off" ) @@ -244,3 +250,17 @@ func getEnv(key, fallback string) string { func EscapeString(str string) string { return strings.ReplaceAll(str, "'", "''") } + +func ReadSecretFile(path, defaultVal string) string { + data, err := os.ReadFile(path) + if err != nil { + logger.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err)) + return defaultVal + } + value := strings.TrimSpace(string(data)) + if value == "" { + logger.Info(fmt.Sprintf("Secret file %s is empty, using default value", path)) + return defaultVal + } + return value +} \ No newline at end of file diff --git a/operator/pkg/deployment/monitoring.go b/operator/pkg/deployment/monitoring.go index 5fe8f3b2..683848ae 100644 --- a/operator/pkg/deployment/monitoring.go +++ b/operator/pkg/deployment/monitoring.go 
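Review bot: `ReadSecretFile` duplicates `util.ReadSecretFile` and `util.PgUserCredsPath`, which this same commit adds to the operator's `pkg/util` that this file already imports; call `util.ReadSecretFile(util.PgUserCredsPath+"password", "")` and drop the local copy and constants (the adapter's util.go and the collector's util.go carry further copies). Passing the secret's contents as a flag default also means `flag.PrintDefaults` prints the admin password under `-pg_pass` in `-help` output; read the file after `flag.Parse()` when the flag was not given. Returning `defaultVal` on a read error is fail-open for a credential: `pg_pass` quietly becomes `""` and the login failure surfaces far from its cause, so return an error or refuse an empty password. The file also loses its trailing newline, which gofmt flags.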
@@ -113,30 +113,6 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl Command: []string{}, Args: []string{}, Env: append([]corev1.EnvVar{ - { - Name: "MONITORING_USER_FILE", - Value: "/etc/secrets/" + MetricCollectorUserCredentials + "/username", - }, - { - Name: "MONITORING_PASSWORD_FILE", - Value: "/etc/secrets/" + MetricCollectorUserCredentials + "/password", - }, - { - Name: "PG_ROOT_USER", - Value: "/etc/secrets/" + PostgresUserCredentials + "/pg-username", - }, - { - Name: "PG_ROOT_PASSWORD", - Value: "/etc/secrets/" + PostgresUserCredentials + "/pg-password", - }, - { - Name: "INFLUXDB_USER", - Value: "/etc/secrets/" + influxDbAdminCredentials + "/username", - }, - { - Name: "INFLUXDB_PASSWORD", - Value: "/etc/secrets/" + influxDbAdminCredentials + "/password", - }, { Name: "NAMESPACE", ValueFrom: &corev1.EnvVarSource{ @@ -197,17 +173,17 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl Name: "telegraf-config-volume", }, { - MountPath: "/etc/secrets/monitoring-user-credentials", + MountPath: "/var/run/secrets/postgresql/monitoring-user-credentials", Name: "monitoring-user-credentials", ReadOnly: true, }, { - MountPath: "/etc/secrets/influx-db-admin-credentials", + MountPath: "/var/run/secrets/postgresql/influx-db-admin-credentials", Name: "influx-db-admin-credentials", ReadOnly: true, }, { - MountPath: "/etc/secrets/postgres-credentials", + MountPath: "/var/run/secrets/postgresql/postgres-credentials", Name: "postgres-credentials", ReadOnly: true, }, diff --git a/operator/pkg/queryexporter/query_exporter.go b/operator/pkg/queryexporter/query_exporter.go index 1896fda5..f7c277e2 100644 --- a/operator/pkg/queryexporter/query_exporter.go +++ b/operator/pkg/queryexporter/query_exporter.go 
@@ -31,7 +31,13 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" ) -const CMName = "query-exporter-config" +const ( + CMName = "query-exporter-config" + + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" +) var ( logger = util.GetLogger() @@ -106,6 +112,14 @@ func getVolumes() []corev1.Volume { }, }, }, + { + Name: "postgresql-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "postgresql-credentials", + }, + }, + }, } } @@ -115,6 +129,10 @@ func getVolumeMounts() []corev1.VolumeMount { MountPath: "/config", Name: "config-volume", }, + { + MountPath: "/var/run/secrets/postgresql/", + Name: "postgresql-credentials", + }, } } @@ -152,13 +170,14 @@ func getEnvVariables(spec v1.QueryExporter) []corev1.EnvVar { Name: "QUERY_EXPORTER_DISABLE_SELF_MONITOR", Value: strconv.FormatBool(spec.SelfMonitorDisabled), }, +// todo: read credentials from secret { - Name: "POSTGRES_USER", - ValueFrom: getSecretFieldEnv("username"), + Name: "POSTGRES_USER", + Value: util.ReadSecretFile(pgUserCredsPath+"username", "postgres"), }, { - Name: "POSTGRES_PASSWORD", - ValueFrom: getSecretFieldEnv("password"), + Name: "POSTGRES_PASSWORD", + Value: util.ReadSecretFile(pgUserCredsPath+"password", ""), }, { Name: "EXCLUDED_QUERIES", diff --git a/operator/pkg/replicationcontroller/replication_controller.go b/operator/pkg/replicationcontroller/replication_controller.go index 7854f49c..9e85a8de 100644 --- a/operator/pkg/replicationcontroller/replication_controller.go +++ b/operator/pkg/replicationcontroller/replication_controller.go 
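Review bot: `Value: util.ReadSecretFile(pgUserCredsPath+"password", "")` resolves the Postgres password inside the operator and writes it in clear text into the Deployment's `env`, where anyone with `get` on deployments or pods, `kubectl describe`, and the API audit log can read it, and where it is no longer a Secret object; the `getSecretFieldEnv("username")` SecretKeyRef it replaces kept it in the Secret. Keep the SecretKeyRef, or have the exporter read the file from the `postgresql-credentials` mount added in the earlier hunk. As written it also requires the operator pod itself to have the secret mounted at `/var/run/secrets/postgresql/postgres-credentials/`, which nothing in this series adds, so the value falls back to `""`; replication_controller.go in this commit has the same issue for `POSTGRES_ADMIN_PASSWORD`. Separately, the new volume references secret `postgresql-credentials` whereas every other file uses `postgres-credentials`, the mount is not `ReadOnly`, and the `// todo` comment sits at column 0 (gofmt).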
@@ -75,22 +75,12 @@ func NewRCDeployment(cr v1.PatroniServices, sa, clusterName string, pgPort int) Value: strconv.Itoa(pgPort), }, { - Name: "POSTGRES_ADMIN_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"}, - Key: "username", - }, - }, + Name: "POSTGRES_ADMIN_USER", + Value: util.ReadSecretFile(util.PgUserCredsPath+"username", "postgres"), }, { - Name: "POSTGRES_ADMIN_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"}, - Key: "password", - }, - }, + Name: "POSTGRES_ADMIN_PASSWORD", + Value: util.ReadSecretFile(util.PgUserCredsPath+"password", ""), }, { Name: "API_USER", diff --git a/operator/pkg/util/util.go b/operator/pkg/util/util.go index 607ff444..195dc7bd 100644 --- a/operator/pkg/util/util.go +++ b/operator/pkg/util/util.go @@ -55,6 +55,9 @@ import ( const ( TokenFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/token" ClusterName = "patroni" + + secretBasePath = "/var/run/secrets/postgresql/" + PgUserCredsPath = secretBasePath + "postgres-credentials/" ) var ( @@ -431,3 +434,19 @@ func HashJson(o interface{}) string { hash.Write(cr) return fmt.Sprintf("%x", hash.Sum(nil)) } + +func ReadSecretFile(path string, defaultVal string) string { + data, err := os.ReadFile(path) + if err != nil { + uLog.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err)) + return defaultVal + } + + value := strings.TrimSpace(string(data)) + + if value == "" { + uLog.Info(fmt.Sprintf("Secret file %s is empty, using default value", path)) + return defaultVal + } + return value +} \ No newline at end of file diff --git a/services/dbaas-adapter/adapter/main.go b/services/dbaas-adapter/adapter/main.go index ac13a39e..c477782a 100644 --- a/services/dbaas-adapter/adapter/main.go +++ b/services/dbaas-adapter/adapter/main.go 
@@ -40,6 +40,12 @@ import ( const ( appName = "postgresql" appPath = "/" + appName + + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" + adapterCredsPath = secretsBasePath + "dbaas-adapter-credentials/" + registrationCredsPath = secretsBasePath + "dbaas-aggregator-registration-credentials/" ) var ( @@ -49,8 +55,8 @@ var ( pgHost = flag.String("pg_host", util.GetEnv("POSTGRES_HOST", "127.0.0.1"), "Host of PostgreSQL cluster, env: POSTGRES_HOST") pgPort = flag.Int("pg_port", util.GetEnvInt("POSTGRES_PORT", 5432), "Port of PostgreSQL cluster, env: POSTGRES_PORT") - pgUser = flag.String("pg_user", util.GetEnv("POSTGRES_ADMIN_USER", "postgres"), "Username of dbaas user in PostgreSQL, env: POSTGRES_ADMIN_USER") - pgPass = flag.String("pg_pass", util.GetEnv("POSTGRES_ADMIN_PASSWORD", ""), "Password of dbaas user in PostgreSQL, env: POSTGRES_ADMIN_PASSWORD") + pgUser = flag.String("pg_user", util.ReadSecretFile(pgUserCredsPath+"username", "postgres"), "Username of dbaas user in PostgreSQL") + pgPass = flag.String("pg_pass", util.ReadSecretFile(pgUserCredsPath+"password", ""), "Password of dbaas user in PostgreSQL") pgDatabase = flag.String("pg_database", util.GetEnv("POSTGRES_DATABASE", "postgres"), "PostgreSQL database, env: POSTGRES_DATABASE") pgSsl = flag.String("pg_ssl", util.GetEnv("PG_SSL", "off"), "Enable ssl connection to postgreSQL, env: PG_SSL") 
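Review bot: `registrationCredsPath` is `secretsBasePath + "dbaas-aggregator-registration-credentials/"`, but the chart in this commit mounts that secret at `/var/run/secrets/postgresql/dbaas-adapter-registration-credentials`, so `dbaasAggregatorRegistrationUsername`/`Password` will always resolve to the defaults `cluster-dba`/`""` and registration fails for a reason the log attributes only to a missing file. Use one name for the secret, the mount and the constant; the operator side already exports `util.PgUserCredsPath`-style constants, so the adapter could export a matching set rather than re-declaring `secretsBasePath` per package.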
@@ -71,13 +77,13 @@ var ( servePort = flag.Int("serve_port", 8080, "Port to serve requests incoming to adapter") serveUser = flag.String( "serve_user", - util.GetEnv("DBAAS_ADAPTER_API_USER", "dbaas-aggregator"), - "Username to authorize incoming requests, env: DBAAS_ADAPTER_API_USER", + util.ReadSecretFile(adapterCredsPath+"username", "dbaas-aggregator"), + "Username to authorize incoming requests", ) servePass = flag.String( "serve_pass", - util.GetEnv("DBAAS_ADAPTER_API_PASSWORD", "dbaas-aggregator"), - "Password to authorize incoming requests, env: DBAAS_ADAPTER_API_PASSWORD", + util.ReadSecretFile(adapterCredsPath+"password", "dbaas-aggregator"), + "Password to authorize incoming requests", ) phydbid = flag.String( @@ -100,14 +106,14 @@ var ( dbaasAggregatorRegistrationUsername = flag.String( "registration_username", - util.GetEnv("DBAAS_AGGREGATOR_REGISTRATION_USERNAME", "cluster-dba"), - "Username of basic auth to reach aggregator for registration, env DBAAS_AGGREGATOR_REGISTRATION_USERNAME ", + util.ReadSecretFile(registrationCredsPath+"username", "cluster-dba"), + "Username of basic auth to reach aggregator for registration", ) dbaasAggregatorRegistrationPassword = flag.String( "registration_password", - util.GetEnv("DBAAS_AGGREGATOR_REGISTRATION_PASSWORD", ""), - "Username of basic auth to reach aggregator for registration, env DBAAS_AGGREGATOR_REGISTRATION_PASSWORD ", + util.ReadSecretFile(registrationCredsPath+"password", ""), + "Password of basic auth to reach aggregator for registration", ) labelsFileName = flag.String( diff --git a/services/dbaas-adapter/adapter/util/util.go b/services/dbaas-adapter/adapter/util/util.go index 593e1139..7a0acbdd 100644 --- a/services/dbaas-adapter/adapter/util/util.go +++ b/services/dbaas-adapter/adapter/util/util.go 
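Review bot: `servePass` still defaults to `"dbaas-aggregator"`, and because `util.ReadSecretFile` returns the default on any read error, a missing or mis-mounted secret makes the adapter accept its HTTP API with a fixed, publicly known password instead of refusing to start. Default the password to `""` and fail after `flag.Parse()` when it is still empty; the same applies to `dbaasAggregatorRegistrationPassword` in the next hunk. The flag defaults now also hold the secret material itself, which `-help` prints.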
@@ -136,12 +136,20 @@ func GetEnvBool(key string, fallback bool) bool { return fallback } -func GetSecret(filename string) string { - secretByte, err := os.ReadFile("/etc/secrets/dbaas-adapter-credentials/" + filename) +func ReadSecretFile(path string, defaultVal string) string { + data, err := os.ReadFile(path) if err != nil { - log.Fatal("failed to read dbaas-adapter secret: ", zap.Error(err)) + log.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err)) + return defaultVal } - return strings.TrimSpace(string(secretByte[:])) + + value := strings.TrimSpace(string(data)) + + if value == "" { + log.Info(fmt.Sprintf("Secret file %s is empty, using default value", path)) + return defaultVal + } + return value } func GetK8sClient() (*kubernetes.Clientset, error) { diff --git a/services/monitoring-agent/collector/pkg/initiate/initiate.go b/services/monitoring-agent/collector/pkg/initiate/initiate.go index 5e58eae2..580dcee7 100644 --- a/services/monitoring-agent/collector/pkg/initiate/initiate.go +++ b/services/monitoring-agent/collector/pkg/initiate/initiate.go @@ -26,6 +26,12 @@ import ( "k8s.io/apimachinery/pkg/types" ) +const ( + secretsBasePath = "/var/run/secrets/postgresql/" + monitoringUserCredsPath = secretsBasePath + "monitoring-user-credentials/" + pgUserCredsPath = secretsBasePath + "postgres-credentials/" +) + var ( logger = util.GetLogger() ctx = context.Background() @@ -36,8 +42,8 @@ func InitMetricCollector() { logger.Info("Will run preparation scripts") clusterName := util.GetEnv("PGCLUSTER", "patroni") - monitoringRole := util.GetSecret("username") - monitoringPassword := util.GetSecret("password") + monitoringRole := util.ReadSecretFile(monitoringUserCredsPath+"username", "") + monitoringPassword := util.ReadSecretFile(monitoringUserCredsPath+"password", "") pgHost := util.GetEnv("POSTGRES_HOST", "pg-patroni") pgPort := util.GetEnvInt("POSTGRES_PORT", 5432) 
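Review bot: Replacing `log.Fatal` with `log.Error` plus a default turns every unreadable or empty secret into a fail-open: a caller passing a non-empty `defaultVal` ends up running with a hard-coded credential, and a caller passing `""` gets an empty password, with nothing but a log line either way. Keep this helper for genuinely optional values but add a strict variant for passwords so a missing mount aborts startup the way the old `GetSecret` did. The log call also drops the structured `zap.Error(err)` field the old code carried; `log.Error("reading secret file", zap.String("path", path), zap.Error(err))` keeps it searchable. The rewritten `ReadSecretFile` itself can stay as is; the addition below goes next to it.

```go
// MustReadSecretFile is ReadSecretFile for required credentials: an
// unreadable or empty file aborts the process instead of yielding a default.
func MustReadSecretFile(path string) string {
	data, err := os.ReadFile(path)
	if err != nil {
		log.Fatal("failed to read required secret file", zap.String("path", path), zap.Error(err))
	}
	value := strings.TrimSpace(string(data))
	if value == "" {
		log.Fatal("required secret file is empty", zap.String("path", path))
	}
	return value
}
```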
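Review bot: `monitoringRole` and `monitoringPassword` default to `""` and execution continues, so when the monitoring-user secret is not mounted the preparation script runs with an empty role name and password instead of stopping as the old `GetSecret` did. Add `if monitoringRole == "" || monitoringPassword == "" { logger.Fatal("monitoring user credentials are missing or empty") }` directly after the two reads. `secretsBasePath` is also declared privately here while `client.go` and `util.go` in the same module declare the same literal; exporting it once from util (e.g. `util.SecretsBasePath`) keeps the three copies from drifting. `InitMetricCollector` continues past this hunk.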
@@ -80,8 +86,8 @@ func InitMetricCollector() { func getPGCredentials(clusterName string) (user, password string) { namespace := util.GetEnv("NAMESPACE", "postgres-service") - user = util.GetEnv("PG_ROOT_USER", "") - password = util.GetEnv("PG_ROOT_PASSWORD", "") + user = util.ReadSecretFile(pgUserCredsPath+"username", "") + password = util.ReadSecretFile(pgUserCredsPath+"password", "") if user != "" || password != "" { return user, password diff --git a/services/monitoring-agent/collector/pkg/postgres/client.go b/services/monitoring-agent/collector/pkg/postgres/client.go index ef36ea0e..58a55feb 100644 --- a/services/monitoring-agent/collector/pkg/postgres/client.go +++ b/services/monitoring-agent/collector/pkg/postgres/client.go @@ -26,13 +26,20 @@ import ( "go.uber.org/zap" ) +const ( + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" + +) + var logger = util.GetLogger() var ( PgHost = util.GetEnv("POSTGRES_HOST", "pg-patroni") PgPort = util.GetEnvInt("POSTGRES_PORT", 5432) - PgUser = util.GetSecret("username") - PgPass = util.GetSecret("password") + PgUser = util.ReadSecretFile(pgUserCredsPath+"username", "") + PgPass = util.ReadSecretFile(pgUserCredsPath+"password", "") PgDatabase = util.GetEnv("POSTGRES_DATABASE", "postgres") PgSsl = util.GetEnv("PGSSLMODE", "prefer") ) diff --git a/services/monitoring-agent/collector/pkg/util/util.go b/services/monitoring-agent/collector/pkg/util/util.go index d73b4ea3..cd402ec2 100644 --- a/services/monitoring-agent/collector/pkg/util/util.go +++ b/services/monitoring-agent/collector/pkg/util/util.go 
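Review bot: With both values now read independently with `""` defaults, the pre-existing `user != "" || password != ""` guard on the line below returns a half-populated pair whenever only one of the two files is present — a mounted `username` with a missing `password` yields `("postgres", "")` and skips whatever fallback follows the hunk. Tighten it to `if user != "" && password != ""` so a partial secret falls through like a missing one. The rest of `getPGCredentials` is outside the hunk.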
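Review bot: The collector's PostgreSQL client now authenticates with the admin credentials — `pgUserCredsPath` points at `postgres-credentials/` — whereas the `GetSecret` it replaces read `/etc/secrets/monitoring-user-credentials/`, so this hunk swaps the dedicated monitoring role for the admin account on every metrics query. That undoes the least-privilege split that `initiate.go` appears to be preparing (it reads the monitoring role and the admin credentials separately) and widens the blast radius of any SQL the collector runs. Point these two reads at the monitoring user instead, `PgUser = util.ReadSecretFile(secretsBasePath+"monitoring-user-credentials/username", "")` and likewise for `PgPass`, keeping admin credentials confined to the bootstrap path. If the collector pod only mounts the monitoring-user secret, the current code would also come up with empty credentials, silently, because the reader returns its default on a missing file.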
@@ -58,8 +58,12 @@ var ( debugEnabled = GetEnv("DEBUG_ENABLED", "false") ) -const certificatesFolder = "/certs" -const MetricCollectorCredentialsFolder = "/etc/monitoring-user-credentials" +const ( + secretsBasePath = "/var/run/secrets/postgresql/" + + certificatesFolder = "/certs" + metricCollectorCredentialsFolder = secretsBasePath + "monitoring-user-credentials/" +) func GetLogger() *zap.Logger { cfg := zap.NewProductionConfig() @@ -93,12 +97,20 @@ func GetProtocol() (string, string) { } -func GetSecret(filename string) string { - secretByte, err := os.ReadFile("/etc/secrets/monitoring-user-credentials/" + filename) +func ReadSecretFile(path string, defaultVal string) string { + data, err := os.ReadFile(path) if err != nil { - log.Fatal("failed to read monitoring secret: ", err) + Log.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err)) + return defaultVal + } + + value := strings.TrimSpace(string(data[:])) + + if value == "" { + Log.Info(fmt.Sprintf("Secret file %s is empty, using default value", path)) + return defaultVal } - return strings.TrimSpace(string(secretByte[:])) + return value } func GetToken() string { diff --git a/services/pgbackrest-sidecar/pkg/utils/utils.go b/services/pgbackrest-sidecar/pkg/utils/utils.go index 0a4a8cba..b3fadc26 100644 --- a/services/pgbackrest-sidecar/pkg/utils/utils.go +++ b/services/pgbackrest-sidecar/pkg/utils/utils.go @@ -20,6 +20,8 @@ import ( "fmt" "os" "os/exec" + "strings" + "go.uber.org/zap" "go.uber.org/zap/zapcore" 
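Review bot: `MetricCollectorCredentialsFolder` becomes the unexported `metricCollectorCredentialsFolder`, which breaks any other package that referenced `util.MetricCollectorCredentialsFolder` at compile time and, from what is visible here, leaves the new constant without a user inside util.go. If nothing consumes it, drop it; otherwise keep it exported. Either way this file is the natural home for one exported `SecretsBasePath` that `initiate.go` and `client.go` can import instead of redeclaring the same literal.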
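Review bot: `Log.Error` here is called during package initialisation — `client.go` invokes this helper from package-level `var` initialisers — so if `Log` is a package variable that is only assigned later (the old code used `log.Fatal`, a different identifier), the first failed read will dereference nil instead of logging; worth confirming how `Log` is initialised. As in the other copies, both a read error and an empty file return `defaultVal` after a log line, so required credentials need a caller-side check such as `if PgPass == "" { Log.Fatal("postgres password secret is missing or empty") }`. Minor: `string(data[:])` is just `string(data)`.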
@@ -88,3 +90,19 @@ func GetLogger() *zap.Logger {
 defer func() { _ = logger.Sync() }()
 return logger
 }
+
+func ReadSecretFile(path, defaultVal string) string {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ logger.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err))
+ return defaultVal
+ }
+
+ value := strings.TrimSpace(string(data[:]))
+
+ if value == "" {
+ logger.Info(fmt.Sprintf("Secret file %s is empty, using default value", path))
+ return defaultVal
+ }
+ return value
+}
\ No newline at end of file
diff --git a/services/replication-controller/cmd/pgskipper-replication-controller/main.go b/services/replication-controller/cmd/pgskipper-replication-controller/main.go
index 0a10ad58..be818821 100644
--- a/services/replication-controller/cmd/pgskipper-replication-controller/main.go
+++ b/services/replication-controller/cmd/pgskipper-replication-controller/main.go
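Review bot: This helper is added without a caller anywhere in the patch and refers to a package-level `logger` that is not visible here — `GetLogger` just above uses a local of the same name — so confirm the identifier resolves, and drop the function if the sidecar does not read secrets yet. The file also loses its trailing newline (`\ No newline at end of file`), which `gofmt` will put back on the next touch. Like the other copies it substitutes a default on a missing or empty file with only a log line; if it is ever used for a repository password the caller must treat an empty result as fatal.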
@@ -37,13 +37,17 @@ const ( usersPath = "/users" httpsPort = 8443 + + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" ) var ( pgHost = flag.String("pg_host", utils.GetEnv("POSTGRES_HOST", "127.0.0.1"), "Host of PostgreSQL cluster, env: POSTGRES_HOST") pgPort = flag.Int("pg_port", utils.GetEnvInt("POSTGRES_PORT", 5432), "Port of PostgreSQL cluster, env: POSTGRES_PORT") - pgUser = flag.String("pg_user", utils.GetEnv("POSTGRES_ADMIN_USER", "postgres"), "Username of controller user in PostgreSQL, env: POSTGRES_ADMIN_USER") - pgPass = flag.String("pg_pass", utils.GetEnv("POSTGRES_ADMIN_PASSWORD", ""), "Password of controller user in PostgreSQL, env: POSTGRES_ADMIN_PASSWORD") + pgUser = flag.String("pg_user", utils.ReadSecretFile(pgUserCredsPath+"username", "postgres"), "Username of controller user in PostgreSQL, env: POSTGRES_ADMIN_USER") + pgPass = flag.String("pg_pass", utils.ReadSecretFile(pgUserCredsPath+"password", ""), "Password of controller user in PostgreSQL, env: POSTGRES_ADMIN_PASSWORD") pgSsl = flag.String("pg_ssl", utils.GetEnv("PG_SSL", "off"), "Enable ssl connection to postgreSQL, env: PG_SSL") servePort = flag.Int("serve_port", 8080, "Port to serve requests incoming to controller") diff --git a/services/replication-controller/pkg/utils/utils.go b/services/replication-controller/pkg/utils/utils.go index c87cb70f..7f22a52d 100644 --- a/services/replication-controller/pkg/utils/utils.go +++ b/services/replication-controller/pkg/utils/utils.go @@ -20,6 +20,7 @@ import ( "fmt" "os" "strconv" + "strings" "github.com/gofiber/fiber/v2" "github.com/google/uuid" 
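Review bot: The usage strings still advertise `env: POSTGRES_ADMIN_USER` and `env: POSTGRES_ADMIN_PASSWORD` although neither variable is read any more; change them to `"Username of controller user in PostgreSQL"` and `"Password of controller user in PostgreSQL"`, as the adapter's equivalent flags already do in this patch. `pgPass` also defaults to `""` and startup continues when the secret file is absent, so add a check after flag parsing (outside the hunk) that aborts on an empty password rather than letting the controller fail later on every connection. Using the secret as the flag default additionally exposes it through `-help` output.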
@@ -87,6 +88,22 @@ func GetEnvBool(key string, fallback bool) bool {
 return fallback
 }
 
+func ReadSecretFile(path, defaultVal string) string {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ log.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err))
+ return defaultVal
+ }
+
+ value := strings.TrimSpace(string(data))
+
+ if value == "" {
+ log.Info(fmt.Sprintf("Secret file %s is empty, using default value", path))
+ return defaultVal
+ }
+ return value
+}
+
 func ContextLogger(ctx context.Context) *zap.Logger {
 logger := GetLogger()
 return logger.With(zap.ByteString("request_id", []byte(fmt.Sprintf("%s", ctx.Value(RequestId("request_id"))))))
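Review bot: As written the helper cannot tell its caller that the secret was missing — a read error and an empty file both come back as `defaultVal` after a log line — which is what lets `main.go` in this patch start with an empty database password. Until a strict variant exists, callers of required secrets should guard the result, e.g. `if *pgPass == "" { log.Fatal("postgres password secret is missing or empty") }` after `flag.Parse()`. This is also the fourth byte-identical copy of the function across the services in this patch; a shared internal package, if the repository has one, would keep the fail-open semantics from being fixed in one place and not the others. Minor: `%q` instead of `%s` for the path makes an empty or whitespace-only path visible in the log.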