Merge pull request #232 from numtide/postgres-password-secret

feat(shard): add postgres password Secret

Author: fernando-villalba

pkg/resource-handler/controller/shard/containers.go

@@ -78,6 +78,12 @@ const (
 
 	// PgHbaTemplatePath is the full path to the pg_hba template file
 	PgHbaTemplatePath = PgHbaMountPath + "/pg_hba_template.conf"
+
+	// PostgresPasswordSecretName is the name of the Secret containing the PostgreSQL password
+	PostgresPasswordSecretName = "postgres-password"
+
+	// PostgresPasswordSecretKey is the key within the Secret that holds the password
+	PostgresPasswordSecretKey = "password"
 )
 
 // buildSocketDirVolume creates the shared emptyDir volume for unix sockets.
@@ -145,6 +151,7 @@ func buildPostgresContainer(
 				Name:  "PGDATA",
 				Value: PgDataPath,
 			},
+			pgPasswordEnvVar(),
 		},
 		SecurityContext: &corev1.SecurityContext{
 			RunAsUser:    ptr.To(int64(999)), // Must match postgres:17 image UID for file access
@@ -222,6 +229,7 @@ func buildPgctldContainer(
 				Name:  "PGDATA",
 				Value: PgDataPath,
 			},
+			pgPasswordEnvVar(),
 		},
 		SecurityContext: &corev1.SecurityContext{
 			RunAsUser:    ptr.To(int64(999)),
@@ -270,7 +278,7 @@ func buildMultiPoolerSidecar(
 
 	// TODO: Add remaining command line arguments:
 	// --grpc-socket-file, --log-level, --log-output, --hostname
-	// --pgbackrest-stanza, --connpool-admin-password
+	// --pgbackrest-stanza
 
 	args := []string{
 		"multipooler", // Subcommand
@@ -288,6 +296,7 @@ func buildMultiPoolerSidecar(
 		"--service-id=$(POD_NAME)", // Use pod name as unique service ID
 		"--pgctld-addr=localhost:15470",
 		"--pg-port=5432",
+		"--connpool-admin-password=$(CONNPOOL_ADMIN_PASSWORD)", // Resolved from env var below
 	}
 
 	c := corev1.Container{
@@ -339,6 +348,7 @@ func buildMultiPoolerSidecar(
 					},
 				},
 			},
+			connpoolAdminPasswordEnvVar(),
 		},
 		VolumeMounts: []corev1.VolumeMount{
 			{
@@ -487,3 +497,36 @@ func buildBackupVolume(shard *multigresv1alpha1.Shard, poolName, cellName string
 		},
 	}
 }
+
+// pgPasswordEnvVar returns a PGPASSWORD env var sourced from the postgres-password Secret.
+// pgctld reads this during initdb to set the superuser password.
+func pgPasswordEnvVar() corev1.EnvVar {
+	return corev1.EnvVar{
+		Name: "PGPASSWORD",
+		ValueFrom: &corev1.EnvVarSource{
+			SecretKeyRef: &corev1.SecretKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: PostgresPasswordSecretName,
+				},
+				Key: PostgresPasswordSecretKey,
+			},
+		},
+	}
+}
+
+// connpoolAdminPasswordEnvVar returns a CONNPOOL_ADMIN_PASSWORD env var sourced
+// from the postgres-password Secret. Multipooler uses this to authenticate
+// with PostgreSQL for connection pool administration.
+func connpoolAdminPasswordEnvVar() corev1.EnvVar {
+	return corev1.EnvVar{
+		Name: "CONNPOOL_ADMIN_PASSWORD",
+		ValueFrom: &corev1.EnvVarSource{
+			SecretKeyRef: &corev1.SecretKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: PostgresPasswordSecretName,
+				},
+				Key: PostgresPasswordSecretKey,
+			},
+		},
+	}
+}

pkg/resource-handler/controller/shard/containers_test.go

@@ -47,6 +47,7 @@ func TestBuildPostgresContainer(t *testing.T) {
 						Name:  "PGDATA",
 						Value: PgDataPath,
 					},
+					pgPasswordEnvVar(),
 				},
 				SecurityContext: &corev1.SecurityContext{
 					RunAsUser:    ptr.To(int64(999)),
@@ -110,6 +111,7 @@ func TestBuildPostgresContainer(t *testing.T) {
 						Name:  "PGDATA",
 						Value: PgDataPath,
 					},
+					pgPasswordEnvVar(),
 				},
 				SecurityContext: &corev1.SecurityContext{
 					RunAsUser:    ptr.To(int64(999)),
@@ -191,6 +193,7 @@ func TestBuildPostgresContainer(t *testing.T) {
 						Name:  "PGDATA",
 						Value: PgDataPath,
 					},
+					pgPasswordEnvVar(),
 				},
 				SecurityContext: &corev1.SecurityContext{
 					RunAsUser:    ptr.To(int64(999)),
@@ -279,6 +282,7 @@ func TestBuildMultiPoolerSidecar(t *testing.T) {
 					"--service-id=$(POD_NAME)",
 					"--pgctld-addr=localhost:15470",
 					"--pg-port=5432",
+					"--connpool-admin-password=$(CONNPOOL_ADMIN_PASSWORD)",
 				},
 				Ports:         buildMultiPoolerContainerPorts(),
 				Resources:     corev1.ResourceRequirements{},
@@ -325,6 +329,7 @@ func TestBuildMultiPoolerSidecar(t *testing.T) {
 							},
 						},
 					},
+					connpoolAdminPasswordEnvVar(),
 				},
 				VolumeMounts: []corev1.VolumeMount{
 					{
@@ -382,6 +387,7 @@ func TestBuildMultiPoolerSidecar(t *testing.T) {
 					"--service-id=$(POD_NAME)",
 					"--pgctld-addr=localhost:15470",
 					"--pg-port=5432",
+					"--connpool-admin-password=$(CONNPOOL_ADMIN_PASSWORD)",
 				},
 				Ports:         buildMultiPoolerContainerPorts(),
 				Resources:     corev1.ResourceRequirements{},
@@ -428,6 +434,7 @@ func TestBuildMultiPoolerSidecar(t *testing.T) {
 							},
 						},
 					},
+					connpoolAdminPasswordEnvVar(),
 				},
 				VolumeMounts: []corev1.VolumeMount{
 					{
@@ -494,6 +501,7 @@ func TestBuildMultiPoolerSidecar(t *testing.T) {
 					"--service-id=$(POD_NAME)",
 					"--pgctld-addr=localhost:15470",
 					"--pg-port=5432",
+					"--connpool-admin-password=$(CONNPOOL_ADMIN_PASSWORD)",
 				},
 				Ports: buildMultiPoolerContainerPorts(),
 				Resources: corev1.ResourceRequirements{
@@ -549,6 +557,7 @@ func TestBuildMultiPoolerSidecar(t *testing.T) {
 							},
 						},
 					},
+					connpoolAdminPasswordEnvVar(),
 				},
 				VolumeMounts: []corev1.VolumeMount{
 					{

pkg/resource-handler/controller/shard/integration_test.go

@@ -337,6 +337,7 @@ func TestShardReconciliation(t *testing.T) {
 											"--service-id=$(POD_NAME)",
 											"--pgctld-addr=localhost:15470",
 											"--pg-port=5432",
+											"--connpool-admin-password=$(CONNPOOL_ADMIN_PASSWORD)",
 										},
 										Ports:         multipoolerPorts(t),
 										RestartPolicy: ptr.To(corev1.ContainerRestartPolicyAlways),
@@ -383,6 +384,17 @@ func TestShardReconciliation(t *testing.T) {
 													},
 												},
 											},
+											{
+												Name: "CONNPOOL_ADMIN_PASSWORD",
+												ValueFrom: &corev1.EnvVarSource{
+													SecretKeyRef: &corev1.SecretKeySelector{
+														LocalObjectReference: corev1.LocalObjectReference{
+															Name: shardcontroller.PostgresPasswordSecretName,
+														},
+														Key: shardcontroller.PostgresPasswordSecretKey,
+													},
+												},
+											},
 										},
 										VolumeMounts: []corev1.VolumeMount{
 											{Name: "pgdata", MountPath: "/var/lib/pooler"},
@@ -411,6 +423,17 @@ func TestShardReconciliation(t *testing.T) {
 										},
 										Env: []corev1.EnvVar{
 											{Name: "PGDATA", Value: "/var/lib/pooler/pg_data"},
+											{
+												Name: "PGPASSWORD",
+												ValueFrom: &corev1.EnvVarSource{
+													SecretKeyRef: &corev1.SecretKeySelector{
+														LocalObjectReference: corev1.LocalObjectReference{
+															Name: shardcontroller.PostgresPasswordSecretName,
+														},
+														Key: shardcontroller.PostgresPasswordSecretKey,
+													},
+												},
+											},
 										},
 										SecurityContext: &corev1.SecurityContext{
 											RunAsUser:    ptr.To(int64(999)),
@@ -681,6 +704,7 @@ func TestShardReconciliation(t *testing.T) {
 											"--service-id=$(POD_NAME)",
 											"--pgctld-addr=localhost:15470",
 											"--pg-port=5432",
+											"--connpool-admin-password=$(CONNPOOL_ADMIN_PASSWORD)",
 										},
 										Ports:         multipoolerPorts(t),
 										RestartPolicy: ptr.To(corev1.ContainerRestartPolicyAlways),
@@ -727,6 +751,17 @@ func TestShardReconciliation(t *testing.T) {
 													},
 												},
 											},
+											{
+												Name: "CONNPOOL_ADMIN_PASSWORD",
+												ValueFrom: &corev1.EnvVarSource{
+													SecretKeyRef: &corev1.SecretKeySelector{
+														LocalObjectReference: corev1.LocalObjectReference{
+															Name: shardcontroller.PostgresPasswordSecretName,
+														},
+														Key: shardcontroller.PostgresPasswordSecretKey,
+													},
+												},
+											},
 										},
 										VolumeMounts: []corev1.VolumeMount{
 											{Name: "pgdata", MountPath: "/var/lib/pooler"},
@@ -755,6 +790,17 @@ func TestShardReconciliation(t *testing.T) {
 										},
 										Env: []corev1.EnvVar{
 											{Name: "PGDATA", Value: "/var/lib/pooler/pg_data"},
+											{
+												Name: "PGPASSWORD",
+												ValueFrom: &corev1.EnvVarSource{
+													SecretKeyRef: &corev1.SecretKeySelector{
+														LocalObjectReference: corev1.LocalObjectReference{
+															Name: shardcontroller.PostgresPasswordSecretName,
+														},
+														Key: shardcontroller.PostgresPasswordSecretKey,
+													},
+												},
+											},
 										},
 										SecurityContext: &corev1.SecurityContext{
 											RunAsUser:    ptr.To(int64(999)),
@@ -1133,6 +1179,7 @@ func TestShardReconciliation(t *testing.T) {
 											"--service-id=$(POD_NAME)",
 											"--pgctld-addr=localhost:15470",
 											"--pg-port=5432",
+											"--connpool-admin-password=$(CONNPOOL_ADMIN_PASSWORD)",
 										},
 										Ports: []corev1.ContainerPort{
 											tcpPort(t, "http", 15200),
@@ -1183,6 +1230,17 @@ func TestShardReconciliation(t *testing.T) {
 													},
 												},
 											},
+											{
+												Name: "CONNPOOL_ADMIN_PASSWORD",
+												ValueFrom: &corev1.EnvVarSource{
+													SecretKeyRef: &corev1.SecretKeySelector{
+														LocalObjectReference: corev1.LocalObjectReference{
+															Name: shardcontroller.PostgresPasswordSecretName,
+														},
+														Key: shardcontroller.PostgresPasswordSecretKey,
+													},
+												},
+											},
 										},
 										VolumeMounts: []corev1.VolumeMount{
 											{Name: "pgdata", MountPath: "/var/lib/pooler"},
@@ -1211,6 +1269,17 @@ func TestShardReconciliation(t *testing.T) {
 										},
 										Env: []corev1.EnvVar{
 											{Name: "PGDATA", Value: "/var/lib/pooler/pg_data"},
+											{
+												Name: "PGPASSWORD",
+												ValueFrom: &corev1.EnvVarSource{
+													SecretKeyRef: &corev1.SecretKeySelector{
+														LocalObjectReference: corev1.LocalObjectReference{
+															Name: shardcontroller.PostgresPasswordSecretName,
+														},
+														Key: shardcontroller.PostgresPasswordSecretKey,
+													},
+												},
+											},
 										},
 										SecurityContext: &corev1.SecurityContext{
 											RunAsUser:    ptr.To(int64(999)),
@@ -1350,6 +1419,7 @@ func TestShardReconciliation(t *testing.T) {
 											"--service-id=$(POD_NAME)",
 											"--pgctld-addr=localhost:15470",
 											"--pg-port=5432",
+											"--connpool-admin-password=$(CONNPOOL_ADMIN_PASSWORD)",
 										},
 										Ports: []corev1.ContainerPort{
 											tcpPort(t, "http", 15200),
@@ -1400,6 +1470,17 @@ func TestShardReconciliation(t *testing.T) {
 													},
 												},
 											},
+											{
+												Name: "CONNPOOL_ADMIN_PASSWORD",
+												ValueFrom: &corev1.EnvVarSource{
+													SecretKeyRef: &corev1.SecretKeySelector{
+														LocalObjectReference: corev1.LocalObjectReference{
+															Name: shardcontroller.PostgresPasswordSecretName,
+														},
+														Key: shardcontroller.PostgresPasswordSecretKey,
+													},
+												},
+											},
 										},
 										VolumeMounts: []corev1.VolumeMount{
 											{Name: "pgdata", MountPath: "/var/lib/pooler"},
@@ -1428,6 +1509,17 @@ func TestShardReconciliation(t *testing.T) {
 										},
 										Env: []corev1.EnvVar{
 											{Name: "PGDATA", Value: "/var/lib/pooler/pg_data"},
+											{
+												Name: "PGPASSWORD",
+												ValueFrom: &corev1.EnvVarSource{
+													SecretKeyRef: &corev1.SecretKeySelector{
+														LocalObjectReference: corev1.LocalObjectReference{
+															Name: shardcontroller.PostgresPasswordSecretName,
+														},
+														Key: shardcontroller.PostgresPasswordSecretKey,
+													},
+												},
+											},
 										},
 										SecurityContext: &corev1.SecurityContext{
 											RunAsUser:    ptr.To(int64(999)),

