POSTGRES_PASSWORD is required to be set when using POSTGRES_HOST_AUTH_METHOD=cert
I'd like to be able to write a configuration that uses mutual TLS with the auth method cert, which does not require a password and instead enforces that the user is equal to the common name of the authenticated client certificate.
However, the only passwordless auth method permitted by the docker entrypoint script's docker_verify_minimum_env function is trust:
https://github.com/docker-library/postgres/blob/74e51d102aede317665f2b4a9b89362135402fe7/docker-entrypoint.sh#L119
It seems like adding another case to this check would allow for using certificate-based authentication. One concern I have, though, is that there are auth options as well that may be needed, e.g., looking at the pg_setup_hba_conf function below, it appears that if I want to end up with a pg_hba.conf file with cert clientcert=verify-full, that full string (i.e., including the auth options) would need to be set in the POSTGRES_HOST_AUTH_METHOD environment variable as written. I'm not sure if it would make more sense to add a new environment variable for that purpose? There is also no way that I can identify to use hostssl instead of host, though with cert authentication I'm not sure that actually matters.
https://github.com/docker-library/postgres/blob/74e51d102aede317665f2b4a9b89362135402fe7/docker-entrypoint.sh#L251
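Added example, not part of the original issue and not the docker-library/postgres entrypoint code: a shell sketch of the check discussed above, with cert admitted as a passwordless method even when auth options follow it, and hostssl emitted for the resulting rule. The function names are hypothetical; only the POSTGRES_* variable names come from the issue.

```bash
#!/bin/sh
# Hypothetical helpers illustrating the proposal; not the project's code.

# The first word of the value is the auth method, the rest are auth options,
# e.g. "cert clientcert=verify-full" -> "cert".
auth_method_name() {
	printf '%s' "${1%% *}"
}

# Return 0 when the method authenticates without a password.
method_is_passwordless() {
	case "$(auth_method_name "$1")" in
		trust|cert) return 0 ;;
		*) return 1 ;;
	esac
}

# Minimum-env check: an empty password is accepted only for a
# passwordless method (trust today, cert as proposed in the issue).
verify_minimum_env() {
	password=$1
	method=$2
	if [ -z "$password" ] && ! method_is_passwordless "$method"; then
		echo "error: superuser password is required for auth method '$method'" >&2
		return 1
	fi
	return 0
}

# Render the pg_hba.conf rule. cert authentication is only available on
# SSL connections, so hostssl is emitted for it; other methods keep host.
render_hba_line() {
	method=$1
	conn=host
	if [ "$(auth_method_name "$method")" = cert ]; then
		conn=hostssl
	fi
	printf '%s all all all %s\n' "$conn" "$method"
}

# Demo with the value from the issue as the default (constructed input).
if verify_minimum_env "${POSTGRES_PASSWORD:-}" "${POSTGRES_HOST_AUTH_METHOD:-cert clientcert=verify-full}"; then
	render_hba_line "${POSTGRES_HOST_AUTH_METHOD:-cert clientcert=verify-full}"
fi
```

A rule like this only authenticates anyone if the server itself runs with ssl enabled and an ssl_ca_file that signs the client certificates.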
Hi. People prefer open-source solutions. The current leader MySQL has been losing users since Oracle acquired it. So far, so good, but the view that at any time a company can introduce changes in licensing makes many people not want to take the risk and choose postgres explain plan.