allow populating pod environment from Secrets

[kupson]

It would be nice to populate env variables from secrets e.g. AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY so they won't be exposed in ConfigMaps.

[Jan-M]

Is there a reason you cannot use iam/pod iam role for this?

[kupson]

Is there a reason you cannot use iam/pod iam role for this?

That would be kube_iam_role option?
I would like to use minio instead of Amazon S3 and I'm not sure that kube2iam could handle it.

[erthalion]

Are there any other alternatives, maybe just mount these credentials and let the client library to discover it? If I'm not mistaken, this mentioned in the minio documentation

[kupson]

It's the wal-g that needs those environment variables. It would need the volume with credentials mounted so the file ~postgres/.aws/credentials will be available.

But all the Pods created by postgres-operator would need the volume and I see no way to create it in the postgres-operator configuration or the postgresql object right now.

Is there a way to add custom volume to all spilo containers and I'm missing it?

[erthalion]

Not yet, but probably we can leverage #535 for that purpose?

[kupson]

I find #535 suboptimal as I still would need to run some script to turn secrets from Minio format (name: value) into .aws/credentials:

[default]
aws_access_key_id=EXAMPLE
aws_secret_access_key=EXAMPLEKEY

or maybe keep two secrets in sync with same values but different format.
I see environment variables as more flexible solution.

[FxKu]

Closing this issue as now supported with #946 being merged.