The External Secrets Enterprise product suite is a premium product. It requires a specific subscription. Contact us for more information.
In order to use the PostgreSQL User Generator, you must have the Enterprise Distribution of ESO available, either via ESI Agent or via our Helm chart bundle.

Introduction

The PostgreSQL User Generator for ESO allows you to dynamically create and rotate database users with native integration. This is useful when providing applications with scoped credentials to PostgreSQL, reducing the operational overhead of manual user management and improving security posture.

Output Keys and Values

Key       Description
username  The generated PostgreSQL username
password  The generated PostgreSQL password

Parameters

Key                      Default   Description
database                 postgres  The name of the PostgreSQL database to connect to.
host                     Required  The hostname or IP of the PostgreSQL server.
port                     5432      The port used to connect to the PostgreSQL server.
auth.username            postgres  Admin username for authentication.
auth.password.name       Required  Kubernetes secret name containing the admin password.
auth.password.key        Required  Key in the secret that holds the admin password.
user.username            Required  The username to create. A random suffix will be appended.
user.suffixSize          8         Length of the random suffix appended to the username. If set to 0, no suffix is appended.
user.attributes          []        List of PostgreSQL attributes to assign. Each item must be an object with a name field (e.g., CREATEDB) and an optional value field for attributes that require a parameter (e.g., CONNECTION LIMIT).
user.roles               []        List of roles to grant to the user. Roles that do not exist are created with no attributes.
user.destructiveCleanup  false     If true, all owned objects are dropped during cleanup. Otherwise, ownership is reassigned to the reassignTo user.
user.reassignTo          -         The name of the role to which all owned objects should be reassigned during cleanup. auth.username is used if not set.

Set up

PostgreSQL Permissions

The admin user provided in the spec must have sufficient permissions to create and delete users in PostgreSQL. Typically, the built-in postgres admin account has the required permissions.

Generator Config

apiVersion: generators.external-secrets.io/v1alpha1
kind: PostgreSql
metadata:
  name: postgres-generator
  namespace: default
spec:
  host: postgres.default.svc.cluster.local
  port: "5432"
  database: postgres
  auth:
    username: postgres
    password:
      name: pg-admin-secret
      key: password
  user:
    username: appuser
    suffixSize: 6
    attributes:
      - name: CREATEDB
      - name: "CONNECTION LIMIT"
        value: "10"
    roles:
      - pg_read_all_data
      - custom_role
    destructiveCleanup: false

ExternalSecret Config

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: postgres-credentials
  namespace: default
spec:
  refreshInterval: 1h # Rotates every 1 hour
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: PostgreSql
          name: postgres-generator

Using the Generated Secret

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-container
          image: my-image:latest
          env:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: postgres-credentials
                  key: username
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-credentials
                  key: password

Notes and Considerations

  • If destructiveCleanup is true, owned objects are dropped before dropping the user.
  • If destructiveCleanup is false, ownership is reassigned to the user defined in user.reassignTo.
  • If user.reassignTo is not set, the admin user defined in auth.username is used for reassignment.
  • If user.reassignTo does not exist, it will be created with no attributes or roles.
  • Roles listed in user.roles are created if missing and assigned to the generated user.
  • Only the standard PostgreSQL attributes (SUPERUSER, CREATEDB, CREATEROLE, REPLICATION) are supported.
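To make the Generator Config above and these cleanup rules concrete, the following added illustration (not ESO's own code) renders the SQL that the spec's semantics imply, so the effect of user.attributes, user.roles, destructiveCleanup and reassignTo can be reviewed before the admin credentials are handed to the generator. It assumes the random suffix is appended directly to the base username and that the generator rejects attributes outside the set the page documents.

```python
"""Render the SQL implied by a PostgreSql generator spec (added illustration,
not ESO's own code). Assumptions: the random suffix is appended directly to
the base username; attributes and roles map to CREATE ROLE / GRANT / DROP."""
import secrets

FLAG_ATTRS = {"SUPERUSER", "CREATEDB", "CREATEROLE", "REPLICATION"}
VALUE_ATTRS = {"CONNECTION LIMIT": int}  # attributes that take a parameter

def quote_ident(name):  # double-quote identifiers, doubling embedded quotes
    return '"' + name.replace('"', '""') + '"'

def quote_literal(text):  # single-quote literals, doubling embedded quotes
    return "'" + text.replace("'", "''") + "'"

def generated_username(base, suffix_size, suffix=None):
    if suffix_size == 0:  # suffixSize 0 means no suffix is appended
        return base
    suffix = suffix or "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(suffix_size))
    return base + suffix

def ensure_role_sql(role):
    # Roles named in user.roles or user.reassignTo are created if missing, with no attributes.
    return (f"DO $$ BEGIN IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = "
            f"{quote_literal(role)}) THEN CREATE ROLE {quote_ident(role)}; END IF; END $$;")

def create_statements(user, username, password):
    opts = ["LOGIN", f"PASSWORD {quote_literal(password)}"]
    for attr in user.get("attributes", []):
        name = attr["name"].upper()
        if name in FLAG_ATTRS and "value" not in attr:
            opts.append(name)
        elif name in VALUE_ATTRS:  # the converter rejects non-numeric values
            opts.append(f"{name} {VALUE_ATTRS[name](attr['value'])}")
        else:
            raise ValueError(f"unsupported attribute: {attr}")
    stmts = [f"CREATE ROLE {quote_ident(username)} WITH {' '.join(opts)};"]
    for role in user.get("roles", []):
        stmts += [ensure_role_sql(role), f"GRANT {quote_ident(role)} TO {quote_ident(username)};"]
    return stmts

def cleanup_statements(user, admin_username, username):
    u = quote_ident(username)
    if user.get("destructiveCleanup", False):
        stmts = [f"DROP OWNED BY {u};"]  # objects owned by the user are dropped
    else:
        target = user.get("reassignTo") or admin_username
        stmts = [ensure_role_sql(target),
                 f"REASSIGN OWNED BY {u} TO {quote_ident(target)};",
                 f"DROP OWNED BY {u};"]  # after reassignment this only revokes leftover privileges
    return stmts + [f"DROP ROLE {u};"]
```

REASSIGN OWNED and DROP OWNED act only on the database the admin connection is attached to (the spec's database), so objects the generated user owns in other databases will still block DROP ROLE.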