WIP: use secrets for postgres creds #145
|
@@ -43,7 +43,7 @@ You must either specify the following environment variables: | |
POSTGRESQL_DATABASE (regex: '$psql_identifier_regex') | ||
Or the following environment variable: | ||
POSTGRESQL_ADMIN_PASSWORD (regex: '$psql_password_regex') | ||
Or both. | ||
Or both (or mount secrets in /run/secrets/pgusers/user or /run/secrets/pgusers/admin). | ||
Optional settings: | ||
POSTGRESQL_MAX_CONNECTIONS (default: 100) | ||
POSTGRESQL_MAX_PREPARED_TRANSACTIONS (default: 0) | ||
|
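Review bot: The new usage line names /run/secrets/pgusers/user and /run/secrets/pgusers/admin but leaves out what the script actually requires of them: each path is a directory that must hold a `username` and a `password` file, the user secret is only honoured when POSTGRESQL_DATABASE is also set, and /run/secrets/pgusers/master is read as well. Spell those three points out here, since this text is the only documentation an operator sees when the container refuses to start.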
@@ -55,8 +55,17 @@ EOF | |
exit 1 | ||
} | ||
|
||
check_cred_secret() { | ||
local credpath="$1" | ||
[ -f "$credpath/username" ] && \ | ||
[ -f "$credpath/password" ] && \ | ||
[[ "$(<"$credpath/username")" =~ $psql_identifier_regex ]] && \ | ||
[[ "$(<"$credpath/password")" =~ $psql_password_regex ]] && | ||
[ "$(wc -c < "$credpath/username")" -le 63 ] | ||
} | ||
|
||
function check_env_vars() { | ||
if [[ -v POSTGRESQL_USER || -v POSTGRESQL_PASSWORD || -v POSTGRESQL_DATABASE ]]; then | ||
if [[ -v POSTGRESQL_USER || -v POSTGRESQL_PASSWORD ]]; then | ||
# one var means all three must be specified | ||
[[ -v POSTGRESQL_USER && -v POSTGRESQL_PASSWORD && -v POSTGRESQL_DATABASE ]] || usage | ||
[[ "$POSTGRESQL_USER" =~ $psql_identifier_regex ]] || usage | ||
|
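Review bot: The length test in check_cred_secret uses `wc -c` on the file, while the regex tests and the later assignments use `$(<file)`, which strips trailing newlines; a 63-character username stored with a trailing newline is counted as 64 bytes and rejected, and the environment path measures `${#POSTGRESQL_USER}` instead. Read the value once into a local and test `${#username} -le 63` so both paths agree. The function also returns false both for a missing secret and for one that fails validation, so a mounted but malformed secret is skipped silently; consider separating the existence test from validation and calling usage on the latter. The line ending in a bare `&&` without the backslash used on the lines above works, but is inconsistent.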
@@ -65,13 +74,31 @@ function check_env_vars() { | |
[ ${#POSTGRESQL_USER} -le 63 ] || usage "PostgreSQL username too long (maximum 63 characters)" | ||
[ ${#POSTGRESQL_DATABASE} -le 63 ] || usage "Database name too long (maximum 63 characters)" | ||
postinitdb_actions+=",simple_db" | ||
elif check_cred_secret "/run/secrets/pgusers/user" && [ -v POSTGRESQL_DATABASE ]; then | ||
This looks like we limit the container for one user, forever? Sounds like we start to define API and that should be defined with respect to the future. I tried to "veto" before, but nobody listened to me (so now we can create just one db with environment variables). And this looks like a similarly limited approach.

I do agree. I feel it's kind of limited. But if having one container manage exactly one database (a good idea imo) I can understand doing an automatic createdb. Being able to set the database's superuser also feels right. I don't like the coupling though. As indicated above, I am fine with implementing any logic that makes sense to you, as long as it's possible to use it for many database users!
||
# one var means all three must be specified | ||
[[ "$POSTGRESQL_DATABASE" =~ $psql_identifier_regex ]] || usage | ||
[ ${#POSTGRESQL_DATABASE} -le 63 ] || usage "Database name too long (maximum 63 characters)" | ||
POSTGRESQL_USER="$(</run/secrets/pgusers/user/username)" | ||
POSTGRESQL_PASSWORD="$(</run/secrets/pgusers/user/password)" | ||
postinitdb_actions+=",simple_db" | ||
fi | ||
|
||
if [ -v POSTGRESQL_ADMIN_PASSWORD ]; then | ||
[[ "$POSTGRESQL_ADMIN_PASSWORD" =~ $psql_password_regex ]] || usage | ||
postinitdb_actions+=",admin_pass" | ||
fi | ||
|
||
if check_cred_secret "/run/secrets/pgusers/admin"; then | ||
[ "$(<"/run/secrets/pgusers/admin/username")" = "postgres" ] || usage | ||
POSTGRESQL_ADMIN_PASSWORD="$(<"/run/secrets/pgusers/admin/password")" | ||
postinitdb_actions+=",admin_pass" | ||
fi | ||
|
||
if check_cred_secret "/run/secrets/pgusers/master"; then | ||
POSTGRESQL_MASTER_USER="$(<"/run/secrets/pgusers/master/username")" | ||
POSTGRESQL_MASTER_PASSWORD="$(<"/run/secrets/pgusers/master/password")" | ||
fi | ||
|
||
case ",$postinitdb_actions," in | ||
*,admin_pass,*|*,simple_db,*) ;; | ||
*) usage ;; | ||
|
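Review bot: In the admin secret block, when POSTGRESQL_ADMIN_PASSWORD is set and /run/secrets/pgusers/admin also validates, `admin_pass` is appended to postinitdb_actions a second time and the secret silently replaces the environment value. Decide which source wins, report the conflict, and append the action once. The same precedence question applies to the new `elif`: when POSTGRESQL_USER or POSTGRESQL_PASSWORD is set the user secret is ignored without notice, and when only POSTGRESQL_DATABASE is set and the secret is absent or invalid the variable is dropped silently if an admin password exists. The copied comment "one var means all three must be specified" does not describe the secret branch and should be reworded.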
@@ -172,19 +199,52 @@ function create_users() { | |
fi | ||
} | ||
|
||
create_user_if_not_exists() { | ||
psql --set user="$1" <<EOF | ||
DO | ||
\$body$ | ||
BEGIN | ||
IF NOT EXISTS ( | ||
SELECT * FROM pg_catalog.pg_user | ||
WHERE usename = :'user' ) | ||
THEN | ||
CREATE USER :"user" LOGIN; | ||
END IF; | ||
END | ||
\$body$ | ||
EOF | ||
} | ||
|
||
function set_password() { | ||
psql --set user="$1" --set pass="$2" \ | ||
--command "ALTER USER :\"user\" WITH ENCRYPTED PASSWORD :'pass';" | ||
} | ||
|
||
function set_passwords() { | ||
if [[ ",$postinitdb_actions," = *,simple_db,* ]]; then | ||
psql --command "ALTER USER \"${POSTGRESQL_USER}\" WITH ENCRYPTED PASSWORD '${POSTGRESQL_PASSWORD}';" | ||
set_password "$POSTGRESQL_USER" "$POSTGRESQL_PASSWORD" | ||
fi | ||
|
||
if [ -v POSTGRESQL_MASTER_USER ]; then | ||
psql --command "ALTER USER \"${POSTGRESQL_MASTER_USER}\" WITH REPLICATION;" | ||
psql --command "ALTER USER \"${POSTGRESQL_MASTER_USER}\" WITH ENCRYPTED PASSWORD '${POSTGRESQL_MASTER_PASSWORD}';" | ||
psql --set user="$POSTGRESQL_MASTER_USER" \ | ||
--command "ALTER USER :\"user\" WITH REPLICATION;" | ||
set_password "$POSTGRESQL_MASTER_USER" "$POSTGRESQL_MASTER_PASSWORD" | ||
fi | ||
|
||
if [ -v POSTGRESQL_ADMIN_PASSWORD ]; then | ||
psql --command "ALTER USER \"postgres\" WITH ENCRYPTED PASSWORD '${POSTGRESQL_ADMIN_PASSWORD}';" | ||
set_password postgres "$POSTGRESQL_ADMIN_PASSWORD" | ||
fi | ||
|
||
# This does not check for recurring user names nor overlaps with passwords | ||
# set above | ||
for cred in /run/secrets/pgusers/*; do | ||
if check_cred_secret "$cred"; then | ||
local username; username="$(< "$cred/username" )" | ||
local password; password="$(< "$cred/password" )" | ||
create_user_if_not_exists "$username" | ||
set_password "$username" "$password" | ||
fi | ||
done | ||
} | ||
|
||
function set_pgdata () | ||
|
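Review bot: set_password and the REPLICATION statement pass SQL containing `:"user"` and `:'pass'` through `--command`, but psql sends a `-c` string to the server without psql-side processing, so the variables set with `--set` are never interpolated and the server receives the colon syntax literally. Feed the statement on stdin (a here-document, as create_user_if_not_exists does) so interpolation applies. create_user_if_not_exists has a related problem: psql does not interpolate variables inside quoted strings, and the body between the `$body$` markers is a dollar-quoted string, so `:'user'` and `:"user"` reach the DO block unchanged; pass the name in another way, for example a session setting read inside the block together with format('%I', ...). Separately, `--set pass="$2"` keeps the password in psql's argument list, where it is visible in the process table, which undercuts the point of moving credentials into mounted secrets. The final loop also revisits the user, admin and master directories already handled above; the comment acknowledges this, but skipping those names would avoid setting each password twice.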
I don't think that we need to bother doing the regexps, but I understand that this is sort of a guideline. Reason: That's just re-implementing the checks which are done by PostgreSQL itself. I bet this check exists in the OpenShift GUI, too.