Octavia CLI detecting and applying wrong passwords

Hello,
I have an issue with Octavia CLI. I would like to maintain my Postgres connectors via the CLI, and I tried to store the connection password in the ~/.octavia file. This worked fine for a single password.

I did some experimenting and found out that Octavia tries to apply the single password to other connectors even though the name of the variable stored in the .octavia file does not match. This creates quite a problem, as it overwrites or does not apply the correct credentials.

Is this intentional, wrong usage on my side, or a bug?
Thanks in advance

Hey @radim_sasinka,
Could you share an example of your .octavia file structure and Postgres configuration YAML files? With dummy passwords.
I was not able to reproduce your error.

Hi,
here are my example configuration files. I noticed that the problem I described before is now not happening, and the propagation of passwords on my local machine works fine.

Nevertheless, inside our team, we would like to store all our configurations in the GitLab repository while different members are responsible for different connections.

Here comes the problem with passwords. When somebody pulls the repository with described configurations and then that person runs octavia apply, the passwords will be overwritten. Their Octavia detects ‘changes’ in their ~/.octavia file and even though their local variables do not match mine, it will overwrite the passwords. Could this be somehow resolved?

~/.octavia

    AIRBYTE_URL=<url>
    USER_PASS=<pass>
    OCT_PASS=octavia
    OCT_PASSWORD=wrong
    POSTGRES_PASS=wrong

source

    resource_name: postgres_source_template
    definition_type: source
    definition_id: decd338e-5647-4c0b-adf4-da0e75f5a750
    definition_image: airbyte/source-postgres
    definition_version: 0.4.10

    configuration:
      ssl: true
      host: <host>
      port: 5432
      schemas: ["public"]
      database: octavia_testing
      password: ${USER_PASS}
      username: sasinka
      tunnel_method:
        tunnel_method: "NO_TUNNEL"
    replication_method:
        method: "Standard"

destination

    resource_name: postgres_destionation_template
    definition_type: destination
    definition_id: 25c5221d-dce2-4163-ade9-739ef790f503
    definition_image: airbyte/destination-postgres
    definition_version: 0.3.18

    configuration:
      ssl: true
      host: <host>
      port: 5432
      schema: public
      database: octavia_testing_destinations
      password: ${OCT_PASSWORD}
      username: octavia_testing
      tunnel_method:
        tunnel_method: "NO_TUNNEL"
    replication_method:
        method: "Standard"

> here are my example configuration files. I noticed that the problem I described before is now not happening, and the propagation of passwords on my local machine works fine.

Great!

> Here comes the problem with passwords. When somebody pulls the repository with described configurations and then that person runs octavia apply, the passwords will be overwritten. Their Octavia detects ‘changes’ in their ~/.octavia file and even though their local variables do not match mine, it will overwrite the passwords. Could this be somehow resolved?

This is indeed the expected behavior. I would suggest you use a shared secret file in your team to overcome this problem or only run applies from a single environment that has the right set of credentials. Let me know what would be the best flow from your perspective.

> Let me know what would be the best flow from your perspective.

We would like to keep one git repository with all configuration files, so everybody in our team has access to them. But we would like to store the credentials / passwords in the local ~/.octavia file, separated from the repository, as certain members of the team will be responsible for specific connections regarding different projects. This way, anybody could check each other's configurations, but the database credentials would stay protected.

I would expect that the octavia apply command won’t try to apply ‘changes’ when it cannot find the variable in the ~/.octavia file. So if my colleague does not have the credentials, and they won’t do any changes, running the apply command will not overwrite anything. This would be great for our desired use case.

Or another idea: if the user could specify which configurations would be targeted by octavia apply, probably by writing the definition_id into the .octavia file.

Thanks.

> Or another idea: if the user could specify which configurations would be targeted by octavia apply, probably by writing the definition_id into the .octavia file.

This is already possible with the --file option, e.g.: octavia apply --file <path-to-your-config>

> I would expect that the octavia apply command won’t try to apply ‘changes’ when it cannot find the variable in the ~/.octavia file. So if my colleague does not have the credentials, and they won’t do any changes, running the apply command will not overwrite anything. This would be great for our desired use case.

Do you mind opening an issue on our repo to ask for this feature? This is indeed an improvement that can happen on the secret management logic.

> This is already possible with the --file option, e.g.: octavia apply --file <path-to-your-config>

Oh thanks, I missed that.

> Do you mind opening an issue.

You can find the issue here. I hope I described everything just fine; let me know if I could make something clearer if necessary.

Thank you, this is a perfect issue. We’ll work on this ASAP.
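Until the requested behaviour exists, a team can guard against the overwrite described in this thread with a pre-apply check. The following is an added example, not part of the original posts and not Airbyte's code: it lists the `${VAR}` references in each configuration, compares them with the variables defined in the local secrets file, and emits an `octavia apply --file` command only for configurations whose variables are all present. The file names, the sample values and the `KEY=VALUE` parsing of `~/.octavia` are assumptions made for the illustration.

```python
import re

# ${NAME} placeholders as used in the configuration YAML files in this thread.
VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def load_secret_names(secrets_text):
    """Names that have a non-empty value in KEY=VALUE text (assumed ~/.octavia layout)."""
    names = set()
    for line in secrets_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if value.strip():
            names.add(key.strip())
    return names


def missing_vars(config_text, defined):
    """Variables a configuration references that are not defined locally."""
    return sorted(set(VAR_REF.findall(config_text)) - defined)


def plan_apply(configs, secrets_text):
    """Return (commands safe to run, {skipped file: missing variable names})."""
    defined = load_secret_names(secrets_text)
    commands, skipped = [], {}
    for path, text in configs.items():
        missing = missing_vars(text, defined)
        if missing:
            skipped[path] = missing  # applying would push a bad password
        else:
            commands.append(["octavia", "apply", "--file", path])
    return commands, skipped


# Constructed sample: a colleague who only holds the source credentials.
SAMPLE_SECRETS = "AIRBYTE_URL=http://localhost:8000\nUSER_PASS=dummy\n"
SAMPLE_CONFIGS = {
    "source.yaml": "configuration:\n  password: ${USER_PASS}\n",
    "destination.yaml": "configuration:\n  password: ${OCT_PASSWORD}\n",
}

if __name__ == "__main__":
    commands, skipped = plan_apply(SAMPLE_CONFIGS, SAMPLE_SECRETS)
    for cmd in commands:
        print("would run:", " ".join(cmd))
    for path, names in skipped.items():
        print("skipping", path, "- undefined:", ", ".join(names))
```

The check only catches variables that are missing or empty; a variable that is defined with a stale value, like `POSTGRES_PASS=wrong` in the sample file above, still passes and would be applied.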