Skip to content

allow in place pw rotation of system users #1953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Aug 18, 2022
Merged

allow in place pw rotation of system users #1953

merged 12 commits into from
Aug 18, 2022

Conversation

FxKu
Copy link
Member

@FxKu FxKu commented Jul 6, 2022
edited
Loading

First approach to support password rotation for system users except postgres superuser. The tricky part: We can make the operator change the password, but the pods have to be replaced immediately afterwards to keep the system (replication) running.

Therefore, the idea of this PR is to tag pods with rolling update annotation from within the updateSecret method. Because the secret is only updated at the end of updateSecret we cannot rotate pods immediately. For pooler pods this requires some extra login while syncing pooler objects: Listing pods, check for annotation and delete if found.

ToDos for future PRs:

  • System users can only be rotated when mentioned in the manifest. Should the global toggle enable_password_rotation incl. system users as well, or should there be an extra config option instead?
  • Passwords can also be rotated if we mount the secrets as volumes and provide a config structure within the secret. updateSecret can update that structure and only call the Patroni reload endpoint, without replacing the pods.

@FxKu FxKu added this to the 1.9 milestone Jul 15, 2022
@FxKu
Copy link
Member Author

FxKu commented Aug 16, 2022

👍

1 similar comment
@Jan-M
Copy link
Member

Jan-M commented Aug 18, 2022

👍

@FxKu FxKu merged commit b2642fa into master Aug 18, 2022
@FxKu FxKu deleted the pw-rotation-systen-users branch August 18, 2022 12:14
@d0x2f d0x2f mentioned this pull request Aug 18, 2022
Open
@FxKu FxKu mentioned this pull request Aug 24, 2022
Merged
@FxKu FxKu mentioned this pull request Oct 10, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sdudoladov sdudoladov Awaiting requested review from sdudoladov sdudoladov is a code owner

@Jan-M Jan-M Awaiting requested review from Jan-M Jan-M is a code owner

@CyberDem0n CyberDem0n Awaiting requested review from CyberDem0n

@jopadi jopadi Awaiting requested review from jopadi jopadi is a code owner

@idanovinda idanovinda Awaiting requested review from idanovinda idanovinda is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.9
Development

Successfully merging this pull request may close these issues.
2 participants
@FxKu @Jan-M