minor fixes to password rotation

2022-02-23 16:13:49 +01:00 · 2022-02-23 16:13:49 +01:00 · 1e0b7286bd
parent 2d2386f519
commit 1e0b7286bd
3 changed files with 17 additions and 13 deletions
--- a/docs/administrator.md
+++ b/docs/administrator.md
@ -306,10 +306,10 @@ The interval of days can be set with `password_rotation_interval` (default
 are replaced in the K8s secret. They belong to a newly created user named after
 the original role plus rotation date in YYMMDD format. All priviliges are
 inherited meaning that migration scripts should still grant and revoke rights
-against the original role. The timestamp of the next rotation is written to the
-secret as well. Note, if the rotation interval is decreased it is reflected in
-the secrets only if the next rotation date is more days away than the new
-length of the interval.
+against the original role. The timestamp of the next rotation (in RFC 3339
+format, UTC timezone) is written to the secret as well. Note, if the rotation
+interval is decreased it is reflected in the secrets only if the next rotation
+date is more days away than the new length of the interval.

 Pods still using the previous secret values which they keep in memory continue
 to connect to the database since the password of the corresponding user is not
--- a/manifests/complete-postgres-manifest.yaml
+++ b/manifests/complete-postgres-manifest.yaml
@ -17,8 +17,12 @@ spec:
    - superuser
    - createdb
    foo_user: []
-#  usersWithSecretRotation: "foo_user"
-#  usersWithInPlaceSecretRotation: "flyway,bar_owner_user"
+#    flyway: [] 
+#  usersWithSecretRotation:
+#  - foo_user
+#  usersWithInPlaceSecretRotation:
+#  - flyway
+#  - bar_owner_user
  enableMasterLoadBalancer: false
  enableReplicaLoadBalancer: false
  enableConnectionPooler: false # enable/disable connection pooler deployment
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@ -611,11 +611,6 @@ func (c *Cluster) checkAndSetGlobalPostgreSQLConfiguration(pod *v1.Pod, patroniC
 	return requiresMasterRestart, nil
 }

-func (c *Cluster) getNextRotationDate(currentDate time.Time) (time.Time, string) {
-	nextRotationDate := currentDate.AddDate(0, 0, int(c.OpConfig.PasswordRotationInterval))
-	return nextRotationDate, nextRotationDate.Format("2006-01-02 15:04:05")
-}
-
 func (c *Cluster) syncSecrets() error {

 	c.logger.Info("syncing secrets")
@ -673,6 +668,11 @@ func (c *Cluster) syncSecrets() error {
 	return nil
 }

+func (c *Cluster) getNextRotationDate(currentDate time.Time) (time.Time, string) {
+	nextRotationDate := currentDate.AddDate(0, 0, int(c.OpConfig.PasswordRotationInterval))
+	return nextRotationDate, nextRotationDate.Format(time.RFC3339)
+}
+
 func (c *Cluster) updateSecret(
 	secretUsername string,
 	generatedSecret *v1.Secret,
@ -718,7 +718,7 @@ func (c *Cluster) updateSecret(

 		// initialize password rotation setting first rotation date
 		nextRotationDateStr = string(secret.Data["nextRotation"])
-		if nextRotationDate, err = time.ParseInLocation("2006-01-02 15:04:05", nextRotationDateStr, time.Local); err != nil {
+		if nextRotationDate, err = time.ParseInLocation(time.RFC3339, nextRotationDateStr, time.Now().UTC().Location()); err != nil {
 			nextRotationDate, nextRotationDateStr = c.getNextRotationDate(currentTime)
 			secret.Data["nextRotation"] = []byte(nextRotationDateStr)
 			updateSecret = true
@ -748,7 +748,7 @@ func (c *Cluster) updateSecret(
 			}
 			secret.Data["password"] = []byte(util.RandomPassword(constants.PasswordLength))

-			_, nextRotationDateStr = c.getNextRotationDate(nextRotationDate)
+			_, nextRotationDateStr = c.getNextRotationDate(currentTime)
 			secret.Data["nextRotation"] = []byte(nextRotationDateStr)

 			updateSecret = true