Skip to content

feat: added support for WAL-G SSH_PASSWORD #1165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kevinvalk wants to merge 1 commit into
base: trigger
Choose a base branch
from
Open

feat: added support for WAL-G SSH_PASSWORD #1165

kevinvalk wants to merge 1 commit into from

Conversation

@kevinvalk
Copy link

@kevinvalk kevinvalk commented Dec 23, 2025
edited
Loading

The original omission of SSH_PASSWORD in #549 was motivated by general SSH best practices, which primarily apply to interactive, internet-exposed SSH usage. In the Spilo + WAL-G context, this assumption does not necessarily hold.

In Kubernetes-based, GitOps-managed deployments, both SSH identities and SSH passwords are ultimately stored as Kubernetes Secrets and therefore have the same protection level inside the cluster (RBAC, etcd encryption at rest, namespace isolation). From that perspective, there is no inherent security difference between the two once they are mounted into a pod.

Moreover, in many GitOps setups, SSH keys are generated outside the cluster and stored (encrypted) in Git, then decrypted by Flux or CI at deploy time. In contrast, an SSH_PASSWORD can be generated directly inside the cluster using standard secret generators, never leaving the cluster boundary at all. For those environments, this can reduce secret sprawl and external handling of long-lived credentials, which is a concrete and practical security improvement.

This PR does not argue that password-based SSH is universally preferable. It simply acknowledges that:

  • Spilo is used in tightly controlled, often cluster-local backup topologies
  • operational constraints differ between environments
  • users should be able to choose the authentication mechanism that best fits their security model

When used as intended (cluster-local SSH, restricted network access, non-root users), enabling SSH_PASSWORD does not meaningfully weaken the security model, while significantly improving deployment flexibility and GitOps ergonomics.

For environments where SSH is exposed outside the cluster, SSH key or certificate-based authentication remains the recommended option.

closes #788 and #819

@zalando-robot
Copy link

zalando-robot commented Dec 23, 2025

Cannot start a pipeline due to:

No accountable user for this pipeline: no Zalando employee associated to this GitHub username

Click on pipeline status check Details link below for more information.

@kevinvalk kevinvalk changed the title feat: added support for WAL-G SSH_PASSWORD (closes #788 and #819) feat: added support for WAL-G SSH_PASSWORD Dec 23, 2025
@kevinvalk kevinvalk mentioned this pull request Dec 23, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add SSH_PASSWORD environment variable for wal-g

2 participants

@kevinvalk @zalando-robot