Hello,
I have an issue with Octavia CLI. I would like to maintain mine Postgres connectors via CLI and I tried to store the password to connection in ~/.octavia file. This worked fine for a single password.
I did some experimenting and I found out, that the Octavia tries to apply the single password to other connectors even though the name of the variable store in .octavia file does not match. This creates quite a problem, as it overwrites or not apply correct credentials.
Is this intentional / wrong usage from mine side/ bug ?
Thanks in advance
Hey @radim_sasinka,
Could you share an example of your .octavia file structure and Postgres configuration YAML files? With dummy passwords.
I was not able to reproduce your error.
Hi,
here are my example configuration files. I noticed, that the problem I described before is now not happening and the propagation of passwords in my local machine works fine.
Nevertheless, inside our team, we would like to store all our configurations in the GitLab repository while different members are responsible for different connections.
Here comes the problem with passwords. When somebody pulls the repository with described configurations and then that person runs octavia apply, the passwords will be overwritten. Their Octavia detects ‘changes’ in their ~/.octavia file and even though their local variables do not match mine, it will overwrite the passwords. Could this be somehow resolved?
~/.octavia
AIRBYTE_URL=<url>
USER_PASS=<pass>
OCT_PASS=octavia
OCT_PASSWORD=wrong
POSTGRES_PASS=wrong
source
resource_name: postgres_source_template
definition_type: source
definition_id: decd338e-5647-4c0b-adf4-da0e75f5a750
definition_image: airbyte/source-postgres
definition_version: 0.4.10
configuration:
ssl: true
host: <host>
port: 5432
schemas: ["public"]
database: octavia_testing
password: ${USER_PASS}
username: sasinka
tunnel_method:
tunnel_method: "NO_TUNNEL"
replication_method:
method: "Standard"
destination
resource_name: postgres_destionation_template
definition_type: destination
definition_id: 25c5221d-dce2-4163-ade9-739ef790f503
definition_image: airbyte/destination-postgres
definition_version: 0.3.18
configuration:
ssl: true
host: <host>
port: 5432
schema: public
database: octavia_testing_destinations
password: ${OCT_PASSWORD}
username: octavia_testing
tunnel_method:
tunnel_method: "NO_TUNNEL"
replication_method:
method: "Standard"
here are my example configuration files. I noticed, that the problem I described before is now not happening and the propagation of passwords in my local machine works fine.
Great!
Here comes the problem with passwords. When somebody pulls the repository with described configurations and then that person runs octavia apply, the passwords will be overwritten. Their Octavia detects ‘changes’ in their ~/.octavia file and even though their local variables do not match mine, it will overwrite the passwords. Could this be somehow resolved?
This is indeed the expected behavior. I would suggest you use a shared secret file in your team to overcome this problem or only run applies from a single environment that has the right set of credentials. Let me know what would be the best flow from your perspective.
Let me know what would be the best flow from your perspective.
We would like to keep one git repository with all configuration files, so everybody has access in our team to them. But we would like to store the credentials / passwords in the local ~/.octavia file separated from the repository, as certain members of the team will be responsible for specific connections regarding different project. This way, anybody could check each other configurations, but the database credentials would stay protected.
I would expect, that the octavia apply command won’t try to apply ‘changes’ when it cannot find the variable in the ~/.octavia file. So if my colleague does not have the credentials, and they won’t do any changes, running the apply command will not overwrite anything. This would be great for our desired use case.
Or another idea - if the user could specify, which configurations would be targeted by octavia apply, probably by writing the definition_id into the .octavia file.
Thanks.
Or another idea - if the user could specify, which configurations would be targeted by octavia apply, probably by writing the definition_id into the .octavia file.
This is already possible with the --file option eg: octavia apply --file <path-to-your-config>
I would expect, that the octavia apply command won’t try to apply ‘changes’ when it cannot find the variable in the ~/.octavia file. So if my colleague does not have the credentials, and they won’t do any changes, running the apply command will not overwrite anything. This would be great for our desired use case.
Do you mind opening an issue on our repo to ask for this feature? This is indeed an improvement that can happen on the secret management logic.
This is already possible with the --file option eg: octavia apply --file <path-to-your-config>
Oh thanks, I missed that.
Do you mind opening an issue.
You can find the issue here. I hope, I described everything just fine, let me know if I could make something clearer if necessary.
Thank you this is a perfect issue. We’ll work on this asap.
Hi there from the Community Assistance team.
We’re letting you know about an issue we discovered with the back-end process we use to handle topics and responses on the forum. If you experienced a situation where you posted the last message in a topic that did not receive any further replies, please open a new topic to continue the discussion. In addition, if you’re having a problem and find a closed topic on the subject, go ahead and open a new topic on it and we’ll follow up with you. We apologize for the inconvenience, and appreciate your willingness to work with us to provide a supportive community.