@sghosh23 sghosh23 commented Oct 22, 2025

  • Move repmgr and wire-server passwords from inventory to K8s secrets
  • Create unified postgresql-secrets.yml playbook for all PG credentials
  • Add runtime validation with helpful error messages in dependent playbooks
  • Remove hardcoded passwords from group_vars (security improvement)
  • Update documentation with new tag strategy and password access commands
  • Simplify wire-setup playbook by removing duplicate secret logic

Security improvements:

  • No hardcoded credentials in version control
  • Auto-generate 32-character strong passwords
  • Passwords managed centrally in K8s secrets
  • Add no_log directive to prevent password exposure in logs

Technical details:

  • Use modern Ansible password lookup syntax with named parameters
  • Data-driven design with pg_secrets list for easy extensibility
  • Smart tag grouping (postgresql tag runs secrets + primary + replica)
  • Fail-fast validation prevents cryptic undefined variable errors

Change type

  • Fix
  • Feature
  • Documentation
  • Security / Upgrade

Basic information

  • THIS CHANGE REQUIRES A DEPLOYMENT PACKAGE RELEASE
  • THIS CHANGE REQUIRES A WIRE-DOCS RELEASE

Testing

  • I ran/applied the changes myself, in a test environment.
  • The CI job attached to this repo will test it for me.

Tracking

  • I added a new entry in an appropriate subdirectory of changelog.d
  • I mentioned this PR in Jira, OR I mentioned the Jira ticket in this PR.
  • I mentioned this PR in one of the issues attached to one of our repositories.

Knowledge Transfer

  • An Asciinema session is attached to the Jira ticket.

Motivation

Objective

Reason

Use case

- Remove hardcoded repmgr password to k8s secret
- Refactor postgresql secret management to the secrets playbook
- Update the dependency playbooks in the deploy playbook
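The description above lists the pattern without showing it: generate a credential with the Ansible password lookup using named parameters, store it in a Kubernetes Secret under no_log, and have dependent plays fail fast with a readable message. The playbook below is an added illustration written for this page, not the playbook from this PR or from the wire-server-deploy repository. The secret names (repmgr-password, wire-server-password), the data keys, the namespace wire and the pg_secrets list structure are assumptions; it also adds an existence check so that a rerun does not silently rotate a password that already exists, which is the edge case a secrets playbook most often gets wrong.

```yaml
# Added example, not the PR's own playbook. Assumed: namespace "wire",
# secret names/keys below, and the kubernetes.core collection installed.
- name: Create PostgreSQL credentials as Kubernetes secrets
  hosts: localhost
  gather_facts: false
  vars:
    pg_namespace: wire
    # Data-driven list: add an entry here to manage another credential
    pg_secrets:
      - name: repmgr-password
        key: repmgr_password
      - name: wire-server-password
        key: wire_server_password
  tasks:
    - name: Check which secrets already exist (so reruns do not rotate passwords)
      kubernetes.core.k8s_info:
        kind: Secret
        namespace: "{{ pg_namespace }}"
        name: "{{ item.name }}"
      loop: "{{ pg_secrets }}"
      register: existing_secrets

    - name: Create missing secrets with a generated 32-character password
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: "{{ item.item.name }}"
            namespace: "{{ pg_namespace }}"
          type: Opaque
          # '/dev/null' as the path keeps the lookup from writing the value to disk;
          # the named parameters select length and character classes
          stringData: "{{ {item.item.key: lookup('ansible.builtin.password', '/dev/null', length=32, chars=['ascii_letters', 'digits'])} }}"
      loop: "{{ existing_secrets.results }}"
      loop_control:
        label: "{{ item.item.name }}"
      when: item.resources | length == 0
      no_log: true   # keep the generated value out of stdout and log files

# Dependent play: fail fast with a clear message instead of an undefined-variable error
- name: Deploy PostgreSQL primary
  hosts: localhost
  gather_facts: false
  vars:
    pg_namespace: wire
  tasks:
    - name: Read the repmgr secret
      kubernetes.core.k8s_info:
        kind: Secret
        namespace: "{{ pg_namespace }}"
        name: repmgr-password
      register: repmgr_secret

    - name: Stop early if the secret is missing
      ansible.builtin.assert:
        that:
          - repmgr_secret.resources | length > 0
          - "'repmgr_password' in repmgr_secret.resources[0].data"
        fail_msg: >-
          Secret repmgr-password not found in namespace {{ pg_namespace }}.
          Run the secrets playbook first (ansible-playbook postgresql-secrets.yml).

    - name: Decode the password for later tasks (Secret .data is base64)
      ansible.builtin.set_fact:
        repmgr_password: "{{ repmgr_secret.resources[0].data.repmgr_password | b64decode }}"
      no_log: true
```

The existence check matters because the password lookup with /dev/null produces a fresh value on every run; without the `when` guard a second run would overwrite a credential the database already trusts. Reading the value back with `kubectl get secret repmgr-password -n wire -o jsonpath='{.data.repmgr_password}' | base64 -d` is the operator-side counterpart of the last task.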
@sghosh23 sghosh23 requested review from a team and julialongtin as code owners October 22, 2025 12:04
- Move repmgr and wire-server passwords from inventory to K8s secrets
- Create unified postgresql-secrets.yml playbook for all PG credentials
- Add runtime validation with helpful error messages in dependent playbooks
- Remove hardcoded passwords from group_vars (security improvement)
- Update documentation with new tag strategy and password access commands
- Simplify wire-setup playbook by removing duplicate secret logic

Security improvements:
- No hardcoded credentials in version control
- Auto-generate 32-character strong passwords
- Passwords managed centrally in K8s secrets
- Add no_log directive to prevent password exposure in logs

Technical details:
- Use modern Ansible password lookup syntax with named parameters
- Data-driven design with pg_secrets list for easy extensibility
- Smart tag grouping (postgresql tag runs secrets + primary + replica)
- Fail-fast validation prevents cryptic undefined variable errors
- Update the document with added scenarios
- Fix changelog.d file
#
# Usage Examples:
# Full deployment: ansible-playbook postgresql-deploy.yml
# Skip cleanup: ansible-playbook postgresql-deploy.yml --skip-tags cleanup
Member

If these examples are to be useful, the term before the colon should be a longer explanation than the skip-tags value.

@sghosh23 sghosh23 changed the title Move secret creation to a separate playbook Move secret configuration for postgresql cluster to a separate playbook Nov 4, 2025
sonarqubecloud bot commented Nov 4, 2025
