Netcracker · svetychkina · May 22, 2026 · Jun 2, 2026 · Jun 4, 2026 · Jun 10, 2026
diff --git a/operator/charts/patroni-services/templates/_helpers.tpl b/operator/charts/patroni-services/templates/_helpers.tpl
@@ -117,38 +117,6 @@ K8s Platform envs
               value: "https://kubernetes.default:443"
 {{- end }}
 
-{{/*
-POSTGRES ADMIN env variables for DBaaS
-*/}}
-{{- define "postgres-dbaas.pgAdminEnvs" }}
-            - name: POSTGRES_ADMIN_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: postgres-credentials
-                  key: password
-            - name: POSTGRES_ADMIN_USER
-              valueFrom:
-                secretKeyRef:
-                  name: postgres-credentials
-                  key: username
-{{- end }}
-
-{{/*
-Aggregator Registration env variables for DBaaS
-*/}}
-{{- define "postgres-dbaas.aggregatorEnvsReg" }}
-            - name: DBAAS_AGGREGATOR_REGISTRATION_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  name: dbaas-aggregator-registration-credentials
-                  key: username
-            - name: DBAAS_AGGREGATOR_REGISTRATION_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: dbaas-aggregator-registration-credentials
-                  key: password
-{{- end }}
-
 {{- define "find_image" -}}
   {{- $image := .default -}}
 

diff --git a/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml b/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml
@@ -52,6 +52,15 @@ spec:
           configMap:
             name: dbaas-postgres-adapter.extensions-config
             defaultMode: 420
+        - name: dbaas-adapter-credentials
+          secret:
+            secretName: dbaas-adapter-credentials
+        - name: dbaas-adapter-registration-credentials
+          secret:
+            secretName: dbaas-adapter-registration-credentials
+        - name: postgres-credentials
+          secret:
+            secretName: postgres-credentials
         {{- if not .Values.externalDataBase }}
         {{- if and .Values.tls .Values.tls.enabled }}
         - name: tls-cert
@@ -111,10 +120,8 @@ spec:
           securityContext:
             {{- include "restricted.globalContainerSecurityContext" . | nindent 12 }}
           env:
-{{- template "postgres-dbaas.pgAdminEnvs" . }}
             - name: POSTGRES_DATABASE
               value: {{ default "postgres" .Values.dbaas.dbName }}
-{{- template "postgres-dbaas.aggregatorEnvsReg" . }}
             - name: DBAAS_ADAPTER_ADDRESS
               value: {{ default (printf "http://dbaas-postgres-adapter.%s:8080" .Release.Namespace) .Values.dbaas.adapter.address }}
             - name: DBAAS_AGGREGATOR_REGISTRATION_ADDRESS
@@ -125,16 +132,6 @@ spec:
               value: {{ include "dbaas.pgHostRO" . }}
             - name: POSTGRES_PORT
               value: {{ default "5432" .Values.dbaas.pgPort | quote }}
-            - name: DBAAS_ADAPTER_API_USER
-              valueFrom:
-                secretKeyRef:
-                  name: dbaas-adapter-credentials
-                  key: username
-            - name: DBAAS_ADAPTER_API_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: dbaas-adapter-credentials
-                  key: password
             - name: DBAAS_AGGREGATOR_PHYSICAL_DATABASE_IDENTIFIER
               value: {{ .Values.dbaas.aggregator.physicalDatabaseIdentifier | default (printf "%s:%s" .Release.Namespace "postgres")}}
             - name: CLOUD_NAMESPACE
@@ -177,6 +174,15 @@ spec:
             - name: tls-cert
               mountPath: /certs/
   {{- end }}
+            - name: dbaas-adapter-credentials
+              mountPath: /var/run/secrets/postgresql/dbaas-adapter-credentials
+              readOnly: true
+            - name: dbaas-adapter-registration-credentials
+              mountPath: /var/run/secrets/postgresql/dbaas-adapter-registration-credentials
+              readOnly: true
+            - name: postgres-credentials
+              mountPath: /var/run/secrets/postgresql/postgres-credentials
+              readOnly: true
   {{- end }}
           livenessProbe:
             httpGet:

diff --git a/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml b/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml
@@ -9,6 +9,6 @@ metadata:
   name: logical-replication-controller-creds
 data:
   username: {{ default "replicator" .Values.replicationController.apiUser | b64enc }}
-  password: {{ default "paSsW0rdForReplicat!oN" .Values.replicationController.apiPassword | b64enc }}
+  password: {{ .Values.replicationController.apiPassword | b64enc }}
 type: Opaque
 {{ end }}
diff --git a/operator/pkg/client/client.go b/operator/pkg/client/client.go
@@ -33,11 +33,17 @@ import (
 	"github.com/Netcracker/pgskipper-operator/pkg/util"
 )
 
