docker-library / postgres

Docker Official Image packaging for Postgres
http://www.postgresql.org
MIT License

initdb script seems does not respect hba_file configuration option #1131

Open EugenKon opened 10 months ago

EugenKon commented 10 months ago

It seems that the location of the pg_hba.conf file is just hardcoded: https://github.com/docker-library/postgres/blob/8a631b939a0b4197cb6bef49b50b6c40c80ddf5b/15/bookworm/docker-entrypoint.sh#L253

But if I set my custom hba_file, then initdb will create a redundant $PGDATA/pg_hba.conf file.

LaurentGoderre commented 9 months ago

You should create your custom hba_file and volume mount it in the image at /var/lib/postgresql/data/pg_hba.conf

tianon commented 7 months ago

Is there some way we can ask PostgreSQL what the hba_file value is? Maybe a CLI incantation?

It might even make sense to wrap this up in a file existence check? (so if pg_hba.conf doesn't exist, we don't create it)

yosifkit commented 7 months ago

> Is there some way we can ask PostgreSQL what the hba_file value is? Maybe a CLI incantation?

We ask for the password_encryption in the function appending to pg_hba.conf and we can do the same for hba_file. https://github.com/docker-library/postgres/blob/ef9747fb7fc9fbd703b9136b897ffa61314ca51f/docker-entrypoint.sh#L244

```
root@da94ae7a13df:/# postgres -C hba_file
postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
# need to run `initdb` or create and configure the `postgresql.conf` file
root@da94ae7a13df:/# gosu postgres initdb
root@da94ae7a13df:/# postgres -C hba_file
/var/lib/postgresql/data/pg_hba.conf
```

The initdb binary (part of PostgreSQL) is the one creating the pg_hba.conf file and I don't see a way to prevent it (https://www.postgresql.org/docs/16/app-initdb.html).


I would hesitate to append to a file in a different/custom location since users might be using that bug to skip/ignore our pg_hba.conf modification and we'd possibly make them less secure than they were expecting.
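The following sketch is an added example, not code from docker-entrypoint.sh or from any commenter in this thread. It combines the `postgres -C hba_file` lookup and the file existence check discussed above, and leaves a custom hba_file untouched. The function names, return codes and the appended rule format are assumptions made for illustration.

```shell
# Added example: hypothetical helpers, not part of docker-entrypoint.sh.
# Assumes `postgres` is on PATH and initdb has already populated $PGDATA.

# Print the hba_file path PostgreSQL itself resolves from postgresql.conf
# plus any extra server options passed as arguments (e.g. -c hba_file=...).
resolve_hba_file() {
	postgres -C hba_file "$@" 2>/dev/null
}

# Append a host rule only when the effective hba_file is the default
# $PGDATA/pg_hba.conf and that file exists.
# Return codes (assumed for this example):
#   0 rule appended
#   1 hba_file could not be resolved (e.g. no postgresql.conf yet)
#   2 hba_file points to a custom location; file left alone
#   3 default hba_file is missing; nothing created
append_host_auth() {
	method=$1
	shift
	hba=$(resolve_hba_file "$@") || return 1
	[ -n "$hba" ] || return 1
	if [ "$hba" != "$PGDATA/pg_hba.conf" ]; then
		# Do not touch a user-managed file; say so on stderr so the
		# operator knows the auth method was not applied there.
		echo "hba_file is $hba; not modifying a user-managed file" >&2
		return 2
	fi
	[ -f "$hba" ] || return 3
	# Rule format is an assumption for this example.
	printf '\nhost all all all %s\n' "$method" >> "$hba"
}
```

A caller can branch on the return code to warn when the requested auth method was not written to the file the server will actually read.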