Operations
Backup And Restores
Custom Secret
Monitoring
tpl
Create a PostgreSQL Cluster With Custom Password Generation Policy on KubeBlocks
This guide explains how to deploy a PostgreSQL cluster in KubeBlocks with a custom password generation policy for the root user. By defining specific password rules, you can ensure strong, secure credentials for your cluster.
Prerequisites
Before proceeding, ensure the following:
- Environment Setup:
- A Kubernetes cluster is up and running.
- The kubectl CLI tool is configured to communicate with your cluster.
- KubeBlocks CLI and KubeBlocks Operator are installed. Follow the installation instructions here.
- Namespace Preparation: To keep resources isolated, create a dedicated namespace for this tutorial:
kubectl create ns demo
namespace/demo created
Deploying the PostgreSQL Replication Cluster
KubeBlocks uses a declarative approach for managing PostgreSQL clusters. Below is an example configuration for deploying a PostgreSQL cluster with 2 nodes (1 primary, 1 replicas) and custom password generation policy.
apiVersion: apps.kubeblocks.io/v1
kind: Cluster
metadata:
name: pg-cluster
namespace: demo
spec:
terminationPolicy: Delete
clusterDef: postgresql
topology: replication
componentSpecs:
- name: postgresql
serviceVersion: 16.4.0
labels:
apps.kubeblocks.postgres.patroni/scope: pg-cluster-postgresql
disableExporter: true
replicas: 2
systemAccounts:
- name: postgres
passwordConfig:
length: 20 # Password length: 20 characters
numDigits: 4 # At least 4 digits
numSymbols: 2 # At least 2 symbols
letterCase: MixedCases # Uppercase and lowercase letters
symbolCharacters: '!' # set the allowed symbols when generating password
resources:
limits:
cpu: "0.5"
memory: "0.5Gi"
requests:
cpu: "0.5"
memory: "0.5Gi"
volumeClaimTemplates:
- name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
Explanation of Key Fields
systemAccounts: Overrides system accounts defined in the referencedComponentDefinition.passwordConfig: Customizes the password generation policy for thepostgresuser.symbolCharacters: Sets the allowed symbols when generating password.
In KubeBlocks PostgreSQL Addon, a list of system accounts is defined. And only those accounts can be customized with a new secret.
To get the of accounts:
kubectl get cmpd postgresql-16-1.0.0 -oyaml | yq '.spec.systemAccounts[].name'
Expected Output:
postgres
kbadmin
...
Verifying the Deployment
Monitor the cluster status until it transitions to the Running state:
kubectl get cluster pg-cluster -n demo -w
Expected Output:
NAME CLUSTER-DEFINITION TERMINATION-POLICY STATUS AGE
pg-cluster postgresql Delete Creating 50s
pg-cluster postgresql Delete Running 4m2s
Once the cluster status becomes Running, your PostgreSQL cluster is ready for use.
If you are creating the cluster for the very first time, it may take some time to pull images before running.
Connecting to the PostgreSQL Cluster
KubeBlocks automatically creates a secret containing the PostgreSQL postgres credentials. Retrieve the credentials with the following commands:
PASSWORD=$(kubectl get secrets -n demo pg-cluster-postgresql-account-postgres -o jsonpath='{.data.password}' | base64 -d)
To connect to the cluster's primary node, use the PostgreSQL client with the custom password:
kubectl exec -it -n demo pg-cluster-postgresql-0 -c postgresql -- env PGUSER=postgres PGPASSWORD=$PASSWORD psql
Cleanup
To remove all created resources, delete the PostgreSQL cluster along with its namespace:
kubectl delete cluster pg-cluster -n demo
kubectl delete ns demo
Summary
In this guide, you:
- Deployed a PostgreSQL cluster in KubeBlocks with a custom password generation policy.
- Verified the deployment and connected to the cluster's primary node using the PostgreSQL client.