We are currently using the backup functionality of the operator, which creates a cronjob within Kubernetes that regularly executes logical backups as described here.
For this we can pass along logical_backup_s3_secret_access_key in order to provide access to the storage. However, this is currently passed in a configmap, which is insecure. We therefore tried to use the pod_environment_secret mechanism in order to mount a custom secret which holds the credentials necessary to upload the backup to storage.
It turned out that the secrets configured with pod_environment_secret are only considered / mounted on the operator itself. They are not present on the cronjob created by the operator to do the backups, which leaves the whole backup mechanism insecure in terms of credential management.
I would suggest either also considering the pod_environment_secret when creating the cronjob or introducing a new variable specifically used for the logical backup.
Which image of the operator are you using?
---> registry.opensource.zalan.do/acid/postgres-operator:v1.6.0
Type of issue? [Bug report, question, feature request, etc.]
--> BugReport / feature request
Same. I was wondering if it is possible to pass pod_environment_configmap to logical backup cron jobs so that I don't have to hardcode the S3 credentials in the configLogicalBackup section. Is it supported?
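An added example, not part of the issue thread or the operator's code: a small audit that flags credential-like environment variables on a CronJob pod template when they are set as literal values or come from a ConfigMap rather than a secretKeyRef. The sample manifests, the container name `logical-backup`, the Secret name and key, and the name pattern are constructed assumptions.

```python
import re

# Assumption: names matching this pattern are treated as credentials.
SENSITIVE = re.compile(r"SECRET|PASSWORD|TOKEN|ACCESS_KEY|CREDENTIAL", re.I)

def audit_cronjob(manifest, configmaps=None):
    """Return (container, variable, source) for credential-like env vars
    that a CronJob pod template does not take from a Secret."""
    configmaps = configmaps or {}
    findings = []
    pod = manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        for env in c.get("env", []):
            if not SENSITIVE.search(env["name"]):
                continue
            source = env.get("valueFrom") or {}
            if "secretKeyRef" in source:
                continue  # value stays in a Secret object
            if "configMapKeyRef" in source:
                ref = source["configMapKeyRef"]["name"]
                findings.append((c["name"], env["name"], "configMap " + ref))
            elif env.get("value"):
                # Literal in the pod spec: readable by anyone who can read the CronJob.
                findings.append((c["name"], env["name"], "literal value"))
        for src in c.get("envFrom", []):
            ref = (src.get("configMapRef") or {}).get("name")
            for key in sorted(configmaps.get(ref, {})):
                if SENSITIVE.search(key):
                    findings.append((c["name"], key, "configMap " + ref))
    return findings

def cronjob(env, env_from=None):
    """Build a minimal CronJob manifest (constructed sample, not operator output)."""
    container = {"name": "logical-backup", "env": env, "envFrom": env_from or []}
    template = {"spec": {"containers": [container]}}
    return {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": template}}}}

# Constructed samples; the Secret name and key below are hypothetical.
WEAK = cronjob([{"name": "AWS_SECRET_ACCESS_KEY", "value": "EXAMPLE-NOT-A-REAL-KEY"}])
HARDENED = cronjob([{"name": "AWS_SECRET_ACCESS_KEY", "valueFrom": {
    "secretKeyRef": {"name": "backup-s3-credentials", "key": "secret_access_key"}}}])

if __name__ == "__main__":
    for label, job in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_cronjob(job))
```

On a live cluster the manifest would come from parsing the JSON output of `kubectl get cronjob <name> -o json`, and the optional `configmaps` argument maps ConfigMap names to their `data` so that `envFrom` references can be checked as well.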