postgres-operator

Set Postgres users' passwords declaratively

Open gricey432 opened this issue 2 years ago • 19 comments

Overview

#2807 provided a way to set a password for a user using kubectl patch. But there doesn't seem to be a way to do this declaratively in my postgres.yaml file.

Use Case

We're importing existing databases into a LAN-only k8s cluster and these clusters have existing passwords we'd like to keep using.

We're destroying and re-creating PGO clusters, but I can't fix their passwords in place.

Desired Behavior

PostgresCluster.spec.users[index].password would provide a passthrough for stringData and/or data.

Or maybe explicit password and verifier fields, whatever makes more sense.

Environment

Tell us about your environment:

Please provide the following details:

  • Platform: EKS
  • Platform Version: eks.2 k8s 1.22
  • PGO Image Tag: ubi8-14.2-1
  • Postgres Version: 14
  • Storage: gp3
  • Number of Postgres clusters: 2

gricey432, Jun 16 '22 05:06

any way of providing a password through secret/configmap ref would suffice, actually

pere3, Aug 08 '22 14:08

https://access.crunchydata.com/documentation/postgres-operator/5.1.2/architecture/user-management/#custom-passwords there is a way tho

pere3, Aug 08 '22 15:08

> https://access.crunchydata.com/documentation/postgres-operator/5.1.2/architecture/user-management/#custom-passwords there is a way tho

Yeah, I've mentioned that in the first line of my ticket. This is about being able to do it declaratively through manifests (AWS CDK in my case), this helps with repeatable deployments or high volumes.

gricey432, Dec 05 '22 23:12

Is there any commitment or workaround (not the manual patch-way) for this enhancement?

I would like to set a custom password by using a secretRef. The referenced secret would be created for example via sealedsecrets-operator.

I would like to use this enhancement for a Gitops-workflow.

0x86f, Dec 16 '22 10:12

Hello, @gricey432! We've captured this request in our backlog. Thanks.

tony-landreth, Feb 23 '23 16:02

bump, this would be very useful for us to allow the usage of secretRefs. We store our secrets in an external secret manager and would like to use this secret.

arnouthoebreckx, Jun 02 '23 11:06

+1

hdiass, Jul 07 '23 11:07

+1 We would definitely love the possibility of a secretRef for the external secret with the password. Currently, in our gitops workflow, we have to create a Kyverno policy to patch the pguser secret (to allow the sealed secrets controller to patch and manage the existing file) and then patch the password key using a sealed secret. Not a very nice gitops/declarative approach at all.

lukastopiarz, Aug 24 '23 07:08

+1

kkapper, Sep 26 '23 17:09

+1

rj-home, Oct 26 '23 15:10

+1

dominik0711, Mar 26 '24 09:03

+1

rj-home, Mar 26 '24 09:03

+1

hdiass, Mar 26 '24 10:03