Skip to content

Enhance externalDatabase configuration flexibility for secret references #746

New issue
New issue
Open
#855
Open
Enhance externalDatabase configuration flexibility for secret references#746
#855
Labels
enhancementNew feature or requestgood first issueGood for newcomershelp wantedExtra attention is needed
@katt-999

Description

@katt-999
katt-999
opened on Jun 18, 2025

Proposed functionality

Description

Currently, the externalDatabase configuration in the Helm chart only supports referencing a single key from an existing secret (the password). This limitation prevents users from dynamically configuring other database connection parameters when using external database operators that provide comprehensive connection information via secrets.

Current Limitation

The current values.yaml schema only allows referencing the password from an existing secret:

externalDatabase:
  host: localhost
  port: 5432
  database: netbox
  username: netbox
  password: ""
  existingSecretName: ""
  existingSecretKey: postgresql-password

Proposed Solution

Enhance the externalDatabase configuration to support referencing multiple keys from existing secrets for all connection parameters:

externalDatabase:
  host: localhost
  port: 5432
  database: netbox
  username: netbox
  password: ""
  
  # Enhanced secret reference configuration
  existingSecret:
    name: ""
    keys:
      host: "HOST"           # Optional: reference host from secret
      port: "PORT"           # Optional: reference port from secret  
      database: "DATABASE"   # Optional: reference database name from secret
      username: "LOGIN"      # Optional: reference username from secret
      password: "PASSWORD"   # Optional: reference password from secret
  
  # Backward compatibility
  existingSecretName: ""
  existingSecretKey: postgresql-password

Implementation Details

The implementation should:

  1. Maintain backward compatibility with the existing existingSecretName and existingSecretKey fields
  2. Support partial secret references - users should be able to reference only specific parameters from secrets while keeping others as static values
  3. Prioritize secret values over static values when both are provided
  4. Validate secret references during deployment

Example Usage

With the EasyMile PostgreSQL operator secret shown above, users could configure:

externalDatabase:
  existingSecret:
    name: "netbox-pg-user"
    keys:
      host: "HOST"
      port: "PORT"
      database: "DATABASE"
      username: "LOGIN"
      password: "PASSWORD"

This would dynamically configure all database connection parameters from the operator-generated secret, enabling full integration with the PostgreSQL operator lifecycle.

Benefits

  • Seamless integration with database operators like EasyMile PostgreSQL operator
  • Reduced configuration complexity and maintenance overhead
  • Enhanced security by avoiding hardcoded connection parameters in values files
  • Better GitOps compatibility with dynamic infrastructure provisioning
  • Maintained backward compatibility for existing deployments
  • Operator lifecycle alignment - connection parameters automatically update when operators modify secrets

Alternative Considered

An alternative approach could be to support secret references directly in each field:

externalDatabase:
  host: 
    value: "localhost"
    secretRef:
      name: "postgres-secret"
      key: "HOST"
  # ... similar for other fields

However, the proposed solution is cleaner and more intuitive for users managing comprehensive database secrets from operators.

Use case

I'm using EasyMile PostgreSQL operator, which creates a secret containing all necessary database connection information after provisioning a database instance. Here's an example of the generated secret:

kind: Secret
apiVersion: v1
metadata:
  labels:
    app: netbox-pg-user-role
  name: netbox-pg-user
  namespace: netbox
data:
  ARGS: ""
  DATABASE: bmV0Ym94X2Ri
  HOST: cG9zdGdyZXMtc2VydmljZQ==
  LOGIN: bmV0Ym94X3VzZXI=
  PASSWORD: c3VwZXJfc2VjcmV0X3Bhc3N3b3Jk
  PORT: NTQzMg==
  POSTGRES_URL: cG9zdGdyZXNxbDovL25ldGJveF91c2VyOnN1cGVyX3NlY3JldF9wYXNzd29yZEBwb3N0Z3Jlcy1zZXJ2aWNlOjU0MzIvbmV0Ym94X2Ri
  POSTGRES_URL_ARGS: ""

Currently, I can only reference the PASSWORD from this secret, forcing me to:

  1. Manually decode the base64-encoded secret data to extract connection parameters
  2. Hardcode these decoded values in my values.yaml file for host, port, database, and username fields
  3. Maintain these hardcoded values manually whenever the operator updates the database configuration

This workflow is error-prone, defeats the purpose of having a comprehensive secret generated by the operator, and breaks the automation benefits of using a database operator. For example, I currently have to run:

kubectl get secret netbox-pg-user -o jsonpath='{.data.HOST}' | base64 -d
kubectl get secret netbox-pg-user -o jsonpath='{.data.PORT}' | base64 -d  
kubectl get secret netbox-pg-user -o jsonpath='{.data.DATABASE}' | base64 -d
kubectl get secret netbox-pg-user -o jsonpath='{.data.LOGIN}' | base64 -d

Then manually copy these decoded values into my Helm values, which is neither scalable nor maintainable.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestgood first issueGood for newcomershelp wantedExtra attention is needed

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions