Create a PostgreSQL Cluster With Custom Password Generation Policy on KubeBlocks

This guide explains how to deploy a PostgreSQL cluster in KubeBlocks with a custom password generation policy for the root user. By defining specific password rules, you can ensure strong, secure credentials for your cluster.

Prerequisites

    Before proceeding, ensure the following:

    • Environment Setup:
      • A Kubernetes cluster is up and running.
      • The kubectl CLI tool is configured to communicate with your cluster.
      • KubeBlocks CLI and KubeBlocks Operator are installed. Follow the installation instructions here.
    • Namespace Preparation: To keep resources isolated, create a dedicated namespace for this tutorial:
    kubectl create ns demo

    Expected Output:

    namespace/demo created

    Deploying the PostgreSQL Replication Cluster

    KubeBlocks uses a declarative approach for managing PostgreSQL clusters. Below is an example configuration for deploying a PostgreSQL cluster with 2 nodes (1 primary, 1 replica) and a custom password generation policy.

    apiVersion: apps.kubeblocks.io/v1
    kind: Cluster
    metadata:
      name: pg-cluster
      namespace: demo
    spec:
      terminationPolicy: Delete
      clusterDef: postgresql
      topology: replication
      componentSpecs:
        - name: postgresql
          serviceVersion: 16.4.0
          disableExporter: true
          replicas: 2
          systemAccounts:
            - name: postgres
              passwordConfig:
                length: 20              # Password length: 20 characters
                numDigits: 4            # At least 4 digits
                numSymbols: 2           # At least 2 symbols
                letterCase: MixedCases  # Uppercase and lowercase letters
                symbolCharacters: '!'   # set the allowed symbols when generating password
          resources:
            limits:
              cpu: "0.5"
              memory: "0.5Gi"
            requests:
              cpu: "0.5"
              memory: "0.5Gi"
          volumeClaimTemplates:
            - name: data
              spec:
                accessModes:
                  - ReadWriteOnce
                resources:
                  requests:
                    storage: 20Gi

    Explanation of Key Fields

    • systemAccounts: Overrides system accounts defined in the referenced ComponentDefinition.
    • passwordConfig: Customizes the password generation policy for the postgres user.
    • symbolCharacters: Sets the symbols that are allowed when generating the password.

    TIP

    The KubeBlocks PostgreSQL Addon defines a list of system accounts, and only those accounts can be customized with a new secret.

    To get the list of accounts:

    kubectl get cmpd postgresql-16-1.0.0 -oyaml | yq '.spec.systemAccounts[].name'

    Expected Output:

    postgres
    kbadmin
    ...

    Verifying the Deployment

      Monitor the cluster status until it transitions to the Running state:

      kubectl get cluster pg-cluster -n demo -w

      Expected Output:

      NAME         CLUSTER-DEFINITION   TERMINATION-POLICY   STATUS     AGE
      pg-cluster   postgresql           Delete               Creating   50s
      pg-cluster   postgresql           Delete               Running    4m2s

      Once the cluster status becomes Running, your PostgreSQL cluster is ready for use.

      TIP

      If you are creating the cluster for the very first time, it may take some time to pull images before running.

      Connecting to the PostgreSQL Cluster

      KubeBlocks automatically creates a secret containing the credentials of the PostgreSQL postgres user. Retrieve the password with the following command:

      PASSWORD=$(kubectl get secrets -n demo pg-cluster-postgresql-account-postgres -o jsonpath='{.data.password}' | base64 -d)

      To connect to the cluster's primary node, use the PostgreSQL client with the custom password:

      kubectl exec -it -n demo pg-cluster-postgresql-0 -c postgresql -- env PGUSER=postgres PGPASSWORD="$PASSWORD" psql
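
To confirm that the generated password follows the passwordConfig from the manifest, the added example below (not part of the original KubeBlocks guide) checks a password against that policy in POSIX shell. The function name check_password_policy and the sample password are assumptions made for illustration, and the "at least" reading of numDigits and numSymbols follows the comments in the manifest.

```shell
#!/bin/sh
# Added example: check_password_policy is a hypothetical helper, not a KubeBlocks command.
# Usage: check_password_policy PASSWORD LENGTH MIN_DIGITS MIN_SYMBOLS ALLOWED_SYMBOLS
# Prints one line per violated rule and returns non-zero if any rule fails.
# Messages never include password characters, so the output is safe to log.
check_password_policy() (
  pw=$1 want_len=$2 min_digits=$3 min_symbols=$4 allowed=$5
  rc=0
  export LC_ALL=C   # byte-wise classes: only ASCII letters and digits count

  # Delete everything outside each class and measure what remains.
  digits=$(printf '%s' "$pw" | tr -cd '0-9')
  upper=$(printf '%s' "$pw" | tr -cd 'A-Z')
  lower=$(printf '%s' "$pw" | tr -cd 'a-z')
  symbols=$(printf '%s' "$pw" | tr -d 'A-Za-z0-9')

  [ "${#pw}" -eq "$want_len" ] || { echo "length ${#pw}, expected $want_len"; rc=1; }
  [ "${#digits}" -ge "$min_digits" ] || { echo "fewer than $min_digits digits"; rc=1; }
  [ "${#symbols}" -ge "$min_symbols" ] || { echo "fewer than $min_symbols symbols"; rc=1; }
  # letterCase: MixedCases is read as "both cases must be present".
  [ -n "$upper" ] && [ -n "$lower" ] || { echo "missing upper- or lowercase letters"; rc=1; }

  # Every symbol must come from symbolCharacters. The case pattern is quoted,
  # so characters such as * or ? in the allowed set are matched literally.
  rest=$symbols
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}; rest=${rest#?}   # take the first character
    case $allowed in
      *"$c"*) ;;
      *) echo "symbol outside symbolCharacters"; rc=1; break ;;
    esac
  done
  exit "$rc"   # leaves only the function's subshell
)

# Constructed sample value, not a real credential.
check_password_policy 'aB3dE6gH9jK2mN!pQ!rS' 20 4 2 '!' && echo "sample satisfies the policy"
```

With the cluster from this guide, call it as check_password_policy "$PASSWORD" 20 4 2 '!' after retrieving PASSWORD from the secret.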

      Cleanup

      To remove all created resources, delete the PostgreSQL cluster along with its namespace:

      kubectl delete cluster pg-cluster -n demo
      kubectl delete ns demo

      Summary

      In this guide, you:

      • Deployed a PostgreSQL cluster in KubeBlocks with a custom password generation policy.
      • Verified the deployment and connected to the cluster's primary node using the PostgreSQL client.

      © 2025 ApeCloud PTE. Ltd.