eliminate randomized database passwords

davehadley · davehadley · commit e18326387f64 · 2025-12-18T08:06:59.000Z
diff --git a/charts/workflows-cluster/staging-values.yaml b/charts/workflows-cluster/staging-values.yaml
@@ -51,7 +51,7 @@ vcluster:
                       - staging-values.yaml
                   path: charts/apps
                   repoURL: https://github.com/DiamondLightSource/workflows.git
-                  targetRevision: HEAD
+                  targetRevision: drh/bff-pkce-dev
                 syncPolicy:
                   automated:
                     prune: true
@@ -69,6 +69,11 @@ vcluster:
             "/artifact-s3-secret": "graph-proxy/artifact-s3-secret"
             "/s3-artifact": "workflows/artifact-s3"
             "/oidc-bff-config": "workflows/oidc-bff-config"
+            "/postgres-passwords": "workflows/postgres-passwords"
+            "/postgres-argo-workflows-password": "workflows/postgres-argo-workflows-password"
+            "/postgres-auth-service-password": "workflows/postgres-auth-service-password"
+            "/postgres-application-passwords": "workflows/postgres-application-passwords"
+            "/postgres-initdb-script": "workflows/postgres-initdb-script"
 
 ingress:
   secretName: letsencrypt-kubernetes-staging-workflows-diamond-ac-uk
diff --git a/charts/workflows-cluster/templates/sealed-secret-postgres-application-passwords.yaml b/charts/workflows-cluster/templates/sealed-secret-postgres-application-passwords.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: postgres-application-passwords
+  namespace: workflows
+spec:
+  encryptedData:
+    passwords: AgAaHsA0p6ZAyHb0lUl2rtGkv6OG7f6b6d95MPjsI5sogEAzz0YL8nuSx8x7HHbtqT03dd7MmHV9gawNo0CGhGQjGFwLrtFhI67EcufAE6/5q7hX6DQAxm5/ZTZPvFffOuLMCS/PAJzZAYcBKW0Adhk8qCmcQ+Ps4G4GKcCY6kD4/BuoDvaGodvie2it16ejPHEeZ8cMzfYN+/NMRQ+6q2dmwqb/Gf5kc6HJMbynaSkQotD2OFbnkzvYUdAcjpxLMsw4Ia5kP2Hz11mgwV1LqrGW70nDHFmojN4q/+PR+VrNd7FYN1ZgwoIbIoKPbF/E1chSmwGGU8CqwJxXATS+jYz1m7X5RR2PgL0fFdMHXB5jiXoGdZqTQKyt6okXxvF1fMthmZw5VrZBiTeE9pQnDCZEHq4rAXKuoWDjsrruMGATI/4JPive+snWDgpTEzHa40k+HXIj1/lHqiQfAQaRyLS5a89j+g20berJ8R/q6oYZhVEG4noKnntRcfKeT+DaeOeRoQ5M9Jn3AUfqke3R3sJJvYFTo0mU1F6fXq9YrOJRz3cQzPEGDqladBH8D9KHcl5dKs2PzZaAbpUlvT8YVadVWTtMm46etqBpAOE7rPYRQzhrmRHdRXOrN862p5qyhZLXgIvJASWheVaBbwIGK2PKpFSk1juzkZ9sAOFTkLD7BNJYn3rq6RFPl7CYjQ8ecNOQGGYPRIDDfAmmqHujiarAJXXqvyB8tjeSXqAd50ThkZGf7dO/zRUGAyI8a1KO3wYU
+    usernames: AgBTq5CHMVyTx6l2Ihqz4EE64Dm7G2wXSAQEnZr+4BA4nwU1bz+1xVNCen8AN7t8iPA5gO+8SyPIXKj9ZhqtjO+ltY2vjvIY2QXEQXOjDozfo+Q9TxgQ3jyKN3mr4hv2OxgVx+Obz8mD0rNPDO0cqI3SwUZQleDV/87dL09leUCIWFnNxHbhaLhuDNdPKTdw7ORSplHmTa35j1x9u5xOiwfOzUYshOYRcccqNzvKsp6Ptj2QWZkqiALn0FIkWC4uZ9KN0eQxv9w/ZLr/ixY5TI7tbBW5oiNYR6iQ0IK2xAOCl4tbTk/S8qkQBVbwxbvKrsNnR2FQR9hs8iimr1HDY1gFt2nt+3qY0Cle88Bngy0Yt/o7J7pZTV1rgr3SzpogcmIu/LCA1wln4OnMlhv/U+oMsoxVL/FssJupjFbX+5UiVzMpYYZ7CTLqiGnn29A+0VCp1bNaTTTYx1R5DGZc9JQj5+XkGCitCicf0GrSRs7nEjk/O/1aILE6CISpvqvXbMncjJysgVr8CdUoKwsdqhleRQ01llmhVj20LYhoGtMPe23DejGIrItlNlphp9dT4Sl0qvLPf3pmOaladabwCF0NXub9q4zpN5sM6p88xISHUIyD0Qh7T7WJ1wk0RBDC+onfZmWK8iZsP4XT2ZpbruwMJWriF9GlH+NSZhzwbym+QOBLV7x8jFebTF8P5lEUVf6oaGIa5dCQHAy0N3H0UzXE1U+XSBvo6eg=
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        argocd.argoproj.io/instance: workflows
+      name: postgres-application-passwords
+      namespace: workflows
+    type: Opaque
diff --git a/charts/workflows-cluster/templates/sealed-secret-postgres-argo-workflows-password.yaml b/charts/workflows-cluster/templates/sealed-secret-postgres-argo-workflows-password.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: postgres-argo-workflows-password
+  namespace: workflows
+spec:
+  encryptedData:
+    password: AgABMdb+f+AyfmSgwm9NHvG13yK7Js3krlaH2nWoQAnupq1zZW7fFsmCnna1FW67RDzY0ZPOCc0T7yyWsEzVWuupBQWliRh9FaROQZ21wt6GWeQZD65tf0lqu9pLORwhMbaW8oSTTx/GAY2ojyz1YX0npsYfEdfh32YAEgpfrqZN8GAjdhqQUwGhsrhMIcxS4vilO8pk98Q6G+9hajduPNl766qW+IMyRnK1iZQdSU3i7r4neiLCaMh+cLpdbYfIYwG+LlChGWmHfYIucIH0pMb7bkCWzIdtQRobbcwK+atcD+nAEEl6IicyhEU+b/qHrGjCNvUQ5jq7JFYy6Ri0lKzFSpwVH4MkdzZWUpttsqo3EnKayQB8ZXZH5hTrpspifhhiI0D3s90relTAhn7UNz5fwbRtdTBpevhQzp5IZVuAMuvDdzcISh3LoBe7Vr/UUVHGOMLVyqzGY9z80VO95tJV+iDO2TNpEE3gNl4Gaxm9Dr3zDBmDyo8uKUuLYE38lVzB4EJmgo/vuE8OIdKdZGK905PIGQ6O5AidZbL3nEUvIHXoGrYiE0pZjyF4uVJpu65Dw5A3GDH6W6l5iK/sCTcL9LQdPX7o/AOfUWyNJbD4O6FAau3d1m5gie5kVVT8zzMhVH+BUxwT1JvRTxL3J6nazKlo0Xcoq4UdDai+I/dFg3di7aHo9obyWvcLAYPRMvhY3357PaxOsDAYkvaEbwPoFGTPIPLz8/o=
