fix(databases): preserve encoded postgres credentials#488
Conversation
✅ Approve — automated reviewThe credential-encoding fix correctly parses and applies No findings. |
NumaryBot
left a comment
There was a problem hiding this comment.
NumaryBot posted 1 new inline finding.
Summary: #488 (comment)
2d717c2 to
4118b9d
Compare
WalkthroughAdds ChangesPostgreSQL credential encoding
Estimated code review effort: 3 (Moderate) | ~20 minutes Sequence Diagram(s)sequenceDiagram
participant Reconcile
participant EncodingParser
participant SecretReconciler
participant KubernetesSecret
Reconcile->>EncodingParser: Parse secretCredentialsEncoding
EncodingParser-->>Reconcile: Return urlEncoded or raw
Reconcile->>SecretReconciler: Pass credentials encoding
SecretReconciler->>KubernetesSecret: Write processed credentials
Possibly related PRs
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
NumaryBot
left a comment
There was a problem hiding this comment.
NumaryBot posted 1 new inline finding.
Summary: #488 (comment)
4118b9d to
65b0813
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@internal/resources/databases/env.go`:
- Line 133: Ensure the credential-encoding migration triggers a rollout when
secret data changes: update the relevant pod/job template metadata with a
deterministic hash or equivalent annotation derived from the generated Secret
data, while retaining the delete of postgresCredentialsEncodingQueryParam in the
URI generation.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 517023cf-f4e6-40fc-a987-e8c87c396618
⛔ Files ignored due to path filters (3)
config/crd/bases/formance.com_databases.yamlis excluded by!**/*.yamldocs/09-Configuration reference/settings.catalog.jsonis excluded by!**/*.jsonhelm/crds/templates/crds/apiextensions.k8s.io_v1_customresourcedefinition_databases.formance.com.yamlis excluded by!**/*.yaml
📒 Files selected for processing (9)
api/formance.com/v1beta1/database_types.godocs/07-Upgrade/01-Upgrade from the operator.mddocs/09-Configuration reference/01-Settings.mddocs/09-Configuration reference/02-Custom Resource Definitions.mdinternal/resources/databases/env.gointernal/resources/databases/env_test.gointernal/resources/databases/init.gointernal/resources/databases/secret.gointernal/resources/databases/secret_test.go
NumaryBot
left a comment
There was a problem hiding this comment.
NumaryBot review complete: no remaining inline findings.
Resolved 1 stale NumaryBot review thread (1 fixed, 0 outdated).
Summary: #488 (comment)
Summary
secretCredentialsEncoding=rawmode for Secrets that contain raw credentials, and reject unsupported valuesPOSTGRES_CREDENTIALS_ENCODINGso Kubernetes rolls affected workloads when the behavior changesContext
Operator v3.12.0 started URL-encoding every Secret-backed database credential. Deployments that had already encoded special characters for earlier operator versions were therefore double-encoded (
%5Ebecame%255E) after upgrading through Formance Helm 1.15.0.This keeps the legacy URL-encoded contract as the default because auto-detecting encoded credentials is ambiguous for literal
%XXpasswords. Users who store raw credentials can opt in explicitly with:References TS-493. Related to #481.
Validation
nix --extra-experimental-features "nix-command flakes" develop --impure --command just pre-commitnix --extra-experimental-features "nix-command flakes" develop --impure --command just testsRisk
Deployments created on v3.12.0 that rely on raw credentials containing URI-special characters must add
secretCredentialsEncoding=raw. Plain credentials without special characters are unchanged.