special chars in secrets can silently break generation of registry config file
Summary
The registry config file is generated by a bash script in the config init container, which uses sed to replace strings in the config file with values from mounted secrets. This can silently fail if the secret contains special chars like @, which are also used as delimiters by sed.
The config init container still finishes successfully, but the config file is left without the secret inserted. For the registry db-migrations k8s job pod, this leads to a crash loop if the database password contains a '@'. That makes the problem hard to debug, as the pod only lives for a few seconds for inspection.
This happened in gitlab-com/gl-infra/delivery#1985 (comment 670474090).
Steps to reproduce
Configure the registry with database enabled and a password containing @. The same can happen for secretkey and httpSecret.
Configuration used
registry:
  database:
    enabled: true
    host: pgbouncer-registry.int.gstg.gitlab.net
    user: some-user
    name: some_db
    password:
      secret: registry-postgresql-password-v1
  migration:
    enabled: true
    rootdirectory: gitlab
  storage:
    secret: registry-storage-v3
  maintenance:
    uploadpurging:
      enabled: false
  image:
    tag: v3.10.1-gitlab
Current behavior
The config is rendered without the right password, secretkey or httpSecret, and the config init container does not fail.
Expected behavior
Secrets with special chars like @ are rendered correctly, and failing to render a secret into the config file should make the configure script in the init container fail with a log message, so that the problem is easier to debug.
Relevant logs
The registry db-migrations k8s job failed with
failed to construct database connection: failed to connect to `host=pgbouncer-registry.int.gstg.gitlab.net user=some-user database=some_db`: server error (ERROR: password authentication failed (SQLSTATE 08P01))
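
The failure mode and the expected fail-loudly behavior described in this issue, as an added example that is not the chart's actual configure script. The template, the DB_PASSWORD placeholder and both function names are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Constructed template; DB_PASSWORD is a hypothetical placeholder name.
TEMPLATE='database:
  password: "DB_PASSWORD"'

# Fragile: the secret is pasted into a sed program that uses @ as its delimiter,
# and sed's exit status is never checked. A secret containing @ makes sed reject
# the expression, so the config keeps the placeholder and the function still
# reports success.
render_naive() {   # $1 = secret value; prints the resulting config
  local cfg; cfg=$(mktemp)
  printf '%s\n' "$TEMPLATE" > "$cfg"
  sed -e "s@DB_PASSWORD@$1@" "$cfg" > "$cfg.new" 2>/dev/null && mv "$cfg.new" "$cfg"
  cat "$cfg"; rm -f "$cfg" "$cfg.new"
  return 0
}

# Hardened: escape the characters sed treats specially in a replacement
# (backslash, & and the @ delimiter), check sed's status, and refuse to emit a
# config that still contains the placeholder.
render_safe() {    # $1 = secret value; prints the config or returns 1 with a log line
  local escaped cfg rc=0
  escaped=$(printf '%s' "$1" | sed -e 's/[\\&@]/\\&/g')
  cfg=$(mktemp)
  printf '%s\n' "$TEMPLATE" > "$cfg"
  if ! sed -e "s@DB_PASSWORD@${escaped}@" "$cfg" > "$cfg.new"; then
    echo "ERROR: sed failed while rendering DB_PASSWORD" >&2; rc=1
  elif grep -q 'DB_PASSWORD' "$cfg.new"; then
    echo "ERROR: DB_PASSWORD placeholder left in rendered config" >&2; rc=1
  else
    cat "$cfg.new"
  fi
  rm -f "$cfg" "$cfg.new"
  return "$rc"
}
```

A secret containing a newline still cannot be expressed as a single-line sed replacement; `render_safe` returns non-zero with an error in that case instead of emitting a broken config.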