Skip to content

Commit 838318d

Browse files
authored
fix: restore analytics user password via shell interpolation (#17)
1 parent aefd2b2 commit 838318d

1 file changed

Lines changed: 6 additions & 3 deletions

File tree

src/controllers/restore/builders.rs

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -599,16 +599,19 @@ fi
599599
600600
echo "Detected PG major version: $PG_MAJOR"
601601
602+
# ANALYTICS_PASSWORD is generated by the operator (see replica.rs generate_password)
603+
# and stored in a Kubernetes secret - it is not user-controlled input, so
604+
# interpolating it directly into the SQL string is safe.
602605
psql -U postgres -d postgres << SQLEOF
603-
\getenv analytics_password ANALYTICS_PASSWORD
604606
DO \$\$
605607
BEGIN
606608
IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${{ANALYTICS_USERNAME}}') THEN
607-
CREATE ROLE ${{ANALYTICS_USERNAME}} WITH LOGIN;
609+
CREATE ROLE ${{ANALYTICS_USERNAME}} WITH LOGIN PASSWORD '${{ANALYTICS_PASSWORD}}';
610+
ELSE
611+
ALTER ROLE ${{ANALYTICS_USERNAME}} WITH PASSWORD '${{ANALYTICS_PASSWORD}}';
608612
END IF;
609613
END
610614
\$\$;
611-
ALTER ROLE ${{ANALYTICS_USERNAME}} WITH PASSWORD :'analytics_password';
612615
SQLEOF
613616
614617
if [ "$PG_MAJOR" -ge 14 ] && [ "{read_only}" = "true" ]; then

0 commit comments

Comments
 (0)