[bitnami/postgresql-repmgr] use passfile on primary_conninfo #73542
base: main
…sible Signed-off-by: Yukha Dharmeswara <yukha.dw@samsung.com>
Thanks a lot @yukha-dw for your contribution!
I completely agree with your approach, this is a very interesting feature. I have some concerns that I'd like to discuss or suggest:
- File associated to `POSTGRESQL_REPLICATION_PASSFILE_PATH` seems not created by default. Should users provide it?
- I see an overlapping with `REPMGR_USE_PASSFILE` and `REPMGR_PASSFILE_PATH` env variables in lib. Not sure how they work together, have you seen this?
- Could you add any documentation in the README file about the behaviour/use of the env variables?
- Could you provide the steps you followed to test the solution?
From what I understand, containers/bitnami/postgresql-repmgr/12/debian-12/rootfs/opt/bitnami/scripts/postgresql-env.sh Lines 450 to 457 in 69b7934
The file associated to containers/bitnami/postgresql-repmgr/12/debian-12/rootfs/opt/bitnami/scripts/librepmgr.sh Lines 493 to 496 in c41d3eb
containers/bitnami/postgresql-repmgr/12/debian-12/rootfs/opt/bitnami/scripts/librepmgr.sh Lines 493 to 496 in c41d3eb
I am not sure how to do this without introducing any breaking change. Current README is quite coupled with bitnami/charts. My apology.
I simply test this by altering Before change, After change, |
…sible Signed-off-by: Yukha Dharmeswara <yukha.dw@samsung.com>
f0ab664 to b35bd30
I've added a few changes here b35bd30:
Thanks a lot @yukha-dw for such a detailed explanation, I really appreciate it! Your code is correct for
Description of the change
Currently, `postgresql.conf` stores the literal password in `primary_conninfo`; this could be a security issue.

Benefits
Lets users hide their password in `primary_conninfo` in `postgresql.conf` (often visible to anyone, 644) using `passfile`.

Possible drawbacks
I haven't checked much about the `POSTGRESQL_REPLICATION_` envs; `POSTGRESQL_REPLICATION_USE_PASSFILE` isn't used at all and I don't know its background.

Applicable issues
Additional information
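
A check for the problem this PR describes, as an added example that is not part of the PR or the Bitnami scripts: it reports whether `primary_conninfo` carries a literal password or a `passfile`, and whether that passfile is restricted to its owner. The function names, return codes and sample values are assumptions made for illustration, and the parsing assumes unquoted keyword values without spaces.

```shell
#!/bin/sh
# Added example, not code from the PR. Audits how primary_conninfo in a
# postgresql.conf supplies the replication password.
# Return codes (hypothetical): 0 = passfile with owner-only mode,
# 1 = literal password, 2 = passfile missing or open to group/other,
# 3 = no primary_conninfo setting in the file.

conninfo_value() {  # $1 = conf path, $2 = keyword (password | passfile)
    # Take the last uncommented primary_conninfo line (last setting wins),
    # strip the surrounding quotes, split on spaces, print the keyword value.
    grep -E "^[[:space:]]*primary_conninfo[[:space:]]*=" "$1" | tail -n 1 |
        sed -e "s/^[^']*'//" -e "s/'[^']*\$//" | tr ' ' '\n' |
        sed -n "s/^$2=//p" | tail -n 1
}

audit_primary_conninfo() {  # $1 = path to postgresql.conf
    conf=$1
    grep -Eq "^[[:space:]]*primary_conninfo[[:space:]]*=" "$conf" || return 3

    if [ -n "$(conninfo_value "$conf" password)" ]; then
        echo "FAIL: literal password in primary_conninfo ($conf)"
        return 1
    fi

    pf=$(conninfo_value "$conf" passfile)
    if [ -z "$pf" ] || [ ! -f "$pf" ]; then
        echo "FAIL: passfile not set or not found: ${pf:-<none>}"
        return 2
    fi

    # libpq ignores a password file that group or others can access,
    # so any mode looser than 0600 is reported.
    if [ "$(ls -ld "$pf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $pf is accessible by group/other"
        return 2
    fi
    echo "OK: primary_conninfo uses passfile $pf"
    return 0
}

# Constructed sample: the "before" form from the PR description.
demo=$(mktemp)
echo "primary_conninfo = 'host=pg-0 user=repmgr password=constructed'" > "$demo"
audit_primary_conninfo "$demo" || true
rm -f "$demo"
```
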