Description:
The currently auto-generated passwords for PostgresUser resources are inflexible, which causes issues when interacting with managed Postgres instances that enforce strict password policies (e.g., GCP Cloud SQL, AWS RDS).
Problem:
- Limited Character Set: The GetSecureRandomString function in pkg/utils/random.go only utilizes alphanumeric characters (
[a-zA-Z0-9]). It explicitly lacks support for special characters, which are frequently a requirement for strong passwords.
- Fixed Length: The password length is hardcoded to
15 characters in internal/controller/postgresuser_controller.go, which may not meet minimum length requirements for some organizations or compliance standards.
- Inefficient Retry Behavior: If a generated password fails the database's validation policy (e.g., "password must contain a special character"), the operator simply receives an error and retries the reconciliation loop with the same inadequate generation logic, never resolving the issue.
Suggested Approach:
Update the PostgresUser CRD, the operator logic, and the Helm chart to support configurable password generation standards.
Desired Features:
- Backward Compatibility:
- The default behavior must remain unchanged to prevent breaking changes for existing users.
- Configurable Length:
- Minimum Length: Ability to specify the minimum length.
- Maximum Length: Ability to specify a maximum length to comply with specific system constraints (e.g., legacy systems or interface limits).
- Complexity Requirements: Introduce fields to enforce minimum counts of:
- Uppercase letters
- Lowercase letters
- Numeric digits
- Special characters (e.g.,
!@#$%^&*)
- Character Restrictions:
- Excluded Characters: Ability to explicitly exclude specific characters (e.g.,
@, /, ", ', or spaces) that might break connection strings or are forbidden by specific cloud providers (e.g. AWS RDS often has restrictions on /, @, ").
- First Character Requirement: Option to enforce that the password must start with a letter (some systems/parsers do not accept passwords starting with a number or special character).
- Helm Chart Configuration:
- Expose equivalent configuration options in values.yaml to allow setting global defaults for the operator, which can be overridden by individual PostgresUser CRs if needed.
Reference:
Implementing these changes would greatly enhance the operator's compatibility with managed database services and allow users to adhere to their internal security best practices.
Description:
The currently auto-generated passwords for PostgresUser resources are inflexible, which causes issues when interacting with managed Postgres instances that enforce strict password policies (e.g., GCP Cloud SQL, AWS RDS).
Problem:
[a-zA-Z0-9]). It explicitly lacks support for special characters, which are frequently a requirement for strong passwords.15characters in internal/controller/postgresuser_controller.go, which may not meet minimum length requirements for some organizations or compliance standards.Suggested Approach:
Update the PostgresUser CRD, the operator logic, and the Helm chart to support configurable password generation standards.
Desired Features:
!@#$%^&*)@,/,",', or spaces) that might break connection strings or are forbidden by specific cloud providers (e.g. AWS RDS often has restrictions on/,@,").Reference:
Implementing these changes would greatly enhance the operator's compatibility with managed database services and allow users to adhere to their internal security best practices.