A-Chunk 3 finalisation. All live instances are migrated to ESO,
and Tower 0.77.2 makes the migrate + template-deploy paths also
emit ESO-shape overlays (wizard always has). The
`{{- if not .Values.postgres.passwordVaultPath }}` shim in
postgres-secret.yaml has zero remaining production callers.
Changes:
- DELETE templates/postgres-secret.yaml (dual-mode legacy path)
- DELETE _helpers.tpl `instance.pgPassword` (only consumed by
postgres-secret.yaml; no other callers)
- UNWRAP templates/postgres-password-externalsecret.yaml — the
outer `{{- if .Values.postgres.passwordVaultPath }}` conditional
is removed; the template now renders unconditionally and the
chart's `required` directive on tenant.id is the new boundary
(chart render fails loud if Tower forgot to populate it)
- SIMPLIFY values.yaml — drop the legacy `postgres.password` field
and the dual-mode documentation. `passwordVaultPath` stays as an
operator-visible advisory string but the chart hardcodes the
path shape from tenant.id + instance.code
Chart 0.1.7 → 0.1.8. helm template + helm lint verified locally;
helm template with tenant.id missing fails loud with a clear
error pointing the operator at the chart line + the source of the
missing value.
The live instances (erp/erp18v3/v19) carry tenant.id + passwordVaultPath
in their overlays already; this chart version produces the same
manifests for them on next ArgoCD reconcile — no observable change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
52 lines · 2.2 KiB · YAML
# postgres-password-externalsecret.yaml — per-instance Postgres password
# sourced from OpenBao via ESO. Produces the `<release>-pg` Secret
# (POSTGRES_USER + POSTGRES_PASSWORD + POSTGRES_DB) consumed by
# postgres-statefulset.yaml's envFrom.
#
# Single source of truth for pg password lifecycle. The chart had a
# dual-mode shim (legacy postgres-secret.yaml gated by an empty
# passwordVaultPath) through Chunks 1-3 of the A-OpenBao migration;
# rip-out lands in 0.1.8 after all live instances + every Tower
# create path (wizard / migrate / template-deploy) generate overlays
# that carry tenant.id + postgres.passwordVaultPath.
#
# OpenBao path convention: `tenants/<tenantID>/instances/<code>/pg`
# with a `password` field. Covered by the per-cluster ESO policy
# `eso-tenant-<cluster>` (buildEsoPolicy in Go) which grants
# read on `v3/data/tenants/<tenantID>/*`. No policy change required.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: {{ include "instance.fullname" . }}-pg
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  refreshInterval: "1h"
  secretStoreRef:
    name: {{ .Values.postgres.externalSecretsStoreRef | default "openbao-platform" }}
    kind: ClusterSecretStore
  target:
    name: {{ include "instance.fullname" . }}-pg
    creationPolicy: Owner
    # Retain — never delete the Secret on ExternalSecret deletion. The
    # postgres pod's PGDATA on disk is locked to the password hash in
    # this Secret; an accidental ESO removal must not cascade into the
    # Secret disappearing and forcing a password rotation (which would
    # then drift from pg_authid).
    deletionPolicy: Retain
    template:
      type: Opaque
      engineVersion: v2
      data:
        POSTGRES_USER: {{ .Values.postgres.user | quote }}
        POSTGRES_PASSWORD: "{{ `{{ .password }}` }}"
        POSTGRES_DB: {{ .Values.postgres.database | quote }}
  data:
    - secretKey: password
      remoteRef:
        key: tenants/{{ required "postgres.passwordVaultPath requires .Values.tenant.id (set by Tower at create time)" .Values.tenant.id }}/instances/{{ .Values.instance.code }}/pg
        property: password
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
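Review bot: the `required` guard in `remoteRef.key` covers `.Values.tenant.id` only; `.Values.instance.code` is interpolated unguarded, so an overlay that lacks it still renders cleanly as `tenants/<tenantID>/instances//pg` and the failure surfaces only when ESO tries to read a nonexistent OpenBao path at reconcile time, not at `helm template` as the commit message says the new boundary should. Guard it the same way, e.g. `{{ required "instance.code is required to derive the OpenBao pg path" .Values.instance.code }}`. The error string on the tenant.id guard is also stale now that the chart hardcodes the path shape: it says `postgres.passwordVaultPath requires .Values.tenant.id`, but passwordVaultPath is only an advisory string per the header comment and the commit message, so an operator reading the failure is pointed at a value the chart no longer consumes; reword it to name the derived `tenants/<tenantID>/instances/<code>/pg` path instead.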