kie-cloud-operator

Passwords should be referenced from secrets

Open chambridge opened this issue 4 years ago • 3 comments

I do not want to have my Admin RDS password in the clear within a CR when trying to use an external DB.

There are numerous cases within KieApp CRD where passwords are requested to be provided in the clear.

I would much prefer to see the operator request secret names for many of these items. Where the operator is asking for things like user and password it would be nice to have these both within the secret. Then just provide documentation on the expected secret format.

chambridge, Jan 12 '21 19:01

Is it possible to work around any of this by providing a mounted volume from a secret?

chambridge, Jan 12 '21 19:01

Also would like to be able to support a CA certificate for SSL connectivity to an external DB.

chambridge, Jan 12 '21 19:01

@chambridge we will definitely discuss the merits of moving to secrets in a future release. I'll update this issue with a decision when we have one.

In the meantime, you can simply customize your KieApp DC resources however you'd like. For example, you can change the following env var to a secret... instead of the default KieApp field. https://github.com/kiegroup/kie-cloud-operator/blob/b99504caaef4bdf1e5c92be57830ab414354c670/config/7.9.1/dbs/servers/external.yaml#L34-L35

This is done by modifying the versioned, external db ConfigMap. These CMs are created by the BA operator, in the same namespace, and will contain the above yaml. They are reconciled against the KieApp configs. Please let me know if you have further Q's or issues.

tchughesiv, Jan 19 '21 00:01
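An added illustration of the workaround described in the last comment, not taken from the thread or from the operator's own config: a Secret holding both user and password, and the env entries in the DC template switched from a literal `value` to `valueFrom.secretKeyRef`. The Secret name, key names and env var names (`external-db-credentials`, `EXAMPLE_DB_USERNAME`, `EXAMPLE_DB_PASSWORD`) are placeholders; use the variable names that appear in the versioned external db ConfigMap for your release.

```yaml
# Constructed example. All names are placeholders, not values from the
# operator's config. The Secret must live in the same namespace as the pods
# that reference it.
---
apiVersion: v1
kind: Secret
metadata:
  name: external-db-credentials      # hypothetical Secret name
type: Opaque
stringData:
  username: "<db-user>"              # placeholder
  password: "<db-password>"          # placeholder
---
# Fragment of a container env list inside the DC template.
#
# Before (password rendered from the KieApp field, so it is stored in the
# CR in the clear):
#
#   env:
#     - name: EXAMPLE_DB_PASSWORD
#       value: "<password taken from the KieApp CR>"
#
# After (the pod reads both values from the Secret at start-up; the CR and
# the ConfigMap only carry the Secret name and key):
env:
  - name: EXAMPLE_DB_USERNAME        # placeholder env var name
    valueFrom:
      secretKeyRef:
        name: external-db-credentials
        key: username
  - name: EXAMPLE_DB_PASSWORD        # placeholder env var name
    valueFrom:
      secretKeyRef:
        name: external-db-credentials
        key: password
```

After the change, the rendered DeploymentConfig should show `valueFrom` rather than `value` for these entries, and RBAC on the Secret then controls who can read the credential.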