
Feature Request - Allow `PostgresCluster` to extract `spec.authentication.rules[].options` values from `Secret` manifest

Open Amphaal opened this issue 6 months ago • 2 comments

Right now, when trying to allow my LDAP users to access my postgres databases, I need to provide both LDAP bind user and password like this:

Image

... which is clearly not secure. A cleaner way of doing this would be to mimic what `backups.pgbackrest.configuration[].secret` allows us.

Here's what I had in mind:

Image

It's kind of an edge case, and I think only the RADIUS method users would benefit from this also.

https://docs.postgresql.fr/12/auth-ldap.html
https://docs.postgresql.fr/12/auth-radius.html

Does it make sense? Are there alternatives I have not considered (like using Patroni)?

Amphaal (Jun 25 '25 08:06)

> I need to provide both LDAP bind user and password

> Does it make sense?

Yes, and I agree!

> Are there alternatives I have not considered (like using Patroni)?

Unfortunately, no, we generate this HBA file in the operator and inject it into Postgres using a ConfigMap. Same with Patroni configuration.

What version of Postgres are you using? Postgres 16 has HBA include directives that we can support rather quickly. You would have to store the entire HBA line in a Secret in that case. Is that feasible for your environment?

This is on our roadmap to solve generally, if possible. Most tools with k/v configuration have one or two values that need to be secret. The challenge is getting those values into the container securely then adding them to the tools' config. As a general rule, the operator doesn't read your Secrets.

Do you have another tool that manages K8s Secrets? Vault or External Secrets or so?

cbandy (Jul 11 '25 19:07)
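To make the two points above concrete (the opening post's complaint that an LDAP bind password ends up inline in a rendered `pg_hba.conf`, and the reply's suggestion of Postgres 16+ HBA `include` directives with the sensitive line kept in a Secret), here is an added example. It is not code from the issue or from the postgres-operator project. It scans HBA text for rules whose options carry credentials (`ldapbindpasswd`, `radiussecrets`, both from the PostgreSQL LDAP/RADIUS auth docs), then shows the split a Secret-backed workaround implies: the credential-bearing rules move to a separate file and the main file gains one `include` at the same position, so first-match-wins ordering is preserved. The mount path and the sample HBA content are constructed placeholders.

```python
"""Added example, not from the issue or the postgres-operator project.

Detects credentials inlined in pg_hba.conf rules and rewrites the file so
those rules come from a separate (Secret-mounted) file pulled in with the
Postgres 16+ `include` directive.  Paths and sample data are assumptions.
"""
import shlex

# HBA options whose values are credentials (PostgreSQL ldap/radius auth docs).
SECRET_OPTIONS = {"ldapbindpasswd", "radiussecrets"}

# Assumed placeholder: where a Kubernetes Secret would be mounted in the container.
SECRET_MOUNT_PATH = "/etc/postgres/hba-secrets/ldap.conf"

INCLUDE_DIRECTIVES = ("include", "include_if_exists", "include_dir")


def parse_hba_line(line):
    """Split one pg_hba.conf record into (fields, options).

    Returns None for blank lines, comments and include directives.  Options
    are the `key=value` tokens; shlex handles double-quoted values the way
    Postgres allows them, so ldapbasedn="dc=a,dc=b" stays one token.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = shlex.split(stripped, comments=True)
    if not tokens or tokens[0] in INCLUDE_DIRECTIVES:
        return None
    fields, options = [], {}
    for tok in tokens:
        if "=" in tok:
            key, _, value = tok.partition("=")
            options[key] = value
        else:
            fields.append(tok)
    return fields, options


def find_inline_secrets(hba_text):
    """Return (line_number, option_name) for every inlined credential."""
    hits = []
    for n, line in enumerate(hba_text.splitlines(), start=1):
        parsed = parse_hba_line(line)
        if parsed is None:
            continue
        for key in sorted(SECRET_OPTIONS.intersection(parsed[1])):
            hits.append((n, key))
    return hits


def split_out_secret_rules(hba_text, secret_path=SECRET_MOUNT_PATH):
    """Return (main_conf, secret_conf).

    Credential-bearing rules go verbatim into secret_conf; main_conf keeps
    everything else plus one `include` where the first sensitive rule stood.
    HBA records match first-wins, so the sensitive rules must be contiguous
    for a single include to keep the original order; otherwise we refuse.
    """
    main_lines, secret_lines = [], []
    seen_sensitive = gap_after_sensitive = False
    for line in hba_text.splitlines():
        parsed = parse_hba_line(line)
        sensitive = bool(parsed and SECRET_OPTIONS.intersection(parsed[1]))
        if sensitive:
            if gap_after_sensitive:
                raise ValueError("sensitive rules are not contiguous; one include would reorder them")
            secret_lines.append(line)
            if not seen_sensitive:
                main_lines.append(f"include {secret_path}")
                seen_sensitive = True
        else:
            if seen_sensitive and parsed:  # a real rule after the sensitive block
                gap_after_sensitive = True
            main_lines.append(line)
    return "\n".join(main_lines) + "\n", "\n".join(secret_lines) + "\n"


# Constructed sample resembling an HBA file rendered into a ConfigMap.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS      METHOD
local   all       all                peer
hostssl all       all   0.0.0.0/0    ldap ldapserver=ldap.example.internal ldapbasedn="dc=example,dc=internal" ldapbinddn="cn=pgbind,dc=example,dc=internal" ldapbindpasswd="hunter2" ldapsearchattribute=uid
hostssl all       all   10.0.0.0/8   radius radiusservers=radius.example.internal radiussecrets="s3cr3t"
host    all       all   0.0.0.0/0    scram-sha-256
"""

if __name__ == "__main__":
    for n, key in find_inline_secrets(SAMPLE_HBA):
        print(f"line {n}: credential option {key!r} is inline")
    main_conf, secret_conf = split_out_secret_rules(SAMPLE_HBA)
    print("--- main pg_hba.conf (ConfigMap-safe) ---\n" + main_conf)
    print("--- secret file (mount from a Secret) ---\n" + secret_conf)
```

`find_inline_secrets` is the part worth running on its own, for example in CI against whatever the operator renders into the ConfigMap: any hit means a credential is readable by everyone who can read ConfigMaps in the namespace. The split function only applies to Postgres 16 or newer, where `pg_hba.conf` understands `include`, `include_if_exists` and `include_dir`.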

Thanks for your reply!

> What version of Postgres are you using? Postgres 16 has HBA include directives that we can support rather quickly. You would have to store the entire HBA line in a Secret in that case. Is that feasible for your environment?

Postgres 17 :) Yes, that would be a nice trick. A bit cumbersome, but vastly superior for limiting secret exposure, especially in an open-source context.

> Do you have another tool that manages K8s Secrets? Vault or External Secrets or so?

Nope, only using plain k8s secrets.

Amphaal (Jul 30 '25 14:07)