Failure to connect to Postgres DB when using existing secret #39

Open
RxJcollins opened this issue Apr 4, 2022 · 2 comments

@RxJcollins

I am trying to deploy this chart using an existing secret for the DB connection info. However, the pod(s) will not start because of failing to connect for the 'postgres' user. When I look in the DB pod, I see a value written to the environment variables for a password for the DB user 'postgres'; however, it is not the password that is in my sealed secret. I have even attempted to override it using values from the bitnami/chart/values.yaml to no success. It seems the secret that keeps getting deployed to my namespace is the one created by the chart and does not contain the keys and values from my existing secret.

@jbielick
Member

jbielick commented Apr 7, 2022

Are you able to submit a minimal reproduction of this issue? Just a values file and helm install command would probably do. At present, I cannot locate the source of the issue you're having and there are many variables to consider.

For what it's worth, there's a passing test case here which asserts that the correct secret name is used to populate the DATABASE_PASSWORD environment variable for the AWX pod containers, which sounds like your case. Does that test look different from what you have?

```bash
@test "$name: with postgresqlExistingSecret: provided secret is used for DATABASE_PASSWORD" {
  template_with_defaults "$name" --set postgresqlExistingSecret=my-secret
  local envs
  envs="$(get '.spec.template.spec.containers[] | select(.name == "web").env')"
  [ "$(jq -r '.[] | select(.name == "DATABASE_PASSWORD").valueFrom.secretKeyRef | "\(.name).\(.key)"' <<< "$envs")" = "my-secret.DATABASE_PASSWORD" ]
  envs="$(get '.spec.template.spec.containers[] | select(.name == "task").env')"
  [ "$(jq -r '.[] | select(.name == "DATABASE_PASSWORD").valueFrom.secretKeyRef | "\(.name).\(.key)"' <<< "$envs")" = "my-secret.DATABASE_PASSWORD" ]
}
```

@RxJcollins
Author

From looking at your test, I don't see where my secret would fail. One thing I need to note is I am deploying and running this chart from my ArgoCD Application definition so a minimal reproduction is a little different. But I will try. Essentially I am using the default values file, but passing parameters in to overwrite the values I need to change, specifically setting the postgresqlExistingSecret value to the name of my secret I have created in my cluster. An example of that secret would be as such:
```bash
kubectl create secret generic awx-db-user \
  --from-literal=DATABASE_USER=postgres \
  --from-literal=DATABASE_PASSWORD='testpassword' \
  --from-literal=DATABASE_NAME=awx \
  --from-literal=DATABASE_HOST=awx-devops-postgresql \
  --from-literal=DATABASE_PORT=5432 \
  --from-literal=DATABASE_ADMIN_PASSWORD=testpassword \
  -n awx --dry-run=client --output yaml \
  | kubeseal --format=yaml --scope cluster-wide
```

Once this secret is created and deployed I would think it could be reproduced by running the below helm install command:
```bash
helm install awx -f values.yaml --set postgresqlExistingSecret=awx-db-user
```

But for specificity's sake, the exact parameters passed are these:

```yaml
helm:
  valueFiles:
    - values.yaml
  parameters:
    - name: secretKeyExistingSecret
      value: awx-secret-key
    - name: defaultAdminExistingSecret
      value: awx-admin-user
    - name: service.type
      value: NodePort
    - name: service.port
      value: "80"
    - name: ingress.enabled
      value: "true"
    - name: ingress.hosts[0].host
      value: "awx.internal.local"
    - name: ingress.hosts[0].paths[0]
      value: "/"
    - name: ingress.annotations.kubernetes\.io/ingress\.class
      value: alb
    - name: ingress.annotations.alb\.ingress\.kubernetes\.io/scheme
      value: internal
    - name: ingress.annotations.alb\.ingress\.kubernetes\.io/group\.name
      value: awx
    - name: ingress.annotations.alb\.ingress\.kubernetes\.io/certificate-arn
      value: "xxxxxxxxx"
    - name: postgresqlExistingSecret
      value: awx-db-user
```
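
An added example, not part of the issue thread or the chart's own code: the quoted test inspects only the `web` and `task` containers, so this sketch goes further and lists every `secretKeyRef` and `envFrom` secret across all workloads, flagging any that do not point at the expected existing secret. The input is a constructed sample shaped like `kubectl get deployments,statefulsets -n awx -o json`; every workload, container and secret name in it other than `awx-db-user` is hypothetical.

```python
import json
import sys


def _env(name, secret, key):
    # Helper used only to build the constructed sample below.
    return {"name": name, "valueFrom": {"secretKeyRef": {"name": secret, "key": key}}}


def _workload(kind, name, containers):
    return {"kind": kind, "metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": containers}}}}


# Constructed sample, NOT real output of the chart (names are hypothetical).
SAMPLE = {"kind": "List", "items": [
    _workload("Deployment", "awx", [
        {"name": "web", "env": [_env("DATABASE_PASSWORD", "awx-db-user", "DATABASE_PASSWORD")]},
        {"name": "task", "env": [_env("DATABASE_PASSWORD", "awx-db-user", "DATABASE_PASSWORD")]},
    ]),
    _workload("StatefulSet", "example-postgresql", [
        {"name": "postgresql",
         "env": [_env("POSTGRES_PASSWORD", "example-generated-secret", "password")]},
    ]),
]}


def secret_refs(doc):
    """Yield (workload, container, env var, secret name, key) for each secret reference."""
    for item in doc.get("items", [doc]):  # accept a List or a single object
        workload = f'{item["kind"]}/{item["metadata"]["name"]}'
        pod = item["spec"]["template"]["spec"]
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            for env in c.get("env", []):
                ref = (env.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    yield workload, c["name"], env["name"], ref["name"], ref["key"]
            for src in c.get("envFrom", []):  # whole-secret imports
                if "secretRef" in src:
                    yield workload, c["name"], "*", src["secretRef"]["name"], "*"


def unexpected_refs(doc, expected_secret):
    """Return the references that do not point at the expected existing secret."""
    return [r for r in secret_refs(doc) if r[3] != expected_secret]


if __name__ == "__main__":
    # Usage: kubectl get deployments,statefulsets -n awx -o json | python this.py awx-db-user
    live = len(sys.argv) > 1 and not sys.stdin.isatty()
    doc = json.load(sys.stdin) if live else SAMPLE
    for ref in unexpected_refs(doc, sys.argv[1] if len(sys.argv) > 1 else "awx-db-user"):
        print("not using expected secret:", *ref)
```
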
