@FxKu FxKu commented Oct 24, 2025

Bug report

On UPDATE events the secrets sync can exit early on error but the database role sync will still happen. This will potentially override database passwords with what was generated in the initUsers step. Environment variables don't get overridden and Patroni can still operate, but apps (and even the operator when it happens to the postgres user) will get "locked out".

Proposed solution

We could decide to not call syncRoles if the secret sync fails. We already do so if the initUsers step fails. During cluster creation and sync any error in SyncSecrets stops the entire sync loop as well. Only during update we care to process resources as much as possible.

Therefore, I chose a more fine-grained approach:

  1. Still try to sync roles when the secret sync worked for them.
  2. Instead of exiting the function, errors are collected and returned at the end.
  3. I've added a new field in the pgUser struct to remember if the user is degraded or not.
  4. This logic will also be applied for cluster CREATE and SYNC events, meaning no database user would get created if the secret creation failed.

More minor changes

  • The updateSecret function now returns the updated secret so callers can decide to update the cluster secret map.
  • The sync test got extended with a case that would lead to the bug where syncSecrets is quit too soon.

@FxKu FxKu added the bugfix label Oct 24, 2025
@FxKu FxKu added this to the 1.15.1 milestone Oct 24, 2025
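
The approach in the description above (collect secret sync errors, remember which users are degraded, and leave those users out of the role sync), shown as an added Go example that is not code from this pull request or from the operator. The `user` type, its `Degraded` field, the function signatures and the sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// user is a hypothetical stand-in for the operator's pgUser struct.
type user struct {
	Password string // password generated in memory for this sync run
	Degraded bool   // true when this user's secret could not be written
}

// syncSecrets tries every user, flags failures as degraded and returns the
// joined errors at the end instead of returning on the first failure.
func syncSecrets(users map[string]*user, write func(name, pw string) error) error {
	var errs []error
	for name, u := range users {
		u.Degraded = false // cleared again once the secret syncs
		if err := write(name, u.Password); err != nil {
			u.Degraded = true
			errs = append(errs, fmt.Errorf("secret for %s: %w", name, err))
		}
	}
	return errors.Join(errs...)
}

// syncRoles sets database passwords but skips degraded users, so a password
// that never reached a secret cannot replace the one clients still hold.
func syncRoles(users map[string]*user, db map[string]string) (skipped []string) {
	for name, u := range users {
		if u.Degraded {
			skipped = append(skipped, name)
			continue
		}
		db[name] = u.Password
	}
	return skipped
}

// demo runs one update over constructed data where writing app's secret fails.
func demo() (db map[string]string, skipped []string, err error) {
	users := map[string]*user{"app": {Password: "new-app"}, "owner": {Password: "new-owner"}}
	db = map[string]string{"app": "old-app", "owner": "old-owner"}
	failures := map[string]error{"app": errors.New("simulated API conflict")}
	err = syncSecrets(users, func(name, _ string) error { return failures[name] })
	return db, syncRoles(users, db), err
}

func main() { fmt.Println(demo()) }
```

In the constructed run, `app` keeps its old database password because its secret write failed, while `owner` is still rotated and the error is reported after both users were processed.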
@idanovinda
Member

👍

FxKu commented Nov 5, 2025

👍

@FxKu FxKu merged commit 2c57498 into master Nov 5, 2025
10 of 11 checks passed
@FxKu FxKu deleted the secret-sync branch November 5, 2025 15:28