Allow/document setup of sql database via Secret

[pilhuhn]

I have a Postgres DB set up and have the name+cedentials in a secret.
The operator should allow to configure a registry from that secret.

Basically allow to set the properties in a "valueFrom: secretKeyRef" way.

As an example for what I mean: For a (different) quarkus project that uses JPA, I am setting the DC like this:

    spec:
      containers:
      - image: quay.io/pilhuhn/log-funq:jvm
        name: log-funq
        imagePullPolicy: Always
        env:
          - name: DB_HOST
            value: postgresql
          - name: DB_PORT
            value: "5432"
          - name: QUARKUS_DATASOURCE_USERNAME
            valueFrom:
              secretKeyRef:
                name: postgresql
                key: database-user
          - name: QUARKUS_DATASOURCE_PASSWORD
            valueFrom:
              secretKeyRef:
                name: postgresql
                key: database-password
          - name: QUARKUS_DATABASE_NAME
            valueFrom:
              secretKeyRef:
                name: postgresql
                key: database-name

[EricWittmann]

I think this is already on the roadmap for the operator (not sure if it's tracked in another GH issue or not), but @jsenko would know better.

[jsenko]

Thank you. Yes, it's a feature we plan to add in a next release. It's referenced here #20 , but it's good to have it as a separate issue.

[dweber019]

Had the same issue with sealed secrets ;) looking forward for the fix in the next release.

[from-nibly]

Any news on this, is there a workaround? I can't commit secrets into my git repo, the only way I can pass secrets around is a sealed secret.

[dweber019]

I saw you already implemented the feature
https://github.com/Apicurio/apicurio-registry-operator/blob/main/api/v1/apicurioregistry_types.go#L39

When will 1.1.x be released?

[uladzislau-orlovskiy]

I saw you already implemented the feature https://github.com/Apicurio/apicurio-registry-operator/blob/main/api/v1/apicurioregistry_types.go#L39

When will 1.1.x be released?

its not implemented
look at line 69(nice)

https://github.com/Apicurio/apicurio-registry-operator/blob/main/api/v1/apicurioregistry_types.go#L69

[uladzislau-orlovskiy]

@jsenko any workaround avalible? can I just mount secretfiles and toss them via env variables to apicurio registry?

[jsenko]

hi, at the moment the suggested approach is to use environment variables, as you said, via spec.configuration.env field.

[jsenko]

When will 1.1.x be released?

Version 1.1.0-v2.4.12.final has been released some time ago. I plan to update the operand to 2.5.x.

[uladzislau-orlovskiy]

hi, at the moment the suggested approach is to use environment variables, as you said, via spec.configuration.env field.

Yup but there is no DB_PASSWORD_FILE env variable like in keycloack. And pod that handles CRD ApicurioRegistry resource don't handle secretref. Any plans for apicurio to handle db credentials via files like keycloack for example do?:) @jsenko

[jsenko]

Are you sure this does not work?

spec:
  configuration:
    env:
      - name: REGISTRY_DATASOURCE_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password

Are you using the latest version?

[jsenko]

Can you also try to set REGISTRY_DATASOURCE_URL and REGISTRY_DATASOURCE_USERNAME using env. variables? To see if the operator is not accidentally overwriting the password env. variable.

[uladzislau-orlovskiy]

Are you sure this does not work?

spec:

  configuration:

    env:

      - name: REGISTRY_DATASOURCE_PASSWORD

        valueFrom:

          secretKeyRef:

            name: mysecret

            key: password

Are you using the latest version?

Oh i forgot it just create deployment manifest which handle such things just fine. I'll try that. Do i need to specifically set image in specs with that approach or it will understand that i want to use sql image?

[jsenko]

If you set spec.configuration.persistence=sql, that should work. However, the Registry version it currently deploys is 2.4.12.Final, so if you want to use a 2.5.x version, you can specify a different image. In that case you must use the SQL flavor, e.g. quay.io/apicurio/apicurio-registry-sql:2.5.8.Final.

Let me know if it worked!

[uladzislau-orlovskiy]

If you set spec.configuration.persistence=sql, that should work. However, the Registry version it currently deploys is 2.4.12.Final, so if you want to use a 2.5.x version, you can specify a different image. In that case you must use the SQL flavor, e.g. quay.io/apicurio/apicurio-registry-sql:2.5.8.Final.

Let me know if it worked!

trying to deploy for testing but run on other problem. we are storing secrets by using CSI driver for AWS secrets
and I need to mount CSI volume.
what the appicurio container name in podTemplateSpecPreview.spec.containers[- name: ]? want to add volumeMounts here.

[jsenko]

The name must be registry, see https://www.apicur.io/registry/docs/apicurio-registry-operator/1.2.0-dev-v2.x/assembly-registry-maintenance.html#pod-spec