Skip to content

Drop usage of postgres user#16

Draft
lpiwowar wants to merge 2 commits into
openstack-k8s-operators:mainfrom
lpiwowar:lpiwowar/postgresql-password
Draft

Drop usage of postgres user#16
lpiwowar wants to merge 2 commits into
openstack-k8s-operators:mainfrom
lpiwowar:lpiwowar/postgresql-password

Conversation

@lpiwowar

Copy link
Copy Markdown
Collaborator

No description provided.

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lpiwowar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@lpiwowar lpiwowar force-pushed the lpiwowar/postgresql-password branch from e3cc994 to cbe7495 Compare July 10, 2026 11:54
lpiwowar added 2 commits July 10, 2026 12:10
The previous PostgreSQL setup had several security and consistency
problems:

Security issues:
1. POSTGRESQL_ADMIN_PASSWORD was set, making the postgres superuser
   accessible remotely (not just locally via `oc rsh` + `psql`). [1]
2. Both lightspeed-stack and llama-stack were connecting as the postgres
   superuser rather than a dedicated non-admin user.
3. The postgres superuser username usage was hardcoded and credential
   paths into the app and db pods were inconsistent.

Naming/consistency issues:
4. lightspeed-stack used database "postgres" while llama-stack used
   "llamastack", with no explicit database name in llama-stack's config.
5. POSTGRES_USER/POSTGRES_PASSWORD env var names did not follow the
   POSTGRESQL_* convention of the PostgreSQL container image and also
   the usage of these env vars was insonsistent across the operator
code.
6. Bootstrap SQL was embedded in postgres_bootstrap.sh, making it hard
   to read and maintain.

Fixes:
- Remove POSTGRESQL_ADMIN_PASSWORD. The postgres superuser is now only
  accessible locally via `oc rsh` + `psql` (no password required).
- Introduce a dedicated non-admin user "lightspeed-app-user", stored in
  lightspeed-postgres-secret alongside the password. Both apps now
  connect as this user via POSTGRESQL_USER and POSTGRESQL_PASSWORD.
- Rename the lightspeed-stack database from "postgres" to
  "lightspeed-stack" and make llama-stack's "llamastack" database
  selection explicit in its config.
- Rename POSTGRES_USER/POSTGRES_PASSWORD ->
POSTGRESQL_USER/POSTGRESQL_PASSWORD
  throughout to match the container image's naming convention.
- Extract bootstrap SQL into postgres_bootstrap.sql to enable syntax
  highlighting and improve maintainability.

[1]
https://github.com/sclorg/postgresql-container/blob/master/src/root/usr/share/container-scripts/postgresql/README.md#postgresql-admin-account
Move generateRandomString from postgres_reconciler.go to common.go so
the helper is available across the package. Add tests covering output
length, hex character validity, and uniqueness.
@lpiwowar lpiwowar force-pushed the lpiwowar/postgresql-password branch 2 times, most recently from cf56b81 to be4035f Compare July 10, 2026 16:15

@umago umago left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Lukas! I know this is draft still but it looks good.

Only thing I would say is that a 16 character password seems a bit too weak. I would do at least 32 to be on the safe-side here.

randomPassword := make([]byte, 12)
if _, err := rand.Read(randomPassword); err != nil {
if secret.Data[OpenStackLightspeedComponentPasswordFileName] == nil {
const PostgreSQLPasswordLen = 16

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we make the password a bit larger (entropy) ? I would say at least 32 characters

SecretKeyRef: &corev1.SecretKeySelector{
LocalObjectReference: corev1.LocalObjectReference{
Name: PostgresSecretName,
// buildPostgresCredsEnvVars returns the POSTGRES_PASSWORD env var sourced from the postgres secret.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: s/POSTGRES_PASSWORD/POSTGRESQL_PASSWORD/g

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants