feat: share the DB password across external-secrets keys#31
Conversation
The odoo.conf ExternalSecret read both postgresqlPassword (db_password) and
odooAdminPasswd (admin_passwd) from odooKey, forcing the DB password to be
stored twice in Vault (under postgresqlKey for Postgres and again under odooKey
for Odoo) and kept in sync by hand.
Restructure externalsecrets.properties.odoo.* into { key, property } objects so
each odoo.conf credential picks its own Vault key. Key resolution (helper
..externalsecrets.odooConfData, shared by the normal + hook copies):
- db_password: explicit key -> postgresqlKey -> odooKey
- admin_passwd: explicit key -> odooKey
The DB password now lives in Vault once (postgresqlKey, shared with the
PostgreSQL secret) instead of being duplicated under odooKey, falls back to
odooKey when postgresqlKey is unset (external DB), and any credential's key can
be overridden to point at a different Vault key.
Bump chart to 1.4.0; update CLAUDE.md and README.
Signed-off-by: Alexandre Nuttinck <alexandre@nuttinck.be>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughThis PR changes how Odoo ExternalSecrets resolve Vault keys and properties. The values schema now supports per-credential ChangesConfigurable ExternalSecret credential mapping
Estimated code review effort: 2 (Simple) | ~15 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@templates/_helpers.tpl`:
- Around line 163-172: The odoo externalsecrets helper now assumes
externalsecrets.properties.odoo.postgresqlPassword and adminPasswd are
object-shaped overrides, so legacy scalar values will be ignored by Helm
coalescing and the old secret overrides stop working. Update the
..externalsecrets.odooConfData template to preserve compatibility with the
previous string form or add a migration note/changelog entry explaining the
values-shape change, and verify the fallback behavior around the property
lookups for postgresqlPassword and adminPasswd.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: db4b421f-0b7d-49bf-8028-3cadbb747739
📒 Files selected for processing (6)
CLAUDE.mdChart.yamlREADME.mdtemplates/_helpers.tpltemplates/externalsecrets.yamlvalues.yaml
… change
externalsecrets.properties.odoo.{postgresqlPassword,adminPasswd} changed from a
bare string (remoteRef property name) to a map {key, property} in the pending
release. That form was released in 1.1.0-1.3.0, so an upgrade with a legacy
scalar override crashes at render (dig panic). Ship it as a breaking major
release with a README migration note rather than a compatibility shim.
- Chart.yaml: 1.4.0 -> 2.0.0
- README: add "To 2.0.0" upgrade note (before/after values + failure signature),
fix stale pre-1.4.0 reference
The odoo.conf ExternalSecret read both postgresqlPassword (db_password) and odooAdminPasswd (admin_passwd) from odooKey, forcing the DB password to be stored twice in Vault (under postgresqlKey for Postgres and again under odooKey for Odoo) and kept in sync by hand.
Restructure externalsecrets.properties.odoo.* into { key, property } objects so each odoo.conf credential picks its own Vault key. Key resolution (helper ..externalsecrets.odooConfData, shared by the normal + hook copies):
The DB password now lives in Vault once (postgresqlKey, shared with the PostgreSQL secret) instead of being duplicated under odooKey, falls back to odooKey when postgresqlKey is unset (external DB), and any credential's key can be overridden to point at a different Vault key.
Bump chart to 1.4.0; update CLAUDE.md and README.
Summary by CodeRabbit
keyis left empty, ensuring consistent shared-secret routing when desired.postgresqlPasswordandadminPasswdnow use a{key, property}mapping (instead of a bare value).