Bitnami Helm Chart PostgreSQL – Automate Database/User/Password Creation in Kubernetes

bitnamihelmkubernetespostgresql

I'm deploying the https://github.com/bitnami/charts/tree/master/bitnami/postgresql into k8s and wondering how can I automate the following

creation of a database
create a role with password as owner of the database above

I've seen the extraDeploy https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml#L43
parameter but this seems like will create a k8s specific resource (not touching pg).

The only idea I have leveraging the extraDeploy is to create a job which deploys a custom pod that will connect to pg and create the db, role and password …

thanks!

Best Answer

Bitnami Engineer here, you can use an initial script to create the database and all the things you need with initdbScripts: https://github.com/bitnami/charts/blob/931b597c43f6cd37919569acda4432a9bdd59a71/bitnami/postgresql/values.yaml#L298-L307

You can check the "Initialize a fresh instance" part of the README.md for more information.

Related Solutions

PostgreSQL – Default Superuser Username/Password After New Install

CAUTION The answer about changing the UNIX password for "postgres" through "$ sudo passwd postgres" is not preferred, and can even be DANGEROUS!

This is why: By default, the UNIX account "postgres" is locked, which means it cannot be logged in using a password. If you use "sudo passwd postgres", the account is immediately unlocked. Worse, if you set the password to something weak, like "postgres", then you are exposed to a great security danger. For example, there are a number of bots out there trying the username/password combo "postgres/postgres" to log into your UNIX system.

What you should do is follow Chris James's answer:

sudo -u postgres psql postgres

# \password postgres

Enter new password:

To explain it a little bit. There are usually two default ways to login to PostgreSQL server:

By running the "psql" command as a UNIX user (so-called IDENT/PEER authentication), e.g.: sudo -u postgres psql. Note that sudo -u does NOT unlock the UNIX user.
by TCP/IP connection using PostgreSQL's own managed username/password (so-called TCP authentication) (i.e., NOT the UNIX password).

So you never want to set the password for UNIX account "postgres". Leave it locked as it is by default.

Of course things can change if you configure it differently from the default setting. For example, one could sync the PostgreSQL password with UNIX password and only allow local logins. That would be beyond the scope of this question.

Postgresql – MD5 pw encryption in postgresql using CREATE USER WITH PASSWORD

So is there any benefit to using a MD5 hash in the CREATE USER command?

The only benefit to supplying a pre-hashed input to CREATE USER ... WITH PASSWORD is that if log_statement = 'all' is on there's no risk of the cleartext going into the logs. However, since knowing the hash is sufficient to authenticate as the user, that doesn't help you any.

In general you should just use CREATE USER ... WITH ENCRYPTED PASSWORD and be done with it.

PostgreSQL's protocol lacks support for strong digest functions and a proper HMAC exchange, so it's wise to use SSL over anything except a trusted local network anyway.

Best Answer

Related Solutions

PostgreSQL – Default Superuser Username/Password After New Install

Postgresql – MD5 pw encryption in postgresql using CREATE USER WITH PASSWORD

Related Topic