Feature #8064
Generate postgres account credentials at install time
Status:
New
Priority:
Normal
Assignee:
-
Category:
Backend (packaging/deployment)
Target version:
-
% Done:
0%
Source:
other
Tags:
Backport:
Reviewed:
Affected Versions:
Description
This is for defense in depth.
Currently we ship a static postgres username/password for the calamari user. This is not a deal breaker because:
- Users are free to modify it and update our configuration files with their new password
- Postgres should not be listening on the network by default.
However, best practice would be to generate a unique password on each installation to protect against the case where someone had accidentally exposed their postgres server to the network.
We could achieve a per-installation password in a similar way to what we do with the django SECRET_KEY value: generate it in "calamari-ctl initialize" and update config files at that stage.