fix: wait for app user secret before starting initdb by armru · Pull Request #8663 · cloudnative-pg/cloudnative-pg

armru · 2025-09-25T09:52:12Z

The scope of this PR is to address #6069 with minimally invasive changes

Closes #6069

github-actions · 2025-09-25T09:52:23Z

❗ By default, the pull request is configured to backport to all release branches.

To stop backporting this pr, remove the label: backport-requested ◀️ or add the label 'do not backport'
To stop backporting this pr to a certain release branch, remove the specific branch label: release-x.y

internal/controller/cluster_create.go

armru · 2025-09-25T09:57:49Z

/test limit=local

github-actions · 2025-09-25T09:58:02Z

@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18003840131

armru · 2025-09-25T15:14:39Z

/test limit=local

github-actions · 2025-09-25T15:14:52Z

@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18012162947

armru · 2025-09-27T09:44:26Z

/test limit=local

github-actions · 2025-09-27T09:44:37Z

@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18058199848

armru · 2025-09-27T09:51:52Z

pkg/specs/jobs.go

+		job.Spec.Template.Spec.Containers[0].Env = append(job.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+			Name: "APP_USERNAME",
+			ValueFrom: &corev1.EnvVarSource{
+				SecretKeyRef: &corev1.SecretKeySelector{
+					LocalObjectReference: corev1.LocalObjectReference{Name: cluster.GetApplicationSecretName()},
+					Key:                  "username",
+					Optional:             ptr.To(false),
+				},
+			},
+		})
+	}
+


Potentially we could use the container envfrom field to mount the whole secret, but I felt like for what we want to achieve this minimalistic approach that exposes only the username to the job is the best

armru · 2025-09-29T14:10:32Z

/test limit=local

github-actions · 2025-09-29T14:10:43Z

@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18099907008

dominik-niebuhr · 2025-09-30T07:13:11Z

do we have any ETA for a release once this is merged? :) this would help us remove a very ugly workaround

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>

This patch ensures that the operator waits for the application user secret to be available before running `initdb`. The change is implemented with minimal impact by adding a reference to the secret in the Pod created by the `initdb` Job. The username is exposed as an environment variable, which is not currently used, but guarantees that the Job cannot start until the secret exists. Closes: #6069 Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com> (cherry picked from commit 9d4ec08)

…tive-pg#8663) This patch ensures that the operator waits for the application user secret to be available before running `initdb`. The change is implemented with minimal impact by adding a reference to the secret in the Pod created by the `initdb` Job. The username is exposed as an environment variable, which is not currently used, but guarantees that the Job cannot start until the secret exists. Closes: cloudnative-pg#6069 Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>

dominik-niebuhr · 2025-10-22T08:00:14Z

@armru Will this fix also work for secrets of managed roles? If not should I open a new issue or do we keep the existing issue open for that?

…tive-pg#8663) This patch ensures that the operator waits for the application user secret to be available before running `initdb`. The change is implemented with minimal impact by adding a reference to the secret in the Pod created by the `initdb` Job. The username is exposed as an environment variable, which is not currently used, but guarantees that the Job cannot start until the secret exists. Closes: cloudnative-pg#6069 Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com> Signed-off-by: theBrahma <office.utpal.brahma@gmail.com>

armru requested a review from a team as a code owner September 25, 2025 09:52

cnpg-bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.26 release-1.27 labels Sep 25, 2025

dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Sep 25, 2025

armru commented Sep 25, 2025

View reviewed changes

internal/controller/cluster_create.go Outdated Show resolved Hide resolved

dosubot bot added the bug 🐛 Something isn't working label Sep 25, 2025

armru force-pushed the dev/6069 branch from 03b528c to 38aa5d4 Compare September 25, 2025 09:55

armru changed the title ~~fix: wait for secrets before starting initdb~~ fix: wait for AppSecret before starting initdb Sep 25, 2025

armru added release-1.25 release-1.26 and removed release-1.25 release-1.26 labels Sep 25, 2025

dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:S This PR changes 10-29 lines, ignoring generated files. labels Sep 25, 2025

cnpg-bot added the ok to merge 👌 This PR can be merged label Sep 25, 2025

dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:M This PR changes 30-99 lines, ignoring generated files. labels Sep 27, 2025

armru force-pushed the dev/6069 branch 3 times, most recently from b416c6d to 5d37c09 Compare September 27, 2025 09:44

armru force-pushed the dev/6069 branch from 5d37c09 to ac71d8d Compare September 27, 2025 09:50

armru commented Sep 27, 2025

View reviewed changes

armru force-pushed the dev/6069 branch from ac71d8d to 8038a00 Compare September 29, 2025 14:10

armru added 4 commits October 2, 2025 10:49

fix: wait for secrets before starting initdb

6e986d1

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>

feat: volumeMount approach

6a26765

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>

chore: strict job role check

930668e

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>

refactor: minimally invasive approach

dc146af

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>

leonardoce force-pushed the dev/6069 branch from 8038a00 to dc146af Compare October 2, 2025 08:49

leonardoce changed the title ~~fix: wait for AppSecret before starting initdb~~ fix: wait for app user secret before starting initdb Oct 2, 2025

leonardoce approved these changes Oct 2, 2025

View reviewed changes

dosubot bot added the lgtm This PR has been approved by a maintainer label Oct 2, 2025

mnencia approved these changes Oct 2, 2025

View reviewed changes

leonardoce merged commit 9d4ec08 into main Oct 2, 2025
37 checks passed

leonardoce deleted the dev/6069 branch October 2, 2025 09:01

dosubot bot mentioned this pull request Oct 22, 2025

[Bug]: init db doesn't wait for managed role secret #8905

Open

4 tasks

Conversation

armru commented Sep 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Sep 25, 2025

Uh oh!

Uh oh!

armru commented Sep 25, 2025

Uh oh!

github-actions bot commented Sep 25, 2025

Uh oh!

armru commented Sep 25, 2025

Uh oh!

github-actions bot commented Sep 25, 2025

Uh oh!

armru commented Sep 27, 2025

Uh oh!

github-actions bot commented Sep 27, 2025

Uh oh!

armru Sep 27, 2025

Choose a reason for hiding this comment

Uh oh!

armru commented Sep 29, 2025

Uh oh!

github-actions bot commented Sep 29, 2025

Uh oh!

dominik-niebuhr commented Sep 30, 2025

Uh oh!

Uh oh!

dominik-niebuhr commented Oct 22, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

armru commented Sep 25, 2025 •

edited

Loading