Drop usage of postgres user#16
Conversation
|
Skipping CI for Draft Pull Request. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lpiwowar The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
e3cc994 to
cbe7495
Compare
The previous PostgreSQL setup had several security and consistency problems: Security issues: 1. POSTGRESQL_ADMIN_PASSWORD was set, making the postgres superuser accessible remotely (not just locally via `oc rsh` + `psql`). [1] 2. Both lightspeed-stack and llama-stack were connecting as the postgres superuser rather than a dedicated non-admin user. 3. The postgres superuser username usage was hardcoded and credential paths into the app and db pods were inconsistent. Naming/consistency issues: 4. lightspeed-stack used database "postgres" while llama-stack used "llamastack", with no explicit database name in llama-stack's config. 5. POSTGRES_USER/POSTGRES_PASSWORD env var names did not follow the POSTGRESQL_* convention of the PostgreSQL container image and also the usage of these env vars was insonsistent across the operator code. 6. Bootstrap SQL was embedded in postgres_bootstrap.sh, making it hard to read and maintain. Fixes: - Remove POSTGRESQL_ADMIN_PASSWORD. The postgres superuser is now only accessible locally via `oc rsh` + `psql` (no password required). - Introduce a dedicated non-admin user "lightspeed-app-user", stored in lightspeed-postgres-secret alongside the password. Both apps now connect as this user via POSTGRESQL_USER and POSTGRESQL_PASSWORD. - Rename the lightspeed-stack database from "postgres" to "lightspeed-stack" and make llama-stack's "llamastack" database selection explicit in its config. - Rename POSTGRES_USER/POSTGRES_PASSWORD -> POSTGRESQL_USER/POSTGRESQL_PASSWORD throughout to match the container image's naming convention. - Extract bootstrap SQL into postgres_bootstrap.sql to enable syntax highlighting and improve maintainability. [1] https://github.com/sclorg/postgresql-container/blob/master/src/root/usr/share/container-scripts/postgresql/README.md#postgresql-admin-account
Move generateRandomString from postgres_reconciler.go to common.go so the helper is available across the package. Add tests covering output length, hex character validity, and uniqueness.
cf56b81 to
be4035f
Compare
umago
left a comment
There was a problem hiding this comment.
Thanks Lukas! I know this is draft still but it looks good.
Only thing I would say is that a 16 character password seems a bit too weak. I would do at least 32 to be on the safe-side here.
| randomPassword := make([]byte, 12) | ||
| if _, err := rand.Read(randomPassword); err != nil { | ||
| if secret.Data[OpenStackLightspeedComponentPasswordFileName] == nil { | ||
| const PostgreSQLPasswordLen = 16 |
There was a problem hiding this comment.
Should we make the password a bit larger (entropy) ? I would say at least 32 characters
| SecretKeyRef: &corev1.SecretKeySelector{ | ||
| LocalObjectReference: corev1.LocalObjectReference{ | ||
| Name: PostgresSecretName, | ||
| // buildPostgresCredsEnvVars returns the POSTGRES_PASSWORD env var sourced from the postgres secret. |
There was a problem hiding this comment.
nit: s/POSTGRES_PASSWORD/POSTGRESQL_PASSWORD/g
No description provided.