Commit 6cf036d

Add support for reading passwords from files
Allow providing passwords via `_FILE` environment variables for Etcd and PostgreSQL users (standby, admin, superuser). If the primary password environment variable is not set, the configuration script will read the password from the filesystem path specified in the corresponding `_FILE` variable. This change also adds support for the `ETCD_USER` environment variable.
1 parent f332b91 commit 6cf036d

2 files changed

+30
-0
lines changed


ENVIRONMENT.rst

Lines changed: 10 additions & 0 deletions
@@ -9,6 +9,10 @@ Environment Configuration Settings
99
- **ETCD_CACERT**: Etcd CA certificate. If present it will enable validation.
1010
- **ETCD_CERT**: Etcd client certificate.
1111
- **ETCD_KEY**: Etcd client certificate key. Can be empty if the key is part of certificate.
12+
- **ETCD_USER**: Etcd client username.
13+
- **ETCD_PASSWORD**: Etcd client password. Takes precedence over ``ETCD_PASSWORD_FILE`` when both are set.
14+
- **ETCD_PASSWORD_FILE**: Etcd client password file. The file content is used as Patroni etcd password when
15+
``ETCD_PASSWORD`` is not set.
1216
- **PGHOME**: filesystem path where to put PostgreSQL home directory (/home/postgres by default)
1317
- **APIPORT**: TCP port to Patroni API connections (8008 by default)
1418
- **BACKUP_SCHEDULE**: cron schedule for doing backups via WAL-G ('00 01 * * *' by default)
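
Review bot: The new Etcd entries (new lines 12-15) document only ``ETCD_PASSWORD_FILE``, but the call added in configure_spilo.py also passes 'ETCD3_PASSWORD', so ``ETCD3_PASSWORD_FILE`` is honored by the code and is not mentioned in this hunk. Either add an entry for it or state that the `_FILE` form applies to both variables. The ``ETCD_PASSWORD_FILE`` entry should also say that trailing CR/LF characters are stripped from the file content and that an unreadable file raises an error, since both behaviours affect how the secret file has to be provisioned.
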
@@ -19,14 +23,20 @@ Environment Configuration Settings
1923
- **PGDATA**: location of PostgreSQL data directory, by default PGROOT/pgdata.
2024
- **PGUSER_STANDBY**: username for the replication user, 'standby' by default.
2125
- **PGPASSWORD_STANDBY**: a password for the replication user, 'standby' by default.
26+
- **PGPASSWORD_STANDBY_FILE**: password file for ``PGPASSWORD_STANDBY``. Used when
27+
``PGPASSWORD_STANDBY`` is not set.
2228
- **STANDBY_HOST**: hostname or IP address of the primary to stream from.
2329
- **STANDBY_PORT**: TCP port on which the primary is listening for connections. Patroni will use "5432" if not set.
2430
- **STANDBY_PRIMARY_SLOT_NAME**: replication slot to use on the primary.
2531
- **PGUSER_ADMIN**: username for the default admin user, 'admin' by default.
2632
- **PGPASSWORD_ADMIN**: a password for the default admin user, 'cola' by default.
33+
- **PGPASSWORD_ADMIN_FILE**: password file for ``PGPASSWORD_ADMIN``. Used when
34+
``PGPASSWORD_ADMIN`` is not set.
2735
- **USE_ADMIN**: whether to use the admin user or not.
2836
- **PGUSER_SUPERUSER**: username for the superuser, 'postgres' by default.
2937
- **PGPASSWORD_SUPERUSER**: a password for the superuser, 'zalando' by default
38+
- **PGPASSWORD_SUPERUSER_FILE**: password file for ``PGPASSWORD_SUPERUSER``. Used when
39+
``PGPASSWORD_SUPERUSER`` is not set.
3040
- **ALLOW_NOSSL**: set to allow clients to connect without SSL enabled.
3141
- **PGPORT**: port PostgreSQL listens to for client connections, 5432 by default
3242
- **PGVERSION**: Specifies the version of postgreSQL to reference in the bin_dir variable (/usr/lib/postgresql/PGVERSION/bin) if postgresql.bin_dir wasn't set in SPILO_CONFIGURATION
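
Review bot: The wording "Used when ``PGPASSWORD_STANDBY`` is not set" on the three new `_FILE` entries (new lines 26-27, 33-34, 38-39) is narrower than the check in set_password_from_file, which is `if placeholders.get(password_key)` and therefore also falls through to the file when the variable is present but empty. Suggest "is not set or is empty". The entries sit next to documented defaults ('standby', 'cola', 'zalando') and do not say what happens when the file cannot be read; the code raises ValueError rather than falling back to the default, and that is worth stating so operators do not assume a silent fallback to a well-known password.
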

postgres-appliance/scripts/configure_spilo.py

Lines changed: 20 additions & 0 deletions
@@ -529,6 +529,23 @@ def has_dual_stack():
529529
return info[0][4][0]
530530

531531

532+
def set_password_from_file(placeholders, password_keys):
533+
for password_key in password_keys:
534+
if placeholders.get(password_key):
535+
continue
536+
537+
password_file_key = password_key + '_FILE'
538+
password_file = placeholders.get(password_file_key)
539+
if not password_file:
540+
continue
541+
542+
try:
543+
with open(password_file) as f:
544+
placeholders[password_key] = f.read().rstrip('\r\n')
545+
except Exception as e:
546+
raise ValueError('Failed to read {0}: {1}'.format(password_file_key, e))
547+
548+
532549
def get_placeholders(provider):
533550
placeholders = {}
534551
for key, value in os.environ.items():
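
Review bot: There is no check for empty content at new line 544: a file that is empty or holds only a newline makes `f.read().rstrip('\r\n')` return '', which is stored as the password without any error. Read into a local variable first and raise ValueError naming the `_FILE` key when the result is empty, so a mis-mounted or truncated secret fails loudly. Two smaller points in the same block: `except Exception` at line 545 is broader than needed (OSError and UnicodeDecodeError cover the read), and `open(password_file)` relies on the locale's default encoding, so passing an explicit `encoding='utf-8'` would make the result independent of the container's locale. The function also has no docstring describing the precedence rule and the newline stripping.
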
@@ -541,6 +558,9 @@ def get_placeholders(provider):
541558
else:
542559
placeholders[key] = value
543560

561+
set_password_from_file(placeholders, ('ETCD_PASSWORD', 'ETCD3_PASSWORD',
562+
'PGPASSWORD_STANDBY', 'PGPASSWORD_ADMIN', 'PGPASSWORD_SUPERUSER'))
563+
544564
placeholders.setdefault('PGHOME', os.path.expanduser('~'))
545565
placeholders.setdefault('APIPORT', '8008')
546566
placeholders.setdefault('BACKUP_SCHEDULE', '0 1 * * *')
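
Review bot: The call at new lines 561-562 depends on its position: set_password_from_file skips any key that already has a value, so it has to stay after the environment loop and ahead of the `placeholders.setdefault(...)` block that starts at line 564, and nothing in the code says so. Add a one-line comment stating that ordering requirement. The key tuple is also written inline across two lines; hoisting it to a named module-level constant would keep the list of file-backed secrets in one visible place and make it easier to keep ENVIRONMENT.rst in step with it.
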
