
config: Add user and db creation in external postgresql #65

Merged
merged 3 commits into from
Jun 5, 2024

Conversation

akash4sh
Collaborator

No description provided.


dryrunsecurity bot commented May 30, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
Sensitive Files Analyzer 0 findings
Authn/Authz Analyzer 0 findings
AppSec Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request primarily focus on updating the configuration and deployment of the "quality-trace" Helm chart, which is used to deploy the Tracetest application. The key changes include:

  1. Helm Chart Version Update: The version of the "quality-trace" Helm chart has been updated from 1.0.4 to 1.0.5.
  2. Database Configuration: The database configuration has been updated to separate the "quality-trace" database and user from other potential databases. The database password is now being retrieved from an environment variable or a Kubernetes secret, which is a security best practice.
  3. Database Creation Job: The job responsible for creating the database and user has been updated to use the database password from an environment variable and to properly escape the input to prevent SQL injection vulnerabilities.
  4. Postgres Configuration in ConfigMap: The changes to the ConfigMap update the Postgres connection settings, including the use of a separate set of credentials for the "quality-trace" component. However, there are some security considerations around the handling of sensitive information, such as passwords, in the ConfigMap.
  5. Deployment Configuration: The deployment configuration has been updated to handle the database password retrieval from a Kubernetes secret when using an external Postgres instance.
  6. OpenTelemetry Collector and Tracing Configuration: The chart includes updates to the configuration of the OpenTelemetry Collector and the tracing backends (Signoz and Tracetest), which is an important aspect of the application's security and observability.

Overall, the changes in this pull request seem to be focused on improving the security and maintainability of the "quality-trace" application's deployment, particularly in the areas of database configuration, password management, and telemetry/tracing setup. As an application security engineer, I would recommend thoroughly reviewing the changes and the associated documentation to ensure that the application's security posture is not compromised.

Files Changed:

  1. charts/quality-trace/Chart.yaml: This file has been updated to bump the Helm chart version from 1.0.4 to 1.0.5.
  2. charts/quality-trace/templates/configmap-db.yaml: The changes in this file separate the database configuration for the "quality-trace" application, improve the handling of the database password, and use conditional database creation.
  3. charts/quality-trace/templates/create-user-db-job.yaml: The changes in this file update the job responsible for creating the database and user, including the use of environment variables for the database password and proper input validation.
  4. charts/quality-trace/templates/configmap.yaml: The changes in this file update the Postgres configuration, including the introduction of a separate set of credentials for the "quality-trace" component. There are some security considerations around the handling of sensitive information in the ConfigMap.
  5. charts/quality-trace/templates/deployment.yaml: The changes in this file update the deployment configuration to handle the database password retrieval from a Kubernetes secret when using an external Postgres instance.
  6. charts/quality-trace/values.yaml: The changes in this file update the OpenTelemetry Collector image version and the external PostgreSQL configuration, which are important for the application's security and observability.

Powered by DryRun Security
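Items 2, 3 and 5 of the bot summary describe a creation job that takes the database password from an environment variable (populated from a Kubernetes Secret) and escapes its input before building SQL. The script below is an added example of that pattern, written for this page; it is not the quality-trace chart's own `create-user-db-job.yaml` script, and the variable names `QT_DB_USER`, `QT_DB_NAME` and `QT_DB_PASSWORD` are assumptions. The shell never splices raw values into SQL: it only emits single-quoted literals with embedded quotes doubled, and delegates identifier quoting to PostgreSQL's `format()` with `%I` / `%L`, so a user name or password containing quotes, semicolons or `--` cannot change the statement. The `WHERE NOT EXISTS ... \gexec` form makes both statements idempotent without a dollar-quoted `DO` block, which a password containing `$$` could otherwise terminate.

```shell
#!/bin/sh
# Added example (not the quality-trace chart's own job script): build the
# SQL that creates a dedicated role and database on an external PostgreSQL
# instance, with every value passed as a properly quoted literal.
# Assumed env/variable names: QT_DB_USER, QT_DB_NAME, QT_DB_PASSWORD.
set -u

# Quote a SQL string literal: wrap in single quotes and double any embedded
# single quote. With standard_conforming_strings (the default), backslashes
# need no treatment.
sql_literal() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Emit idempotent psql input that creates the role (if absent) and the
# database (if absent). Identifier quoting is left to format('%I'), the
# password goes through format('%L'); the shell only ever emits literals.
# $1 = role name, $2 = database name, $3 = role password.
create_user_db_sql() {
  user_lit=$(sql_literal "$1")
  db_lit=$(sql_literal "$2")
  pw_lit=$(sql_literal "$3")
  cat <<EOF
\set ON_ERROR_STOP on
SELECT format('CREATE ROLE %I LOGIN PASSWORD %L', ${user_lit}, ${pw_lit})
WHERE NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = ${user_lit})\gexec
SELECT format('CREATE DATABASE %I OWNER %I', ${db_lit}, ${user_lit})
WHERE NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = ${db_lit})\gexec
EOF
}

# Constructed sample values (not from the page) showing that quotes and a
# comment marker in the input survive only as data inside the literals.
create_user_db_sql "quality-trace" "qt'db" "p'w; -- not a comment"
```

In the Job, the admin credentials and the new role's password would come from `secretKeyRef` entries rather than a ConfigMap, and the script would be piped into the client, for example `create_user_db_sql "$QT_DB_USER" "$QT_DB_NAME" "$QT_DB_PASSWORD" | PGPASSWORD="$POSTGRES_ADMIN_PASSWORD" psql -q -h "$PGHOST" -U "$PGUSER" -d postgres`. One caveat a reviewer should note: the generated `CREATE ROLE ... PASSWORD` statement is still visible to the server, so if the external instance runs with `log_statement = 'all'` the password lands in the PostgreSQL log.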

@akash4sh akash4sh merged commit e8afb51 into intelops:main Jun 5, 2024
7 of 9 checks passed
2 participants