Fix operator reconcile loop - pass existing PostgreSQL credentals

[tumido]

Backstory

Backstage chart uses bitnami/postgresql chart as a DB provider. When this chart is initially installed it generates credentials for the new database. New credentials are generated, passed to the database pod, and also stored in a Kubernetes Secret. This Secret is in turn mounted to the Backstage pod. Backstage then uses these credentials to access the DB.

When a helm upgrade is triggered (the operator does reconcile through helm upgrade), given credentials are regenerated, new password is created for the secret. However, the DB is already seeded with the original credentials so the new password is ignored by the DB. Unfortunately, that's not the case for the Backstage pod, which receives the new credentials which are invalid for the DB.

Solution

Implement a logic that would check for DB credentials Secret in the target namespace and if found, make it enforce this Secret as .upstream.postgresql.auth.existingSecret value. This would ensure new credentials are not generated and "old" password remains in use by the Backstage pod.

[schultzp2020]

@tumido Is the secret config name called backstage-sample-postgresql when using the provided sample? If so, will the secret config name always have a suffix of -postgresql? If not, do you have a recommended way of grabbing the secret? This is the first time I have gone beyond the basics for kubernetes so I apologize if the question is dumb.

[kadel]

If so, will the secret config name always have a suffix of -postgresql?

It doesn't always have to be with this suffix.
The secret name is generated using this macro https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_names.tpl#L34. Someone can override Chart name name using nameOverride in values.yaml and then it will have suffix based on that new name.