zalando / postgres-operator

Postgres operator creates and manages PostgreSQL clusters running in Kubernetes
https://postgres-operator.readthedocs.io/
MIT License

set password for dbuser #1998

Open willzhang opened 2 years ago

willzhang commented 2 years ago

Please, answer some short questions which should help us to understand your problem / question better?

question

I want to install Harbor automatically. When I install the Harbor Helm chart with an external database, I need database.password. The default one is randomly generated; can I define the password myself in the operator?

The Harbor Helm chart:

database:
  external:
    host: "192.168.0.1"
    port: "5432"
    username: "user"
    password: "password"
    coreDatabase: "registry"
    notaryServerDatabase: "notary_server"
    notarySignerDatabase: "notary_signer"
    # "disable" - No SSL
    # "require" - Always SSL (skip verification)
    # "verify-ca" - Always SSL (verify that the certificate presented by the
    # server was signed by a trusted CA)
    # "verify-full" - Always SSL (verify that the certification presented by the
    # server was signed by a trusted CA and the server host name matches the one
    # in the certificate)
    sslmode: "disable"

The feature I want: password


apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
  name: acid-minimal-cluster
  namespace: postgres
spec:
  teamId: "acid"
  volume:
    size: 1Gi
  numberOfInstances: 2
  users:
    harbor:  # database owner
    - superuser
    - createdb
  password:
        harbor: password123
  databases:
    registry: harbor
    notary_server: harbor
    notary_signer: harbor
  preparedDatabases:
    registry: {}
    notary_server: {}
    notary_signer: {}
  postgresql:
    version: "14"

FxKu commented 2 years ago

You can also edit pg_hba.conf to trust all connections :smiling_face_with_tear: , then passwords are ignored. Seriously, I think it's an anti-pattern these days to set human-readable passwords in conf files or YAML manifests. There must be a way in Harbor to reference a K8s secret and password key.

DrissiReda commented 1 year ago

That doesn't answer the question. It is possible to set the superuser password.

If I try setting a user password by creating the corresponding secrets with a certain password, then after I create the custom resource for the cluster, the operator overwrites my secret with a randomly generated one. I don't have human-readable passwords anywhere, and RBAC manages access to passwords.

How would I make this work?

leam18 commented 1 year ago

I have the same doubt, I want to create my own password. Is it possible?

nick4fake commented 1 year ago

@FxKu It's not about setting a human-readable password, it's about generating it somewhere else (Terraform, Vault, whatever) and setting it in an idempotent way that aligns with other services. Is there a way to set a password for a user instead of automatically generating it?

Other providers typically allow setting a secret name from which the password is read.

nick4fake commented 1 year ago

Relevant tickets:

https://github.com/zalando/postgres-operator/issues/1778
https://github.com/zalando/postgres-operator/issues/1227

Especially this one: https://github.com/zalando/postgres-operator/issues/553

M0NsTeRRR commented 11 months ago

Fully agree with @nick4fake. Also linked to https://github.com/zalando/postgres-operator/issues/847