Pete Lorenz
06/09/2023, 12:05 AM
Robert Moucha
06/09/2023, 2:02 PM
postgresql-password) and existingExporterSecret (containing md_exporter user's password in key exporter-password).
While application user name is configurable (using metadataApi.database.user), the md_exporter is hardcoded.
The purpose of this user is not documented, but it is exclusively used in GoodData Cloud product (deployment hosted by GoodData) for collecting internal statistics. In GoodData CN, it has absolutely no purpose, and it's a mistake we didn't make this user optional. Unfortunately, some older database migrations already rely on this user's existence to create reporting views in md database, so it would be rather difficult to remove it.
k8s Secrets/aws secrets/passwords: If you precreate k8s secrets (one with postgresql-password key and one with exporter-password key), you do not need to specify metadataApi.database.password. AWS secrets (for AWS secrets manager product) are completely irrelevant. We don't use them.
sharing postgresql-password: not exactly. There are 3 distinct services that need some database credentials (dex, metadataApi and sqlExecutor). Each service can have its own user and password.
dex user: dex.config.database.user
dex pass: dex.config.database.password
dex existing secret (can be used instead of dex password): dex.config.database.existingSecret
--
metadata-api user: metadataApi.database.user (described above)
metadata-api pass: metadataApi.database.password
metadata-api secret: metadataApi.database.existingSecret (as described above, can be used instead of metadata-api password)
--
sql-exec-api user: sqlExecutor.database.user
sql-exec-api pass: sqlExecutor.database.password
sql-exec-api secret: sqlExecutor.database.existingSecret (can be used instead of sql-exec-api password)
All these "existingSecret"s need to have the password stored in the postgresql-password key.
There's yet another set of db credentials, configured in service.postgresql structure:
• username - name of pg admin user (usually postgres)
• password or existingSecret - password of admin user.
This account is used only during installation to create necessary databases (dex, md, and execution) and to create all the application users described above. It is not used in runtime.
RDS endpoints: Assign only the writer endpoint. Multi-node Aurora is used primarily for high-availability, not for load distribution. service.postgresql.host (and port) is the right place for setting the writer endpoint. Reader endpoints are not used.
S3 Settings: S3 can be used to store PDF and tabular exports (CSV, XLS). If not configured (default), local file system is used. If you decide to use S3, you need to provision S3 bucket (e.g. by terraform) and provide static aws credentials. IRSA credentials do not work as described in docs due to 3rd-party library bug we discovered and fixed 2 days ago. But gooddata-cn version 2.4.0 will have it fixed.
Pete Lorenz
06/09/2023, 2:36 PM
Pete Lorenz
06/09/2023, 2:49 PM
Robert Moucha
06/09/2023, 2:56 PM
kubectl -n gooddata-cn create secret generic gdcn-db-secrets \
  --from-literal=postgresql-password=somepassword \
  --from-literal=exporter-password=otherpassword \
  --dry-run=client -o yaml
to generate yaml-formatted secret with keys postgresql-password and exporter-password:
apiVersion: v1
data:
  exporter-password: b3RoZXJwYXNzd29yZA==
  postgresql-password: c29tZXBhc3N3b3Jk
kind: Secret
metadata:
  creationTimestamp: null
  name: gdcn-db-secrets
  namespace: gooddata-cn
Pete Lorenz
06/09/2023, 2:58 PM
Robert Moucha
06/09/2023, 3:01 PM
stringData instead of data, where you can place values in raw strings (without base64 encoding):
apiVersion: v1
stringData:
  exporter-password: otherpassword
  postgresql-password: somepassword
kind: Secret
metadata:
  creationTimestamp: null
  name: gdcn-db-secrets
  namespace: gooddata-cn