helm chart: read target postgres from k8s secret

[noamliber-reco]

We are missing a very important part, we want to read the postgres connecction from a secret, we can't just write the password of our postgres inside the values.yaml, need to have the ability to read from a secret

[drdrsh]

Yes. I have been thinking about this for a while as I am actually in the process of deploying PgCat using the helm chart.

I am not sure how to go about that. One option I have seen Datadog Agent do is to allow you to define a "Secret backend" which is a binary that the agent calls with some input parameters and the backend fetches the secret.

So, In PgCat config, it will look like this

secret_backend = "/bin/some_tool_to_get_the_secret.sh"
....

password = ENC["<SECRET_IDENTIFIER>"] 

and when the PgCat binary encounters that value, it passes the SECRET_IDENTIFIER to the secret backend and that binary goes out and fetches the secret. This approach allow us to put the secret name right in values.yaml file and decouple the process of fetching the secret from PgCat. It also means we don't have plain passwords in the pgcat.toml at any point of PgCat lifetime. How does that sound?

[noamliber-reco]

Sounds like a plan

[noamliber-reco]

I think it's also required for the users section:
users: [] - username: "user" password: "pass"

Can be something like that:

    password:
      valueFrom:
        secretKeyRef:
          name: nameof-secret-in-k8s 
          key: password 

[noamliber-reco]

Hey @drdrsh I saw that you have added support for k8s secret in the context of users for pgCat - thank you! any chance to add the same functionallity for the shards servers section ?