How to avoid committing db password to the repo? (k8s + GCP)

[tibotiber]

Hi,

I'd like to ask how do you achieve db password protection in v2? I've moved over from v1 and I have 2 issues.

1. The prod metadata files include my database password. I should be able to just not commit these files to the repo as they are not used in CI. Is that the right approach?
2. The metadata are setup to load HASURA_GRAPHQL_DATABASE_URL from env variables. I'm on Kubernetes and the docs suggest to add the following to the deployment file:

env:
  - name: HASURA_GRAPHQL_DATABASE_URL
    value: postgres://<username>:<password>@hostname:<port>/<dbname>

and this file is needed in CI. How can I protect the password here? Maybe get it straight from cloudsql-db-credentials (I'm on Google Cloud)?

Thanks,
Thibaut

[adas98012]

Hi Thibaut,
You can use k8s secrets as an alternative to storing the password in deployment.yaml file.
As you are using Google Cloud, this Document should be useful.
I have notified our Documentation team to include these alternatives in our k8s deployment guide.
Thank you for your invaluable feedback.

[tibotiber]

Thanks for the reply @adas98012, I was wondering about one thing. In v1, the deployment file included something like this:

command:
  - graphql-engine
  - --database-url
  - "postgres://$(POSTGRES_DB_USER):$(POSTGRES_DB_PASSWORD)@$(POSTGRES_DB_HOST):$(POSTGRES_DB_PORT)/postgres"
  - serve

env:
  - name: POSTGRES_DB_HOST
    valueFrom:
      secretKeyRef:
        name: cloudsql-db-credentials
        key: private-ip
  - name: POSTGRES_DB_PORT
    value: "5432"
  - name: POSTGRES_DB_USER
    valueFrom:
      secretKeyRef:
        name: cloudsql-db-credentials
        key: username
  - name: POSTGRES_DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: cloudsql-db-credentials
        key: password

which lets me template out the command using values directly provided by cloudsql. Is there an equivalent of this where I could template out the env value for HASURA_GRAPHQL_DATABASE_URL? I guess this is a k8s yaml question, but I can't figure out from the k8s docs.

Also, any update on the point 1, can I simply gitignore the prod metadata and migrations from the repo? CI will only use the ones that are generated through the local dev environment anyway.

Thanks again.