Helm-Chart - Ability to provide Database Password outside of source-code

[valereColleville]

Is your feature request related to a problem? Please describe.
I didn't find an ability to use environment variable for database password management. Today i'am forced to have the db.password field into my values.yaml. (or i missed something which is also possible)

Describe the solution you'd like
To be able to provide a "password-less source code" we need a way to link a vault-solution to provide the database password.
Classic pattern is to rely on kubernetes secret letting everyone filling the secret "as they want" (ex: using extrenal-secret + AWS Secret Manager or Azure-Vault-CSI or any Hashcorp vault operator etc...)

So update would be:
Create a "existingSecret" field in the helm chart, if exist use it as an envVar setup for the container and update SetupDB source code to override default yaml setup with env var value if provided.

Example in another tools (Harbor):
https://github.com/goharbor/harbor-helm/blob/main/templates/core/core-dpl.yaml#L130
https://github.com/goharbor/harbor-helm/blob/main/values.yaml#L973

Describe alternatives you've considered

Additional context
I'll be happy/open to provide a PR about it if we agree that the feature could be added.

Thanks

[tegioz]

Hi @valereColleville 👋

You are not forced to write your password to your values.yaml file. You can pass it to the chart when installing/updating using --set and read the actual password from an environment variable (that can be fed from a secrets manager / vault).

export DB_PASSWORD="..."
helm install artifact-hub artifact-hub/artifact-hub --set db.password="${DB_PASSWORD}"

# Or get it from a secrets manager / vault
export DB_PASSWORD="$(command to get it from your secrets manager / vault)"

Eventually we'll improve the chart and add more options to provide credentials. We'll keep you posted!

[tegioz]

Awesome, thank you!

[valereColleville]

@tegioz , i do have faced a last "industrialization" issue to deploy onPrem. For security reason, i can't give the superuser user from the database server to artifacthub helm chart. I can create a "all prower user" over a dedicated database but not give away the superuser.

That's not an issue for the app (at least not i have feel), but for the "migration-db job" it do generate 1 issue, the script 34_partman.sql try to install the extension (i'am not a postgres admin) but if i understand correctly the issue i faced, that more or less an action that only the superuser can do. So i moved the extension installation in the "secure part" but sadly the 034_partman.sql script do not protect the schema creation so the migration fail when the extension and the schema are already here.

Fix would be to just change the first line to create schema IF NOT EXISTS partman;
(did it on my local version)

What do you think about it?

[tegioz]

That should be a harmless change, we can do that.

[tegioz]

Done in #4652

[valereColleville]

\O/ Thanks a lot \O/

With that change, Database is setup with dedicated user generating a random password, stored in our vault never seen by any human or config in our repository.

For those interesting in the "pre-requirement" setup script run with superuser before running the chart here the snippet (probably can be improved by some postgres guys but "it worked good enough for our POC"). Allowing you to be owner of the script using superuser so you can apply your rules and security check on it.

In my case run in a controlled helm-hook pre-install container using a postgres image with superuser credentials:

              psql "sslmode=require dbname=postgres" -tc "SELECT 1 FROM pg_database WHERE datname = 'artifacthub'" | grep -q 1 || psql "sslmode=require dbname=postgres" -c "CREATE DATABASE artifacthub"
              psql "sslmode=require dbname=postgres" -tc "SELECT 1 FROM pg_roles WHERE rolname = 'artifacthub_user'" | grep -q 1 || psql "sslmode=require dbname=postgres" -c "CREATE USER artifacthub_user WITH PASSWORD $DB_USER_PWD;"
              psql "sslmode=require dbname=postgres" -c "GRANT ALL PRIVILEGES ON DATABASE artifacthub TO artifacthub_user;"
              psql "sslmode=require dbname=postgres" -c "ALTER DATABASE artifacthub OWNER TO artifacthub_user;"
              psql "sslmode=require dbname=artifacthub" -c "CREATE SCHEMA IF NOT EXISTS partman;"
              psql "sslmode=require dbname=artifacthub" -c "CREATE EXTENSION IF NOT EXISTS pg_partman schema partman;"
              psql "sslmode=require dbname=artifacthub" -c "GRANT USAGE ON SCHEMA partman TO artifacthub_user;"
              psql "sslmode=require dbname=artifacthub" -c "GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA partman TO artifacthub_user;"
              psql "sslmode=require dbname=artifacthub" -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA partman TO artifacthub_user;"
              psql "sslmode=require dbname=artifacthub" -c "GRANT CREATE ON SCHEMA partman TO artifacthub_user;"
              psql "sslmode=require dbname=artifacthub" -c "
                DO
                \$do\$
                BEGIN
                  -- Make user the owner of public schema if not already
                  IF NOT EXISTS (
                      SELECT 1 FROM pg_namespace n
                      JOIN pg_roles r ON r.oid = n.nspowner
                      WHERE n.nspname = 'public' AND r.rolname = 'artifacthub_user'
                  ) THEN
                      ALTER SCHEMA public OWNER TO artifacthub_user;
                  END IF;
                END
                \$do\$;
                GRANT ALL PRIVILEGES ON SCHEMA public TO artifacthub_user;
                "