+    username: AgCfSEt91Uw44NHBeRVfIZOuu7zVlZFu80R9VifqNnxN2A/ggpIaHVqozXsStTeb/Qkl/axG2feP6hC2ilHVti20XHzDD98tTeo5p5j9yfStudLL/rIYZnNsO12uVUjKDPbOTrxgxtjJkRdDlO3Zd1Aqrsk11xZieeu9RaGBqY1qRVUkZb2bIM9kege/3wL8eTO9jF2ogMEybEtCBoOridBdmLMCPncYHt36NcPXi/8cpJOgj2icEFAQJT6MKlkdigiREMDXLByscJO0EseonIyiLdK/1WgRx/nUUMoqyt7CTqTej41cUZCM9ufjLC8VuM8OCtAHVKu4OOf76ya3wGp2OBf7ajBUQe0NbZ3+ckyrSgodQv92jemKCPkW2GeN2+t+M3/kTn9xQ0lc+TPpRR7JnlbHNYvCXLLtrtGG3AzkeyZJZ4FKBaIL5V5dS6ywSLvMsPlmjci1jfCswsHOE9uCVt456v968cvGFOpOXneHTALc46r/vjvJ58Nrtkayik3glhRsS7kPH26AJ2HhOOu6FwIp//+Emd2W3fw7MEWizu9tNCPJMUm9HrO7I59db74Cb7hZoBpzhNyzi7mfwQJCGCDU/ahlbYSWiknc2EDE0mCNZTIpyTPVYv7gc66yyroZSq4KHnaQl6pKLOCl3pHLa9xP6nuZfGqN5gaf+YCu6Qi05Ktq0IEHqIKNs/AXZE3iXVHzamhyUwFBqwnpDA==
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        argocd.argoproj.io/instance: workflows
+      name: postgres-argo-workflows-password
+      namespace: workflows
+    type: Opaque
diff --git a/charts/workflows-cluster/templates/sealed-secret-postgres-auth-service-password.yaml b/charts/workflows-cluster/templates/sealed-secret-postgres-auth-service-password.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: postgres-auth-service-password
+  namespace: workflows
+spec:
+  encryptedData:
+    password: AgDHejDxPArV97Etg07L0oUlMDTIFlluz3cqYfMfJe/MBoPWLN8wxWq/Vpmy/0+LAW5aj9sIPnsXCE0Pfq4tXdr7sLdhNHOA0Efy2m5WLcoyTzbTU4/f/beXIGsabDFVvgEvIrEYIu2TOJj1mTLFmESWbYG4Z822oXdKEdmAE4Zvf8wmSkGLfOoFXYueNBaQ7N2BNIeA1+8pywuHMmoyeTOyxk6J743vRiPqEK940H+BT5bhuZz370FJVeXnKq+SBgsckqVZ42Rp7VW2qW1+j+tAku6AHcRhCxV0KLPjf08oQrzcY60blBvW4AUiwLrSghK88DfswBENQKtYlYO9nt5mV7ZaBD1dnSetCM867fRiSyTXXN0PJAXZjgAqkdQ5W8cBA5wImD0cF+wsZShZyVEO2qYGL5THrUATjHkSF2zGfhLSGHIlJlmsC527Yo2J0SovqjY4g3qTI8VxdugOax7yj/W8y2iwUxjokTvtwplIjM0nXNxwF7KqkbIOgxiW3IdtMyI7PQxTgO69jnch4odnzCgFToE7lOs/uVo1lNH+iU7a0o/o/5ksL8MqjX56zU1BYuGOtq+eGL9B3t7jnN91SkJzO9glRzuo15wRARKMdJ2Et2tqkfw6qQlCVnpvj8r4xApUnsMbvyrR6odP2jg5Sr2mgYnoN2krb6jjJwiBFeC3FZcJVctBUa60ZPpRiftXvUCpjhU4qMaABrk66k2xZZTD346wcMg=
