qamatic / helm-charts

Helm Charts

Insecure postgres-password field #3

Open hawkesn opened 4 years ago

hawkesn commented 4 years ago

By default, this chart currently uses pactbroker as the default password.

However, the postgresql helm chart (which is a requirement for this repo) automatically generates a random alphanumeric 10-character password and stores it as a Kubernetes secret.

The deployments.yaml should detect if the {{ .Values.postgresql.postgresPassword }} is blank, in which case it should simply load the POSTGRESS_PASSWORD via:

valueFrom:
  secretKeyRef:
    name: {{ .Release.Name }}-postgresql
    key: postgres-password

Otherwise, just use the password specified. So here, something like:

- name: PACT_BROKER_DATABASE_PASSWORD
  {{- if .Values.postgresql.postgresPassword }}
  value: {{ .Values.postgresql.postgresPassword | quote }}
  {{- else }}
  valueFrom:
    secretKeyRef:
      name: {{ .Release.Name }}-postgresql
      key: postgres-password
  {{- end }}

This is a more secure way than using the default of pact-broker.

pearsonhenri commented 3 years ago

Great comment @hawkesnc! (Note, however, that the secretKeyRef should refer to key: postgresql-password instead of key: postgres-password.)
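Both points raised in this thread (a literal password in the pod spec, and a secretKeyRef whose key must actually exist in the referenced Secret) can be checked against a release's objects. The following is an added example, not part of the issue thread or the chart's own code; the release name `pact`, the container names and the sample JSON are constructed assumptions.

```python
import json

SENSITIVE = ("PASSWORD", "SECRET", "TOKEN")

# Constructed sample in the shape of `kubectl get deploy,secret -o json` output
# for a hypothetical release named "pact"; all names and values are made up.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Secret", "metadata": {"name": "pact-postgresql"},
  "data": {"postgresql-password": "Y29uc3RydWN0ZWQ="}},
 {"kind": "Deployment", "metadata": {"name": "pact-broker"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "literal", "env": [
     {"name": "PACT_BROKER_DATABASE_PASSWORD", "value": "pactbroker"}]},
   {"name": "wrong-key", "env": [
     {"name": "PACT_BROKER_DATABASE_PASSWORD", "valueFrom": {"secretKeyRef":
       {"name": "pact-postgresql", "key": "postgres-password"}}}]},
   {"name": "ok", "env": [
     {"name": "PACT_BROKER_DATABASE_PASSWORD", "valueFrom": {"secretKeyRef":
       {"name": "pact-postgresql", "key": "postgresql-password"}}}]}
  ]}}}}]}
""")

def audit(manifest):
    """Return (location, problem) pairs for sensitive env vars in workloads."""
    items = manifest.get("items", [manifest])
    secrets = {i["metadata"]["name"]: set(i.get("data", {})) | set(i.get("stringData", {}))
               for i in items if i.get("kind") == "Secret"}
    findings = []
    for obj in items:
        pod = obj.get("spec", {}).get("template", {}).get("spec", {})
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            for env in c.get("env", []):
                if not any(s in env["name"].upper() for s in SENSITIVE):
                    continue
                where = f'{obj["metadata"]["name"]}/{c["name"]}/{env["name"]}'
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if "value" in env:  # password is readable by anyone who can view the pod spec
                    findings.append((where, "literal value in pod spec"))
                elif ref and ref["name"] not in secrets:
                    findings.append((where, f'secret {ref["name"]} not found'))
                elif ref and ref["key"] not in secrets[ref["name"]]:
                    findings.append((where, f'key {ref["key"]} missing from {ref["name"]}'))
    return findings

if __name__ == "__main__":
    for where, problem in audit(SAMPLE):
        print(f"{where}: {problem}")
```
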