+const (
+	secretsBasePath = "/var/run/secrets/postgresql/"
+
+	pgUserCredsPath    = secretsBasePath + "postgres-credentials/"
+)
+
 var (
 	instance *PostgresClient
 	logger   = util.GetLogger()
-	pgUser   = flag.String("pg_user", getEnv("PG_ADMIN_USER", "postgres"), "Username of admin user in PostgreSQL, env: PG_ADMIN_USER")
-	pgPass   = flag.String("pg_pass", getEnv("PG_ADMIN_PASSWORD", ""), "Password of admin user in PostgreSQL, env: PG_ADMIN_PASSWORD")
+	pgUser   = flag.String("pg_user", ReadSecretFile(pgUserCredsPath+"username", "postgres"), "Username of admin user in PostgreSQL")
+	pgPass   = flag.String("pg_pass", ReadSecretFile(pgUserCredsPath+"password", ""), "Password of admin user in PostgreSQL")
 	dbName   = "postgres"
 	ssl      = "off"
 )
@@ -244,3 +250,17 @@ func getEnv(key, fallback string) string {
 func EscapeString(str string) string {
 	return strings.ReplaceAll(str, "'", "''")
 }
+
+func ReadSecretFile(path, defaultVal string) string {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		logger.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err))
+		return defaultVal
+	}
+	value := strings.TrimSpace(string(data))
+	if value == "" {
+		logger.Info(fmt.Sprintf("Secret file %s is empty, using default value", path))
+		return defaultVal
+	}
+	return value
+}
diff --git a/operator/pkg/deployment/monitoring.go b/operator/pkg/deployment/monitoring.go
@@ -25,6 +25,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/utils/ptr"
 )
 
 var (
@@ -37,6 +38,7 @@ const (
 	MetricCollectorUserCredentials = "monitoring-credentials"
 	influxDbAdminCredentials       = "influx-db-admin-credentials"
 	telegrafConfig                 = "telegraf-configmap"
+	PostgresUserCredentials        = "postgres-credentials"
 )
 
 func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcluster string, serviceAccountName string) *appsv1.Deployment {
@@ -75,6 +77,33 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl
 								},
 							},
 						},
+						{
+							Name: "monitoring-user-credentials",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName:  MetricCollectorUserCredentials,
+									DefaultMode: ptr.To[int32](0400),
+								},
+							},
+						},
+						{
+							Name: "influx-db-admin-credentials",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName:  influxDbAdminCredentials,
+									DefaultMode: ptr.To[int32](0400),
+								},
+							},
+						},
+						{
+							Name: "postgres-credentials",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName:  "postgres-credentials",
+									DefaultMode: ptr.To[int32](0400),
+								},
+							},
+						},
 					},
 					InitContainers: []corev1.Container{},
 					Containers: []corev1.Container{
@@ -84,60 +113,6 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl
 							Command: []string{},
 							Args:    []string{},
 							Env: append([]corev1.EnvVar{
-								{
-									Name: "MONITORING_USER",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials},
-											Key:                  "username",
-										},
-									},
-								},
-								{
-									Name: "MONITORING_PASSWORD",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials},
-											Key:                  "password",
-										},
-									},
-								},
-								{
-									Name: "PG_ROOT_USER",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgcluster)},
-											Key:                  "username",
-										},
-									},
-								},
-								{
-									Name: "PG_ROOT_PASSWORD",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgcluster)},
-											Key:                  "password",
-										},
-									},
-								},
-								{
-									Name: "INFLUXDB_USER",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{Name: influxDbAdminCredentials},
-											Key:                  "username",
-										},
-									},
-								},
-								{
-									Name: "INFLUXDB_PASSWORD",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{Name: influxDbAdminCredentials},
-											Key:                  "password",
-										},
-									},
-								},
 								{
 									Name: "NAMESPACE",
 									ValueFrom: &corev1.EnvVarSource{
@@ -197,6 +172,21 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl
 									SubPath:   "telegraf_temp.conf",
 									Name:      "telegraf-config-volume",
 								},
+								{
+									MountPath: "/var/run/secrets/postgresql/monitoring-user-credentials",
+									Name:      "monitoring-user-credentials",
+									ReadOnly: true,
+								},
+								{
+									MountPath: "/var/run/secrets/postgresql/influx-db-admin-credentials",
+									Name:      "influx-db-admin-credentials",
+									ReadOnly: true,
+								},
+								{
+									MountPath: "/var/run/secrets/postgresql/postgres-credentials",
+									Name:      "postgres-credentials",
+									ReadOnly: true,
+								},
 							},
 							Resources: *metricCollector.Resources,
 							LivenessProbe: &corev1.Probe{
@@ -232,6 +222,7 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl
 			},
 		},
 	}
+
 	if metricCollector.PriorityClassName != "" {
 		deployment.Spec.Template.Spec.PriorityClassName = metricCollector.PriorityClassName
 	}