+    username: AgBRyZIlJrZnf0VtwQE1iqJbwxwcE9d638Ii21F75xCj1eVGne0t1oCysZpi9ZLOjhPYTWZADBW8VwYM6OchzMRcTAO3M4tsALsb2tsf8id9zMl7He1NIeprLeKr3hNQQ4Ktcf+CNrStr/f/b5Ei3Po8aA1Aq3VOiuBd+C+0P/nHJWcEGl0hbw3GEytjILHl7JwjMg40B6j2Diq3Z3o7fry17iJ98V0ta1kyQBpAZdlmPr+mSXpllpl915dhepE86//k9c+2ZIN7+WmLln4MYmznakbcZpiN5QAhuxnJO69G8wYcwSsJdI0B4fOy3iNMc/zNCWLbd3pgmz0h5hvumU1XZ42ftujTvhDb6eagBWPMWr7gguNSjWw6zwgtCPSVt+lzRBEu9MUBAY1TA3Zk5MvMXAYPTlix0vN6lPZweB2u1C/f/GqAV7BzTDMzxj58Fa/r/B1PEkOvgZygZ16TojXOQlkcMT7DfPf9Yf4YWL59i1RBzUvw2lgDB1glZ4GqMcxYHTfTR6j4feQJzmvVh2FgP0kthsxAXhO0a/sZ4EHfxVeN51PKA3BPuFdX56HLAkYvj2Osmuy+fVC8UGsDW9ik5fndzhaqxap/9qzLYUtU2AtEI3tPKvJhpM0QQvFockUgY6J31y1IivOo+gGGS1DCnRVnNDPHXETE2DBidSwBSThTiuV8+7LMrCyoAvaFEBFhENcrbtX5Eb8=
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        argocd.argoproj.io/instance: workflows
+      name: postgres-auth-service-password
+      namespace: workflows
+    type: Opaque
diff --git a/charts/workflows-cluster/templates/sealed-secret-postgres-initdb-script.yaml b/charts/workflows-cluster/templates/sealed-secret-postgres-initdb-script.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: postgres-initdb-script
+  namespace: workflows
+spec:
+  encryptedData:
+    init.sql: AgB4hcgbt4yJhii5v3cJ5WZBuGOcRBS4PaZeT8kjHSc9gNAfxyCPM0EtwBaVZMfE2dinj3nk+2GDsoVsoYaKl8XXz7Ey0xfdPfypLLGmTaAUGFWFRL9ygrJV8T1wZB6rI33erTgO/NQCu35umLYq8xyFkIZolrZEOFP6hHShBMbz51yIjRdwvTVkYItfiEOKmHmHs4psyWvsK+KL58zhB/7PZZ7Twi4+rdBmB+wV0NMy6lpq41mQNz12tLVQUlvM0KKyUApow1FVXuBbeZkKgTSKEgHYOtrmrWwoqAl2qK1hf4B0jRocZAv1WCOcevbTb+IFqRdAUiOHDHc5TnCuSUNiffmTwyRXlvLgvoJLElFUaamsEESgzAS7+qkwzSeyrZ3F+qmeXXCIfnKUL0kzCo9kMgXGqOjJ6gibo4wFSL4QUctv6GT4rAGIqyUyLvrCoU0QhNpPfhZkXQf5FUz/n0wHD1qbisPLEyqsCGcZR45RClrhncza1RLWb/xWhHAsVUTeolrSZXpZOnEYOsjuIF2Gyf8029HMMQMhgguThhBho93MwhA7BUnbSbuMrQlQ+R7TryxlplOsWZfPGBEs1M/YYCVXs4+PRHPvttYps9KHcpvN+WlObE+IIxtVbozVaVEBz26j9xZezC7hFXYTifRXEpgRExfRtNtRIpel/xYpkAoQsBbJ+Xsi23Vrp/uyjU2ogXJoziGHaWs8/YKnvD5bA4AXnNAm3zLokCeXJ1ei3O8iFZ5R2vxXUSvDFC4oOxLMj+nB89xR7/0z7L5BxMe8v7gtOZ1q1qd543LgNvuysSOb8CT24bc3gc9Ueqk8nFZTg+R2L6avDUJuzPXRS0zl8cCfxZ/GEEkzPsVYTY6wTJm3GJ6wnf3Mwyzk+dTBViPhjzj96XMMAqEzWVHKpfQkxjmeUfoRynK7/quQvsWl2tLGZofDHGKAAB6ZdVirGHTqCqqidgVz8QNIz9ECybDJQpilwzWxHUHTCu0YoBidXwjR25BOI0Q=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: postgres-initdb-script
+      namespace: workflows
diff --git a/charts/workflows-cluster/templates/sealed-secret-postgres-passwords.yaml b/charts/workflows-cluster/templates/sealed-secret-postgres-passwords.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: postgres-passwords
