Enterprise Feeds Database user created with wrong password
Summary
During an update to the Anchore database creation jobs, a bug was introduced where the PGPASSWORD environment variable from the anchore-db-credentials is used instead of the feeds-db-credentials PGPASSWORD value in the creation of the Anchore feeds database user. This results in a confusing issue: if a unique password is supplied for the feeds database user, it is ignored completely and the anchore database password is used instead.
Steps to reproduce
- Set a unique password for the feeds database user (distinct from the one used for the anchore database user)
- Use a superuser to create the anchore databases and users by setting .Values.addons.anchore.values.postgresSuperUser.[postgresUsername|postgresPassword]
- Reconcile changes to flux
- The enterprise feeds deployment will enter CrashLoopBackOff with authentication errors from the feeds database
What is the current behavior?
The feeds deployment is broken if a distinct password is used for the feeds database user.
What is the expected behavior?
The ensure-feeds-db job should use the password supplied in the feeds-db-credentials Secret.
Relevant logs and/or screenshots
(Background on this error at: https://sqlalche.me/e/14/e3q8)
[MainThread] [anchore_manager.util.db/connect_database()] [INFO] DB attempting to connect...
[MainThread] [anchore_manager.util.db/connect_database()] [WARN] DB connection failed, retrying - exception: test connection failed - exception: (psycopg2.OperationalError) FATAL: password authentication failed for user "redacted"
FATAL: password authentication failed for user "redacted"
Possible fixes
Update this line to use the feeds-db-credentials Secret.
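A check for the mismatch described above, added here as an example and not taken from the chart or from Anchore: it reads a rendered Job (as JSON) and reports every PGPASSWORD source that is not the expected Secret. The sample manifest, the container name and the PGUSER entry are constructed assumptions; only the Job name, the Secret names and PGPASSWORD come from this issue.

```python
# Added example: find which Secret feeds PGPASSWORD into a rendered Job.
# SAMPLE_JOB is constructed; its layout is an assumption, not the chart's template.
SAMPLE_JOB = {
    "metadata": {"name": "ensure-feeds-db"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "create-feeds-user",  # hypothetical container name
        "env": [
            {"name": "PGUSER", "valueFrom": {"secretKeyRef": {
                "name": "feeds-db-credentials", "key": "PGUSER"}}},
            # The bug from this issue: password read from the wrong Secret.
            {"name": "PGPASSWORD", "valueFrom": {"secretKeyRef": {
                "name": "anchore-db-credentials", "key": "PGPASSWORD"}}},
        ],
    }]}}},
}


def pgpassword_sources(job):
    """Return (container, secret, how) for each place PGPASSWORD can come from."""
    pod = job["spec"]["template"]["spec"]
    found = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if env.get("name") == "PGPASSWORD" and ref:
                found.append((c["name"], ref["name"], "secretKeyRef"))
        # envFrom imports every key of a Secret, so it may carry PGPASSWORD too.
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                found.append((c["name"], src["secretRef"]["name"], "envFrom"))
    return found


def wrong_sources(job, expected_secret):
    """Sources of PGPASSWORD that do not point at the expected Secret."""
    return [s for s in pgpassword_sources(job) if s[1] != expected_secret]


if __name__ == "__main__":
    job_name = SAMPLE_JOB["metadata"]["name"]
    for container, secret, how in wrong_sources(SAMPLE_JOB, "feeds-db-credentials"):
        print(f"{job_name}/{container}: PGPASSWORD comes from {secret} ({how})")
```

To run it against a cluster, pass the parsed output of `kubectl get job ensure-feeds-db -o json` in place of SAMPLE_JOB.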