feat: add --postgres-database-url-file flag for file-based DB credentials#1342
Conversation
There was a problem hiding this comment.
Pull request overview
Adds support for supplying the Postgres connection URL via a file, enabling secret-file based deployments (e.g., Kubernetes Secrets) while keeping existing direct-URL configuration.
Changes:
- Add
--postgres-database-url-fileflag /POSTGRES_DATABASE_URL_FILEenv var support and resolve URL from file with precedence over--postgres-database-url. - Add Helm values (
database.postgres.urlFile) and conditionally emitPOSTGRES_DATABASE_URL_FILEin the controller ConfigMap. - Add unit tests covering the new flag/env var and file-reading behavior.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
helm/kagent/values.yaml |
Adds database.postgres.urlFile value (defaults empty) with precedence comment. |
helm/kagent/templates/controller-configmap.yaml |
Emits POSTGRES_DATABASE_URL_FILE when urlFile is set, otherwise falls back to POSTGRES_DATABASE_URL. |
go/pkg/app/app.go |
Adds config field + flag and resolves DB URL from file during startup. |
go/pkg/app/app_test.go |
Adds tests for URL-file behavior and the new flag/env var mapping. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
345717b to
668b7bf
Compare
EItanya
left a comment
There was a problem hiding this comment.
Changes make sense to me. Any particular reason this is a file and not just an env var, isn't it just a single string
Hey @EItanya 👋 Our infrastructure uses a secrets management solution that injects credentials as files mounted into pods rather than environment variables. Without this change I cannot get the Postgres credentials I need to make kAgent happy |
EItanya
left a comment
There was a problem hiding this comment.
I understand why you implemented it this way for brevity, but I'm worried that this sort of change is hard to track overtime without regression test. Rather, if you also add the config to the actual manager then we can more easily test these changes in-situ. What do you think?
|
Hey @EItanya Not sure if I fully grasp your point unfortunately but, I personally see the value in resolving the file in That said, if you'd prefer it in NewManager I can add a URLFile field to PostgresConfig and resolve it there with a small helper. Happy either way! |
|
I do prefer the |
…ials Support reading the PostgreSQL connection URL from a file on disk. When set, takes precedence over --postgres-database-url. Useful for credential injection systems that write secrets to files rather than environment variables. Signed-off-by: Matteo Mori <matteo.mori@rvu.co.uk> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Matteo Mori <matteo.mori@rvu.co.uk> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Matteo Mori <matteo.mori@rvu.co.uk> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
88bb50c to
b81dacb
Compare
|
@EItanya - I think I am seeing what you mean. Something like the last change? |
go/pkg/app/app.go
Outdated
| ctrl.SetLogger(logger) | ||
|
|
||
| setupLog.Info("Starting KAgent Controller", "version", Version, "git_commit", GitCommit, "build_date", BuildDate, "config", cfg) | ||
| setupLog.Info("Starting KAgent Controller", "version", Version, "git_commit", GitCommit, "build_date", BuildDate) |
There was a problem hiding this comment.
I understand why you're removing this as there are now secrets, but I think we need redaction rather than removing this entirely, this log line is incredibly useful to know what the effective config is
There was a problem hiding this comment.
@EItanya - Fair enough! I have reverted the change and I will have a look at sorting out hiding sensitive info in another PR, if it helps
Yes this is what I meant :) |
Signed-off-by: Matteo Mori <matteo.mori@rvu.co.uk> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
--postgres-database-url-fileCLI flag (auto-mapped toPOSTGRES_DATABASE_URL_FILEenv var) to read the PostgreSQL connection URL from a file--postgres-database-urlwhen setdatabase.postgres.urlFilevalue and conditional ConfigMap entry