Implement ENV secrets for PostgreSQL user accounts #27
Comments
|
What other parameters should it be possible to set via environment variables (except passwords)?
What about order of precedence? I think config file should have a priority. |
|
What about PATRONI_CONFIGURATION? As since 9744019 In that way you can run patroni totally with an |
|
Yeah, but with PATRONI_CONFIG it's not possible to change config and reload it... |
|
It is actually called 'PATRONI_CONFIGURATION' and it's mutually exclusive with the actual configuration files, so you cannot read from both. I think we only move the actual secrets to the envdir, obviously, the passwords, but also RESTAPI_AUTH, RESTAPI_CERTFILE and RESTAPI_KEYFILE. |
|
It is not only about passwords, but about running Patroni in a docker. For example it's not always possible to figure out your "connect_address" from inside docker. |
|
Exactly. For example, when starting Patroni in Kubernetes, I can pass the Pod IP address as an ENV; it's not visible inside the container. |
|
@CyberDem0n @alexeyklyukin @feikesteenbergen @jberkus What's the next step to take for this issue? |
|
I believe #211 covers most of the use-cases. Closing this issue. If something is missing we will create a new one. |
We need a better way to set passwords for the three PostgreSQL accounts we need to use than keeping them in a configuration file which may be in poorly secured CMS repo. I suggest that we use envdir, as several other Python projects (like WAL-E) do.
Other ideas?
The text was updated successfully, but these errors were encountered: