special chars in secrets can silently break generation of registry config file
Summary
The way we generate the registry config file, a bash script in the config init container that replaces strings in the config file with values from mounted secrets using `sed`, can silently fail if the secret contains special characters such as `@`, which `sed` also uses as a delimiter.
The config init container then still finishes successfully, but the config file is left without the secret inserted. For the registry db-migrations k8s job pod this leads to a crash loop if the database password contains a '@', which makes the problem hard to debug, as the pod only lives for a few seconds and there is little time to inspect it.
This happened in gitlab-com/gl-infra/delivery#1985 (comment 670474090).
Steps to reproduce
Configure the registry with database enabled and a password containing `@`. The same can happen for `secretkey` and `httpSecret`.
Configuration used
```yaml
registry:
  database:
    enabled: true
    host: pgbouncer-registry.int.gstg.gitlab.net
    user: some-user
    name: some_db
    password:
      secret: registry-postgresql-password-v1
    migration:
      enabled: true
  rootdirectory: gitlab
  storage:
    secret: registry-storage-v3
  maintenance:
    uploadpurging:
      enabled: false
  image:
    tag: v3.10.1-gitlab
```
Current behavior
The config is rendered without the right password, secretkey or httpSecret, and the config init container reports no failure.
Expected behavior
Secrets with special characters such as `@` are rendered correctly, and failing to render a secret into the config file should make the configure script in the init container fail with a log message, so the problem is easier to debug.
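The failure mode from the summary and the behaviour asked for here, as an added shell example that is not the chart's own configure script: `render_naive` mirrors an unchecked `sed` substitution with `@` as delimiter, `render_checked` escapes the secret and refuses to finish while the placeholder is still present. The placeholder `DB_PASSWORD`, the template line and the sample secrets are constructed for this example.

```shell
#!/bin/sh
# Added example (not the chart's configure script): why a sed substitution that uses
# '@' as its delimiter silently skips secrets containing '@', and a variant that
# escapes the secret and fails loudly when the placeholder survives.
# The placeholder DB_PASSWORD, the template line and the secrets are constructed.

# The fragile pattern. Usage: render_naive 'template text' 'secret'
render_naive() {
  tmp=$(mktemp)
  printf '%s\n' "$1" > "$tmp"
  # With '@' as delimiter, "s@DB_PASSWORD@p@ss@word@" is parsed as replacement "p"
  # followed by invalid flags: sed exits non-zero and writes nothing. Emulating an
  # unchecked `sed -i`, the file is left untouched and the status is never examined.
  sed "s@DB_PASSWORD@$2@" "$tmp" > "$tmp.new" 2>/dev/null && mv "$tmp.new" "$tmp"
  cat "$tmp"
  rm -f "$tmp" "$tmp.new"
}

# Escape the characters that are special in a sed replacement: backslash, '&' and
# the delimiter in use ('|' here), so the secret is inserted verbatim.
escape_for_sed() {
  printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# Return 1 (with a log line) if the placeholder is still present in the rendered text.
assert_rendered() {
  case $1 in
    *DB_PASSWORD*) echo "ERROR: placeholder DB_PASSWORD was not replaced" >&2; return 1 ;;
  esac
  return 0
}

# The checked pattern. Usage: render_checked 'template text' 'secret'
render_checked() {
  escaped=$(escape_for_sed "$2") || return 1
  out=$(printf '%s\n' "$1" | sed "s|DB_PASSWORD|$escaped|") || return 1
  assert_rendered "$out" || return 1
  printf '%s\n' "$out"
}

# Demo on a constructed template line.
t='password: "DB_PASSWORD"'
echo "naive:   $(render_naive "$t" 'p@ss@word')"    # prints the placeholder unchanged
echo "checked: $(render_checked "$t" 'p@ss@word')"  # prints the secret in place
```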
Relevant logs
The registry db-migrations k8s job failed with:

```
failed to construct database connection: failed to connect to `host=pgbouncer-registry.int.gstg.gitlab.net user=some-user database=some_db`: server error (ERROR: password authentication failed (SQLSTATE 08P01))
```