fix(helm): use CNPG-generated secrets for DB passwords#10
Merged
charlie83Gs merged 1 commit into main on Mar 23, 2026
Read DB passwords from CNPG credential secrets by default, with configurable override via credentialsSecret field per database. Each DB section (graphDb, writeDb, hatchetDb) now accepts:

    credentialsSecret: ""                  # empty = use CNPG-generated <name>-credentials
    credentialsSecret: "my-custom-secret"  # use custom secret (key: password)

Remove DB password keys from the chart-managed app secret. The app secret now only contains API keys, JWT, OAuth, and Hatchet token.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
c2bce94 to 1c9a170
This was referenced Mar 23, 2026
charlie83Gs added a commit that referenced this pull request on Mar 27, 2026
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
charlie83Gs added a commit that referenced this pull request on Apr 5, 2026
Critical:
- #1: Validate schema names with strict ^[a-z0-9_]+$ regex before DDL
- #2: Escape ILIKE special chars (%, _, \) in graph_nodes search
- #3: Replace cached Graph ORM instances with frozen GraphInfo dataclass to prevent DetachedInstanceError

High:
- #4: Reuse system session factories for default graph (no duplicate pools) via default_graph_session_factory/default_write_session_factory params
- #5: Add 23 unit tests — GraphInfo, GraphSessions, GraphSessionResolver, slug/schema validation, CreateGraphRequest, role validation
- #6: Scope sync watermarks by graph_slug — SyncEngine now passes graph_slug to _get_watermark/_set_watermark, composite PK on (table_name, graph_slug)

Medium:
- #7: Replace N+1 member count queries with batch GROUP BY
- #8: Replace catch { // ignore } with console.error in frontend
- #9: Engine pool disposal on GraphSessionResolver.invalidate()
- #10: Run Alembic migrations during graph provisioning
- #11: (node_count in list deferred — requires cross-schema queries)

Low:
- #13: Replace "Cycle Role" button with role dropdown
- #14: require_writer/require_graph_admin kept for future endpoints

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
charlie83Gs added a commit that referenced this pull request on Apr 5, 2026
- #2/#14: Fix MCP scope check — empty scopes = unrestricted access (graph_slugs=null tokens and SKIP_AUTH both work again). Only tokens with explicit graph:* scopes are restricted to those graphs.
- #3: Block reserved PG schema names (public, pg_catalog, pg_toast, pg_temp, information_schema, pg_*) in validate_schema_name()
- #4: Fix scalar_one() → scalar_one_or_none() in resolve_by_slug (introduced by session-release refactor in prior commit)
- #10: Sync raises RuntimeError instead of returning error dict when graph_resolver is unavailable

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Problem

The Helm chart reads DB passwords from the app secret (knowledge-tree-secrets), requiring users to manually synchronize passwords between CNPG and the app secret. This is error-prone and unnecessary since CNPG auto-generates credentials.

Fix

Read DB passwords directly from CNPG-generated credential secrets:

    GRAPH_DB_PASSWORD   ← <fullname>-graph-db-credentials   → password
    WRITE_DB_PASSWORD   ← <fullname>-write-db-credentials   → password
    HATCHET_DB_PASSWORD ← <fullname>-hatchet-db-credentials → password

The app secret (knowledge-tree-secrets) now only needs:
- openrouter-api-key, openai-api-key, brave-key, serper-key
- jwt-secret-key
- google-oauth-client-id, google-oauth-client-secret
- hatchet-client-token

🤖 Generated with Claude Code
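As an added illustration of the mapping described above (example written for this page, not the chart's own templates), the per-database override can be expressed as one Helm named template that falls back to the CNPG-generated `<fullname>-<db>-credentials` secret when `credentialsSecret` is empty. It assumes a `knowledge-tree.fullname` helper exists and that values keys are named `graphDb.credentialsSecret`, `writeDb.credentialsSecret` and `hatchetDb.credentialsSecret` as in the commit message.

```yaml
# values.yaml (constructed example values)
graphDb:
  credentialsSecret: ""                 # empty = <fullname>-graph-db-credentials (CNPG-generated)
writeDb:
  credentialsSecret: ""                 # empty = <fullname>-write-db-credentials (CNPG-generated)
hatchetDb:
  credentialsSecret: "my-custom-secret" # custom secret; must carry a "password" key

# templates/_helpers.tpl (hypothetical helper added for this example)
# Resolves the secret name for one DB section.
# Usage: include "knowledge-tree.dbSecret" (dict "root" $ "db" .Values.graphDb "suffix" "graph-db")
{{- define "knowledge-tree.dbSecret" -}}
{{- if .db.credentialsSecret -}}
{{ .db.credentialsSecret }}
{{- else -}}
{{ printf "%s-%s-credentials" (include "knowledge-tree.fullname" .root) .suffix }}
{{- end -}}
{{- end -}}

# templates/deployment.yaml (excerpt): container env entries.
# Each password is read with secretKeyRef, so the DB password keys no longer
# need to exist in the chart-managed knowledge-tree-secrets app secret.
        env:
          - name: GRAPH_DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: {{ include "knowledge-tree.dbSecret" (dict "root" $ "db" .Values.graphDb "suffix" "graph-db") | quote }}
                key: password
          - name: WRITE_DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: {{ include "knowledge-tree.dbSecret" (dict "root" $ "db" .Values.writeDb "suffix" "write-db") | quote }}
                key: password
          - name: HATCHET_DB_PASSWORD
            valueFrom:
              secretKeyRef:
                name: {{ include "knowledge-tree.dbSecret" (dict "root" $ "db" .Values.hatchetDb "suffix" "hatchet-db") | quote }}
                key: password
```

Rendering with `helm template` and inspecting the `secretKeyRef` names confirms which secret each variable resolves to before the chart is installed; with the values above the first two resolve to the CNPG-generated names and the third to `my-custom-secret`.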