feat(chart): rip out pg dual-mode shim — ESO-only (0.1.8)
A-Chunk 3 finalisation. All live instances are migrated to ESO,
and Tower 0.77.2 makes the migrate + template-deploy paths also
emit ESO-shape overlays (wizard always has). The
`{{- if not .Values.postgres.passwordVaultPath }}` shim in
postgres-secret.yaml has zero remaining production callers.
Changes:
- DELETE templates/postgres-secret.yaml (dual-mode legacy path)
- DELETE _helpers.tpl `instance.pgPassword` (only consumed by
postgres-secret.yaml; no other callers)
- UNWRAP templates/postgres-password-externalsecret.yaml — the
outer `{{- if .Values.postgres.passwordVaultPath }}` conditional
is removed; the template now renders unconditionally and the
chart's `required` directive on tenant.id is the new boundary
(chart render fails loud if Tower forgot to populate it)
- SIMPLIFY values.yaml — drop the legacy `postgres.password` field
and the dual-mode documentation. `passwordVaultPath` stays as an
operator-visible advisory string but the chart hardcodes the
path shape from tenant.id + instance.code
Chart 0.1.7 → 0.1.8. helm template + helm lint verified locally;
helm template with tenant.id missing fails loud with a clear
error pointing the operator at the chart line + the source of the
missing value.
The live instances (erp/erp18v3/v19) carry tenant.id + passwordVaultPath
in their overlays already; this chart version produces the same
manifests for them on next ArgoCD reconcile — no observable change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -89,19 +89,3 @@ upgrading to Medium for capacity it doesn't need.
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Postgres password. Looks up the existing Secret on upgrades; uses
|
||||
.Values.postgres.password if set; otherwise generates a 32-char
|
||||
random string on first install. The lookup ensures `helm upgrade`
|
||||
does NOT silently rotate the password.
|
||||
*/}}
|
||||
{{- define "instance.pgPassword" -}}
|
||||
{{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-pg" .Values.instance.code) -}}
|
||||
{{- if and $existing $existing.data $existing.data.POSTGRES_PASSWORD -}}
|
||||
{{- index $existing.data "POSTGRES_PASSWORD" | b64dec -}}
|
||||
{{- else if .Values.postgres.password -}}
|
||||
{{- .Values.postgres.password -}}
|
||||
{{- else -}}
|
||||
{{- randAlphaNum 32 -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
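Review bot: The removed `instance.pgPassword` define, specifically its `lookup` of the `<instance.code>-pg` Secret and the `POSTGRES_PASSWORD` key, was the guard that kept `helm upgrade` from rotating the password, and nothing in this hunk records what now provides that guarantee. Suggest leaving a short comment where the helper sat (or in values.yaml) stating that the ExternalSecret must target the same Secret name and key, so workloads keep reading the existing credential after the switch. It is also worth confirming that no template still contains `include "instance.pgPassword"`, since a dangling include fails the render, and noting for operators that the `randAlphaNum 32` first-install fallback is gone, so a fresh install depends on the Vault entry existing beforehand.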