diff --git a/operator/pkg/queryexporter/query_exporter.go b/operator/pkg/queryexporter/query_exporter.go
@@ -31,7 +31,13 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 )
 
-const CMName = "query-exporter-config"
+const (
+	CMName = "query-exporter-config"
+
+	secretsBasePath   = "/var/run/secrets/postgresql/"
+
+	pgUserCredsPath   = secretsBasePath + "postgres-credentials/"
+)
 
 var (
 	logger              = util.GetLogger()
@@ -106,6 +112,14 @@ func getVolumes() []corev1.Volume {
 				},
 			},
 		},
+		{
+			Name: "postgresql-credentials",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: "postgresql-credentials",
+				},
+			},
+		},
 	}
 }
 
@@ -115,6 +129,10 @@ func getVolumeMounts() []corev1.VolumeMount {
 			MountPath: "/config",
 			Name:      "config-volume",
 		},
+		{
+			MountPath: "/var/run/secrets/postgresql/",
+			Name:      "postgresql-credentials",
+		},
 	}
 }
 
@@ -152,13 +170,14 @@ func getEnvVariables(spec v1.QueryExporter) []corev1.EnvVar {
 			Name:  "QUERY_EXPORTER_DISABLE_SELF_MONITOR",
 			Value: strconv.FormatBool(spec.SelfMonitorDisabled),
 		},
+// todo: read credentials from secret
 		{
-			Name:      "POSTGRES_USER",
-			ValueFrom: getSecretFieldEnv("username"),
+			Name:  "POSTGRES_USER",
+			Value: util.ReadSecretFile(pgUserCredsPath+"username", "postgres"),
 		},
 		{
-			Name:      "POSTGRES_PASSWORD",
-			ValueFrom: getSecretFieldEnv("password"),
+			Name:  "POSTGRES_PASSWORD",
+			Value: util.ReadSecretFile(pgUserCredsPath+"password", ""),
 		},
 		{
 			Name:  "EXCLUDED_QUERIES",

diff --git a/operator/pkg/replicationcontroller/replication_controller.go b/operator/pkg/replicationcontroller/replication_controller.go
@@ -75,22 +75,12 @@ func NewRCDeployment(cr v1.PatroniServices, sa, clusterName string, pgPort int)
 									Value: strconv.Itoa(pgPort),
 								},
 								{
-									Name: "POSTGRES_ADMIN_PASSWORD",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"},
-											Key:                  "username",
-										},
-									},
+									Name:  "POSTGRES_ADMIN_USER",
+									Value: util.ReadSecretFile(util.PgUserCredsPath+"username", "postgres"),
 								},
 								{
-									Name: "POSTGRES_ADMIN_PASSWORD",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"},
-											Key:                  "password",
-										},
-									},
+									Name:  "POSTGRES_ADMIN_PASSWORD",
+									Value: util.ReadSecretFile(util.PgUserCredsPath+"password", ""),
 								},
 								{
 									Name: "API_USER",