Skip to content

Provide the ability to pass a Postgres password via file instead of k8s secret

Context

In my current work, we are using HashiCorp Vault as a central secret engine to not rely on k8s secrets and we're now adopting Gitlab. In our current Gitlab instance, we use only an external Postgres DB (the rest is provided by this chart) with it and we'd like to be able to bring this integration inline with our current way of working. Due to how gitlab loads the postgresql password, this was not possible out of the box, hence this MR.

Description

To be able to load the postgresql password via user-defined file, there were three changes to be made:

  • define a variable that can be used by the configurations to load the file path, instead of using a hardcoded value;
  • remove postgres as a required configuration for the necessary subcharts used;
  • use the postgresql secret only if no password file was provided in the chart values.yml.

A quick list of all changes performed:

  • charts/gitlab/templates/_configure.tpl: Defines the configure script, with a required dict including "postgres". This is incompatible with not using a secret for the password, so this value was moved to the optional field.
  • templates/_helpers.tpl: Create the variable gitlab.psql.password.file that reads from Values.global.psql.password.file, with the default set to the previously hardcoded value set in _database.yml.tpl (see next line)
  • charts/gitlab/templates/_database.yml.tpl: Defines the file from where the postgres password is read. This was a hardcoded value and was moved to the defined variable gitlab.psql.password.file.
  • charts/gitlab/charts/[webservice|task-runner|sidekiq|gitlab-exporter|geo-logcursor]/templates/deployment.yaml: Add an if condition to the use of postgresql password secret, where if the values Values.psql.password.file is set, the secret is not loaded by the deployment
  • charts/gitlab/charts/migrations/templates/_jobspec.yaml: Add if condition as per last item
  • charts/gitlab/charts/task-runner/templates/backup-job.yaml: Add if condition as per last item
  • charts/gitlab/charts/[webservice|task-runner|sidekiq|gitlab-exporter|geo-logcursor|migrations]/templates/configmap.yaml: Move postgres from required to optional when including the configure script and for the exporter, change the hardcoded postgresql password file to include the variable gitlab.psql.password.file.

Merge request reports

Loading