Postgres doesn't reuse Chart generated secret when performing a Helm Upgrade

[Homopatrol]

Which chart:
postgresql 8.9.1

Describe the bug
This isn't a bug but I believe additional functionality surrounding secrets would be beneficial to the Postgresql chart when performing upgrades.

In the current Values.yaml there is a KV entry for existing secret.

## PostgreSQL password using existing secret
## existingSecret: secret

And this is then referenced in the _helpers.tpl

Return true if a secret object should be created
*/}}
{{- define "postgresql.createSecret" -}}
{{- if .Values.global.postgresql.existingSecret }}
{{- else if .Values.existingSecret -}}
{{- else -}}
    {{- true -}}
{{- end -}}
{{- end -}}

The output of this function then plays a role in the secrets.yaml

{{- if (include "postgresql.createSecret" .) }}
apiVersion: v1
kind: Secret

Where by the secret will or won't be created based on the value provided from postgresql.createSecret.

In our case we would like the chart to generate a new secret when it is first installed. When we run an upgrade to the chart we would like the ability to tell Postgresql to reuse the secret it created when it first installed. However, the values available in the chart only permit us to specify to use an existing secret on install and continue to use this upon upgrades.

The reason we don't want to do this is we would like the chart to control the secret, ie when the chart is uninstalled the secret is removed as well.

On other charts we use we have solved this by adding a {{- if .Release.IsUpgrade }} check into our secret.yaml. This finds the current secret if it exists and uses this instead of creating a new one.

{{- if .Values.myChart.existingSecret.chartToGenerate -}}
{{- $relname := printf "%s-%s" .Release.Name .Values.myChart.existingSecret.name -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $relname }}
  labels:
    app: {{ template "myChart.name" . }}
    chart: {{ template "myChart.chart" . }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
type: Opaque
data:
  {{- if .Release.IsUpgrade }}
    {{- if .Values.myChart.existingSecret.name }}
      myChart-dbuser-password: {{ index (lookup "v1" "Secret" .Release.Namespace $relname).data "myChart-dbuser-password" }}
    {{ else }}
      myChart-dbuser-password:  {{ include "myChart.dbuserpassword" . | b64enc | quote }}
    {{ end }}
  {{ else }} # install operation
    myChart-dbuser-password:  {{ include "myChart.dbuserpassword" . | b64enc | quote }}
  {{ end }}
{{- end }}

And in the values.yaml file we use

myChart:
  existingSecret:
    chartToGenerate: "true"
    name: "dbsecret"

This gives us the flexibility to either use an existing secret which is separate from the Chart or to generate a secret and retain the secret when the Chart is upgraded.

Is it please possible to add this into the Postgres Chart as we believe this functionality would be beneficial when performing an upgrade.

To Reproduce
Steps to reproduce the behavior:

1. Install chart
   helm install <release_name> ./

2. Record the current secrets created for Postgresql

oc rsh  <release_name>-postgresql-0 sh -c 'echo "$POSTGRES_PASSWORD"' = <value_1>
oc extract secret/<release_name>-postgres --to=- = <value_1>

3. Upgrade to a new version

helm upgrade  <release_name> ./ --reuse-values -f values.yaml 

4. check secrets again

oc rsh  <release_name>-postgresql-0 sh -c 'echo "$POSTGRES_PASSWORD" = <value_2>
oc extract secret/<release_name>-postgres --to=-
Error from server (NotFound): secrets "<release_name>-postgres" not found

Expected behavior
I want postgresql to generate a secret as normal and then have but have the ability to handle the {{- if .Release.IsUpgrade }} with a setting in values.yaml so that I can reuse the secret from first install.

Version of Helm and Kubernetes:

• Output of helm version:

Helm v3.5.2

• Output of kubectl version:

Kubernetes 1.19.0

Additional context

[juan131]

Hi @Homopatrol

Thanks so much for your feedback! As you mentioned, the "existingSecret" parameter assumes that you're managing the creation of the secret outside Helm.

In order to manage the secrets using Helm you have 3 alternatives:

• Allow Helm to create random values for you (note: obtaining the generated values and indicating them will be mandatory for upgrading)
• Indicate the credentials using the postgresqlPostgresPassword, and postgresqlPassword parameters.
• Use existingSecret in combination with extraDeploy so the secret to be created is listed in the second parameter.

On other charts we use we have solved this by adding a {{- if .Release.IsUpgrade }} check into our secret.yaml

We're trying to avoid using this kind of functionalities (along with helm hooks) since there are many users that only use Helm to render the templates but they're not actually using it to deploy their solutions. Instead they use sth like:

$ helm template my-release bitanmi/XXX | kubectl apply -f

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[github-actions]

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.