Skip to content

feat: share the DB password across external-secrets keys#31

Merged
alexnuttinck merged 2 commits into
mainfrom
feat/externalsecrets-shared-pg-key
Jul 7, 2026
Merged

feat: share the DB password across external-secrets keys#31
alexnuttinck merged 2 commits into
mainfrom
feat/externalsecrets-shared-pg-key

Conversation

@alexnuttinck

@alexnuttinck alexnuttinck commented Jul 6, 2026

Copy link
Copy Markdown
Member

The odoo.conf ExternalSecret read both postgresqlPassword (db_password) and odooAdminPasswd (admin_passwd) from odooKey, forcing the DB password to be stored twice in Vault (under postgresqlKey for Postgres and again under odooKey for Odoo) and kept in sync by hand.

Restructure externalsecrets.properties.odoo.* into { key, property } objects so each odoo.conf credential picks its own Vault key. Key resolution (helper ..externalsecrets.odooConfData, shared by the normal + hook copies):

  • db_password: explicit key -> postgresqlKey -> odooKey
  • admin_passwd: explicit key -> odooKey

The DB password now lives in Vault once (postgresqlKey, shared with the PostgreSQL secret) instead of being duplicated under odooKey, falls back to odooKey when postgresqlKey is unset (external DB), and any credential's key can be overridden to point at a different Vault key.

Bump chart to 1.4.0; update CLAUDE.md and README.

Summary by CodeRabbit

  • New Features
    • Enhanced external-secrets templating for Odoo credentials, supporting separate Vault key and property mappings for database and admin passwords.
    • Improved fallback behavior when key is left empty, ensuring consistent shared-secret routing when desired.
  • Documentation
    • Updated identity/routing documentation and expanded mapping examples for Vault key selection.
    • Added upgrade notes for the 2.0.0 breaking change: postgresqlPassword and adminPasswd now use a {key, property} mapping (instead of a bare value).

The odoo.conf ExternalSecret read both postgresqlPassword (db_password) and
odooAdminPasswd (admin_passwd) from odooKey, forcing the DB password to be
stored twice in Vault (under postgresqlKey for Postgres and again under odooKey
for Odoo) and kept in sync by hand.

Restructure externalsecrets.properties.odoo.* into { key, property } objects so
each odoo.conf credential picks its own Vault key. Key resolution (helper
..externalsecrets.odooConfData, shared by the normal + hook copies):
- db_password:  explicit key -> postgresqlKey -> odooKey
- admin_passwd: explicit key -> odooKey

The DB password now lives in Vault once (postgresqlKey, shared with the
PostgreSQL secret) instead of being duplicated under odooKey, falls back to
odooKey when postgresqlKey is unset (external DB), and any credential's key can
be overridden to point at a different Vault key.

Bump chart to 1.4.0; update CLAUDE.md and README.

Signed-off-by: Alexandre Nuttinck <alexandre@nuttinck.be>
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eda549d9-b5cd-4760-b4b0-39d098efc01f

📥 Commits

Reviewing files that changed from the base of the PR and between b519c07 and a174698.

📒 Files selected for processing (2)
  • Chart.yaml
  • README.md
✅ Files skipped from review due to trivial changes (1)
  • Chart.yaml

📝 Walkthrough

Walkthrough

This PR changes how Odoo ExternalSecrets resolve Vault keys and properties. The values schema now supports per-credential {key, property} overrides, a shared helper renders the odoo.conf data entries, both ExternalSecret templates use that helper, and the chart version and docs are updated.

Changes

Configurable ExternalSecret credential mapping

Layer / File(s) Summary
Values schema for credential key/property overrides
values.yaml
externalsecrets.properties.odoo.postgresqlPassword and adminPasswd change from plain string values to {key, property} objects with empty-key fallback defaults and added explanatory comments.
Shared odooConfData helper
templates/_helpers.tpl
New ..externalsecrets.odooConfData helper resolves remoteRef.key via tpl with nested default fallback and remoteRef.property via nil-safe dig, emitting entries for db_password and admin_passwd.
Wire helper into ExternalSecret templates
templates/externalsecrets.yaml
Both the *-odoo-conf-secret and *-odoo-conf-hook-secret data blocks replace hardcoded remoteRef entries with an include of the shared helper.
Version bump and documentation updates
Chart.yaml, CLAUDE.md, README.md
Chart version bumped to 2.0.0; docs describe the new per-credential key overrides, default key selection, and shared vs. split password mapping including external-DB fallback behavior.

Estimated code review effort: 2 (Simple) | ~15 minutes

Possibly related PRs

  • IMIO/helm-odoo#21: Modifies the same templates/externalsecrets.yaml remoteRef/data entries for postgresqlPassword and adminPasswd that this PR refactors into the shared helper.
  • IMIO/helm-odoo#24: Makes remoteRef.property mapping for Odoo/PostgreSQL credentials configurable via values, directly related to the values schema and helper changes here.
  • IMIO/helm-odoo#29: Touches the same ExternalSecrets key-rendering path by templating remoteRef.key values for Odoo/PostgreSQL credentials.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects the main change: sharing the DB password across ExternalSecrets keys.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/externalsecrets-shared-pg-key

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@templates/_helpers.tpl`:
- Around line 163-172: The odoo externalsecrets helper now assumes
externalsecrets.properties.odoo.postgresqlPassword and adminPasswd are
object-shaped overrides, so legacy scalar values will be ignored by Helm
coalescing and the old secret overrides stop working. Update the
..externalsecrets.odooConfData template to preserve compatibility with the
previous string form or add a migration note/changelog entry explaining the
values-shape change, and verify the fallback behavior around the property
lookups for postgresqlPassword and adminPasswd.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: db4b421f-0b7d-49bf-8028-3cadbb747739

📥 Commits

Reviewing files that changed from the base of the PR and between 7a63d89 and b519c07.

📒 Files selected for processing (6)
  • CLAUDE.md
  • Chart.yaml
  • README.md
  • templates/_helpers.tpl
  • templates/externalsecrets.yaml
  • values.yaml

Comment thread templates/_helpers.tpl
… change

externalsecrets.properties.odoo.{postgresqlPassword,adminPasswd} changed from a
bare string (remoteRef property name) to a map {key, property} in the pending
release. That form was released in 1.1.0-1.3.0, so an upgrade with a legacy
scalar override crashes at render (dig panic). Ship it as a breaking major
release with a README migration note rather than a compatibility shim.

- Chart.yaml: 1.4.0 -> 2.0.0
- README: add "To 2.0.0" upgrade note (before/after values + failure signature),
  fix stale pre-1.4.0 reference
@alexnuttinck
alexnuttinck merged commit 53bdbcd into main Jul 7, 2026
3 checks passed
@alexnuttinck
alexnuttinck deleted the feat/externalsecrets-shared-pg-key branch July 15, 2026 08:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant