Skip to content

fix(gcp): fall back to 'host' key when 'clusterHost' missing from DB secret#800

Open
arniechops wants to merge 1 commit intomainfrom
arnavchopra/support-host-key-in-db-secret
Open

fix(gcp): fall back to 'host' key when 'clusterHost' missing from DB secret#800
arniechops wants to merge 1 commit intomainfrom
arnavchopra/support-host-key-in-db-secret

Conversation

@arniechops
Copy link
Copy Markdown
Collaborator

@arniechops arniechops commented Apr 3, 2026
edited by greptile-apps bot
Loading

Summary

  • When using DB_SECRET_NAME on GCP, the code only looks for clusterHost/clusterHostRo keys in the secret JSON
  • GCP secrets (e.g. those created by Terraform) use host instead of clusterHost
  • This causes host to resolve to None, resulting in [Errno -2] Name or service not known DNS failures
  • Falls back to host key when clusterHost/clusterHostRo are not present in the secret

Test plan

  • Deploy to GCP dev cluster with DB_SECRET_NAME set and secret containing host (not clusterHost)
  • Verify DB connection succeeds
  • Verify secrets with clusterHost/clusterHostRo still work (backwards compatible)

Greptile Summary

This PR fixes a DNS resolution failure ([Errno -2] Name or service not known) that occurred when GCP's DB_SECRET_NAME environment variable was set and the referenced secret was created by Terraform — which uses host instead of clusterHost/clusterHostRo as the key name. The one-line ternary is expanded into an if/else block that uses Python's or short-circuit to prefer clusterHostRo/clusterHost when present, then falls back to host. The fix is backwards-compatible with secrets that already use the original key names.

Key points:

  • Change is minimal and correct: the or fallback correctly mirrors the precedence described in the PR (prefer clusterHost*, fall back to host).
  • Both read-only and read-write paths fall back to the same host key when the specialised keys are absent — consistent with the on-premises path which already does DB_HOST_RO or DB_HOST.
  • AWS path (line 120) is unchanged — Terraform-managed AWS secrets are assumed to always contain clusterHost/clusterHostRo.
  • Minor: the new precedence relationship between the two key name conventions lacks an inline comment, which makes the intent less obvious to future readers.

Confidence Score: 4/5

Safe to merge; the change is a targeted, backwards-compatible fallback with no risk of regression for existing secrets.

The logic is straightforward and correct. The or short-circuit ensures existing secrets using clusterHost/clusterHostRo are unaffected, and secrets that only contain host will now resolve properly. The only gap is a missing comment explaining the two secret formats, which is a style concern and doesn't affect correctness.

No files require special attention beyond the single changed block in model-engine/model_engine_server/db/base.py.

Important Files Changed

Filename Overview
model-engine/model_engine_server/db/base.py GCP DB secret host resolution updated to fall back to 'host' key when 'clusterHost'/'clusterHostRo' are absent; logic is correct and backwards-compatible, only missing an inline comment explaining the precedence.

Flowchart

 
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[get_engine_url called] --> B{cloud_provider == 'gcp'?}
    B -- No --> C[Other provider path]
    B -- Yes --> D{DB_SECRET_NAME set?}
    D -- No --> E[Use env vars DB_HOST_RO / DB_HOST]
    D -- Yes --> F[Fetch secret from GCP Secret Manager]
    F --> G{read_only?}
    G -- Yes --> H["host = creds.get('clusterHostRo') or creds.get('host')"]
    G -- No --> I["host = creds.get('clusterHost') or creds.get('host')"]
    H --> J[Build postgresql:// URL]
    I --> J
    E --> J
Loading
Prompt To Fix All With AI 
This is a comment left during a code review.
Path: model-engine/model_engine_server/db/base.py
Line: 81-84

Comment:
**Add comment explaining the fallback precedence**

The code now introduces a non-obvious precedence relationship between `clusterHostRo`/`clusterHost` and `host`. Per the project's commenting convention, workarounds and field-precedence logic like this should include a brief explanation for future readers.

```suggestion
                # GCP secrets created by Terraform use 'host' instead of 'clusterHost'/'clusterHostRo'.
                # Fall back to 'host' so both secret formats are supported.
                if read_only:
                    host = creds.get("clusterHostRo") or creds.get("host")
                else:
                    host = creds.get("clusterHost") or creds.get("host")
```

**Rule Used:** Add comments to explain complex or non-obvious log... ([source](https://app.greptile.com/review/custom-context?memory=928586f9-9432-435e-a385-026fa49318a2))

**Learnt From**
[scaleapi/scaleapi#126958](https://github.com/scaleapi/scaleapi/pull/126958)

How can I resolve this? If you propose a fix, please make it concise.

Reviews (1): Last reviewed commit: "fix(gcp): fall back to 'host' key when '..." | Re-trigger Greptile

Context used:

  • Rule used - Add comments to explain complex or non-obvious log... (source)

Learnt From
scaleapi/scaleapi#126958

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lilyz-ai lilyz-ai lilyz-ai approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arniechops @lilyz-ai