fix(dtrack): source DB password from externalDatabase.existingSecret #110
Open
dragonpaw wants to merge 2 commits into
Contributor
Thanks for this. Now that several chart PRs (including the v1.2.0 alignment #145 and the load-bearing image-tag change #78) have landed on (The red SonarCloud check is a known non-blocking fork limitation and can be ignored.)
added 2 commits
June 3, 2026 16:38
When postgres.enabled=false and externalDatabase.existingSecret is set,
secrets.yaml intentionally skips writing POSTGRES_PASSWORD into the
chart-managed Secret. dtrack still referenced
{{ fullname }}-secrets:POSTGRES_PASSWORD, so the pod started with
CreateContainerConfigError because the referenced key did not exist.
Point ALPINE_DATABASE_PASSWORD at the operator-provided existingSecret
in that branch, using a new externalDatabase.existingPasswordKey value
(defaults to "POSTGRES_PASSWORD"). All other paths (in-cluster postgres,
or external DB with inline password) keep their previous source, so the
change is backwards compatible.
b588dac to cec4108
dragonpaw pushed a commit to dragonpaw/artifact-keeper-iac that referenced this pull request Jun 3, 2026
When `postgres.enabled=false` and `externalDatabase.existingSecret` is set (the canonical external-DB path), `templates/dtrack-deployment.yaml` built `ALPINE_DATABASE_URL` from `externalDatabase.host` / `externalDatabase.port` plain-string values. Operators following the existingSecret pattern who omit those plain values get an empty-host JDBC URL — `jdbc:postgresql://:5432/dependency_track` — which JDBC interprets as `localhost` and dtrack then fails on startup with `Connection refused`.

This change projects host/port out of the operator-provided Secret into two leading env vars (`_DTRACK_DB_HOST`, `_DTRACK_DB_PORT`) and references them from `ALPINE_DATABASE_URL` via Kubernetes `$(VAR)` expansion. Two new values let operators point at custom keys in the Secret:

  externalDatabase.existingHostKey (default "POSTGRES_HOST")
  externalDatabase.existingPortKey (default "POSTGRES_PORT")

Mirrors the precedent set by `externalDatabase.existingPasswordKey` (artifact-keeper#110). Strictly additive: when `existingSecret` is unset, the literal host/port substitution is preserved — `helm template` output is byte-identical for the in-cluster postgres and inline-host/port paths.
Contributor
Author
Rebased onto the latest
Summary

When `postgres.enabled=false` and `externalDatabase.existingSecret` is set, `templates/secrets.yaml` intentionally skips writing `POSTGRES_PASSWORD` into the chart-managed Secret (the operator owns the credential). dtrack, however, always referenced `<release>-secrets:POSTGRES_PASSWORD`, so the pod fails to start with `CreateContainerConfigError` because the key it points at does not exist.

This PR makes dtrack source `ALPINE_DATABASE_PASSWORD` from the operator-provided `externalDatabase.existingSecret` in that branch, using a new `externalDatabase.existingPasswordKey` value (default `"POSTGRES_PASSWORD"`). All other paths (in-cluster postgres, or external DB with inline `password`) keep their previous source, so the change is backwards compatible — `helm template` output is byte-identical for those cases.

Reproducer (before this PR):

The rendered dtrack pod env points at `ak-artifact-keeper-secrets:POSTGRES_PASSWORD`, but the rendered Secret has no such key.

Test Checklist

- `helm lint` clean)

Infrastructure

- `helm template` renders correctly across four value combinations (defaults; external DB inline password; external DB `existingSecret`; external DB `existingSecret` + custom `existingPasswordKey`)
- `terraform validate` passes (N/A)
- `terraform plan` shows expected changes (N/A)

Closes #150
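A pre-deploy check for the failure described in this PR, as an added example that is not part of the pull request or the chart: it walks rendered manifests and reports env `secretKeyRef` entries whose key is absent from a Secret rendered in the same output, and lists references to Secrets outside that output separately. The workload name `ak-dtrack`, the key `SAMPLE_OTHER_KEY` and the Secret name `operator-db-secret` are constructed for illustration; the `__main__` path assumes PyYAML is installed.

```python
"""Report env secretKeyRef entries whose key is missing from a chart-rendered Secret."""
import sys

def _pod_spec(doc):
    # Deployment/StatefulSet/DaemonSet/Job keep the pod spec at spec.template.spec.
    return ((doc.get("spec") or {}).get("template") or {}).get("spec") or {}

def check_secret_refs(docs):
    """Return (dangling, external) lists of (workload, env var, secret, key)."""
    docs = [d for d in docs if isinstance(d, dict)]  # skip empty YAML documents
    rendered = {}
    for d in docs:
        if d.get("kind") == "Secret":
            keys = set(d.get("data") or {}) | set(d.get("stringData") or {})
            rendered[d["metadata"]["name"]] = keys
    dangling, external = [], []
    for d in docs:
        spec = _pod_spec(d)
        for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            for env in c.get("env") or []:
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if not ref or ref.get("optional"):
                    continue  # optional refs do not block container start
                item = (d["metadata"]["name"], env["name"], ref["name"], ref["key"])
                if ref["name"] not in rendered:
                    external.append(item)  # operator-owned Secret, verify in-cluster
                elif ref["key"] not in rendered[ref["name"]]:
                    dangling.append(item)  # pod would hit CreateContainerConfigError
    return dangling, external

def _deploy(secret_name):
    # Constructed sample: a dtrack-like Deployment with one Secret-backed env var.
    env = [{"name": "ALPINE_DATABASE_PASSWORD", "valueFrom": {
        "secretKeyRef": {"name": secret_name, "key": "POSTGRES_PASSWORD"}}}]
    return {"kind": "Deployment", "metadata": {"name": "ak-dtrack"},
            "spec": {"template": {"spec": {"containers": [{"name": "dtrack", "env": env}]}}}}

# Constructed sample: chart-managed Secret rendered without POSTGRES_PASSWORD.
CHART_SECRET = {"kind": "Secret", "metadata": {"name": "ak-artifact-keeper-secrets"},
                "data": {"SAMPLE_OTHER_KEY": "eA=="}}
BEFORE = [CHART_SECRET, _deploy("ak-artifact-keeper-secrets")]  # state before the fix
AFTER = [CHART_SECRET, _deploy("operator-db-secret")]  # hypothetical existingSecret

if __name__ == "__main__":
    import yaml  # PyYAML; feed it the output of `helm template` on stdin
    bad, ext = check_secret_refs(yaml.safe_load_all(sys.stdin))
    for w, e, s, k in bad:
        print(f"DANGLING {w}: {e} -> {s}:{k}")
    for w, e, s, k in ext:
        print(f"EXTERNAL {w}: {e} -> {s}:{k} (not rendered by the chart)")
    sys.exit(1 if bad else 0)
```

An `EXTERNAL` entry is not a failure: it marks a reference to an operator-owned Secret whose key can only be confirmed against the cluster.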