Problem using variables in password fields of patroni.yml


Hello guys,

I’m having some trouble trying not to pass my passwords in plain text in the patroni.yml file. I’ve already deployed patroni successfully by filling in the patroni.yml as in the example (with plain-text passwords), and now I want to improve it by passing these passwords as variables that will be filled in another file. Knowing ansible structure, I tried to put these variables in the /etc/group_vars/all file, but patroni doesn’t seem to find them.

Part of /etc/patroni.yml file:

authentication:
        replication:
            username: replicator
            password: "{{ replicator_pass }}"
        superuser:
            username: postgres
            password: "{{ postgres_pass }}"

Error in /var/log/messages:

Dec  2 19:41:35 postgresql01 patroni: 2018-12-02 19:41:35,810 INFO: Error communicating with PostgreSQL. Will try again later
Dec  2 19:41:37 postgresql01 patroni: 2018-12-02 19:41:37,265 ERROR: get_postgresql_status
Dec  2 19:41:37 postgresql01 patroni: Traceback (most recent call last):
Dec  2 19:41:37 postgresql01 patroni: File "/usr/lib/python2.7/site-packages/patroni/api.py", line 424, in get_postgresql_status
Dec  2 19:41:37 postgresql01 patroni: self.server.patroni.postgresql.lsn_name), retry=retry)[0]
Dec  2 19:41:37 postgresql01 patroni: File "/usr/lib/python2.7/site-packages/patroni/api.py", line 399, in query
Dec  2 19:41:37 postgresql01 patroni: return self.server.query(sql, *params)
Dec  2 19:41:37 postgresql01 patroni: File "/usr/lib/python2.7/site-packages/patroni/api.py", line 480, in query
Dec  2 19:41:37 postgresql01 patroni: raise PostgresConnectionException('connection problems')
Dec  2 19:41:37 postgresql01 patroni: PostgresConnectionException: 'connection problems'
Dec  2 19:41:40 postgresql01 patroni: 2018-12-02 19:41:40,274 ERROR: get_postgresql_status

/etc/systemd/system/patroni.service file:

[Unit]
Description=Runners to orchestrate a high-availability PostgreSQL
After=syslog.target network.target

[Service]
Type=simple

User=postgres
Group=postgres

ExecStart=/bin/patroni /etc/patroni.yml

KillMode=process

TimeoutSec=30

Restart=no

[Install]
WantedBy=multi-user.target

Is passing variables supported by patroni code? Is there a specific place where I should put the variables file? If not, what is the recommended way to deploy patroni without needing to put the passwords in plain text?

Thank you!

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

3 reactions
alago197 commented, Dec 2, 2018

It would be great if patroni could read hashes (SHA256 for example) written in the config file, like (for example) haproxy. Via hashlib (https://docs.python.org/2/library/hashlib.html#module-hashlib) I guess this would need a PR from us…

2 reactions
biarocha commented, Dec 2, 2018

> Is passing variables supported by patroni code?
>
> No, it is not supported. Actually keeping passwords in a different file doesn’t change anything. It is still possible to read them with the same permissions as the patroni config and therefore risks are absolutely the same.

I see… Actually my original idea was to use ansible vault. That’s why I would need the value of the variables in another file… Anyway, is there another way to accomplish this? Encrypt the passwords… Use another method… Anything that is not plain-text?
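
A pre-deployment check for the two points raised in this thread, as an added example (not code from Patroni or from the posters): Patroni does not expand variables, so a `{{ ... }}` left in patroni.yml is used as the literal password, and, as the quoted reply notes, exposure comes down to who can read the file. The function names and the sample fragment are constructed for illustration; the scanner only handles plain `key: value` lines.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the fragment from the post, placeholders left unrendered.
SAMPLE = '''\
authentication:
        replication:
            username: replicator
            password: "{{ replicator_pass }}"
        superuser:
            username: postgres
            password: "{{ postgres_pass }}"
'''

PLACEHOLDER = re.compile(r"\{\{.*?\}\}")
KEY_LINE = re.compile(r"^(\s*)([A-Za-z_][\w.-]*):\s*(.*)$")  # no list items / block scalars

def unrendered_placeholders(text):
    """Return dotted key paths whose value still contains a {{ ... }} placeholder."""
    stack, hits = [], []  # stack holds (indent, key) of the enclosing mappings
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        stack.append((indent, key))
        if PLACEHOLDER.search(value):
            hits.append(".".join(k for _, k in stack))
    return hits

def accessible_beyond_owner(path):
    """True if group or other has any permission bit set on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO))

def check_config(path):
    with open(path) as fh:
        found = unrendered_placeholders(fh.read())
    return {"unrendered": found, "loose_permissions": accessible_beyond_owner(path)}

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".yml", delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o644)  # world-readable, to show the permission finding
    print(check_config(tmp.name))
    os.unlink(tmp.name)
```
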
