kubernetes: libpq-based PostgreSQL clients will no longer read a PGPASSFILE mounted from a secret

/kind bug

What happened: libpq refuses to load my PGPASSFILE, resulting in “no password provided” error messages.

What you expected to happen: libpq reads the database password from the PGPASSFILE I’m pointing to.

How to reproduce it (as minimally and precisely as possible):

1. Create a secret, containing a .pgpass file.
2. Create a volume from the secret, taking care to set the mode bits to e.g. r-------- (256 in decimal).
3. Mount the volume in a container.
4. Let the PGPASSFILE environment variable point to the .pgpass file.
5. Use SQLAlchemy to connect to a PostgreSQL database, providing all information except the password.

Anything else we need to know?:

• This approach used to work, but likely broke due to #25285.
• libpq not only demands that the PGPASSFILE is only accessible by its owner, but also requires that it is a regular file.
• I’ve tried pointing to secret-volume/..data/.pgpass instead of secret-volume/.pgpass directly, but that doesn’t seem to work either. I’m not sure, but maybe libpq really doesn’t like symbolic links in the path to the PGPASSFILE.
• I can work around this problem by setting PGPASSWORD instead, or by keeping the password in the database connection URL. It seems a tiny bit cleaner to me to be able to switch only the config mapped connection URL while keeping the same passwords file, but I’d understand a wontfix resolution.

Environment:

• Kubernetes version (use kubectl version): server v1.7.8-gke.0
• Cloud provider or hardware configuration: Google Cloud Platform
• OS (e.g. from /etc/os-release): Container-Optimized OS from Google
• Kernel (e.g. uname -a): 4.4.64+