pkg/resource-handler/controller/shard/pool_statefulset_test.go

@@ -157,6 +157,7 @@ func TestBuildPoolStatefulSet(t *testing.T) {
 											Name:  "PGDATA",
 											Value: "/var/lib/pooler/pg_data",
 										},
+										pgPasswordEnvVar(),
 									},
 									SecurityContext: &corev1.SecurityContext{
 										RunAsUser:    ptr.To(int64(999)),
@@ -369,6 +370,7 @@ func TestBuildPoolStatefulSet(t *testing.T) {
 											Name:  "PGDATA",
 											Value: "/var/lib/pooler/pg_data",
 										},
+										pgPasswordEnvVar(),
 									},
 									SecurityContext: &corev1.SecurityContext{
 										RunAsUser:    ptr.To(int64(999)),
@@ -574,6 +576,7 @@ func TestBuildPoolStatefulSet(t *testing.T) {
 											Name:  "PGDATA",
 											Value: "/var/lib/pooler/pg_data",
 										},
+										pgPasswordEnvVar(),
 									},
 									SecurityContext: &corev1.SecurityContext{
 										RunAsUser:    ptr.To(int64(999)),
@@ -814,6 +817,7 @@ func TestBuildPoolStatefulSet(t *testing.T) {
 											Name:  "PGDATA",
 											Value: "/var/lib/pooler/pg_data",
 										},
+										pgPasswordEnvVar(),
 									},
 									SecurityContext: &corev1.SecurityContext{
 										RunAsUser:    ptr.To(int64(999)),