
Allow specifying password using Docker secrets

Open larsks opened this issue 2 years ago • 1 comments

Describe the solution you'd like

I would like to be able to use the same Docker secret to provision a password for Postgres and to configure a server in PgAdmin4. This is currently trivial with Postgres itself; we can write:

```yaml
volumes:
  postgres_data:

secrets:
  pgpass:
    file: ./pgpass.txt

services:
  postgres:
    image: docker.io/postgres:14-alpine
    volumes:
      - "postgres_data:/var/lib/postgresql/data"
    environment:
      POSTGRES_USER: "$POSTGRES_USER"
      POSTGRES_PASSWORD_FILE: /run/secrets/pgpass
    secrets:
      - pgpass
```

If locally the file pgpass.txt contains our Postgres password, this will be configured as the password for the $POSTGRES_USER user.

Unfortunately we can't share this secret with pgadmin. There are two problems:

  1. The PassFile parameter isn't an absolute path -- if we set PassFile to /run/secrets/pgpass, PgAdmin will never find it because it will be looking in /var/lib/pgadmin/storage/<user>//run/secrets/pgpass.

  2. Even if PgAdmin could locate the file, it couldn't use it. PgAdmin expects the file to contain a variety of unnecessary metadata. The passfile must be formatted as hostname:port:database:username:password, but everything other than the password itself is already provided by metadata contained in servers.json.

These two facts combined make it very difficult to create a simple turnkey postgres + pgadmin Docker compose environment.

larsks avatar Jan 26 '23 19:01 larsks

Yes, I strongly agree. A simple update to the entrypoint to parse templates should suffice to solve this. Unfortunately, this kind of issue has been around in pgadmin for years. And they are simply ignored and closed with a non-useful solution.

Meanwhile, a hacky but working solution (without requiring to rebuild the container):

  1. Create an entrypoint script (provision.sh) that makes the setup and calls the original entrypoint afterward (and chmod +x provision.sh):

```shell
#!/bin/sh
echo "it worked"
# Per-user storage directory where pgAdmin looks for the passfile
mkdir -p "/var/lib/pgadmin/storage/${PGADMIN_USER_CONFIG_DIR}"
cp /passfile "/var/lib/pgadmin/storage/${PGADMIN_USER_CONFIG_DIR}/"
# libpq ignores a password file that is group- or world-readable
chmod 600 "/var/lib/pgadmin/storage/${PGADMIN_USER_CONFIG_DIR}/passfile"
# 5050 is the UID the pgAdmin container runs as
chown -R 5050 "/var/lib/pgadmin/storage/${PGADMIN_USER_CONFIG_DIR}"

# Hand over to the image's original entrypoint
sh /entrypoint.sh
```

  2. Update your docker-compose manifest with the required information:

```yaml
  pgadmin:
    image: dpage/pgadmin4:7.0
    environment:
      # these are variables required for the provision entrypoint UPDATE THE USER HERE
      - PGADMIN_USER_CONFIG_DIR=<user>
    entrypoint: /provision.sh
    volumes:
      - ./provision.sh:/provision.sh
```

danielporto avatar Apr 22 '23 06:04 danielporto
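
Both problems from the issue (a secret that holds only the password, and a passfile that must be in `hostname:port:database:username:password` form under the pgAdmin storage directory) can be handled in a wrapper entrypoint like the one above. The following is an added example, not code from this thread or from pgAdmin; the function names and the host `postgres`, port `5432` and user `appuser` are assumptions.

```shell
#!/bin/sh
# Added example, not pgAdmin code. Turns a password-only secret into a
# pgpass-format line (hostname:port:database:username:password).

# Backslash and colon are special in the passfile format; escape both.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# write_passfile SECRET_FILE DEST HOST PORT DATABASE USER
write_passfile() {
    secret=$1; dest=$2; host=$3; port=$4; db=$5; user=$6
    [ -r "$secret" ] || { echo "cannot read secret: $secret" >&2; return 1; }
    # $(...) strips the trailing newline that editors add to the secret file.
    password=$(cat "$secret")
    [ -n "$password" ] || { echo "secret is empty: $secret" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" || return 1
    # Owner-only from creation: libpq ignores a password file that group or
    # others can read, and the secret should never sit world-readable on disk.
    ( umask 077
      printf '%s:%s:%s:%s:%s\n' "$(pgpass_escape "$host")" "$port" \
          "$(pgpass_escape "$db")" "$(pgpass_escape "$user")" \
          "$(pgpass_escape "$password")" > "$dest" ) || return 1
    chmod 600 "$dest"   # also tightens a pre-existing, looser file
}

# Demo on constructed input (temporary paths; the password is made up).
demo_dir=$(mktemp -d)
printf '%s\n' 'ex:ample\pw' > "$demo_dir/pgpass"
write_passfile "$demo_dir/pgpass" "$demo_dir/storage/user/passfile" \
    postgres 5432 '*' appuser
cat "$demo_dir/storage/user/passfile"
rm -rf "$demo_dir"

# In a wrapper entrypoint the call would look like this (assumed values):
#   write_passfile /run/secrets/pgpass \
#     "/var/lib/pgadmin/storage/${PGADMIN_USER_CONFIG_DIR}/passfile" \
#     postgres 5432 '*' "$POSTGRES_USER" && sh /entrypoint.sh
```

If the wrapper runs as root, keep the `chown` to UID 5050 from the workaround above so that pgAdmin can read the generated file.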

Docs need to be updated.

Tested and verified on snapshot build. Package: docker. Environment: macOS Ventura 13.5.1.

anilsahoo20 avatar Nov 19 '24 11:11 anilsahoo20