fix: encode postgres secret credentials in database uri #484
Walkthrough
This PR fixes incorrect handling of special-character passwords by URL-escaping Postgres credentials into a new derived Kubernetes secret, and updates environment variable generation and controller reconciliation (including RBAC and resource ownership) to use the encoded credentials when constructing connection URIs.
Changes: Encoded Postgres credentials
Estimated code review effort: 3 (Moderate) | ~25 minutes
Sequence Diagram(s)
sequenceDiagram
participant Reconcile
participant SecretLogic as reconcileEncodedPostgresCredentialsSecret
participant SourceSecret as Source K8s Secret
participant EncodedSecret as Encoded K8s Secret
participant EnvBuilder as GetPostgresEnvVars
Reconcile->>SecretLogic: secret param present
SecretLogic->>SourceSecret: fetch username/password
SourceSecret-->>SecretLogic: raw credentials
SecretLogic->>SecretLogic: URL-escape values
SecretLogic->>EncodedSecret: CreateOrUpdate with owner reference
Reconcile->>EnvBuilder: build env vars for database
EnvBuilder->>EncodedSecret: reference POSTGRES_URL_ENCODED_USERNAME/PASSWORD
EnvBuilder-->>Reconcile: env vars with escaped credential refs
b0e9086 to 114ad55
✅ Approve — automated review
The PR correctly encodes PostgreSQL credentials for use in database URIs. The previously raised concern about
No findings.
NumaryBot left a comment
NumaryBot posted 1 new inline finding.
Summary: #484 (comment)
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@internal/resources/databases/secret.go`:
- Around line 44-54: The credential encoding in the Secret creation flow uses
url.QueryEscape, which is not safe for URI userinfo and can corrupt
usernames/passwords containing spaces. Update the encoding logic in the secret
update path around CreateOrUpdate in secret.go to use a userinfo-safe escaping
method, and make the matching decode/encode handling in env.go consistent so
credentials round-trip correctly through libpq URI userinfo.
⛔ Files ignored due to path filters (1)
- docs/09-Configuration reference/settings.catalog.json is excluded by !**/*.json
📒 Files selected for processing (5)
- internal/resources/databases/env.go
- internal/resources/databases/env_test.go
- internal/resources/databases/init.go
- internal/resources/databases/secret.go
- internal/resources/databases/secret_test.go
114ad55 to b3cd1b4
NumaryBot left a comment
NumaryBot review complete: no remaining inline findings.
Resolved 1 stale NumaryBot review thread (0 fixed, 1 outdated).
Summary: #484 (comment)
Summary
- POSTGRES_URI
- POSTGRES_USERNAME and POSTGRES_PASSWORD sourced from the original Secret for existing consumers
Root cause
Database credentials loaded through ?secret=... were injected raw and then interpolated into postgresql://user:password@host:port, so special URI characters such as ^ could break the resulting connection string.
Fixes #481
Validation
- CGO_ENABLED=0 go test ./internal/resources/databases
- KUBEBUILDER_ASSETS="$(pwd)/bin/k8s/1.32.0-darwin-arm64" CGO_ENABLED=0 go test ./...
- nix develop -c just pc
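Added example, not code from this PR or the project: it compares the three encodings discussed in the root cause and in the inline finding on secret.go (raw interpolation, url.QueryEscape, and userinfo escaping) by building the URI and parsing it back. The function names, host, database name and sample passwords are constructed for illustration, and Go's net/url stands in for the consumer's URI parser rather than libpq.

```go
package main

import (
	"fmt"
	"net/url"
)

// Three ways to prepare a credential before it is interpolated into the URI.
// (Hypothetical helper names, not the operator's own.)
func rawEncode(s string) string      { return s }                    // pre-fix behaviour from the root cause
func queryEncode(s string) string    { return url.QueryEscape(s) }   // form encoding: space becomes '+'
func userinfoEncode(s string) string { return url.User(s).String() } // userinfo escaping: space becomes %20

// buildURI interpolates prepared credentials into the shape shown in the PR
// description. Host, port and database name are constructed placeholders.
func buildURI(user, pass string) string {
	return fmt.Sprintf("postgresql://%s:%s@db.example.internal:5432/app", user, pass)
}

// survives reports whether a password comes back unchanged, with the user and
// host still intact, after being encoded, placed in the URI and parsed again.
func survives(encode func(string) string, password string) bool {
	u, err := url.Parse(buildURI(encode("app"), encode(password)))
	if err != nil || u.User == nil {
		return false // the URI no longer parses at all
	}
	got, ok := u.User.Password()
	return ok && got == password &&
		u.User.Username() == "app" &&
		u.Hostname() == "db.example.internal"
}

func main() {
	// Constructed sample passwords, not taken from the PR.
	for _, pw := range []string{"plain", "pa^ss", "p@ss w/rd^", "a+b c"} {
		fmt.Printf("%-14q raw=%-5v query=%-5v userinfo=%v\n", pw,
			survives(rawEncode, pw),
			survives(queryEncode, pw),
			survives(userinfoEncode, pw))
	}
}
```

Only the userinfo encoder round-trips every sample: raw interpolation breaks on ^, @, / and spaces, while query escaping handles those but returns a literal + where the password had a space.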