Optional customUser.secretKeys

[mreiche]

Name and Version

postgres:0.12.1

What is the problem this feature will solve?

It is not possible to define the custom user secret key only like:

  customUser:
    name: "my-user"
    database: "my-database"
    existingSecret: "my-external-secret"
    secretKeys:
        password: "psql-user-password"

which will result in:

  - name: CUSTOM_DB
    valueFrom:
      secretKeyRef:
        name: my-external-secret
        key: ''
  - name: CUSTOM_USER
    valueFrom:
      secretKeyRef:
        name: my-external-secret
        key: ''
  - name: CUSTOM_PASSWORD
    valueFrom:
      secretKeyRef:
        name: my-external-secret
        key: psql-user-password

Describe the solution you'd like?

Please make the secretKeys for username and database optional with fallback to the customUser.name and customUser.database.

That makes it a lot more easier to define username and database as convention (by overriding values) and store the actual database user secret in a secret only. Especially when your secret is defined by an ExternalSecretProvider.

What alternatives have you considered?

No response

Additional informations

No response

Affected Helm charts

postgres

[dloewen2]

Hi @mreiche, If i understand you correctly, if i use the values you added as an example, at the end i got two secrets, one existingSecret my-external-secret and one new created Secret containing the customUser.name and customUser.database or am i misunderstanding?

[mreiche]

@dloewen2 The secret reference keeps the same, but defining a secret reference means, that you need to put all custom user information in that secret like:

apiVersion: v1
kind: Secret
metadata:
  name: my-custom-user-secret
stringData:
  user: "my-user"
  database: "my-database"
  password: "secret"

You can reference it in the chart:

customUser:
  existingSecret: "my-custom-user-secret"
  secretKeys:
    name: "user"
    database: "database"
    password: "password"

But if you have a Secret, that is dynamically generated by an ExternalSecretProvider and only contains the secret information:

apiVersion: v1
kind: Secret
metadata:
  name: my-generated-external-secret
stringData:
  password: "secret"

You cannot mix it like:

customUser:
  name: "my-user"
  database: "my-database"
  existingSecret: "my-generated-external-secret"
  secretKeys:
    password: "password"

[dloewen2]

@mreiche, I understand your request. After evaluating it internally with a colleague, I have to inform you that this is not something we would implement.

When using an existingSecret, the Helm chart expects all the required information to be stored within that single secret. The ability to dynamically select which data is stored in the existing secret and which is stored in a generated secret (or to manage multiple secrets for different keys) is not a functionality typically supported by Helm charts.

To help you achieve your goals, I suggest considering one of the following alternatives:

1. Check if your external secret provider can update specific keys within the secret without modifying others (for example, cert-manager can update tls.key and tls.crt in a secret independently).

2. Use Kustomize, particularly its patch functions, to override the generated StatefulSet so it loads environment variables from multiple secrets.

If you have any further questions, feel free to open a new issue or reply to this one.

[mreiche]

I'm not talking about managing multiple secrets. I'm just talking about the feature, the Bitnami PostgreSQL chart supports:

auth:
  username: "my-username"
  database: "my-database"
  existingSecret: "my-secret"
    userPasswordKey: "password"

I want that you can define either password OR existingSecret. That is something, this chart does not support.

Anyways. What if I implement that feature on my own. Would you like to accept the PR?