31 changes: 16 additions & 15 deletions operator/charts/patroni-core/templates/deployment.yaml
Expand Up @@ -67,6 +67,13 @@ spec:
readOnly: true
{{ end }}
{{ end }}
volumeMounts:
- mountPath: /var/run/secrets/postgresql/postgres-credentials
name: postgres-credentials
readOnly: true
- mountPath: /var/run/secrets/postgresql/replicator-credentials
name: replicator-credentials
readOnly: true
env:
- name: WATCH_NAMESPACE
valueFrom:
Expand Down Expand Up @@ -96,21 +103,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PG_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
- name: PG_ADMIN_USER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: username
- name: PG_REPLICATOR_PASSWORD
valueFrom:
secretKeyRef:
name: replicator-credentials
key: password
- name: GLOBAL_SECURITY_CONTEXT
value: {{ .Values.GLOBAL_SECURITY_CONTEXT | quote | default ("true" | quote) }}
- name: CLOUD_PUBLIC_HOST
Expand Down Expand Up @@ -163,6 +155,15 @@ spec:
secretName: {{ default "cloudsql-instance-credentials" .Values.externalDataBase.authSecretName }}
{{ end }}
{{ end }}
volumes:
- name: postgres-credentials
secret:
defaultMode: 420
secretName: postgres-credentials
- name: replicator-credentials
secret:
defaultMode: 420
secretName: replicator-credentials
tolerations:
{{- range $tKey, $t := .Values.policies.tolerations }}
- key: {{ $t.key }}
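Review bot: The two secret volumes added at the end of this section (`postgres-credentials`, `replicator-credentials`) declare `defaultMode: 420` (0644), while the same PR mounts the root credentials in backup.go with mode 0400; credential files should get the tighter mode consistently across the charts and the Go code, e.g. `defaultMode: 256` with a trailing `# 0400` comment to avoid octal-literal ambiguity in YAML. Before tightening, confirm the operator's pod security context (outside the hunk): an owner-only mode is unreadable to a non-root container unless the pod sets an `fsGroup`. The mount paths here do line up with `pgUserCredsPath` in client.go (`/var/run/secrets/postgresql/postgres-credentials/`), which is not the case for the patroni-services chart in this PR.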
32 changes: 0 additions & 32 deletions operator/charts/patroni-services/templates/_helpers.tpl
Expand Up @@ -118,38 +118,6 @@ K8s Platform envs
value: "https://kubernetes.default:443"
{{- end }}

{{/*
POSTGRES ADMIN env variables for DBaaS
*/}}
{{- define "postgres-dbaas.pgAdminEnvs" }}
- name: POSTGRES_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
- name: POSTGRES_ADMIN_USER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: username
{{- end }}

{{/*
Aggregator Registration env variables for DBaaS
*/}}
{{- define "postgres-dbaas.aggregatorEnvsReg" }}
- name: DBAAS_AGGREGATOR_REGISTRATION_USERNAME
valueFrom:
secretKeyRef:
name: dbaas-aggregator-registration-credentials
key: username
- name: DBAAS_AGGREGATOR_REGISTRATION_PASSWORD
valueFrom:
secretKeyRef:
name: dbaas-aggregator-registration-credentials
key: password
{{- end }}

{{- define "find_image" -}}
{{- $image := .default -}}

Expand Up @@ -55,6 +55,17 @@ spec:
configMap:
name: dbaas-postgres-adapter.extensions-config
defaultMode: 420
- name: dbaas-adapter-credentials
secret:
secretName: dbaas-adapter-credentials
defaultMode: 420
- name: dbaas-aggregator-registration-credentials
secret:
secretName: dbaas-aggregator-registration-credentials
defaultMode: 420
- name: postgres-credentials
secret:
secretName: postgres-credentials
{{- if not .Values.externalDataBase }}
{{- if and .Values.tls .Values.tls.enabled }}
- name: tls-cert
Expand All @@ -76,10 +87,18 @@ spec:
mountPath: /tmp
- name: dbaas-default-extensions-mount
mountPath: /app/extensions
- name: dbaas-adapter-credentials
mountPath: /var/run/secrets/postgresql/dbaas-adapter-credentials
readOnly: true
- name: dbaas-aggregator-registration-credentials
mountPath: /var/run/secrets/postgresql/dbaas-aggregator-registration-credentials
readOnly: true
- name: postgres-credentials
mountPath: /var/run/secrets/postgresql/postgres-credentials
readOnly: true
resources:
{{ .Values.dbaas.resources | toYaml | indent 12 }}
env:
{{- template "postgres-dbaas.pgAdminEnvs" . }}
- name: POSTGRES_DATABASE
value: {{ default "postgres" .Values.dbaas.dbName }}
- name: POSTGRES_HOST
Expand Down Expand Up @@ -116,10 +135,8 @@ spec:
securityContext:
{{- include "restricted.globalContainerSecurityContext" . | nindent 12 }}
env:
{{- template "postgres-dbaas.pgAdminEnvs" . }}
- name: POSTGRES_DATABASE
value: {{ default "postgres" .Values.dbaas.dbName }}
{{- template "postgres-dbaas.aggregatorEnvsReg" . }}
- name: DBAAS_ADAPTER_ADDRESS
value: {{ default (printf "http://dbaas-postgres-adapter.%s:8080" .Release.Namespace) .Values.dbaas.adapter.address }}
- name: DBAAS_AGGREGATOR_REGISTRATION_ADDRESS
Expand All @@ -130,16 +147,6 @@ spec:
value: {{ include "dbaas.pgHostRO" . }}
- name: POSTGRES_PORT
value: {{ default "5432" .Values.dbaas.pgPort | quote }}
- name: DBAAS_ADAPTER_API_USER
valueFrom:
secretKeyRef:
name: dbaas-adapter-credentials
key: username
- name: DBAAS_ADAPTER_API_PASSWORD
valueFrom:
secretKeyRef:
name: dbaas-adapter-credentials
key: password
- name: DBAAS_AGGREGATOR_PHYSICAL_DATABASE_IDENTIFIER
value: {{ .Values.dbaas.aggregator.physicalDatabaseIdentifier | default (printf "%s:%s" .Release.Namespace "postgres")}}
- name: CLOUD_NAMESPACE
Expand Down Expand Up @@ -184,6 +191,15 @@ spec:
- name: tls-cert
mountPath: /certs/
{{- end }}
- name: dbaas-adapter-credentials
mountPath: /var/run/secrets/postgresql/dbaas-adapter-credentials
readOnly: true
- name: dbaas-aggregator-registration-credentials
mountPath: /var/run/secrets/postgresql/dbaas-aggregator-registration-credentials
readOnly: true
- name: postgres-credentials
mountPath: /var/run/secrets/postgresql/postgres-credentials
readOnly: true
{{- end }}
livenessProbe:
httpGet:
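Review bot: The `postgres-credentials` volume added after the two new dbaas volumes omits the `defaultMode: 420` that its siblings declare; add `defaultMode: 420` (or a tighter mode applied to all three) so the permissions of the credential files are explicit rather than inherited from the secret-volume default. The credential mounts added near the end of the section sit inside a template conditional whose opening is outside the hunk (it is closed by the `{{- end }}` right after them), whereas the volumes are declared unconditionally. An unused volume is harmless, but a mount whose volume was skipped by a conditional is rejected by the API server, so keep mounts and volumes under the same condition in both containers.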
31 changes: 16 additions & 15 deletions operator/charts/patroni-services/templates/deployment.yaml
Expand Up @@ -74,6 +74,12 @@ spec:
mountPath: /certs/
{{- end }}
{{- end }}
- name: postgres-credentials
mountPath: /var/run/secrets/postgres-credentials
readOnly: true
- name: replicator-credentials
mountPath: /var/run/secrets/replicator-credentials
readOnly: true
env:
- name: WATCH_NAMESPACE
valueFrom:
Expand Down Expand Up @@ -107,21 +113,6 @@ spec:
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: PG_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
- name: PG_ADMIN_USER
valueFrom:
secretKeyRef:
name: postgres-credentials
key: username
- name: PG_REPLICATOR_PASSWORD
valueFrom:
secretKeyRef:
name: replicator-credentials
key: password
- name: GLOBAL_SECURITY_CONTEXT
value: {{ .Values.GLOBAL_SECURITY_CONTEXT | quote | default ("true" | quote) }}
- name: CLOUD_PUBLIC_HOST
Expand Down Expand Up @@ -182,7 +173,17 @@ spec:
secretName: {{ .Values.tls.certificateSecretName }}
defaultMode: 416
{{- end }}
{{- if .Values.replicationController }}
- name: replicator-credentials
secret:
secretName: replicator-credentials
defaultMode: 420
{{- end }}
{{- end }}
- name: postgres-credentials
secret:
secretName: postgres-credentials
defaultMode: 420
tolerations:
{{- range $tKey, $t := .Values.policies.tolerations }}
- key: {{ $t.key }}
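Review bot: The operator reads credentials from `/var/run/secrets/postgresql/postgres-credentials/` (`pgUserCredsPath` in client.go in this PR), but this chart mounts the secret at `/var/run/secrets/postgres-credentials` and the replicator secret at `/var/run/secrets/replicator-credentials`; if this deployment runs the same binary, `ReadSecretFile` logs a read error at startup and the operator silently falls back to user `postgres` with an empty password. Change the two `mountPath` lines to the `/var/run/secrets/postgresql/...` prefix the patroni-core chart uses. Separately, the `replicator-credentials` mount is unconditional while its volume is declared only under `{{- if .Values.replicationController }}` (nested in a further conditional whose opening is outside the hunk); a volumeMount naming an undeclared volume is rejected at admission, so wrap the mount in the same `{{- if .Values.replicationController }}` / `{{- end }}` guard or declare the volume unconditionally like `postgres-credentials`.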
Expand Up @@ -9,6 +9,6 @@ metadata:
name: logical-replication-controller-creds
data:
username: {{ default "replicator" .Values.replicationController.apiUser | b64enc }}
password: {{ default "paSsW0rdForReplicat!oN" .Values.replicationController.apiPassword | b64enc }}
password: {{ .Values.replicationController.apiPassword | b64enc }}
type: Opaque
{{ end }}
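Review bot: Dropping the built-in default for `password` removes a hard-coded credential, but the template now passes `.Values.replicationController.apiPassword` straight to `b64enc`, so an unset value either fails rendering with an unhelpful type error or, if set to an empty string, yields a secret with an empty password. Use `required` so a missing value fails at render time with a clear message: `password: {{ required "replicationController.apiPassword must be set" .Values.replicationController.apiPassword | b64enc }}`. The `username` line above still defaults to `replicator`, which is acceptable for a username.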
24 changes: 22 additions & 2 deletions operator/pkg/client/client.go
Expand Up @@ -33,11 +33,17 @@ import (
"github.com/Netcracker/pgskipper-operator/pkg/util"
)

const (
secretsBasePath = "/var/run/secrets/postgresql/"

pgUserCredsPath = secretsBasePath + "postgres-credentials/"
)

var (
instance *PostgresClient
logger = util.GetLogger()
pgUser = flag.String("pg_user", getEnv("PG_ADMIN_USER", "postgres"), "Username of admin user in PostgreSQL, env: PG_ADMIN_USER")
pgPass = flag.String("pg_pass", getEnv("PG_ADMIN_PASSWORD", ""), "Password of admin user in PostgreSQL, env: PG_ADMIN_PASSWORD")
pgUser = flag.String("pg_user", ReadSecretFile(pgUserCredsPath+"username", "postgres"), "Username of admin user in PostgreSQL")
pgPass = flag.String("pg_pass", ReadSecretFile(pgUserCredsPath+"password", ""), "Password of admin user in PostgreSQL")
dbName = "postgres"
ssl = "off"
)
Expand Down Expand Up @@ -244,3 +250,17 @@ func getEnv(key, fallback string) string {
func EscapeString(str string) string {
return strings.ReplaceAll(str, "'", "''")
}

func ReadSecretFile(path, defaultVal string) string {
data, err := os.ReadFile(path)
if err != nil {
logger.Error(fmt.Sprintf("Failed to read secret file %s: %v", path, err))
return defaultVal
}
value := strings.TrimSpace(string(data))
if value == "" {
logger.Info(fmt.Sprintf("Secret file %s is empty, using default value", path))
return defaultVal
}
return value
}
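Review bot: `ReadSecretFile` applies `strings.TrimSpace` to the whole secret contents, so a password that legitimately begins or ends with whitespace is altered before it reaches PostgreSQL; trimming only the line terminator, `value := strings.TrimRight(string(data), "\r\n")`, still removes the newline that commonly creeps in from shell-created secrets without changing the credential. Because the call sits in the package-level `var` block as a flag default, the file is read at init time and an error is logged on every start where the file is absent (for example when `-pg_user`/`-pg_pass` are passed explicitly), so consider logging that case below Error level or reading the file only when the flag was not set. The function is exported but undocumented; suggest `// ReadSecretFile returns the trimmed contents of the file at path, or defaultVal when the file cannot be read or is empty; both cases are logged.` Note the fallback for `pg_pass` is still the empty string, so a missing or misplaced mount degrades to an empty password rather than a startup failure.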
46 changes: 28 additions & 18 deletions operator/pkg/deployment/backup.go
Expand Up @@ -25,6 +25,7 @@ import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/utils/ptr"
)

var (
Expand Down Expand Up @@ -72,6 +73,15 @@ func NewBackupDaemonDeployment(backupDaemon *netcrackerv1.BackupDaemon, pgCluste
},
},
},
// {
// Name: "postgres-credentials",
// VolumeSource: corev1.VolumeSource{
// Secret: &corev1.SecretVolumeSource{
// SecretName: GetRootSecretName(pgClusterName),
// DefaultMode: ptr.To[int32](0400),
// },
// },
// },
},
ServiceAccountName: serviceAccountName,
Affinity: &backupDaemon.Affinity,
Expand All @@ -83,24 +93,6 @@ func NewBackupDaemonDeployment(backupDaemon *netcrackerv1.BackupDaemon, pgCluste
Command: []string{},
Args: []string{},
Env: []corev1.EnvVar{
{
Name: "POSTGRES_PASSWORD",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgClusterName)},
Key: "password",
},
},
},
{
Name: "POSTGRES_USER",
ValueFrom: &corev1.EnvVarSource{
SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{Name: GetRootSecretName(pgClusterName)},
Key: "username",
},
},
},
{
Name: "PGPASSWORD",
ValueFrom: &corev1.EnvVarSource{
Expand Down Expand Up @@ -230,6 +222,10 @@ func NewBackupDaemonDeployment(backupDaemon *netcrackerv1.BackupDaemon, pgCluste
MountPath: "/backup-storage",
Name: "backup-data",
},
{
MountPath: "/var/run/secrets/postgresql/",
Name: "postgres-credentials",
},
},
LivenessProbe: &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
Expand Down Expand Up @@ -296,6 +292,20 @@ func NewBackupDaemonDeployment(backupDaemon *netcrackerv1.BackupDaemon, pgCluste
},
}
}
// Add postgres-credentials volume regardless of storage type
deployment.Spec.Template.Spec.Volumes = append(
deployment.Spec.Template.Spec.Volumes,
corev1.Volume{
Name: "postgres-credentials",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: GetRootSecretName(pgClusterName),
DefaultMode: ptr.To[int32](0400),
},
},
},
)

if backupDaemon.ExternalPv != nil {
deployment.Spec.Template.Spec.Volumes =
append(deployment.Spec.Template.Spec.Volumes, getExternalBackupVolume())
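Review bot: The commented-out `postgres-credentials` volume block left in the `Volumes` list (the nine `//` lines after the existing volume entry) is dead code now that the same volume is appended unconditionally later in the function; delete it rather than leave two definitions to drift apart. The new `corev1.VolumeMount` at `/var/run/secrets/postgresql/` omits `ReadOnly: true`, which every credentials mount in the chart templates of this PR sets; add `ReadOnly: true,` for consistency and explicit intent. That mount path is the parent directory, not the `postgres-credentials/` subdirectory the operator reads from, and the `POSTGRES_USER`/`POSTGRES_PASSWORD` env vars are removed in the same hunk, so confirm the backup daemon image actually reads `username`/`password` from that location. With `DefaultMode: ptr.To[int32](0400)` the files are owner-readable only; if the container runs as a non-root UID without an `fsGroup` on the pod it cannot read them, which is worth checking against the pod security context outside the hunk. `NewBackupDaemonDeployment` starts and ends outside the hunks shown.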