diff --git a/operator/charts/patroni-core/templates/deployment.yaml b/operator/charts/patroni-core/templates/deployment.yaml index 7f6c004d..28915d10 100644 --- a/operator/charts/patroni-core/templates/deployment.yaml +++ b/operator/charts/patroni-core/templates/deployment.yaml @@ -67,6 +67,13 @@ spec: readOnly: true {{ end }} {{ end }} + volumeMounts: + - mountPath: /var/run/secrets/postgresql/postgres-credentials + name: postgres-credentials + readOnly: true + - mountPath: /var/run/secrets/postgresql/replicator-credentials + name: replicator-credentials + readOnly: true env: - name: WATCH_NAMESPACE valueFrom: @@ -96,21 +103,6 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP - - name: PG_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: postgres-credentials - key: password - - name: PG_ADMIN_USER - valueFrom: - secretKeyRef: - name: postgres-credentials - key: username - - name: PG_REPLICATOR_PASSWORD - valueFrom: - secretKeyRef: - name: replicator-credentials - key: password - name: GLOBAL_SECURITY_CONTEXT value: {{ .Values.GLOBAL_SECURITY_CONTEXT | quote | default ("true" | quote) }} - name: CLOUD_PUBLIC_HOST @@ -163,6 +155,15 @@ spec: secretName: {{ default "cloudsql-instance-credentials" .Values.externalDataBase.authSecretName }} {{ end }} {{ end }} + volumes: + - name: postgres-credentials + secret: + defaultMode: 420 + secretName: postgres-credentials + - name: replicator-credentials + secret: + defaultMode: 420 + secretName: replicator-credentials tolerations: {{- range $tKey, $t := .Values.policies.tolerations }} - key: {{ $t.key }} diff --git a/operator/charts/patroni-services/templates/_helpers.tpl b/operator/charts/patroni-services/templates/_helpers.tpl index 9ab3fbba..e9a7fc5f 100644 --- a/operator/charts/patroni-services/templates/_helpers.tpl +++ b/operator/charts/patroni-services/templates/_helpers.tpl 
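Review bot: The new `volumeMounts:` key in the @@ -67 hunk is emitted directly after a `{{ end }} {{ end }}` pair that, judging by the `readOnly: true` context line, closes a conditional mount list for the external-database case; when those values are active the rendered container carries two `volumeMounts:` keys, which a strict YAML decoder rejects and a lenient one resolves by silently keeping only one of the two lists. The safer shape is one unconditional `volumeMounts:` header with the conditional entries as items inside it and the two new items appended to that list, as the patroni-services chart in this same diff does. The @@ -163 hunk of this file repeats the same layout for `volumes:`. I cannot see the lines above the hunk, so please confirm what the closed `{{ end }}` blocks contain.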
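Review bot: `defaultMode: 420` (0644) in the @@ -163 hunk makes the mounted `postgres-credentials` and `replicator-credentials` files readable by every UID inside the pod, so a sidecar sharing the volume or a debug shell under another user can read the superuser password. The Go-generated deployments in this same change use `DefaultMode: ptr.To[int32](0400)`; matching that here with `defaultMode: 256` keeps the files readable only by the container's `runAsUser`, and the TLS secret a few lines above already uses a stricter `416`, so the chart has precedent for a non-default mode. Writing the decimal form avoids the YAML 1.1 octal ambiguity of a literal `0400`.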
@@ -118,38 +118,6 @@ K8s Platform envs value: "https://kubernetes.default:443" {{- end }} -{{/* -POSTGRES ADMIN env variables for DBaaS -*/}} -{{- define "postgres-dbaas.pgAdminEnvs" }} - - name: POSTGRES_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: postgres-credentials - key: password - - name: POSTGRES_ADMIN_USER - valueFrom: - secretKeyRef: - name: postgres-credentials - key: username -{{- end }} - -{{/* -Aggregator Registration env variables for DBaaS -*/}} -{{- define "postgres-dbaas.aggregatorEnvsReg" }} - - name: DBAAS_AGGREGATOR_REGISTRATION_USERNAME - valueFrom: - secretKeyRef: - name: dbaas-aggregator-registration-credentials - key: username - - name: DBAAS_AGGREGATOR_REGISTRATION_PASSWORD - valueFrom: - secretKeyRef: - name: dbaas-aggregator-registration-credentials - key: password -{{- end }} - {{- define "find_image" -}} {{- $image := .default -}} diff --git a/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml b/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml index ef3979bf..399edecd 100644 --- a/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml +++ b/operator/charts/patroni-services/templates/dbaas/dbaas-adapter-deployment.yaml @@ -55,6 +55,17 @@ spec: configMap: name: dbaas-postgres-adapter.extensions-config defaultMode: 420 + - name: dbaas-adapter-credentials + secret: + secretName: dbaas-adapter-credentials + defaultMode: 420 + - name: dbaas-aggregator-registration-credentials + secret: + secretName: dbaas-aggregator-registration-credentials + defaultMode: 420 + - name: postgres-credentials + secret: + secretName: postgres-credentials {{- if not .Values.externalDataBase }} {{- if and .Values.tls .Values.tls.enabled }} - name: tls-cert 
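Review bot: The `postgres-credentials` volume added in the dbaas-adapter @@ -55 hunk has no `defaultMode`, unlike its two siblings, so it falls back to the Kubernetes default of 0644 and the admin password file is readable by every UID in the pod. All three secret volumes should carry the same restrictive mode; `defaultMode: 256` (0400) matches the `ptr.To[int32](0400)` the operator-generated deployments in this change use. The `420` on the other two volumes is also 0644 and should be tightened the same way.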
@@ -76,10 +87,18 @@ spec: mountPath: /tmp - name: dbaas-default-extensions-mount mountPath: /app/extensions + - name: dbaas-adapter-credentials + mountPath: /var/run/secrets/postgresql/dbaas-adapter-credentials + readOnly: true + - name: dbaas-aggregator-registration-credentials + mountPath: /var/run/secrets/postgresql/dbaas-aggregator-registration-credentials + readOnly: true + - name: postgres-credentials + mountPath: /var/run/secrets/postgresql/postgres-credentials + readOnly: true resources: {{ .Values.dbaas.resources | toYaml | indent 12 }} env: - {{- template "postgres-dbaas.pgAdminEnvs" . }} - name: POSTGRES_DATABASE value: {{ default "postgres" .Values.dbaas.dbName }} - name: POSTGRES_HOST @@ -116,10 +135,8 @@ spec: securityContext: {{- include "restricted.globalContainerSecurityContext" . | nindent 12 }} env: -{{- template "postgres-dbaas.pgAdminEnvs" . }} - name: POSTGRES_DATABASE value: {{ default "postgres" .Values.dbaas.dbName }} -{{- template "postgres-dbaas.aggregatorEnvsReg" . }} - name: DBAAS_ADAPTER_ADDRESS value: {{ default (printf "http://dbaas-postgres-adapter.%s:8080" .Release.Namespace) .Values.dbaas.adapter.address }} - name: DBAAS_AGGREGATOR_REGISTRATION_ADDRESS @@ -130,16 +147,6 @@ spec: value: {{ include "dbaas.pgHostRO" . }} - name: POSTGRES_PORT value: {{ default "5432" .Values.dbaas.pgPort | quote }} - - name: DBAAS_ADAPTER_API_USER - valueFrom: - secretKeyRef: - name: dbaas-adapter-credentials - key: username - - name: DBAAS_ADAPTER_API_PASSWORD - valueFrom: - secretKeyRef: - name: dbaas-adapter-credentials - key: password - name: DBAAS_AGGREGATOR_PHYSICAL_DATABASE_IDENTIFIER value: {{ .Values.dbaas.aggregator.physicalDatabaseIdentifier | default (printf "%s:%s" .Release.Namespace "postgres")}} - name: CLOUD_NAMESPACE 
@@ -184,6 +191,15 @@ spec: - name: tls-cert mountPath: /certs/ {{- end }} + - name: dbaas-adapter-credentials + mountPath: /var/run/secrets/postgresql/dbaas-adapter-credentials + readOnly: true + - name: dbaas-aggregator-registration-credentials + mountPath: /var/run/secrets/postgresql/dbaas-aggregator-registration-credentials + readOnly: true + - name: postgres-credentials + mountPath: /var/run/secrets/postgresql/postgres-credentials + readOnly: true {{- end }} livenessProbe: httpGet: diff --git a/operator/charts/patroni-services/templates/deployment.yaml b/operator/charts/patroni-services/templates/deployment.yaml index 19c56c6b..853c4efe 100644 --- a/operator/charts/patroni-services/templates/deployment.yaml +++ b/operator/charts/patroni-services/templates/deployment.yaml @@ -74,6 +74,12 @@ spec: mountPath: /certs/ {{- end }} {{- end }} + - name: postgres-credentials + mountPath: /var/run/secrets/postgres-credentials + readOnly: true + - name: replicator-credentials + mountPath: /var/run/secrets/replicator-credentials + readOnly: true env: - name: WATCH_NAMESPACE valueFrom: @@ -107,21 +113,6 @@ spec: valueFrom: fieldRef: fieldPath: status.hostIP - - name: PG_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: postgres-credentials - key: password - - name: PG_ADMIN_USER - valueFrom: - secretKeyRef: - name: postgres-credentials - key: username - - name: PG_REPLICATOR_PASSWORD - valueFrom: - secretKeyRef: - name: replicator-credentials - key: password - name: GLOBAL_SECURITY_CONTEXT value: {{ .Values.GLOBAL_SECURITY_CONTEXT | quote | default ("true" | quote) }} - name: CLOUD_PUBLIC_HOST 
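Review bot: The mount paths in the patroni-services deployment @@ -74 hunk, `/var/run/secrets/postgres-credentials` and `/var/run/secrets/replicator-credentials`, lack the `postgresql/` segment that the operator code in this same change reads from: `pgUserCredsPath` in operator/pkg/client/client.go and operator/pkg/util/util.go and `replicatorPasswordPath` in patroni_core_helper.go all start with `/var/run/secrets/postgresql/`. If this deployment runs that operator binary, every `ReadSecretFile` call fails, logs one error line, and the process continues with the fallback values — user `postgres` and an empty password. The patroni-core chart in this diff mounts at `/var/run/secrets/postgresql/postgres-credentials` and `/var/run/secrets/postgresql/replicator-credentials`; this chart should use the same paths.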
@@ -182,7 +173,17 @@ spec: secretName: {{ .Values.tls.certificateSecretName }} defaultMode: 416 {{- end }} + {{- if .Values.replicationController }} + - name: replicator-credentials + secret: + secretName: replicator-credentials + defaultMode: 420 {{- end }} + {{- end }} + - name: postgres-credentials + secret: + secretName: postgres-credentials + defaultMode: 420 tolerations: {{- range $tKey, $t := .Values.policies.tolerations }} - key: {{ $t.key }} diff --git a/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml b/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml index 10f8c261..b41738a3 100644 --- a/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml +++ b/operator/charts/patroni-services/templates/secrets/logical-repliction-controller.yaml @@ -9,6 +9,6 @@ metadata: name: logical-replication-controller-creds data: username: {{ default "replicator" .Values.replicationController.apiUser | b64enc }} - password: {{ default "paSsW0rdForReplicat!oN" .Values.replicationController.apiPassword | b64enc }} + password: {{ .Values.replicationController.apiPassword | b64enc }} type: Opaque {{ end }} diff --git a/operator/pkg/client/client.go b/operator/pkg/client/client.go index 9ab04a78..a4757492 100644 --- a/operator/pkg/client/client.go +++ b/operator/pkg/client/client.go 
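Review bot: The `replicator-credentials` volume in the @@ -182 hunk is rendered only inside `{{- if .Values.replicationController }}` (and inside whatever outer block the pre-existing `{{- end }}` closes), but the container's `replicator-credentials` volumeMount added in the @@ -74 hunk of this file is unconditional; with `replicationController` unset the API server rejects the pod with a `volumeMounts[].name: Not found` error and the operator never starts. Either wrap the mount in the same condition or render the volume unconditionally, as is done for `postgres-credentials` just below. The `defaultMode: 420` here also leaves the file world-readable inside the pod; `256` (0400) matches the Go deployments in this change.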
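Review bot: Dropping the hard-coded default password in logical-repliction-controller.yaml is the right call, but `{{ .Values.replicationController.apiPassword | b64enc }}` now renders an empty `password` when the value is unset, so the controller's API credential silently becomes the empty string instead of the install failing. Use Helm's `required` to make the omission a render-time error: `password: {{ required "replicationController.apiPassword must be set" .Values.replicationController.apiPassword | b64enc }}`. The same guard is worth adding to the other credential Secrets this change routes through files, since every reader added here falls back to `""` when the file is empty.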
@@ -33,11 +33,17 @@ import ( "github.com/Netcracker/pgskipper-operator/pkg/util" ) +const ( + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" +) + var ( instance *PostgresClient logger = util.GetLogger() - pgUser = flag.String("pg_user", getEnv("PG_ADMIN_USER", "postgres"), "Username of admin user in PostgreSQL, env: PG_ADMIN_USER") - pgPass = flag.String("pg_pass", getEnv("PG_ADMIN_PASSWORD", ""), "Password of admin user in PostgreSQL, env: PG_ADMIN_PASSWORD") + pgUser = flag.String("pg_user", ReadSecretFile(pgUserCredsPath+"username", "postgres"), "Username of admin user in PostgreSQL") + pgPass = flag.String("pg_pass", ReadSecretFile(pgUserCredsPath+"password", ""), "Password of admin user in PostgreSQL") dbName = "postgres" ssl = "off" ) @@ -244,3 +250,17 @@ func getEnv(key, fallback string) string { func EscapeString(str string) string { return strings.ReplaceAll(str, "'", "''") } + +func ReadSecretFile(path, defaultVal string) string { + data, err := os.ReadFile(path) + if err != nil { + logger.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err)) + return defaultVal + } + value := strings.TrimSpace(string(data)) + if value == "" { + logger.Info(fmt.Sprintf("Secret file %s is empty, using default value", path)) + return defaultVal + } + return value +} \ No newline at end of file diff --git a/operator/pkg/deployment/backup.go b/operator/pkg/deployment/backup.go index 72271f47..1009c93b 100644 --- a/operator/pkg/deployment/backup.go +++ b/operator/pkg/deployment/backup.go @@ -25,6 +25,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" ) var ( 
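Review bot: `ReadSecretFile` in the @@ -244 hunk turns any read failure into the caller's default, and the `pg_pass` default in the @@ -33 hunk is `""`, so a missing or mis-mounted Secret is reduced to one error log line and the operator proceeds to open connections with an empty superuser password. For credentials the missing-file and empty-file cases should be fatal (return an error, or `logger.Fatal`) rather than a fallback; only the username has a sensible default. The values are also read once at package initialisation through `flag.String`, so a rotated Secret is not picked up until the pod restarts — the same limitation as the old env-var path, but worth a comment on the var block. An identical helper is added to operator/pkg/util in this same change; keep the exported `util.ReadSecretFile` and have this package call it. The file also ends without a trailing newline.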
@@ -72,6 +73,15 @@ func NewBackupDaemonDeployment(backupDaemon *netcrackerv1.BackupDaemon, pgCluste }, }, }, +// { +// Name: "postgres-credentials", +// VolumeSource: corev1.VolumeSource{ +// Secret: &corev1.SecretVolumeSource{ +// SecretName: GetRootSecretName(pgClusterName), +// DefaultMode: ptr.To[int32](0400), +// }, +// }, +// }, }, ServiceAccountName: serviceAccountName, Affinity: &backupDaemon.Affinity, @@ -83,24 +93,6 @@ func NewBackupDaemonDeployment(backupDaemon *netcrackerv1.BackupDaemon, pgCluste Command: []string{}, Args: []string{}, Env: []corev1.EnvVar{ - { - Name: "POSTGRES_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgClusterName)}, - Key: "password", - }, - }, - }, - { - Name: "POSTGRES_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgClusterName)}, - Key: "username", - }, - }, - }, { Name: "PGPASSWORD", ValueFrom: &corev1.EnvVarSource{ @@ -230,6 +222,10 @@ func NewBackupDaemonDeployment(backupDaemon *netcrackerv1.BackupDaemon, pgCluste MountPath: "/backup-storage", Name: "backup-data", }, + { + MountPath: "/var/run/secrets/postgresql/", + Name: "postgres-credentials", + }, }, LivenessProbe: &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ 
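Review bot: The mount in the @@ -230 hunk places the Secret at `MountPath: "/var/run/secrets/postgresql/"`, so its keys appear as `/var/run/secrets/postgresql/username` and `/var/run/secrets/postgresql/password`, while every backup-daemon reader in this same change expects `/var/run/secrets/postgresql/postgres-credentials/...` (`_PG_USER_CREDS_PATH` in granular/configs.py, `PG_USER_CREDS_PATH` in aws-s3-backup.sh, the `cat` lines in postgres_backup.sh, `POSTGRES_CREDS_PATH` in postgres/utils.py). With this layout each reader falls back to `postgres`/`""` and backups run with an empty password. Change it to `MountPath: "/var/run/secrets/postgresql/postgres-credentials"` and add `ReadOnly: true`, as the monitoring and tests pods in this change do. The commented-out volume block in the @@ -72 hunk duplicates what the later `append` adds and should be deleted rather than left as dead code.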
@@ -296,6 +292,20 @@ func NewBackupDaemonDeployment(backupDaemon *netcrackerv1.BackupDaemon, pgCluste }, } } +// Add postgres-credentials volume regardless of storage type + deployment.Spec.Template.Spec.Volumes = append( + deployment.Spec.Template.Spec.Volumes, + corev1.Volume{ + Name: "postgres-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: GetRootSecretName(pgClusterName), + DefaultMode: ptr.To[int32](0400), + }, + }, + }, + ) + if backupDaemon.ExternalPv != nil { deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, getExternalBackupVolume()) diff --git a/operator/pkg/deployment/monitoring.go b/operator/pkg/deployment/monitoring.go index 714c0ec8..683848ae 100644 --- a/operator/pkg/deployment/monitoring.go +++ b/operator/pkg/deployment/monitoring.go @@ -25,6 +25,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" ) var ( @@ -37,6 +38,7 @@ const ( MetricCollectorUserCredentials = "monitoring-credentials" influxDbAdminCredentials = "influx-db-admin-credentials" telegrafConfig = "telegraf-configmap" + PostgresUserCredentials = "postgres-credentials" ) func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcluster string, serviceAccountName string) *appsv1.Deployment { 
@@ -75,6 +77,33 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl }, }, }, + { + Name: "monitoring-user-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: MetricCollectorUserCredentials, + DefaultMode: ptr.To[int32](0400), + }, + }, + }, + { + Name: "influx-db-admin-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: influxDbAdminCredentials, + DefaultMode: ptr.To[int32](0400), + }, + }, + }, + { + Name: "postgres-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "postgres-credentials", + DefaultMode: ptr.To[int32](0400), + }, + }, + }, }, InitContainers: []corev1.Container{}, Containers: []corev1.Container{ 
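Review bot: The `postgres-credentials` volume in the @@ -75 hunk hard-codes `SecretName: "postgres-credentials"`, whereas the `PG_ROOT_USER`/`PG_ROOT_PASSWORD` env entries it replaces (removed in the next hunk) resolved the Secret through `GetRootSecretName(pgcluster)`; if that helper returns a cluster-specific name for non-default clusters, the monitoring pod now references a Secret that does not exist and stays in ContainerCreating. backup.go in this same change keeps `GetRootSecretName(pgClusterName)` for the same volume; use it here too, or at least use the `PostgresUserCredentials` constant this commit adds a few lines above instead of repeating the literal. I cannot see `GetRootSecretName`, so please confirm what it returns.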
@@ -84,60 +113,6 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl Command: []string{}, Args: []string{}, Env: append([]corev1.EnvVar{ - { - Name: "MONITORING_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials}, - Key: "username", - }, - }, - }, - { - Name: "MONITORING_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: MetricCollectorUserCredentials}, - Key: "password", - }, - }, - }, - { - Name: "PG_ROOT_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgcluster)}, - Key: "username", - }, - }, - }, - { - Name: "PG_ROOT_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgcluster)}, - Key: "password", - }, - }, - }, - { - Name: "INFLUXDB_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: influxDbAdminCredentials}, - Key: "username", - }, - }, - }, - { - Name: "INFLUXDB_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: influxDbAdminCredentials}, - Key: "password", - }, - }, - }, { Name: "NAMESPACE", ValueFrom: &corev1.EnvVarSource{ 
@@ -197,6 +172,21 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl SubPath: "telegraf_temp.conf", Name: "telegraf-config-volume", }, + { + MountPath: "/var/run/secrets/postgresql/monitoring-user-credentials", + Name: "monitoring-user-credentials", + ReadOnly: true, + }, + { + MountPath: "/var/run/secrets/postgresql/influx-db-admin-credentials", + Name: "influx-db-admin-credentials", + ReadOnly: true, + }, + { + MountPath: "/var/run/secrets/postgresql/postgres-credentials", + Name: "postgres-credentials", + ReadOnly: true, + }, }, Resources: *metricCollector.Resources, LivenessProbe: &corev1.Probe{ @@ -232,6 +222,7 @@ func NewMonitoringDeployment(metricCollector *netcrackerv1.MetricCollector, pgcl }, }, } + if metricCollector.PriorityClassName != "" { deployment.Spec.Template.Spec.PriorityClassName = metricCollector.PriorityClassName } diff --git a/operator/pkg/deployment/tests.go b/operator/pkg/deployment/tests.go index cedafa87..9e437526 100644 --- a/operator/pkg/deployment/tests.go +++ b/operator/pkg/deployment/tests.go @@ -65,6 +65,16 @@ func NewIntegrationTestsPod(cr *v1.PatroniServices, cluster *patroniv1.PatroniCl Spec: corev1.PodSpec{ ServiceAccountName: cr.Spec.ServiceAccountName, Affinity: &testsSpec.Affinity, + Volumes: []corev1.Volume{ + { + Name: "postgres-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "postgres-credentials", + }, + }, + }, + }, InitContainers: []corev1.Container{}, Containers: []corev1.Container{ { 
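Review bot: The `postgres-credentials` volume in the tests.go @@ -65 hunk sets no `DefaultMode`, so the admin password file is created 0644 and readable by any UID in the pod, unlike the `ptr.To[int32](0400)` used for the same Secret in monitoring.go, backup.go and replication_controller.go in this change. Add `DefaultMode: ptr.To[int32](0400)` here (tests.go would need the `k8s.io/utils/ptr` import the other files add). The `NewCoreIntegrationTests` volume in the following hunk has the same gap.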
@@ -73,24 +83,6 @@ func NewIntegrationTestsPod(cr *v1.PatroniServices, cluster *patroniv1.PatroniCl ImagePullPolicy: cr.Spec.ImagePullPolicy, SecurityContext: util.GetDefaultSecurityContext(), Env: []corev1.EnvVar{ - { - Name: "POSTGRES_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"}, - Key: "username", - }, - }, - }, - { - Name: "PG_ROOT_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"}, - Key: "password", - }, - }, - }, { Name: "PG_CLUSTER_NAME", Value: cluster.ClusterName, @@ -128,7 +120,13 @@ func NewIntegrationTestsPod(cr *v1.PatroniServices, cluster *patroniv1.PatroniCl Value: testsSpec.MonitoredImages, }, }, - VolumeMounts: []corev1.VolumeMount{}, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "postgres-credentials", + MountPath: "/var/run/secrets/postgresql/postgres-credentials", + ReadOnly: true, + }, + }, }, }, RestartPolicy: corev1.RestartPolicyNever, @@ -192,6 +190,16 @@ func NewCoreIntegrationTests(cr *patroniv1.PatroniCore, cluster *patroniv1.Patro Spec: corev1.PodSpec{ ServiceAccountName: cr.Spec.ServiceAccountName, Affinity: &testsSpec.Affinity, + Volumes: []corev1.Volume{ + { + Name: "postgres-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "postgres-credentials", + }, + }, + }, + }, InitContainers: []corev1.Container{}, Containers: []corev1.Container{ { 
@@ -200,24 +208,6 @@ func NewCoreIntegrationTests(cr *patroniv1.PatroniCore, cluster *patroniv1.Patro ImagePullPolicy: cr.Spec.ImagePullPolicy, SecurityContext: util.GetDefaultSecurityContext(), Env: []corev1.EnvVar{ - { - Name: "POSTGRES_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"}, - Key: "username", - }, - }, - }, - { - Name: "PG_ROOT_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"}, - Key: "password", - }, - }, - }, { Name: "PG_CLUSTER_NAME", Value: cluster.ClusterName, @@ -259,7 +249,13 @@ func NewCoreIntegrationTests(cr *patroniv1.PatroniCore, cluster *patroniv1.Patro Value: testsSpec.MonitoredImages, }, }, - VolumeMounts: []corev1.VolumeMount{}, + VolumeMounts: []corev1.VolumeMount{ + { + Name: "postgres-credentials", + MountPath: "/var/run/secrets/postgresql/postgres-credentials", + ReadOnly: true, + }, + }, }, }, RestartPolicy: corev1.RestartPolicyNever, diff --git a/operator/pkg/helper/patroni_core_helper.go b/operator/pkg/helper/patroni_core_helper.go index 6e45ec64..92a9db08 100644 --- a/operator/pkg/helper/patroni_core_helper.go +++ b/operator/pkg/helper/patroni_core_helper.go @@ -42,7 +42,12 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" ) -var pHelper *PatroniHelper = nil +var ( + pHelper *PatroniHelper = nil + + secretFilePath = "/var/run/secrets/postgresql/" + replicatorPasswordPath = secretFilePath + "replicator-credentials/" +) type PatroniHelper struct { ResourceManager 
@@ -444,7 +449,7 @@ func (ph *PatroniHelper) RevokeGrantOnPublicSchema(pgHost string) error { } func (ph *PatroniHelper) SyncReplicatorPassword(pgHost string) error { - password := util.GetEnv("PG_REPLICATOR_PASSWORD", "replicator") + password := util.ReadSecretFile(replicatorPasswordPath+"password", "") pgC := pgClient.GetPostgresClient(pgHost) if pgC == nil { return errors.New("Can't create Postgres Client") diff --git a/operator/pkg/queryexporter/query_exporter.go b/operator/pkg/queryexporter/query_exporter.go index 1896fda5..aa344192 100644 --- a/operator/pkg/queryexporter/query_exporter.go +++ b/operator/pkg/queryexporter/query_exporter.go @@ -31,7 +31,13 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" ) -const CMName = "query-exporter-config" +const ( + CMName = "query-exporter-config" + + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" +) var ( logger = util.GetLogger() @@ -106,6 +112,14 @@ func getVolumes() []corev1.Volume { }, }, }, + { + Name: "postgres-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "postgres-credentials", + }, + }, + }, } } @@ -115,6 +129,10 @@ func getVolumeMounts() []corev1.VolumeMount { MountPath: "/config", Name: "config-volume", }, + { + MountPath: "/var/run/secrets/postgresql/", + Name: "postgres-credentials", + }, } } @@ -152,14 +170,6 @@ func getEnvVariables(spec v1.QueryExporter) []corev1.EnvVar { Name: "QUERY_EXPORTER_DISABLE_SELF_MONITOR", Value: strconv.FormatBool(spec.SelfMonitorDisabled), }, - { - Name: "POSTGRES_USER", - ValueFrom: getSecretFieldEnv("username"), - }, - { - Name: "POSTGRES_PASSWORD", - ValueFrom: getSecretFieldEnv("password"), - }, { Name: "EXCLUDED_QUERIES", Value: strings.Join(spec.ExcludeQueries, ","), diff --git a/operator/pkg/replicationcontroller/replication_controller.go b/operator/pkg/replicationcontroller/replication_controller.go index 7854f49c..c28ea92d 100644 
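Review bot: `SyncReplicatorPassword` in the @@ -444 hunk now takes `util.ReadSecretFile(replicatorPasswordPath+"password", "")`, so when the file is missing or empty — which is the case for the patroni-services chart in this change, which mounts the Secret at `/var/run/secrets/replicator-credentials` without the `postgresql/` segment this path expects — the function proceeds with `""` and, if the rest of the body applies that value to the replicator role, resets its password to the empty string. Guard it before creating the client: `if password == "" { return errors.New("replicator password not available at " + replicatorPasswordPath) }`. The old `"replicator"` fallback had the same flaw, so this is the moment to close it. The function body continues past the end of the hunk.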
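Review bot: The mount in the query_exporter.go @@ -115 hunk lands the Secret keys directly under `/var/run/secrets/postgresql/`, while the `pgUserCredsPath` constant added in the @@ -31 hunk of the same file points at `/var/run/secrets/postgresql/postgres-credentials/`; whichever of the two the exporter reads, one of them is wrong, and the pattern used elsewhere in this change is one subdirectory per Secret. Use `MountPath: "/var/run/secrets/postgresql/postgres-credentials"` with `ReadOnly: true`, and give the volume in the @@ -106 hunk a `DefaultMode` of 0400 like the other Go deployments. I cannot see where `pgUserCredsPath` is consumed, so please confirm the exporter's read path.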
--- a/operator/pkg/replicationcontroller/replication_controller.go +++ b/operator/pkg/replicationcontroller/replication_controller.go @@ -24,6 +24,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" ) const ( @@ -57,6 +58,26 @@ func NewRCDeployment(cr v1.PatroniServices, sa, clusterName string, pgPort int) Spec: corev1.PodSpec{ ServiceAccountName: sa, Affinity: &spec.Affinity, + Volumes: []corev1.Volume{ + { + Name: "postgres-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "postgres-credentials", + DefaultMode: ptr.To[int32](0400), + }, + }, + }, + { + Name: "replicator-api-creds", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "logical-replication-controller-creds", + DefaultMode: ptr.To[int32](0400), + }, + }, + }, + }, InitContainers: []corev1.Container{}, Containers: []corev1.Container{ { @@ -75,22 +96,12 @@ func NewRCDeployment(cr v1.PatroniServices, sa, clusterName string, pgPort int) Value: strconv.Itoa(pgPort), }, { - Name: "POSTGRES_ADMIN_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"}, - Key: "username", - }, - }, + Name: "POSTGRES_ADMIN_USER", + Value: util.ReadSecretFile(util.PgUserCredsPath+"username", "postgres"), }, { - Name: "POSTGRES_ADMIN_PASSWORD", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "postgres-credentials"}, - Key: "password", - }, - }, + Name: "POSTGRES_ADMIN_PASSWORD", + Value: util.ReadSecretFile(util.PgUserCredsPath+"password", ""), }, { Name: "API_USER", 
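Review bot: The `POSTGRES_ADMIN_USER` and `POSTGRES_ADMIN_PASSWORD` entries in the @@ -75 hunk are now plain `Value:` fields filled from `util.ReadSecretFile` at reconcile time, which writes the PostgreSQL superuser password in cleartext into the Deployment object — visible to anyone with read access to Deployments, to `kubectl describe`, to etcd and to audit logs — whereas the `secretKeyRef` it replaces kept the value inside the Secret. It also reads the file from the operator's own filesystem, so the value is stale until the next reconcile and wrong if the operator and the controller are given different Secrets. The original's real defect was that both entries were named `POSTGRES_ADMIN_PASSWORD` with the first pointing at key `username`; the fix is to keep `secretKeyRef` and correct the names and keys, or drop these env entries and let the controller read the `postgres-credentials` volume added in the @@ -57 hunk above. Please also confirm that `util.ReadSecretFile`'s `""` fallback cannot be what ends up in the env when the operator's own mount is absent.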
@@ -115,6 +126,18 @@ func NewRCDeployment(cr v1.PatroniServices, sa, clusterName string, pgPort int) Value: spec.SslMode, }, }, + VolumeMounts: []corev1.VolumeMount{ + { + MountPath: "/var/run/secrets/postgresql/replicator-api-creds", + Name: "replicator-api-creds", + ReadOnly: true, + }, + { + MountPath: "/var/run/secrets/postgresql/postgres-credentials", + Name: "postgres-credentials", + ReadOnly: true, + }, + }, Ports: []corev1.ContainerPort{ {ContainerPort: 8080, Name: "web", Protocol: corev1.ProtocolTCP}, }, diff --git a/operator/pkg/util/util.go b/operator/pkg/util/util.go index 8b127812..cac30271 100644 --- a/operator/pkg/util/util.go +++ b/operator/pkg/util/util.go @@ -56,6 +56,9 @@ import ( const ( TokenFilePath = "/var/run/secrets/kubernetes.io/serviceaccount/token" ClusterName = "patroni" + + secretBasePath = "/var/run/secrets/postgresql/" + PgUserCredsPath = secretBasePath + "postgres-credentials/" ) var ( @@ -470,3 +473,19 @@ func HashJson(o interface{}) string { hash.Write(cr) return fmt.Sprintf("%x", hash.Sum(nil)) } + +func ReadSecretFile(path string, defaultVal string) string { + data, err := os.ReadFile(path) + if err != nil { + uLog.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err)) + return defaultVal + } + + value := strings.TrimSpace(string(data)) + + if value == "" { + uLog.Info(fmt.Sprintf("Secret file %s is empty, using default value", path)) + return defaultVal + } + return value +} \ No newline at end of file diff --git a/services/backup-daemon/docker/granular/configs.py b/services/backup-daemon/docker/granular/configs.py index c0736f4d..ea7abc1e 100644 --- a/services/backup-daemon/docker/granular/configs.py +++ b/services/backup-daemon/docker/granular/configs.py 
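Review bot: `util.ReadSecretFile` in the @@ -470 hunk is a byte-for-byte copy of `client.ReadSecretFile` added in operator/pkg/client in this same change; keep only this exported one and have the client package import it, so the fallback policy lives in one place. That policy should be stricter for passwords than for usernames: returning `defaultVal` on a read error means a call like `ReadSecretFile(path+"password", "")` continues with an empty credential after one log line, so consider an `(string, error)` variant for secret values and reserve the defaulting form for the username. `strings.TrimSpace` also strips leading and trailing whitespace from the password itself, which breaks a password that legitimately contains it; trim only the trailing newline with `strings.TrimRight(string(data), "\r\n")`. The file is left without a trailing newline.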
@@ -17,6 +17,8 @@ import logging from utils import get_postgres_version_by_path +_SECRET_BASE_PATH = "/var/run/secrets/postgresql/" +_PG_USER_CREDS_PATH = _SECRET_BASE_PATH + "postgres-credentials/" _PROTECTED_DATABASES = ['template0', 'template1', 'postgres', 'rdsadmin', # aws rds @@ -63,6 +65,17 @@ def backups_storage(version=None): storage_path = '/backup-storage/pg18/granular' return storage_path +def read_secret_file(path: str, default_val: str): + try: + with open(path, 'r') as f: + value = f.read().strip() + except OSError as e: + logging.error(f"Failed to read secret file {path}: {e}") + return default_val + if not value: + logging.info(f"Secret file {path} is empty, using default value") + return default_val + return value def default_namespace(): return 'default' @@ -77,7 +90,7 @@ def default_backup_expiration_period(): def postgresql_user(): - return os.getenv('POSTGRES_USER') or 'postgres' + return read_secret_file(_PG_USER_CREDS_PATH + "username", 'postgres') def postgresql_host(): @@ -89,7 +102,7 @@ def postgresql_port(): def postgres_password(): - return os.getenv('POSTGRES_PASSWORD') + return read_secret_file(_PG_USER_CREDS_PATH + "password", '') def postgresql_no_role_password_flag(): diff --git a/services/backup-daemon/docker/postgres/aws-s3-backup.sh b/services/backup-daemon/docker/postgres/aws-s3-backup.sh index 67eeab79..18398318 100755 --- a/services/backup-daemon/docker/postgres/aws-s3-backup.sh +++ b/services/backup-daemon/docker/postgres/aws-s3-backup.sh 
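Review bot: `postgres_password()` in the @@ -89 hunk now returns `''` when the file is missing instead of the `None` the `os.getenv` version returned, so any caller that tests `is None` to detect a missing credential no longer does, and the daemon connects with an empty password after a single error log. Return `None` (or raise) for the password case, `return read_secret_file(_PG_USER_CREDS_PATH + "password", None)`, and keep the `'postgres'` default only for the username. `read_secret_file` is also defined identically in postgres/utils.py, recovery/recovery.py and recovery/utils_pg.py within this change; one shared copy, for instance in the `utils` module this file already imports from, would keep the fallback policy in one place.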
@@ -27,6 +27,30 @@ readonly BUCKET="$1" # Go to AWS S3 terminology readonly BACKUP_ID="$2" BACKUP_NAME="pg_${PG_CLUSTER_NAME}_backup_${BACKUP_ID}.tar.gz" +SECRET_BASE_PATH="/var/run/secrets/postgresql/" +PG_USER_CREDS_PATH="${SECRET_BASE_PATH}postgres-credentials/" + +function read_secret_file() { + local path="$1" + local default_val="$2" + if [ ! -f "$path" ]; then + echo "Failed to read secret file ${path}" >&2 + echo "$default_val" + return + fi + local value + value=$(tr -d '[:space:]' < "$path") + if [ -z "$value" ]; then + echo "Secret file ${path} is empty, using default value" >&2 + echo "$default_val" + return + fi + echo "$value" +} + +POSTGRES_USER=$(read_secret_file "${PG_USER_CREDS_PATH}username" "postgres") +POSTGRES_PASSWORD=$(read_secret_file "${PG_USER_CREDS_PATH}password" "") + function log() { log_module "$1" "aws-s3-backup" "$2" diff --git a/services/backup-daemon/docker/postgres/postgres_backup.sh b/services/backup-daemon/docker/postgres/postgres_backup.sh index 9d692112..cfe0d7d2 100755 --- a/services/backup-daemon/docker/postgres/postgres_backup.sh +++ b/services/backup-daemon/docker/postgres/postgres_backup.sh @@ -26,6 +26,9 @@ readonly ENCRYPTION_KEY="$2" BACKUP_DESTINATION_DIRECTORY="$1" BACKUP_NAME="pg_${PG_CLUSTER_NAME}_backup_$(basename ${BACKUP_DESTINATION_DIRECTORY}).tar.gz" +POSTGRES_USER=$(cat /var/run/secrets/postgresql/postgres-credentials/username) +POSTGRES_PASSWORD=$(cat /var/run/secrets/postgresql/postgres-credentials/password) + source utils.sh function test_swift() { diff --git a/services/backup-daemon/docker/postgres/utils.py b/services/backup-daemon/docker/postgres/utils.py index 6674cf01..0e14682e 100644 --- a/services/backup-daemon/docker/postgres/utils.py +++ b/services/backup-daemon/docker/postgres/utils.py @@ -18,6 +18,7 @@ log = logging.getLogger("utils") +POSTGRES_CREDS_PATH = '/var/run/secrets/postgresql/postgres-credentials' def execute_query(conn_properties, query): conn = None 
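Review bot: `read_secret_file` in aws-s3-backup.sh strips the value with `tr -d '[:space:]'`, which deletes every whitespace character including interior spaces, while the Python readers added in this change use `.strip()` and only trim the ends; a password containing a space now differs between the shell and Python paths and the S3 backup authenticates with the wrong value. Use the same semantics everywhere — read the file and drop only the trailing newline, e.g. `IFS= read -r value < "$path"`. The assignments are also plain shell variables now rather than exported environment; if anything this script invokes (psql, pg_dump, a sourced helper) relied on `POSTGRES_USER`/`POSTGRES_PASSWORD` from the environment, they need `export`.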
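Review bot: In postgres_backup.sh the two `$(cat /var/run/secrets/postgresql/postgres-credentials/...)` lines have no failure handling: if the file is absent the script continues with an empty `POSTGRES_PASSWORD`, and since the backup-daemon Deployment in this change mounts the Secret at `/var/run/secrets/postgresql/` rather than the `postgres-credentials` subdirectory, that is the state as written. Check and abort: `[ -r /var/run/secrets/postgresql/postgres-credentials/password ] || { echo "postgres password file missing" >&2; exit 1; }`, and `export` the variables if downstream tools read them from the environment. The `read_secret_file` helper from aws-s3-backup.sh belongs in utils.sh, which this script already sources, so both scripts share one implementation.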
@@ -35,8 +36,8 @@ def get_version_of_pgsql_server(): conn_properties = { 'host': os.getenv('POSTGRES_HOST'), 'port': os.getenv('POSTGRES_PORT'), - 'user': os.getenv('POSTGRES_USER') or 'postgres', - 'password': os.getenv('POSTGRES_PASSWORD'), + 'user': read_secret_file(f'{POSTGRES_CREDS_PATH}/username', 'postgres'), + 'password': read_secret_file(f'{POSTGRES_CREDS_PATH}/password', ''), 'database': 'postgres', 'connect_timeout': int(os.getenv("CONNECT_TIMEOUT", "5")), } @@ -81,11 +82,24 @@ def get_encryption(): encrypt_backups = os.getenv("KEY_SOURCE", 'false').lower() return encrypt_backups != 'false' +def read_secret_file(path: str, default_val: str) -> str: + try: + with open(path, 'r') as f: + value = f.read().strip() + except OSError as e: + logging.error(f"Failed to read secret file {path}: {e}") + return default_val -def validate_user(username, password): + if not value: + logging.info(f"Secret file {path} is empty, using default value") + return default_val + + return value + +def validate_user(username: str, password: str) -> bool: if not os.getenv("AUTH", "false").lower() == "false": - return username == os.getenv("POSTGRES_USER") and \ - password == os.getenv("POSTGRES_PASSWORD") + return username == read_secret_file(f'{POSTGRES_CREDS_PATH}/username', "postgres") and \ + password == read_secret_file(f'{POSTGRES_CREDS_PATH}/password', "") else: return True diff --git a/services/backup-daemon/maintenance/recovery/recovery.py b/services/backup-daemon/maintenance/recovery/recovery.py index ff9e67c8..62cd0f2c 100644 --- a/services/backup-daemon/maintenance/recovery/recovery.py +++ b/services/backup-daemon/maintenance/recovery/recovery.py 
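Review bot: `validate_user` in the @@ -81 hunk now compares against `read_secret_file(f'{POSTGRES_CREDS_PATH}/password', "")`, so when the file is missing or empty — which it is as long as the backup-daemon Deployment in this change mounts the Secret at `/var/run/secrets/postgresql/` without the subdirectory — the expected password becomes `""` and any request presenting the default username with an empty password passes HTTP auth; with `os.getenv` a missing variable yielded `None`, which no supplied password could equal. Fail closed: if the password file cannot be read, return `False` (or refuse to start) instead of defaulting. The comparison should also use `hmac.compare_digest(password, expected)` rather than `==` to avoid a timing side channel, and `read_secret_file` logs through the root `logging` module while this file defines `log = logging.getLogger("utils")` a few lines above.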
@@ -64,6 +64,20 @@ Value can be '' if wal_archive is disabled and 'curl -v -S -f --connect-timeout 3 postgres-backup-daemon:8082/archive/get?filename=%f -o %p' if enabled. """ +_SECRET_FILE_PATH = "/var/run/secrets/postgresql/" +_PG_CREDS_PATH = _SECRET_FILE_PATH + "postgres-credentials/" + +def read_secret_file(path: str, default_val: str) -> str: + try: + with open(path, 'r') as f: + value = f.read().strip() + except OSError as e: + logging.error(f"Failed to read secret file {path}: {e}") + return default_val + if not value: + logging.info(f"Secret file {path} is empty, using default value") + return default_val + return value class PoolLogger(object): @@ -383,10 +397,10 @@ def statefulset_from_pod(pod_name: str) -> str: def download_archive(oc_client, recovery_pod_id, restore_version): if restore_version: - oc_client.oc_exec(recovery_pod_id, "sh -c 'cd {} ; curl -u postgres:\"$PG_ROOT_PASSWORD\" postgres-backup-daemon:8081/get?id={} | tar -xzf - '" - .format(pg_data_dir, restore_version)) + oc_client.oc_exec(recovery_pod_id, "sh -c 'cd {} ; curl -u postgres:\"$(cat /var/run/secrets/postgresql/postgres-credentials/password)\" postgres-backup-daemon:8081/get?id={} | tar -xzf - '" + .format(pg_data_dir, restore_version)) #do not touch yet else: - oc_client.oc_exec(recovery_pod_id, "sh -c 'cd {} ; curl -u postgres:\"$PG_ROOT_PASSWORD\" postgres-backup-daemon:8081/get | tar -xzf - '" + oc_client.oc_exec(recovery_pod_id, "sh -c 'cd {} ; curl -u postgres:\"$(cat /var/run/secrets/postgresql/postgres-credentials/password)\" postgres-backup-daemon:8081/get | tar -xzf - '" .format(pg_data_dir)) 
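Review bot: `download_archive` in the @@ -383 hunk runs `curl -u postgres:"$(cat /var/run/secrets/postgresql/postgres-credentials/password)"` inside the recovery pod, which only works if that pod has the `postgres-credentials` Secret mounted at exactly this path; the recovery pod's spec is not part of this change, and the operator-generated deployments here add that mount only to the monitoring, tests and replication-controller pods. If `cat` fails the command still runs as `postgres:` with an empty password and the failure surfaces only in curl's output, so guard it inside the same `sh -c` string with `test -r /var/run/secrets/postgresql/postgres-credentials/password || exit 1`. The `#do not touch yet` marker on the continuation line should become a proper comment or be removed. The enclosing function starts before the hunk.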
@@ -629,11 +643,11 @@ def perform_recovery(oc_openshift_url, oc_username, oc_password, oc_project, log.info("Try to validate backup {} against list of backups from {}".format(restore_version, backup_daemon_pod_id)) - backup_list = requests.get("http://localhost:8081/list", auth=('postgres', os.getenv('POSTGRES_PASSWORD'))) + backup_list = requests.get("http://localhost:8081/list", auth=('postgres', read_secret_file(_PG_CREDS_PATH + 'password', ""))) validate_restore_version(backup_list.json(), restore_version) elif recovery_target_time: log.info("Try to find backup id from specified recovery_target_time={}".format(recovery_target_time)) - backup_list = requests.get("http://localhost:8081/list", auth=('postgres', os.getenv('POSTGRES_PASSWORD'))) + backup_list = requests.get("http://localhost:8081/list", auth=('postgres', read_secret_file(_PG_CREDS_PATH + 'password', ""))) cluster_tz_name = oc_client.oc_exec(backup_daemon_pod_id, 'date "+%Z"').strip() log.debug("Cluster time zone: {}" + cluster_tz_name) diff --git a/services/backup-daemon/maintenance/recovery/utils_pg.py b/services/backup-daemon/maintenance/recovery/utils_pg.py index 39cf8e1a..ed1b136b 100644 --- a/services/backup-daemon/maintenance/recovery/utils_pg.py +++ b/services/backup-daemon/maintenance/recovery/utils_pg.py @@ -19,6 +19,20 @@ log = logging.getLogger() +_SECRET_FILE_PATH = "/var/run/secrets/postgresql/" +_PG_CREDS_PATH = _SECRET_FILE_PATH + "postgres-credentials/" + +def read_secret_file(path: str, default_val: str) -> str: + try: + with open(path, 'r') as f: + value = f.read().strip() + except OSError as e: + logging.error(f"Failed to read secret file {path}: {e}") + return default_val + if not value: + logging.info(f"Secret file {path} is empty, using default value") + return default_val + return value class PostgresqlClient: 
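Review bot: The password is read from `_PG_CREDS_PATH + 'password'` separately in both branches with default `""`, so if the file is not present where this script runs the request goes out with an empty password and the failure surfaces later as a JSON or validation error rather than as an auth failure. Read it once before the `if` (`pg_password = read_secret_file(_PG_CREDS_PATH + 'password', "")`), pass `auth=('postgres', pg_password)` in both calls, and call `backup_list.raise_for_status()` before `backup_list.json()` so a 401 from the daemon is reported as such. `perform_recovery` begins and ends outside this hunk.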
@@ -32,7 +46,7 @@ def execute_select_query(self, query): import os try: connection = psycopg2.connect(user="postgres", - password=os.getenv('POSTGRES_PASSWORD'), + password=read_secret_file(_PG_CREDS_PATH + 'password', ""), # host=os.getenv('POSTGRES_HOST'), port="5432", database="postgres") diff --git a/services/dbaas-adapter/adapter/main.go b/services/dbaas-adapter/adapter/main.go index ac13a39e..c477782a 100644 --- a/services/dbaas-adapter/adapter/main.go +++ b/services/dbaas-adapter/adapter/main.go @@ -40,6 +40,12 @@ import ( const ( appName = "postgresql" appPath = "/" + appName + + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" + adapterCredsPath = secretsBasePath + "dbaas-adapter-credentials/" + registrationCredsPath = secretsBasePath + "dbaas-aggregator-registration-credentials/" ) var ( @@ -49,8 +55,8 @@ var ( pgHost = flag.String("pg_host", util.GetEnv("POSTGRES_HOST", "127.0.0.1"), "Host of PostgreSQL cluster, env: POSTGRES_HOST") pgPort = flag.Int("pg_port", util.GetEnvInt("POSTGRES_PORT", 5432), "Port of PostgreSQL cluster, env: POSTGRES_PORT") - pgUser = flag.String("pg_user", util.GetEnv("POSTGRES_ADMIN_USER", "postgres"), "Username of dbaas user in PostgreSQL, env: POSTGRES_ADMIN_USER") - pgPass = flag.String("pg_pass", util.GetEnv("POSTGRES_ADMIN_PASSWORD", ""), "Password of dbaas user in PostgreSQL, env: POSTGRES_ADMIN_PASSWORD") + pgUser = flag.String("pg_user", util.ReadSecretFile(pgUserCredsPath+"username", "postgres"), "Username of dbaas user in PostgreSQL") + pgPass = flag.String("pg_pass", util.ReadSecretFile(pgUserCredsPath+"password", ""), "Password of dbaas user in PostgreSQL") pgDatabase = flag.String("pg_database", util.GetEnv("POSTGRES_DATABASE", "postgres"), "PostgreSQL database, env: POSTGRES_DATABASE") pgSsl = flag.String("pg_ssl", util.GetEnv("PG_SSL", "off"), "Enable ssl connection to postgreSQL, env: PG_SSL") 
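Review bot: After this change the function-local `import os` is only referenced by the commented-out `# host=os.getenv('POSTGRES_HOST')` line within the hunk, so unless `os` is used further down `execute_select_query` the import is dead and should go together with the commented line. `execute_select_query` continues outside this hunk, so the `try` block's `except` and the connection cleanup are not visible here.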
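Review bot: The new `pg_user`/`pg_pass` defaults are produced by `util.ReadSecretFile` at package initialisation, so `-help` output (`flag.PrintDefaults` prints non-empty string defaults) shows the contents of the mounted secret as the default of `pg_pass` — as the env-based default did before — and the usage text no longer tells the operator where the value comes from. Keep the source in the usage string, e.g. `"Password of dbaas user in PostgreSQL, read from " + pgUserCredsPath + "password"`, and consider an empty flag default with the secret read after `flag.Parse()` so the secret never appears in help text. The same pattern is used for `serve_pass` and `registration_password` in the next hunk and for `pg_pass`/`server_pass` in the replication-controller `main.go` later in this diff. The `var (` block starts inside this hunk but ends beyond it.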
@@ -71,13 +77,13 @@ var ( servePort = flag.Int("serve_port", 8080, "Port to serve requests incoming to adapter") serveUser = flag.String( "serve_user", - util.GetEnv("DBAAS_ADAPTER_API_USER", "dbaas-aggregator"), - "Username to authorize incoming requests, env: DBAAS_ADAPTER_API_USER", + util.ReadSecretFile(adapterCredsPath+"username", "dbaas-aggregator"), + "Username to authorize incoming requests", ) servePass = flag.String( "serve_pass", - util.GetEnv("DBAAS_ADAPTER_API_PASSWORD", "dbaas-aggregator"), - "Password to authorize incoming requests, env: DBAAS_ADAPTER_API_PASSWORD", + util.ReadSecretFile(adapterCredsPath+"password", "dbaas-aggregator"), + "Password to authorize incoming requests", ) phydbid = flag.String( @@ -100,14 +106,14 @@ var ( dbaasAggregatorRegistrationUsername = flag.String( "registration_username", - util.GetEnv("DBAAS_AGGREGATOR_REGISTRATION_USERNAME", "cluster-dba"), - "Username of basic auth to reach aggregator for registration, env DBAAS_AGGREGATOR_REGISTRATION_USERNAME ", + util.ReadSecretFile(registrationCredsPath+"username", "cluster-dba"), + "Username of basic auth to reach aggregator for registration", ) dbaasAggregatorRegistrationPassword = flag.String( "registration_password", - util.GetEnv("DBAAS_AGGREGATOR_REGISTRATION_PASSWORD", ""), - "Username of basic auth to reach aggregator for registration, env DBAAS_AGGREGATOR_REGISTRATION_PASSWORD ", + util.ReadSecretFile(registrationCredsPath+"password", ""), + "Password of basic auth to reach aggregator for registration", ) labelsFileName = flag.String( diff --git a/services/dbaas-adapter/adapter/util/util.go b/services/dbaas-adapter/adapter/util/util.go index e1d48f83..7a0acbdd 100644 --- a/services/dbaas-adapter/adapter/util/util.go +++ b/services/dbaas-adapter/adapter/util/util.go @@ -24,6 +24,7 @@ import ( "k8s.io/client-go/rest" "os" "strconv" + "strings" ) const ( 
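Review bot: `serve_pass` still falls back to the fixed string `"dbaas-aggregator"` when `adapterCredsPath+"password"` cannot be read, so a pod whose secret volume is missing or empty starts up accepting a password that is written in the source, and `ReadSecretFile` only logs the read failure. Use `""` as the fallback and refuse to serve when the resulting password is empty — after `flag.Parse()`, check `*servePass == ""` and exit with an error that names the secret path. The replication-controller `main.go` hunk later in this diff has the same fallback (`"logical-repl-password"` for `server_pass`) and needs the same treatment. The `var (` block starts before this hunk and ends after it.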
@@ -135,6 +136,22 @@ func GetEnvBool(key string, fallback bool) bool {
 return fallback
 }
+func ReadSecretFile(path string, defaultVal string) string {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ log.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err))
+ return defaultVal
+ }
+
+ value := strings.TrimSpace(string(data))
+
+ if value == "" {
+ log.Info(fmt.Sprintf("Secret file %s is empty, using default value", path))
+ return defaultVal
+ }
+ return value
+}
+
 func GetK8sClient() (*kubernetes.Clientset, error) {
 config, err := rest.InClusterConfig()
 if err != nil {
diff --git a/services/monitoring-agent/collector/pkg/initiate/initiate.go b/services/monitoring-agent/collector/pkg/initiate/initiate.go
index 7cbf5640..580dcee7 100644
--- a/services/monitoring-agent/collector/pkg/initiate/initiate.go
+++ b/services/monitoring-agent/collector/pkg/initiate/initiate.go
@@ -26,6 +26,12 @@ import (
 "k8s.io/apimachinery/pkg/types"
 )
+const (
+ secretsBasePath = "/var/run/secrets/postgresql/"
+ monitoringUserCredsPath = secretsBasePath + "monitoring-user-credentials/"
+ pgUserCredsPath = secretsBasePath + "postgres-credentials/"
+)
+
 var (
 logger = util.GetLogger()
 ctx = context.Background()
@@ -36,8 +42,8 @@ func InitMetricCollector() {
 logger.Info("Will run preparation scripts")
 clusterName := util.GetEnv("PGCLUSTER", "patroni")
- monitoringRole := util.GetEnv("MONITORING_USER", "monitoring-user")
- monitoringPassword := util.GetEnv("MONITORING_PASSWORD", "monitoring_password")
+ monitoringRole := util.ReadSecretFile(monitoringUserCredsPath+"username", "")
+ monitoringPassword := util.ReadSecretFile(monitoringUserCredsPath+"password", "")
 pgHost := util.GetEnv("POSTGRES_HOST", "pg-patroni")
 pgPort := util.GetEnvInt("POSTGRES_PORT", 5432)
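Review bot: `ReadSecretFile` folds every failure — missing mount, permission denied, empty file — into the caller's default, which for the password callers in this diff is `""`; the only trace is a log line, so a missing secret surfaces much later as an authentication failure against PostgreSQL or the aggregator. Consider a second entry point that returns the error (`ReadSecretFileE(path string) (string, error)`) for callers that cannot work without the value, keeping this one for optional values. `log.Error(fmt.Sprintf(...))` also flattens the path and error into the message; if `log` is a zap logger as in the sibling packages, `log.Error("failed to read secret file", zap.String("path", path), zap.Error(err))` keeps them as fields. The same helper is copied into the monitoring-agent, pgbackrest-sidecar and replication-controller util packages later in this diff, each copy standing alone.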
@@ -80,8 +86,8 @@ func InitMetricCollector() { func getPGCredentials(clusterName string) (user, password string) { namespace := util.GetEnv("NAMESPACE", "postgres-service") - user = util.GetEnv("PG_ROOT_USER", "") - password = util.GetEnv("PG_ROOT_PASSWORD", "") + user = util.ReadSecretFile(pgUserCredsPath+"username", "") + password = util.ReadSecretFile(pgUserCredsPath+"password", "") if user != "" || password != "" { return user, password diff --git a/services/monitoring-agent/collector/pkg/postgres/client.go b/services/monitoring-agent/collector/pkg/postgres/client.go index 71a1a5ba..58a55feb 100644 --- a/services/monitoring-agent/collector/pkg/postgres/client.go +++ b/services/monitoring-agent/collector/pkg/postgres/client.go @@ -26,13 +26,20 @@ import ( "go.uber.org/zap" ) +const ( + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" + +) + var logger = util.GetLogger() var ( PgHost = util.GetEnv("POSTGRES_HOST", "pg-patroni") PgPort = util.GetEnvInt("POSTGRES_PORT", 5432) - PgUser = util.GetEnv("MONITORING_USER", "monitoring-user") - PgPass = util.GetEnv("MONITORING_PASSWORD", "monitoring_password") + PgUser = util.ReadSecretFile(pgUserCredsPath+"username", "") + PgPass = util.ReadSecretFile(pgUserCredsPath+"password", "") PgDatabase = util.GetEnv("POSTGRES_DATABASE", "postgres") PgSsl = util.GetEnv("PGSSLMODE", "prefer") ) diff --git a/services/monitoring-agent/collector/pkg/util/util.go b/services/monitoring-agent/collector/pkg/util/util.go index ae572b68..cd402ec2 100644 --- a/services/monitoring-agent/collector/pkg/util/util.go +++ b/services/monitoring-agent/collector/pkg/util/util.go 
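Review bot: `if user != "" || password != ""` accepts a half-read credential pair: with file-backed secrets a readable `username` file next to an unreadable or empty `password` file now returns the username with an empty password instead of reaching whatever lookup follows the `return`. If both values are required together, change the condition to `if user != "" && password != "" {`. The rest of `getPGCredentials`, including that fallback path, is outside this hunk.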
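Review bot: `PgUser`/`PgPass` previously came from `MONITORING_USER`/`MONITORING_PASSWORD` but are now read from `pgUserCredsPath`, i.e. the `postgres-credentials` secret, so the metric collector's connection would run as the PostgreSQL superuser rather than the monitoring role; `initiate.go` in this same diff defines `monitoringUserCredsPath` (`monitoring-user-credentials/`) for that role and `util.go` adds `metricCollectorCredentialsFolder` pointing at the same directory. Unless the switch to superuser credentials is intended, point these two lines at the monitoring secret: `PgUser = util.ReadSecretFile(secretsBasePath+"monitoring-user-credentials/username", "")` and the matching line for `PgPass`. The stray blank line before `)` in the new `const` block should also go.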
@@ -58,7 +58,12 @@ var (
 debugEnabled = GetEnv("DEBUG_ENABLED", "false")
 )
-const certificatesFolder = "/certs"
+const (
+ secretsBasePath = "/var/run/secrets/postgresql/"
+
+ certificatesFolder = "/certs"
+ metricCollectorCredentialsFolder = secretsBasePath + "monitoring-user-credentials/"
+)
 func GetLogger() *zap.Logger {
 cfg := zap.NewProductionConfig()
@@ -92,6 +97,22 @@ func GetProtocol() (string, string) {
 }
+func ReadSecretFile(path string, defaultVal string) string {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ Log.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err))
+ return defaultVal
+ }
+
+ value := strings.TrimSpace(string(data[:]))
+
+ if value == "" {
+ Log.Info(fmt.Sprintf("Secret file %s is empty, using default value", path))
+ return defaultVal
+ }
+ return value
+}
+
 func GetToken() string {
 tokenByte, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
 if err != nil {
diff --git a/services/patroni/scripts/archive_wal.sh b/services/patroni/scripts/archive_wal.sh
index 4aa75e5b..2f3bea98 100644
--- a/services/patroni/scripts/archive_wal.sh
+++ b/services/patroni/scripts/archive_wal.sh
@@ -19,7 +19,8 @@ f="${2}"
 set +x
-export `cat /proc/1/environ | tr '\0' '\n' | grep PG_ROOT_PASSWORD`
+#export `cat /proc/1/environ | tr '\0' '\n' | grep PG_ROOT_PASSWORD`
+PG_ROOT_PASSWORD=`cat /var/run/secrets/postgresql/postgres-credentials/password | tr '\0' '\n' | grep PG_ROOT_PASSWORD | cut -d "=" -f2`
 sha256sum -b "$p" | cut -d " " -f1 | xargs -I {} echo sha256={} | \
 python3 -c "import sys; print(chr(38) + sys.stdin.read().strip())" | \
diff --git a/services/pgbackrest-sidecar/pkg/utils/utils.go b/services/pgbackrest-sidecar/pkg/utils/utils.go
index 0a4a8cba..b3fadc26 100644
--- a/services/pgbackrest-sidecar/pkg/utils/utils.go
+++ b/services/pgbackrest-sidecar/pkg/utils/utils.go
@@ -20,6 +20,8 @@ import (
 "fmt"
 "os"
 "os/exec"
+ "strings"
+
 "go.uber.org/zap"
 "go.uber.org/zap/zapcore"
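Review bot: The new assignment pipes the secret file through `grep PG_ROOT_PASSWORD | cut -d "=" -f2`, but the mounted file holds only the password value (the other consumers in this diff `cat` it directly or `TrimSpace` it), so `grep` matches nothing and `PG_ROOT_PASSWORD` ends up empty; it is also no longer `export`ed, so a child process that relied on the previous `export` will not see it. Replace the two added lines with `PG_ROOT_PASSWORD="$(cat /var/run/secrets/postgresql/postgres-credentials/password)"` followed by `export PG_ROOT_PASSWORD`, and delete the commented-out `/proc/1/environ` line rather than keeping it. The `tr '\0' '\n'` filter carried over from the environ parsing has no purpose on a plain file. The rest of the script, where the variable is consumed, is outside this hunk, so whether the export is still needed there should be confirmed.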
@@ -88,3 +90,19 @@ func GetLogger() *zap.Logger {
 defer func() { _ = logger.Sync() }()
 return logger
 }
+
+func ReadSecretFile(path, defaultVal string) string {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ logger.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err))
+ return defaultVal
+ }
+
+ value := strings.TrimSpace(string(data[:]))
+
+ if value == "" {
+ logger.Info(fmt.Sprintf("Secret file %s is empty, using default value", path))
+ return defaultVal
+ }
+ return value
+}
\ No newline at end of file
diff --git a/services/query-exporter/build/bin/entrypoint b/services/query-exporter/build/bin/entrypoint
index 837b791a..4de5cd62 100755
--- a/services/query-exporter/build/bin/entrypoint
+++ b/services/query-exporter/build/bin/entrypoint
@@ -1,3 +1,14 @@
 #!/bin/sh -e
-exec ${EXPORTER_FILE} $@
+read_secret() {
+ local path="$1"
+
+ if [ -f "$path" ]; then
+ cat "$path"
+ fi
+}
+
+POSTGRES_USER="$(read_secret /var/run/secrets/postgresql/postgres-credentials/username)"
+POSTGRES_PASSWORD="$(read_secret /var/run/secrets/postgresql/postgres-credentials/password)"
+
+POSTGRES_USER="${POSTGRES_USER}" POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" exec ${EXPORTER_FILE} $@
\ No newline at end of file
diff --git a/services/replication-controller/cmd/pgskipper-replication-controller/main.go b/services/replication-controller/cmd/pgskipper-replication-controller/main.go
index 0a10ad58..696623f7 100644
--- a/services/replication-controller/cmd/pgskipper-replication-controller/main.go
+++ b/services/replication-controller/cmd/pgskipper-replication-controller/main.go
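Review bot: `ReadSecretFile` calls `logger.Error`/`logger.Info`, but the only `logger` visible in this file is the local variable inside `GetLogger()`; unless a package-level `logger` exists above this hunk the new function will not compile, and if one does exist it is shadowed inside `GetLogger`, which is confusing — call `GetLogger().Error(...)` or give the package-level logger a distinct name. `string(data[:])` is the same as `string(data)`; drop the slice. The file is also left without a trailing newline (`\ No newline at end of file`), which `gofmt` would restore.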
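Review bot: `POSTGRES_USER="$(read_secret …)"` overwrites any `POSTGRES_USER`/`POSTGRES_PASSWORD` supplied in the container environment with the empty string whenever the secret file is absent (`read_secret` prints nothing in that case), and the exec line then hands those empty values to the exporter, whereas the previous version passed the environment through untouched. Only override when the file yielded a value, and quote the argument list as `"$@"` so arguments with spaces survive. `local` is not POSIX `sh`; it works on dash and busybox but deserves a comment given the `#!/bin/sh` shebang. The file also lacks a trailing newline.
```sh
#!/bin/sh -e
# … unchanged: read_secret() …

secret_user="$(read_secret /var/run/secrets/postgresql/postgres-credentials/username)"
secret_password="$(read_secret /var/run/secrets/postgresql/postgres-credentials/password)"

# Prefer the mounted secret; keep an environment-supplied value when the file is absent.
if [ -n "$secret_user" ]; then POSTGRES_USER="$secret_user"; fi
if [ -n "$secret_password" ]; then POSTGRES_PASSWORD="$secret_password"; fi

POSTGRES_USER="${POSTGRES_USER}" POSTGRES_PASSWORD="${POSTGRES_PASSWORD}" exec ${EXPORTER_FILE} "$@"
```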
@@ -37,25 +37,30 @@ const ( usersPath = "/users" httpsPort = 8443 + + secretsBasePath = "/var/run/secrets/postgresql/" + + pgUserCredsPath = secretsBasePath + "postgres-credentials/" + apiUserCredsPath = secretsBasePath + "logical-repl-credentials/" ) var ( pgHost = flag.String("pg_host", utils.GetEnv("POSTGRES_HOST", "127.0.0.1"), "Host of PostgreSQL cluster, env: POSTGRES_HOST") pgPort = flag.Int("pg_port", utils.GetEnvInt("POSTGRES_PORT", 5432), "Port of PostgreSQL cluster, env: POSTGRES_PORT") - pgUser = flag.String("pg_user", utils.GetEnv("POSTGRES_ADMIN_USER", "postgres"), "Username of controller user in PostgreSQL, env: POSTGRES_ADMIN_USER") - pgPass = flag.String("pg_pass", utils.GetEnv("POSTGRES_ADMIN_PASSWORD", ""), "Password of controller user in PostgreSQL, env: POSTGRES_ADMIN_PASSWORD") + pgUser = flag.String("pg_user", utils.ReadSecretFile(pgUserCredsPath+"username", "postgres"), "Username of controller user in PostgreSQL") + pgPass = flag.String("pg_pass", utils.ReadSecretFile(pgUserCredsPath+"password", ""), "Password of controller user in PostgreSQL") pgSsl = flag.String("pg_ssl", utils.GetEnv("PG_SSL", "off"), "Enable ssl connection to postgreSQL, env: PG_SSL") servePort = flag.Int("serve_port", 8080, "Port to serve requests incoming to controller") serveUser = flag.String( "server_user", - utils.GetEnv("API_USER", "logical-repl-user"), - "Username to authorize incoming requests, env: API_USER", + utils.ReadSecretFile(apiUserCredsPath+"username", "logical-repl-user"), + "Username to authorize incoming requests", ) servePass = flag.String( "server_pass", - utils.GetEnv("API_PASSWORD", "logical-repl-password"), - "Password to authorize incoming requests, env: API_PASSWORD", + utils.ReadSecretFile(apiUserCredsPath+"password", "logical-repl-password"), + "Password to authorize incoming requests", ) log = utils.GetLogger() 
diff --git a/services/replication-controller/pkg/utils/utils.go b/services/replication-controller/pkg/utils/utils.go index c87cb70f..7f22a52d 100644 --- a/services/replication-controller/pkg/utils/utils.go +++ b/services/replication-controller/pkg/utils/utils.go @@ -20,6 +20,7 @@ import ( "fmt" "os" "strconv" + "strings" "github.com/gofiber/fiber/v2" "github.com/google/uuid" @@ -87,6 +88,22 @@ func GetEnvBool(key string, fallback bool) bool { return fallback } +func ReadSecretFile(path, defaultVal string) string { + data, err := os.ReadFile(path) + if err != nil { + log.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err)) + return defaultVal + } + + value := strings.TrimSpace(string(data)) + + if value == "" { + log.Info(fmt.Sprintf("Secret file %s is empty, using default value", path)) + return defaultVal + } + return value +} + func ContextLogger(ctx context.Context) *zap.Logger { logger := GetLogger() return logger.With(zap.ByteString("request_id", []byte(fmt.Sprintf("%s", ctx.Value(RequestId("request_id")))))) diff --git a/services/upgrade/docker/start.sh b/services/upgrade/docker/start.sh index 2b3b651e..f51868f1 100755 --- a/services/upgrade/docker/start.sh +++ b/services/upgrade/docker/start.sh @@ -107,7 +107,7 @@ function handle_master_upgrade() { --old-bindir "/usr/lib/postgresql/${PG_VERSION}/bin" \ --new-bindir "/usr/lib/postgresql/${PG_VERSION_TARGET}/bin" \ --check \ - > /var/lib/pgsql/data/check_result + > /var/lib/pgsql/data/check_result 2>&1 CHECK_CODE=$? diff --git a/tests/robot/Lib/lib.robot b/tests/robot/Lib/lib.robot index 079c4298..e2c443f2 100644 --- a/tests/robot/Lib/lib.robot +++ b/tests/robot/Lib/lib.robot 
@@ -11,6 +11,8 @@ Library ../Lib/pgsLibrary.py namespace=${NAMESPACE} ssl_mode=${PGSSL ${NAMESPACE} %{POD_NAMESPACE} ${PGSSLMODE} %{PGSSLMODE} ${INTERNAL_TLS_ENABLED} %{INTERNAL_TLS_ENABLED} +${PG_ROOT_PASSWORD_PATH} /var/run/secrets/postgresql/postgres-credentials/password +${PG_ROOT_USERNAME_PATH} /var/run/secrets/postgresql/postgres-credentials/username *** Keywords *** Checks Before Tests @@ -335,7 +337,7 @@ Check /backups Endpoint For Granular Backups ... response code should be `200` and response should contain `storage` key ... and `status` key with `UP` value ... - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} ${PGSSLMODE}= Get Environment Variable PGSSLMODE ${scheme}= Set Variable If '${PGSSLMODE}' == 'require' https http @@ -372,7 +374,7 @@ Check Enabled Auth ${resp}= GET On Session postgres_backup_daemon /delete/test?namespace=test Should Be Equal ${resp.status_code} ${401} #set auth credentials - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} Create Granular Backup ${name_space} ${auth} ${databases} #wait backup complete @@ -445,3 +447,12 @@ Check Backup Api With Broken Metric File Wait Replica Pods In Up State ${replicas_status}= Wait Replica Pods Scale up Should Be Equal ${replicas_status} ${True} + +Get Secret Or Env + [Arguments] ${env_name} ${file_path} + ${value}= Get Environment Variable ${env_name} default=${EMPTY} + IF not $value + ${value}= Get File ${file_path} + ${value}= Strip String ${value} + END + RETURN ${value} diff --git a/tests/robot/Lib/pgsLibrary.py b/tests/robot/Lib/pgsLibrary.py index 248f6fb8..a75878e6 100644 --- a/tests/robot/Lib/pgsLibrary.py +++ b/tests/robot/Lib/pgsLibrary.py 
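Review bot: `Get Secret Or Env` consults the environment variable first and reads the file only when it is empty, so the keyword name reads backwards and a stale `PG_ROOT_PASSWORD` in the test environment silently wins over the mounted secret; if the secret is the intended source, read the file first and fall back to the environment. `Get File` raises when the path does not exist, so the fallback is one-directional — if the file should be optional, guard it with `${exists}=  Run Keyword And Return Status  File Should Exist  ${file_path}` before `Get File`. A one-line `[Documentation]` stating the precedence order would make the behaviour clear to the suites that call it.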
@@ -32,6 +32,8 @@ log = logging.getLogger() log.setLevel(logging.DEBUG) +POSTGRES_CREDS_PATH = "/var/run/secrets/postgresql/postgres-credentials" + class pgsLibrary(object): def __init__(self, namespace, ssl_mode, internal_tls): self._namespace = namespace @@ -247,7 +249,7 @@ def get_replica_count(self, dc_name): @keyword('Execute Query') def execute_query(self, host, query, dbname='postgres'): - password = os.getenv("PG_ROOT_PASSWORD") + password = self.read_secret_file(POSTGRES_CREDS_PATH + "/password", "") connection_properties = { 'host': host, 'password': password, @@ -415,8 +417,8 @@ def get_pg_version(self): def connection_for_pg(self): conn = psycopg2.connect(dbname='postgres', - user=os.getenv('POSTGRES_USER', "postgres"), - password=os.getenv('PG_ROOT_PASSWORD'), + user=self.read_secret_file(POSTGRES_CREDS_PATH + "/username", "postgres"), + password=self.read_secret_file(POSTGRES_CREDS_PATH + "/password", ""), host="pg-" + os.getenv("PG_CLUSTER_NAME", "patroni")) return conn @@ -821,6 +823,20 @@ def get_dd_images_from_config_map(self, config_map_name): def get_image_from_resource(self, type, name, container_name): return self.pl_lib.get_resource_image(type, name, self._namespace, container_name) + def read_secret_file(self, path: str, default_val: str) -> str: + try: + with open(path, "r") as f: + value = f.read().strip() + except OSError as e: + logging.error(f"Failed to read secret file {path}: {e}") + return default_val + + if not value: + logging.info(f"Secret file {path} is empty, using default value") + return default_val + + return value + @keyword def check_container_hardening(self, part_of=None, namespace=None, exclusions=None): self.pl_lib.check_container_hardening(part_of=part_of, namespace=namespace or self._namespace, exclusions=exclusions) diff --git a/tests/robot/check_full_backup_api/check_backup_api_auth.robot b/tests/robot/check_full_backup_api/check_backup_api_auth.robot index 76259a2b..7cb325f9 100644 
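Review bot: `execute_query` and `connection_for_pg` now take the credentials only from `POSTGRES_CREDS_PATH` with no environment fallback, while the Robot keyword `Get Secret Or Env` added in lib.robot in this same diff still honours `PG_ROOT_PASSWORD`/`POSTGRES_USER` from the environment; a test run without the secret mount therefore passes the Robot-side auth setup but fails inside this library with an empty password. Either give `read_secret_file` the same environment fallback or drop it on the Robot side so the two paths agree. `read_secret_file` does not use `self`; mark it `@staticmethod` (existing `self.read_secret_file(...)` calls keep working) and give it a short docstring naming the two fallback cases. The enclosing class `pgsLibrary` extends well beyond these hunks.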
--- a/tests/robot/check_full_backup_api/check_backup_api_auth.robot +++ b/tests/robot/check_full_backup_api/check_backup_api_auth.robot @@ -30,7 +30,7 @@ Check Enabled Auth Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:8081 ${resp}= GET On Session postgres_backup_daemon /backups/list expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:8081 auth=${auth} ${resp}= GET On Session postgres_backup_daemon /backups/list diff --git a/tests/robot/check_granular_api/check_granular_backups_list_auth_api.robot b/tests/robot/check_granular_api/check_granular_backups_list_auth_api.robot index 7a5b155e..994e3f6b 100644 --- a/tests/robot/check_granular_api/check_granular_backups_list_auth_api.robot +++ b/tests/robot/check_granular_api/check_granular_backups_list_auth_api.robot @@ -12,7 +12,7 @@ Create Backup And Wait Create Backup And Wait Till Complete ${name_space} Check Backup List - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} # wait while daemon will start backup ${backups_in_namespace}= Create Dictionary diff --git a/tests/robot/check_granular_api/check_granular_restore_added_data_after_backup.robot b/tests/robot/check_granular_api/check_granular_restore_added_data_after_backup.robot index b325e73e..dfe845d5 100644 --- a/tests/robot/check_granular_api/check_granular_restore_added_data_after_backup.robot +++ b/tests/robot/check_granular_api/check_granular_restore_added_data_after_backup.robot 
@@ -97,7 +97,7 @@ Check Enabled Auth With Restore Added Data After Backup Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 ${resp}= POST On Session postgres_backup_daemon /restore/request expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} ${PG_CLUSTER_NAME}= Get Environment Variable PG_CLUSTER_NAME default=patroni ${POSTGRES_USER}= Get Environment Variable POSTGRES_USER default=postgres diff --git a/tests/robot/check_granular_api/check_granular_restore_backup_auth_api.robot b/tests/robot/check_granular_api/check_granular_restore_backup_auth_api.robot index 594cc871..91730433 100644 --- a/tests/robot/check_granular_api/check_granular_restore_backup_auth_api.robot +++ b/tests/robot/check_granular_api/check_granular_restore_backup_auth_api.robot @@ -89,7 +89,7 @@ Check Enabled Auth Regular Backup Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 ${resp}= POST On Session postgres_backup_daemon /restore/request expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} ${PG_CLUSTER_NAME}= Get Environment Variable PG_CLUSTER_NAME default=patroni ${POSTGRES_USER}= Get Environment Variable POSTGRES_USER default=postgres 
@@ -154,7 +154,7 @@ Check Enabled Auth Failed Backup Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 ${resp}= POST On Session postgres_backup_daemon /restore/request expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORDF + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 auth=${auth} ${name_space}= Get Current Date result_format=%Y%m%d%H%M diff --git a/tests/robot/check_granular_api/check_granular_restore_backup_with_new_names_auth.robot b/tests/robot/check_granular_api/check_granular_restore_backup_with_new_names_auth.robot index 63464027..1a8ba51b 100644 --- a/tests/robot/check_granular_api/check_granular_restore_backup_with_new_names_auth.robot +++ b/tests/robot/check_granular_api/check_granular_restore_backup_with_new_names_auth.robot @@ -87,7 +87,7 @@ Check Enabled Auth With Db Name Change Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 ${resp}= POST On Session postgres_backup_daemon /restore/request expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} ${PG_CLUSTER_NAME}= Get Environment Variable PG_CLUSTER_NAME default=patroni ${POSTGRES_USER}= Get Environment Variable POSTGRES_USER default=postgres diff --git a/tests/robot/check_granular_api/check_granular_restore_backup_with_roles_auth.robot b/tests/robot/check_granular_api/check_granular_restore_backup_with_roles_auth.robot index b391657d..da50e059 100644 --- a/tests/robot/check_granular_api/check_granular_restore_backup_with_roles_auth.robot 
+++ b/tests/robot/check_granular_api/check_granular_restore_backup_with_roles_auth.robot @@ -79,7 +79,7 @@ Check Enabled Auth With Roles Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 ${resp}= POST On Session postgres_backup_daemon /restore/request expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} ${PG_CLUSTER_NAME}= Get Environment Variable PG_CLUSTER_NAME default=patroni ${POSTGRES_USER}= Get Environment Variable POSTGRES_USER default=postgres diff --git a/tests/robot/check_granular_api/check_granular_restore_status_auth_api.robot b/tests/robot/check_granular_api/check_granular_restore_status_auth_api.robot index 919333a5..a684c144 100644 --- a/tests/robot/check_granular_api/check_granular_restore_status_auth_api.robot +++ b/tests/robot/check_granular_api/check_granular_restore_status_auth_api.robot @@ -94,7 +94,7 @@ Check Enabled Auth restore endpoint ${resp}= Get On Session postgres_backup_daemon url=/restore/status/test expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} ${PG_CLUSTER_NAME}= Get Environment Variable PG_CLUSTER_NAME default=patroni ${POSTGRES_USER}= Get Environment Variable POSTGRES_USER default=postgres 
@@ -162,7 +162,7 @@ Check Enabled Auth not existing ${resp}= Get On Session postgres_backup_daemon url=/restore/status/test expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 auth=${auth} diff --git a/tests/robot/check_granular_api/check_granular_restore_with_owner_auth.robot b/tests/robot/check_granular_api/check_granular_restore_with_owner_auth.robot index 09ff59f3..7ce16a59 100644 --- a/tests/robot/check_granular_api/check_granular_restore_with_owner_auth.robot +++ b/tests/robot/check_granular_api/check_granular_restore_with_owner_auth.robot @@ -90,7 +90,7 @@ Check Enabled Auth With Owner Of DB Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 ${resp}= POST On Session postgres_backup_daemon /restore/request expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 auth=${auth} ${name_space}= Get Current Date result_format=%Y%m%d%H%M diff --git a/tests/robot/check_granular_api/check_granular_restore_with_specified_dbs.robot b/tests/robot/check_granular_api/check_granular_restore_with_specified_dbs.robot index c1ff418e..5b948723 100644 --- a/tests/robot/check_granular_api/check_granular_restore_with_specified_dbs.robot +++ b/tests/robot/check_granular_api/check_granular_restore_with_specified_dbs.robot 
@@ -99,7 +99,7 @@ Check Enabled Auth With Specified DBs Create Session postgres_backup_daemon ${scheme}://postgres-backup-daemon:9000 ${resp}= POST On Session postgres_backup_daemon /restore/request expected_status=401 Should Be Equal ${resp.status_code} ${401} - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} ${PG_CLUSTER_NAME}= Get Environment Variable PG_CLUSTER_NAME default=patroni ${POSTGRES_USER}= Get Environment Variable POSTGRES_USER default=postgres diff --git a/tests/robot/check_scale_down_backup_daemon/check_scale_down_backup_daemon.robot b/tests/robot/check_scale_down_backup_daemon/check_scale_down_backup_daemon.robot index e88689b0..5cc4b3b5 100644 --- a/tests/robot/check_scale_down_backup_daemon/check_scale_down_backup_daemon.robot +++ b/tests/robot/check_scale_down_backup_daemon/check_scale_down_backup_daemon.robot @@ -17,7 +17,7 @@ Setup Set Suite Variable ${db_name} test_ha_backup_${postfix} Make Backup And Return ID - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List postgres ${PG_ROOT_PASSWORD} ${databases}= Create List ${db_name} &{data}= Create Dictionary databases=${databases} diff --git a/tests/robot/check_terminate_backup_api/keywords.robot b/tests/robot/check_terminate_backup_api/keywords.robot index 3a073c0b..20a90be5 100644 --- a/tests/robot/check_terminate_backup_api/keywords.robot +++ b/tests/robot/check_terminate_backup_api/keywords.robot 
@@ -34,7 +34,7 @@ Check Authorization Should Be Equal ${resp.status_code} ${401} Prepare Auth - ${POSTGRES_USER}= Get Environment Variable POSTGRES_USER default=postgres - ${PG_ROOT_PASSWORD}= Get Environment Variable PG_ROOT_PASSWORD + ${POSTGRES_USER}= Get Secret Or Env POSTGRES_USER ${PG_ROOT_USERNAME_PATH} + ${PG_ROOT_PASSWORD}= Get Secret Or Env PG_ROOT_PASSWORD ${PG_ROOT_PASSWORD_PATH} ${auth}= Create List ${POSTGRES_USER} ${PG_ROOT_PASSWORD} RETURN ${auth}
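Review bot: `Prepare Auth` loses the `default=postgres` that `Get Environment Variable POSTGRES_USER` used to carry: with `Get Secret Or Env`, an environment without `POSTGRES_USER` and without the mounted username file now fails inside `Get File` instead of falling back to `postgres`. The other suites touched in this diff (the `check_granular_restore_*` files) still read `POSTGRES_USER` with `Get Environment Variable … default=postgres`, so the two paths disagree; pick one, and if the keyword is kept here give it a default argument in lib.robot (e.g. `${default}=${EMPTY}`) returned when both sources are empty, passing `postgres` from this call. `Prepare Auth` is fully inside the hunk; `Check Authorization` starts before it.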