Troubleshooting Cloud SQL password authentication issue with Kubernetes secret in Datahub deployment

Original Slack Thread

Hi there :wave:

I am trying to deploy Datahub to GKE.
I chose to use Cloud SQL to host my postgres Database.

However, the postgresql-setup-job fails if I give it the password in a secret instead of passing it as a value

In the yml, if I set

```
  sql:
    datasource:
      username: datahub
      password:
        value: myPassword
```
everything works

If on the contrary I set it like that
```
  sql:
    datasource:
      username: datahub
      password:
        secretRef: postgres-secret
        secretKey: fmdp-psql-password
```
I always get the following error:
`psql: error: connection to server at "prerequisites-gcloud-sqlproxy" (, port 3306 failed: FATAL:  password authentication failed for user "datahub"`

Does anyone have a clue about why it does that and how to fix this issue?

Thanks! :pray:

Several checks I have done:
• My password is base64 encoded in the kube secret
• The environment variable is correctly set

<@U03MF8MU5P0> any idea on this?

Hello <@U0670CBQ5U6>, how do you create the secret? Could it be related to the encoding? If I’m not mistaken, the secrets are stored unencrypted in k8s. Have you considered using an external provider? For example we’re using AKS which integrates with Azure Key Vault and keep the secrets there.


I create the secret using kube, just the same as for other services. I get the problem only with postgresql. I did not try with a vault for now

So if I look at your yaml file, the command to create the secret would be:
```
kubectl create secret generic postgres-secret --from-literal=fmdp-psql-password=<your password in plain text here>
```
Could you confirm? Maybe first delete and re-create it just in case?

To be exact, I create it using a yml definition and running kubectl apply -f postgres_secret.yml

```
apiVersion: v1
kind: Secret
metadata:
  name: postgres-secret
type: Opaque
data:
  fmdp-psql-password: <base64 encoded password>
```
I have tried several times to change the password, delete and re-create the secret.

It still does not work :disappointed:

What response do you get when running the command I provided?

Looks like it works!! :tada:

I don’t get why, because there should be no difference from the way I created it but weirdly, it works

Happy that it works. It works because you created the secret in plain text. Otherwise the password is sent in its base64 encoded representation and the database rejects it.

Ok, thank you very much!