+  namespace: workflows
+spec:
+  encryptedData:
+    password: AgBD1UtI2bqrlgkSPQVTOE0L7baaX/42Bq0w9209GiA7FztZkaOxGsOroAW0cCKifbbK9E4BlTPyFu6X1onw8OSowpmZ8bih5amuroYECugw/g669kfh//G7nKi44o26XoI9CajDJUVb+LkXHZFEJ8Xb9xnclxdR4U4klCriIow1cUnCkif2ELa1MMZ+mVvAIdsArIehymNfCpCRZzNu35u38Yf0EYAOCeh5W0LT5cyKp1pql8AGAGbpSSzojJxWpx8N0lA8toeKjOmVegKK2jS7q+4IfF8In2UU8E/DtcMTUbvorYwLPVKtDA7AlHTH8qU1+tosjTHQa5s8U0XvAGKuboiy7vPVDpypMo+tP5LKab9cdFkJumT+PFoIyJkacJnzs2TEzGAAi+PAgr/6yUBgsFejtV0yjFXNbh0vPhVdDQaqt+ylm451bTQo1FxgS6sOFYHnUo4Cj7+0vnMu8f994GZilaqdkY20aRWn/6pg66K1d/koDXB0hDJncx5xsZ1Zgx8Bo1B7rm0v7cyDmFaFEv4BSdcU9XMor98tRMOMQgdHaKBkyz4T/eViwmfoGI/9VA1PaqvO5cEZgkQ6Rn5LqvmkvNanKtrgn+BTsvlximUskQq0NklDl84EUEvieT4OmzNIAWiVTVImZ3/erVQFau7sILc8U+s5H6srGJO45wtFx4r+eKMGC/ZK4Ie128vVWn8e5JFDZ8UAJChyeV4aCzQw1Uw2soQ=
+    repmgr-password: AgDGDte8on0ZOp1Ts++H8D0ZtVDS6LrTZj6XQ1pdER1WoACEjuzg/VhEmqMBP52Rla1lU6agGbZph65tdS6cbf2c2pUSvTnh2agVncdADMjSZonG1dh5wW0fQj9k0WxB+40gv2iWlW3jsaOhYPSCaI38vSL4yjnTr0IVxTIRDBF3Lst+P4jSTgQxUaHzDy7OtRTsGMJDky/BCDFR4fh4MAJxFCoDLnPPG8FBsVVoPz4UeeOMNdq4Yj4/BH677G1PCbsJGGbbSOPn4zr1Fh0q9pJ4ge+vE82bhoqBkb++v2jYtjyCgicS0Tj+KaA6y87/6RTveOpDyooetomwa3JwVawzPWY2wMFB6NrPGeie97wMiYGTFZzcnVZycqfAp5LuSrWdqx+lvJEg2UOyXXHiT3v4qTJxvsDbONuVkHB/ogYi2o66ZBaAUObzFi5G4LHZg5qzxkTroO3T7OTZTSnqAPoyApHHo/t0uSPAWbv+wyqBaZQJxV4cQ7Eyf3wni7UKIXLK139D7Ah2/BrxCM0l4pL8gmFnCjkGKgJiDgG3C+rQXZc+lbjdw4XaLjdTh/T5fg5q1ve0ZErFIa+ugyoLmU17hFlIIbDKaw3nIQJP/abOkx08lLlAZLNuDhGj/HQR7gzEgiLXYWHpBWgUFYRrlAcF2pnq774QL7mnuHbDTZERu5eiC0TPI1FqpYWqujeIB/RIZw9caAzdB9fPJMvbeYQCIdY4uTbQlrs=
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        argocd.argoproj.io/instance: workflows
+      name: postgres-passwords
+      namespace: workflows
+    type: Opaque
diff --git a/charts/workflows/templates/postgres-application-passwords-secret.yaml b/charts/workflows/templates/postgres-application-passwords-secret.yaml
diff --git a/charts/workflows/templates/postgres-initdb-script-secret.yaml b/charts/workflows/templates/postgres-initdb-script-secret.yaml
diff --git a/charts/workflows/templates/postgres-passwords-secret.yaml b/charts/workflows/templates/postgres-passwords-secret.yaml
