Per-instance Postgres password sourced from OpenBao via External
Secrets Operator. Dual-mode for the migration window:
- postgres.passwordVaultPath unset → legacy postgres-secret.yaml
renders with .Values.postgres.password (helm lookup + random
fallback, bit-exact existing behaviour for live instances).
- postgres.passwordVaultPath set → postgres-password-externalsecret.yaml
renders an ExternalSecret that produces the same <release>-pg
Secret (POSTGRES_USER/PASSWORD/DB) from OpenBao path
`tenants/<tenant.id>/instances/<instance.code>/pg`.
Exactly one of the two templates ships per instance (mutually
exclusive `if`s on .Values.postgres.passwordVaultPath). The Postgres
StatefulSet envFroms <release>-pg unchanged.
OpenBao policy already grants the per-cluster ESO read on
`v3/data/tenants/<tenantID>/*` (buildEsoPolicy in tower's
openbao_auth_setup.go) — the new instances/<code>/pg subpath is
covered. No policy change required.
A `required` directive on the ExternalSecret asserts tenant.id is
present when passwordVaultPath is set — fails loud at helm template
time if Tower forgot to populate it.
deletionPolicy: Retain on the ExternalSecret. Postgres PGDATA on
disk hashes to the password in the Secret; an accidental ESO
removal must not cascade into the Secret disappearing.
Chart 0.1.6 → 0.1.7. Verified locally: helm template both modes,
helm lint clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Heavy addon installs (e.g. ks_dashboard_ninja) blocked /web/login
probes for >10s, causing K8s to pull the Pod from Endpoints; Traefik
then 503d the operator addon-apply RPC. failureThreshold: 15 (~75s
of headroom) covers the install window without affecting true
pod-restart detection (initialDelay gates boot).
Chart 0.1.0 -> 0.1.1.
