fix(fire-planner): grafana fire-planner-pg datasource survives pw rotation
Some checks failed
ci/woodpecker/push/default Pipeline failed
The fire-planner-pg Grafana datasource baked the rotating fire_planner DB
password into its provisioning ConfigMap at terraform plan-time, so on every
7-day static-role rotation the password went stale and ALL fire-planner-pg
dashboards (fire-planner, cost-of-living, and the new wealth FIRE Countdown)
silently failed with "password authentication failed for user fire_planner"
until the next stack apply.
Switch to the same live-env pattern wealth-pg / payslips-pg already use:
- new ExternalSecret grafana-fire-planner-pg-creds (monitoring ns, Reloader
  match) mirrors the rotating Vault static-creds/pg-fire-planner password
- datasource ConfigMap now references $__env{FIRE_PLANNER_PG_PASSWORD}
- Grafana mounts it via envFromSecrets; reloader (auto) restarts Grafana on
  rotation so the provisioned datasource never goes stale
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
35c0057d83
commit
6f042ee239
2 changed files with 52 additions and 10 deletions
|
|
@ -86,6 +86,8 @@ envFromSecrets:
|
|||
optional: true
|
||||
- name: grafana-job-hunter-pg-creds
|
||||
optional: true
|
||||
- name: grafana-fire-planner-pg-creds
|
||||
optional: true
|
||||
env:
|
||||
GF_SERVER_ROOT_URL: https://grafana.viktorbarzin.me
|
||||
|
||||
|
|
|
|||
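Review bot: the added `- name: grafana-fire-planner-pg-creds` entry carries `optional: true`, so Grafana will still start when that Secret is absent or has not synced yet, and FIRE_PLANNER_PG_PASSWORD will then be unset in the pod. The commit message says the datasource now reads `$__env{FIRE_PLANNER_PG_PASSWORD}`, so in that case the fire-planner-pg dashboards would fail authentication quietly again, only from a different cause than the stale baked-in password. The setting matches the neighbouring `grafana-job-hunter-pg-creds` entry, so keeping it for consistency is defensible, but consider dropping `optional: true` on this entry so a missing Secret fails loudly at pod start, or pairing it with an alert on the ExternalSecret's sync state.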