Add Env Variable/secret Support For Postgres Password

by ADMIN 54 views

Problem Statement

In Armada, the applicationConfig.postgres.connection field requires the PostgreSQL password to be specified directly in plaintext. This poses a significant security risk in GitOps environments, where secrets should be avoided in Git or rendered manifests. Currently, there is no supported way to reference Kubernetes secrets or environment variables for injecting the PostgreSQL password, making secure deployment challenging without custom patching.

Solution Overview

To address this issue, we propose adding support for securely injecting the PostgreSQL password using an environment variable or a Kubernetes secret reference. This will enable secure deployment in GitOps environments and provide a clean separation of secrets from configurations.

Environment Variable Support

We suggest introducing a new field passwordFromEnvVar in the postgres configuration, which would allow the password to be resolved from an environment variable at runtime. This would eliminate the need to store the password directly in the configuration.

Example Configuration

postgres:
  connection:
    host: postgresql.armada-deps.svc.cluster.local
    port: 5432
    user: postgres
    passwordFromEnvVar: POSTGRES_PASSWORD
    dbname: lookout

In this example, the POSTGRES_PASSWORD environment variable would be resolved at runtime, and the connection string would be constructed accordingly.

Kubernetes Secret Reference Support

Alternatively, we propose introducing a new field passwordFromSecret in the postgres configuration, which would allow the password to be referenced directly from a Kubernetes secret. This would enable the use of SealedSecrets, external secret managers, or other secure secret storage solutions.

Example Configuration

postgres:
  connection:
    host: postgresql.armada-deps.svc.cluster.local
    port: 5432
    user: postgres
    passwordFromSecret:
      name: my-postgres-secret
      key: postgres-password
    dbname: lookout

In this example, the my-postgres-secret secret would be referenced, and the postgres-password key would be used to retrieve the password.

Alternatives Considered

We have considered the following alternatives:

  • Patching the Deployment to add the POSTGRES_PASSWORD env var and leaving the password field blank. However, this approach is not currently supported and would require custom patching.
  • Storing a SealedSecret and patching the CRD with decrypted values. This approach is fragile and has not been successfully implemented in our setup.

Benefits

The proposed solution provides several benefits, including:

  • Secure deployment in GitOps environments
  • Clean separation of secrets from configurations
  • Support for environment variable and Kubernetes secret references
  • Improved security and reduced risk of password exposure

Implementation Plan

To implement this solution, we propose the following steps:

  1. Introduce the passwordFromEnvVar and passwordFromSecret fields in the postgres configuration.
  2. Update the CreateConnectionString logic to support the new fields.
  3. Test the solution in various environments and configurations.
  4. Document the new features and provide guidance on their use.

Q: What is the current issue with PostgreSQL password injection in Armada?

A: Currently, the applicationConfig.postgres.connection field in Armada requires the PostgreSQL password to be specified directly in plaintext. This poses a significant security risk in GitOps environments, where secrets should be avoided in Git or rendered manifests.

Q: Why is it a problem to store secrets in Git or rendered manifests?

A: Storing secrets in Git or rendered manifests can lead to security breaches and unauthorized access to sensitive information. In a GitOps environment, it's essential to keep secrets separate from configurations to maintain security and integrity.

Q: What are the proposed solutions for securely injecting the PostgreSQL password?

A: We propose two solutions:

  1. Environment Variable Support: Introduce a new field passwordFromEnvVar in the postgres configuration, which would allow the password to be resolved from an environment variable at runtime.
  2. Kubernetes Secret Reference Support: Introduce a new field passwordFromSecret in the postgres configuration, which would allow the password to be referenced directly from a Kubernetes secret.

Q: How would the environment variable support work?

A: With environment variable support, the POSTGRES_PASSWORD environment variable would be resolved at runtime, and the connection string would be constructed accordingly. This would eliminate the need to store the password directly in the configuration.

Q: How would the Kubernetes secret reference support work?

A: With Kubernetes secret reference support, the my-postgres-secret secret would be referenced, and the postgres-password key would be used to retrieve the password. This would enable the use of SealedSecrets, external secret managers, or other secure secret storage solutions.

Q: What are the benefits of these proposed solutions?

A: The proposed solutions provide several benefits, including:

  • Secure deployment in GitOps environments
  • Clean separation of secrets from configurations
  • Support for environment variable and Kubernetes secret references
  • Improved security and reduced risk of password exposure

Q: What are the alternatives considered, and why were they not chosen?

A: We considered the following alternatives:

  • Patching the Deployment to add the POSTGRES_PASSWORD env var and leaving the password field blank. However, this approach is not currently supported and would require custom patching.
  • Storing a SealedSecret and patching the CRD with decrypted values. This approach is fragile and has not been successfully implemented in our setup.

Q: What is the implementation plan for these proposed solutions?

A: To implement these solutions, we propose the following steps:

  1. Introduce the passwordFromEnvVar and passwordFromSecret fields in the postgres configuration.
  2. Update the CreateConnectionString logic to support the new fields.
  3. Test the solution in various environments and configurations.
  4. Document the new features and provide guidance on their use.

By implementing these solutions, we can improve the security and reliability of Armada deployments in GitOps environments.