Add support for handling sensitive data in pgcat.toml and dynamically adding users to pools
Opened this issue · 2 comments
**Is your feature request related to a problem? Please describe.**
Every user connecting through PgCat must be specified with their username and password in the `pgcat.toml` configuration file. This approach has two problems: 1) we are storing the username/password information in a plain text file, which is insecure, and 2) to add a user, one must manually update the `pgcat.toml` and rebuild the PgCat image.

**Describe the solution you'd like**
A way to dynamically set users without modifying the `pgcat.toml` configuration file. Also, leverage existing security practices like Docker secrets or Kubernetes secrets to get the sensitive data and dynamically change the `pgcat.toml`.

**Describe alternatives you've considered**
I considered a temporary solution for feature (2). I could load the users using Python's toml library and take each user and password from environment variables. How this works is that each environment variable that starts with `US_` will be added as a user, with the corresponding `PW_` password, to the `pgcat.toml`. This allows us to pass the environment variables as secrets, and let the image inside add users and passwords.

**Additional context**
None
> and rebuild the PgCat Image.

You can instead do one of these:

- enable `autoreload`
- `kill -HUP $(pgrep pgcat)`
- issue a `RELOAD` query to the admin database

You don't need to rebuild an image of PgCat to update the config.

> docker secrets or Kubernetes secrets

This is deployment-specific and not coupled to pgcat. You can store the entire `pgcat.toml` as a Kubernetes secret.
Although it's no blocker on deploying PgCat, being able to inject some configuration by environment variables would still be great. In our deployment, we are storing the whole `pgcat.toml` as a Kubernetes secret, as you mentioned. Still, it would be better to version the configuration in Git (we are using GitOps) as a ConfigMap and keep only sensitive data, such as a database password, as secrets.