Skip to content

Respect postgres.passwordSecretName in presence of rr.agentSandbox.externalSecret#332

Open
ryanartecona wants to merge 2 commits into
mainfrom
ra/agent-sandbox-pgpassword
Open

Respect postgres.passwordSecretName in presence of rr.agentSandbox.externalSecret#332
ryanartecona wants to merge 2 commits into
mainfrom
ra/agent-sandbox-pgpassword

Conversation

@ryanartecona

@ryanartecona ryanartecona commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

In blueprints, we want the agentSandbox secrets to come from different places: jwt-public-key, jwt-private-key, and postgres-url from an agent-sandbox secret, but specifically the postgres password from the main retool secret, as that is the only one that gets auto rotated by e.g. RDS.

This allows agentSandbox.externalSecret to also be used with agentSandbox.postgres.passwordSecretName when both are present.

@greptile-apps

greptile-apps Bot commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown

Greptile Summary

This PR extends retool.agentSandbox.postgresUrlEnv so that when externalSecret.name supplies the postgres-url, a separately configured postgres.passwordSecretName (e.g. the main Retool secret auto-rotated by RDS) is also injected as PGPASSWORD. This enables the blueprint use-case where JWT keys and the postgres URL come from one external secret while the password comes from another.

  • Adds a conditional PGPASSWORD secretKeyRef block inside the $ext branch of retool.agentSandbox.postgresUrlEnv, mirroring the existing pattern already present in the $pg.host branch.
  • Bumps the chart to 6.11.1 and updates comments in both values.yaml copies to document the new combination.

Confidence Score: 4/5

The externalSecret path change is correct; the urlSecretName branch is left without equivalent passwordSecretName support, which could silently drop the password for users who pair those two options.

The new PGPASSWORD block in the externalSecret branch is logically correct and mirrors the existing host-path pattern. The concern is that the parallel urlSecretName branch still has no passwordSecretName support — a user storing a passwordless DSN via urlSecretName and setting passwordSecretName will silently get no PGPASSWORD at runtime.

charts/retool/templates/_helpers.tpl — specifically the urlSecretName branch around line 738

Important Files Changed
Filename Overview
charts/retool/Chart.yaml Patch version bump from 6.11.0 to 6.11.1 to reflect the bugfix change.
charts/retool/templates/_helpers.tpl Adds PGPASSWORD env var support to the externalSecret branch of retool.agentSandbox.postgresUrlEnv; the urlSecretName branch gets no equivalent treatment, creating an asymmetry.
charts/retool/values.yaml Comment-only update documenting that the postgres-url from externalSecret can omit the embedded password and use passwordSecretName instead.
values.yaml Mirrors the same comment-only update as charts/retool/values.yaml.

Flowchart

 
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[retool.agentSandbox.postgresUrlEnv] --> B{pg.url set?}
    B -- Yes --> C[AGENT_SANDBOX_POSTGRES_URL = plaintext url]
    B -- No --> D{pg.host set?}
    D -- Yes --> E{passwordSecretName?}
    E -- Yes --> F[PGPASSWORD from secret]
    E -- No --> G{pg.password?}
    G -- Yes --> H[PGPASSWORD plaintext]
    F --> I[AGENT_SANDBOX_POSTGRES_URL assembled from host/user/db]
    H --> I
    G -- No --> I
    D -- No --> J{pg.urlSecretName set?}
    J -- Yes --> K[AGENT_SANDBOX_POSTGRES_URL from secret - NO PGPASSWORD support]
    J -- No --> L{externalSecret.name set?}
    L -- Yes --> M[AGENT_SANDBOX_POSTGRES_URL from external secret]
    M --> N{passwordSecretName? NEW}
    N -- Yes --> O[PGPASSWORD from passwordSecretName secret]
    N -- No --> P[no PGPASSWORD]
    L -- No --> Q[Inherit backend postgres - PGPASSWORD from config.postgresql secret]
Loading

Comments Outside Diff (2)

  1. charts/retool/templates/_helpers.tpl, line 701-702 (link)

    P2 The docblock says "plus a PGPASSWORD entry when assembling from fields" but after this PR, PGPASSWORD can also be emitted in the externalSecret path. The phrase "when assembling from fields" now understates the scope — callers reading this comment before the externalSecret branch won't expect PGPASSWORD to appear there.

    Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

  2. charts/retool/templates/_helpers.tpl, line 738-743 (link)

    P1 urlSecretName branch silently ignores passwordSecretName

    The externalSecret branch (just below) now respects passwordSecretName, but the urlSecretName branch does not. A user who stores a passwordless DSN in a Kubernetes secret via urlSecretName and sets passwordSecretName to provide the password separately will get no PGPASSWORD env var and a silent connection failure at runtime. The urlSecretName path could apply the same {{- if $pg.passwordSecretName }} block that was just added to the externalSecret path.

Reviews (1): Last reviewed commit: "bump patch" | Re-trigger Greptile

@JatinNanda JatinNanda mentioned this pull request Jun 12, 2026
Open
JatinNanda added a commit that referenced this pull request Jun 13, 2026
@JatinNanda
refactor(rr): replace postgres.fromExternalSecret with postgres.urlSe…
937c429 
…cretName

the fromExternalSecret boolean was redundant with the existing Option-3
postgres.urlSecretName/urlSecretKey: 'read postgres-url from externalSecret.name'
is identical to pointing urlSecretName at that same secret (urlSecretKey already
defaults to postgres-url). drop the bespoke flag and the externalSecret postgres
branch entirely, so externalSecret.name covers ONLY the JWT/encryption keys and
never sources postgres.

- remove rr.agentSandbox.postgres.fromExternalSecret (both values.yaml copies)
- postgresUrlEnv: delete the externalSecret postgres branch; move the
  passwordSecretName PGPASSWORD support (#332) into the urlSecretName branch, so
  'DSN from a secret + auto-rotated password from another secret' uses Option 3
- validateSecrets: drop the externalSecret term from $explicitPg; repoint both
  fail hints to postgres.urlSecretName
- ci: test-agent-sandbox-enabled-option uses postgres.urlSecretName (Option 3)
  pointed at its JWT secret instead of the removed flag
JatinNanda added a commit that referenced this pull request Jun 13, 2026
@JatinNanda
refactor(rr): replace postgres.fromExternalSecret with postgres.urlSe…
8fd12d9 
…cretName

the fromExternalSecret boolean was redundant with the existing Option-3
postgres.urlSecretName/urlSecretKey: 'read postgres-url from externalSecret.name'
is identical to pointing urlSecretName at that same secret (urlSecretKey already
defaults to postgres-url). drop the bespoke flag and the externalSecret postgres
branch entirely, so externalSecret.name covers ONLY the JWT/encryption keys and
never sources postgres.

- remove rr.agentSandbox.postgres.fromExternalSecret (both values.yaml copies)
- postgresUrlEnv: delete the externalSecret postgres branch; move the
  passwordSecretName PGPASSWORD support (#332) into the urlSecretName branch, so
  'DSN from a secret + auto-rotated password from another secret' uses Option 3
- validateSecrets: drop the externalSecret term from $explicitPg; repoint both
  fail hints to postgres.urlSecretName
- ci: test-agent-sandbox-enabled-option uses postgres.urlSecretName (Option 3)
  pointed at its JWT secret instead of the removed flag
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ryanartecona