Feature Request - Allow `PostgresCluster` to extract `spec.authentication.rules[].options` values from `Secret` manifest

[Amphaal]

Right now, when trying to allow my LDAP users to access my postgres databases, I need to provide both LDAP bind user and password like this:

... which is clearly not secure. A cleaner way of doing this would be to mimic what backups.pgbackrest.configuration[].secret allows us;

Here's what I had in mind =>

It's kind of an edge case, and I think only the RADIUS method users would benefit from this also.

https://docs.postgresql.fr/12/auth-ldap.html
https://docs.postgresql.fr/12/auth-radius.html

Does it make sense ? Are there alternatives I have not considered (like using patroni) ?

[cbandy]

I need to provide both LDAP bind user and password

Does it make sense ?

Yes, and I agree!

Are there alternatives I have not considered (like using patroni) ?

Unfortunately, no, we generate this HBA file in the operator and inject it into Postgres using a ConfigMap. Same with Patroni configuration.

What version of Postgres are you using? Postgres 16 has HBA include directives that we can support rather quickly. You would have to store the entire HBA line in a Secret in that case. Is that feasible for your environment?

This is on our roadmap to solve generally, if possible. Most tools with k/v configuration have one or two values that need to be secret. The challenge is getting those values into the container securely then adding them to the tools' config. As a general rule, the operator doesn't read your Secrets.

Do you have another tool that manages K8s Secrets? Vault or External Secrets or so?

[Amphaal]

Thanks for your reply !

What version of Postgres are you using? Postgres 16 has HBA include directives that we can support rather quickly. You would have to store the entire HBA line in a Secret in that case. Is that feasible for your environment?

Postgres 17 :) Yes, that would be a nice trick. A bit cumbersome, but vastly superior to limit secret exposure, especially in an open-source context.

Do you have another tool that manages K8s Secrets? Vault or External Secrets or so?

Nope, only using plain k8s secrets.