Orange-OpenSource / galera-operator

Galera Operator automates tasks for managing a Galera cluster in Kubernetes
Apache License 2.0

User exporter's password is not valued in DATA_SOURCE_NAME #6

Closed plafosse-orange closed 4 years ago

plafosse-orange commented 4 years ago

In the example file 40-GALERA.yaml, it is proposed to reconstitute the variable DATA_SOURCE_NAME by passing the password of the user EXPORTER via an environment variable.

    - name: DATA_SOURCE_NAME
      value: exporter:${EXPORTER_PASSWORD}@(localhost:3306)/

With this method, the password is not valued when the mysqld-exporter program uses the variable DATA_SOURCE_NAME. It would be a shame to be forced to supply the variable DATA_SOURCE_NAME with the password in clear when it is encrypted in the "secret" file.

sebs42 commented 4 years ago

There are two things. First, about the security. It is an example; you can pass the value from a secret using valueFrom: secretKeyRef: instead of value:. The object type is k8s.io/api/core/v1/EnvVar and you can easily secure it as all env values used.

Secondly, if you want to use a value using an env variable, and you want this value to be valued, the right form is $(env) instead of ${env}

plafosse-orange commented 4 years ago

You have the solution that works. It would be appropriate for the example to integrate this solution.

    metric:
      image: prom/mysqld-exporter:v0.12.1
      env:
        - name: EXPORTER_PWD
          valueFrom:
            secretKeyRef:
              name: galera-secret
              key: exporter-password
        - name: DATA_SOURCE_NAME
#          value: exporter:export@(localhost:3306)/
          value: exporter:$(EXPORTER_PWD)@(localhost:3306)/

It's not much, but it can help.
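
The behaviour discussed in this thread, as an added example that is not part of the original issue or the project's code: a simplified Python model of how Kubernetes resolves value: entries in a container's env list. It follows the documented EnvVar semantics ($(NAME) expands only variables defined earlier in the list, unresolved references stay unchanged, $$ escapes $); the function names and the secret value are constructed for illustration.

```python
import re

# $$ escapes a literal $, $(NAME) is a reference; ${NAME} has no special meaning.
_REF = re.compile(r"\$\$|\$\(([^)]*)\)")
_SHELL_REF = re.compile(r"\$\{(\w+)\}")


def expand(value, defined):
    """Expand $(NAME) from `defined`; unresolved references stay unchanged."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"
        return defined.get(m.group(1), m.group(0))
    return _REF.sub(sub, value)


def resolve_env(env, secrets):
    """Resolve a container env list in declaration order.

    `secrets` maps (secret name, key) -> value and stands in for the API server.
    Returns (resolved environment, warnings about references that will not expand).
    """
    resolved, warnings = {}, []
    for var in env:
        name = var["name"]
        if "valueFrom" in var:
            ref = var["valueFrom"]["secretKeyRef"]
            resolved[name] = secrets[(ref["name"], ref["key"])]
            continue
        value = var.get("value", "")
        for m in _SHELL_REF.finditer(value):
            warnings.append(f"{name}: ${{{m.group(1)}}} is shell syntax, passed literally")
        for m in _REF.finditer(value):
            if m.group(1) is not None and m.group(1) not in resolved:
                warnings.append(f"{name}: $({m.group(1)}) is not defined earlier")
        resolved[name] = expand(value, resolved)
    return resolved, warnings


# Constructed sample data; the secret value is made up for this example.
SECRETS = {("galera-secret", "exporter-password"): "constructed-pw"}
SECRET_VAR = {"name": "EXPORTER_PWD", "valueFrom": {"secretKeyRef": {
    "name": "galera-secret", "key": "exporter-password"}}}
BROKEN = [SECRET_VAR, {"name": "DATA_SOURCE_NAME",
                       "value": "exporter:${EXPORTER_PASSWORD}@(localhost:3306)/"}]
FIXED = [SECRET_VAR, {"name": "DATA_SOURCE_NAME",
                      "value": "exporter:$(EXPORTER_PWD)@(localhost:3306)/"}]
WRONG_ORDER = list(reversed(FIXED))  # reference placed before its definition
```

Running resolve_env over a manifest's env list before applying it catches both the ${...} form from the original example file and a $(...) reference placed above the secret-backed variable it depends on.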