You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When trying to deploy OpenFGA with Postgres via Kubernetes we ran into a “userinfo” parsing error. We are providing the Job the credentials via external secrets as outlined in the helm template conditional. The final manifest produces the following URI (redacted to remove all production references): ”uri”: “postgres://postgres:<password-containing-unescaped-characters>@host:port/database”. The password contains hyphens, curly brackets, and parenthesis; looking into url.parse() in Golang it looks like it is expecting escaped characters.
case "postgres":
driver = "pgx"
migrationsPath = assets.PostgresMigrationDir
// Parse the database uri with url.Parse() and update username/password, if set via flags
dbURI, err := url.Parse(uri)
Expectation
I would expect this to sanitize the URI string on the backend and not expect the URI to be escaped. For instance, the following URI should be valid:
We implemented a workaround in our external secrets that seemed to work for now: {{ urlquery .password }} for pulling our password out of the AWS secret manager and URL encoding it.
This causes the connection URI to work with non alpha-numeric values in the userinfo.
Perhaps in leiu of updating the code, adding notes to the README that the URI string VALUES should be url encoded before being passed in -- e.g. postgres://{{ urlquery <username> }}:{{ urlquery password }}@{{ urlquery <database-server> }}:{{ <port> }}/{{ urlquery <database> }}
Checklist
Description
When trying to deploy OpenFGA with Postgres via Kubernetes we ran into a “userinfo” parsing error. We are providing the Job the credentials via external secrets as outlined in the helm template conditional. The final manifest produces the following URI (redacted to remove all production references):
”uri”: “postgres://postgres:<password-containing-unescaped-characters>@host:port/database”
. The password contains hyphens, curly brackets, and parenthesis; looking into url.parse() in Golang it looks like it is expecting escaped characters.Expectation
I would expect this to sanitize the URI string on the backend and not expect the URI to be escaped. For instance, the following URI should be valid:
postgres://postgres:JdnKsnd83$;):”-&:jaj]^]*}hs/ns\l@example.com:5432/postgres
Due to the way
url.parse()
currently handles this, this string would fail due to unescaped non-alpha-numeric characters being present in the password.Reproduction
Store data
N/A
OpenFGA version
v1.5.1
How are you running OpenFGA?
In Kubernetes
What datastore are you using?
Postgres
OpenFGA Flags
None
Logs
No response
The text was updated successfully, but these errors were encountered: