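---
# Example configuration with pgpass file for database credentials
#
# This configuration shows how to provide database credentials securely using
# PostgreSQL's standard pgpass file mechanism, which supports the two-user
# security model with a single file containing credentials for both users.
#
# Two-User Security Model:
# This configuration uses two separate database users:
# - db_user: Application user with limited privileges (SELECT, INSERT, UPDATE, DELETE)
# - db_migrator: Migration user with elevated privileges (CREATE, ALTER, DROP)
#
# Password Management via pgpass file:
# The pgpass file provides credentials for both users in a single file.
# This is the recommended approach as it:
# - Uses PostgreSQL's standard mechanism (pgx/libpq native support)
# - Supports multiple users in a single file
# - Avoids passing passwords via environment variables
# - Works with all PostgreSQL client libraries
#
# Setup Instructions:
# 1. Create PostgreSQL users with appropriate privileges.
#    The passwords below are placeholders; replace them before use.
# ```sql
# -- Create application user (limited privileges)
# CREATE USER db_user WITH PASSWORD 'secure_password';
# GRANT CONNECT ON DATABASE toolhive_registry TO db_user;
# GRANT USAGE ON SCHEMA public TO db_user;
# GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO db_user;
# GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO db_user;
#
# -- Create migration user (elevated privileges)
# CREATE USER db_migrator WITH PASSWORD 'migration_password';
# GRANT CONNECT ON DATABASE toolhive_registry TO db_migrator;
# GRANT ALL PRIVILEGES ON SCHEMA public TO db_migrator;
# GRANT CREATE ON SCHEMA public TO db_migrator;
# GRANT ALL PRIVILEGES ON DATABASE toolhive_registry TO db_migrator;
# ```
#
# 2. Create pgpass file with credentials for both users.
#    Each entry must match the host, port, database and user configured in the
#    `database:` section below (a field may be `*` to match any value).
# ```bash
# # Create the pgpass file
# cat > ~/.pgpass <<EOF
# localhost:5432:toolhive_registry:db_user:secure_password
# localhost:5432:toolhive_registry:db_migrator:migration_password
# EOF
#
# # Set secure permissions (required by PostgreSQL: libpq ignores the file
# # when it is group- or world-accessible)
# chmod 600 ~/.pgpass
# ```
#
# 3. Optionally, use a custom pgpass file location:
# ```bash
# export PGPASSFILE=/path/to/custom/pgpass
# ```
#
# 4. Start the server (migrations run automatically):
# ```bash
# thv-registry-api serve --config examples/config-database-passwordfile.yaml
# ```
#
# pgpass file format:
# hostname:port:database:username:password
#
# See: https://www.postgresql.org/docs/current/libpq-pgpass.html

# Sources configuration (can have multiple sources)
sources:
  - name: toolhive
    # Git repository configuration
    git:
      repository: https://github.com/stacklok/toolhive-catalog.git
      branch: main
      path: pkg/catalog/toolhive/data/registry-legacy.json
    # Per-registry automatic synchronization policy
    syncPolicy:
      interval: "30m"

registries:
  - name: default
    sources: ["toolhive"]

auth:
  mode: anonymous

# PostgreSQL database configuration
# Uses two-user security model with pgpass file for credentials
database:
  # Database connection details
  host: localhost
  port: 5432
  database: toolhive_registry
  # NOTE(review): "require" encrypts the connection but does not verify the
  # server certificate or hostname, so it does not protect against an
  # impersonated server. Prefer "verify-full" when a trusted CA bundle is
  # available to the server process.
  sslMode: require
  # Application user (limited privileges for runtime operations)
  # Password is retrieved from pgpass file
  user: db_user
  # Migration user (elevated privileges for schema changes)
  # Password is retrieved from pgpass file
  # Optional: if not set, defaults to 'user' for backward compatibility
  migrationUser: db_migrator
  # Connection pool settings
  maxOpenConns: 25
  maxIdleConns: 5
  connMaxLifetime: "5m"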