
Here I create a random password:

resource "random_password" "password" {
  length           = 12
  special          = true
  # restrict the special characters to this set (note: no space)
  override_special = "!#$%&*()-_=+[]{}:?"
}

Here I create a secret for the database:

resource "kubernetes_secret" "db_pass" {
  metadata {
    name = "db-pass"
  }
  # values in "data" are given in plain text; the provider base64-encodes
  # them when it stores the Secret in the cluster
  data = {
    MYSQL_PASSWORD        = aws_db_instance.database.password
    S3_ACCESS_KEY_ID      = ""
    S3_SECRET_KEY         = ""
    RABBITMQ_PASSWORD     = var.rabbitpassw
    RABBITMQ_ERLANGCOOKIE = var.erlangcookie
  }

  depends_on = [
    aws_db_instance.database,
    module.s3_bucket
  ]
}

Then this code should use the random password that the DB uses for connections:

resource "aws_db_instance" "database" {
  allocated_storage       = var.instance_storage_db
  max_allocated_storage   = var.max_storage_db
  engine                  = var.instance_engine_db
  engine_version          = var.instance_engine_version_db
  instance_class          = var.instance_size_db
  identifier              = "${var.cluster_name}-db-instance"
  db_name                 = "tester"
  username                = "admin"
  password                = random_password.password.result
  snapshot_identifier     = var.db_snapshot_id
  db_subnet_group_name    = aws_db_subnet_group.default.name
  vpc_security_group_ids  = [aws_security_group.db_sg.id]
  skip_final_snapshot     = var.skip_final_snapshot_db
  multi_az                = var.multi_az_db
  backup_retention_period = var.ret_period_db
}

I used it before, and it was working normally. Now I create a new cluster and the secret creates a 24-character password, and I cannot connect to RDS with it using mysql.

When I create a hardcoded password, connections to RDS are normal.

I have the same problem with the grafana random password.

Has anyone gone through this problem?

2 Answers


  1. Chosen as BEST ANSWER

    Thanks to @mrexojo, I found what the problem is.

    I changed from Windows to Linux OS, and I used kubectl get secret db-pass -o json, while on Windows I used kubectl get secret db-pass -o json | jq '{name: .metadata.name, data: .data|map_values(@base64d)}'. On Windows it works normally, but on Linux it is a different command.

    Thanks @MarkoE for help also, you are great!

    The right command is kubectl get secret db-pass -o jsonpath='{.data.MYSQL_PASSWORD}' -n namespace | base64 --decode | awk '{print $1}'


  2. First of all, I'd use random_password.password.result as the data content for the kubernetes secret. You are creating an unnecessary dependency.

    When you create a hardcoded password (not recommended) or use random_password.password.result inside an aws_db_instance resource, it works because it uses the real content.

    But remember that kubernetes secret content is obfuscated with base64 encoding. So when you create a kubernetes_secret resource, it is already generating the random_password with base64.

    Anyway, you can debug the content of your kubernetes secret and the random password.

    Debug:

    The output option from terraform is not allowed to show the password even when using sensitive = false, but if you have access to the plain-text terraform.tfstate you could find the plain text of the random password (something like "result": "V1dp81Dxr#nj",) and check whether it matches a similar query result of:

    kubectl get secret db-pass -o jsonpath='{.data.MYSQL_PASSWORD}' -n namespace | base64 --decode | awk '{print $1}'
    

    I hope that it helps you.

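The comparison this answer describes, written out as an added example (it is not code from either poster or from the original page): it takes a constructed stand-in for the output of kubectl get secret db-pass -o json and a constructed fragment of terraform.tfstate, decodes the base64 values under .data, and reports whether the MYSQL_PASSWORD in the secret equals the random_password result recorded in state. It also classifies a password a person might paste into mysql, so the two usual ways of getting it wrong (copying the still-encoded value straight out of -o json, or keeping a trailing newline from a shell pipeline) are distinguished from a genuine mismatch. The secret contents, the state fragment, the password "V1dp81Dxr#nj" and all function names are assumptions made for this example.

```python
import base64
import json
from typing import Dict, Optional

# Constructed sample values for this example (not from the original post).
DB_PASSWORD = "V1dp81Dxr#nj"
ENCODED_DB_PASSWORD = base64.b64encode(DB_PASSWORD.encode()).decode()

# Constructed stand-in for `kubectl get secret db-pass -o json`.
# Kubernetes returns every value under .data base64-encoded.
KUBECTL_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-pass", "namespace": "default"},
    "data": {
        "MYSQL_PASSWORD": ENCODED_DB_PASSWORD,
        "RABBITMQ_PASSWORD": base64.b64encode(b"rabbit-sample").decode(),
        "S3_ACCESS_KEY_ID": "",
    },
})

# Constructed stand-in for the random_password entry in terraform.tfstate.
# State keeps the result in plain text, so the state file itself is a secret.
TFSTATE_JSON = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "random_password",
        "name": "password",
        "instances": [{"attributes": {"length": 12, "result": DB_PASSWORD}}],
    }],
})


def decode_secret_data(secret_json: str) -> Dict[str, str]:
    """Decode every base64 value under .data of a Secret manifest."""
    secret = json.loads(secret_json)
    return {
        key: base64.b64decode(value).decode("utf-8")
        for key, value in secret.get("data", {}).items()
    }


def random_password_result(tfstate_json: str, name: str) -> Optional[str]:
    """Return the plain-text result of random_password.<name> from state."""
    state = json.loads(tfstate_json)
    for res in state.get("resources", []):
        if res.get("type") == "random_password" and res.get("name") == name:
            return res["instances"][0]["attributes"]["result"]
    return None


def classify_candidate(candidate: str, secret_json: str,
                       key: str = "MYSQL_PASSWORD") -> str:
    """Explain why a password pasted into `mysql -p` may not match the secret.

    Returns "match", "still-base64" (the caller copied the encoded value
    straight out of -o json), "whitespace" (a trailing newline from a shell
    pipeline was kept), "mismatch", or "key-missing".
    """
    raw = json.loads(secret_json).get("data", {}).get(key)
    if raw is None:
        return "key-missing"
    decoded = base64.b64decode(raw).decode("utf-8")
    if candidate == decoded:
        return "match"
    if candidate == raw:
        return "still-base64"
    if candidate.strip() == decoded:
        return "whitespace"
    return "mismatch"


def secret_matches_state(secret_json: str, tfstate_json: str,
                         key: str = "MYSQL_PASSWORD",
                         resource: str = "password") -> bool:
    """The check from the answer: decoded secret value == random_password result."""
    state_value = random_password_result(tfstate_json, resource)
    if state_value is None:
        return False
    return classify_candidate(state_value, secret_json, key) == "match"


if __name__ == "__main__":
    for k, v in decode_secret_data(KUBECTL_SECRET_JSON).items():
        print(f"{k}: {v!r}")
    print("MYSQL_PASSWORD matches state:",
          secret_matches_state(KUBECTL_SECRET_JSON, TFSTATE_JSON))
    print("pasting the raw -o json value:",
          classify_candidate(ENCODED_DB_PASSWORD, KUBECTL_SECRET_JSON))
```

Two practical notes on the shell commands in the answers. The jq filter .data|map_values(@base64d) and the jsonpath pipeline through base64 --decode produce the same plain-text value; reading -o json without either step gives the base64 string, which is what the "still-base64" case above represents. The trailing awk '{print $1}' in the accepted command discards everything after the first whitespace, which is harmless here only because the override_special set in the question contains no space; a password generated with a different character set could be truncated by it.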