From 773cb23d9772085fc2877445e38e3ff8b9374a70 Mon Sep 17 00:00:00 2001
From: HackWeasel
Date: Fri, 12 Dec 2025 19:52:32 -0500
Subject: [PATCH] fix: sync tenant DB password from env during init
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Root cause: gt2_tenant_user was created with hardcoded password in init script, but tenant-backend connects with password from .env. Solution: Add 00c-sync-passwords.sh that runs immediately after role creation to sync passwords from environment variables. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5
---
 docker-compose.yml | 1 +
 .../postgresql/unified/00c-sync-passwords.sh | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100755 scripts/postgresql/unified/00c-sync-passwords.sh
diff --git a/docker-compose.yml b/docker-compose.yml
index 7edfdd2..f47f760 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -229,6 +229,7 @@ services:
 - ./scripts/postgresql/unified/00-create-tenant-database.sql:/docker-entrypoint-initdb.d/00-create-database.sql
 - ./scripts/postgresql/tenant-extensions.sql:/docker-entrypoint-initdb.d/00a-init-extensions.sql
 - ./scripts/postgresql/unified/01-create-tenant-roles.sql:/docker-entrypoint-initdb.d/00b-create-roles.sql
+ - ./scripts/postgresql/unified/00c-sync-passwords.sh:/docker-entrypoint-initdb.d/00c-sync-passwords.sh
 - ./scripts/postgresql/unified/04-init-tenant-schema-complete.sql:/docker-entrypoint-initdb.d/01-init-tenant-schema.sql
 - ./scripts/postgresql/unified/05-create-tenant-test-data.sql:/docker-entrypoint-initdb.d/04-create-test-data.sql
 - ./scripts/postgresql/setup-tenant-tablespaces.sql:/docker-entrypoint-initdb.d/02-setup-tablespaces.sql
diff --git a/scripts/postgresql/unified/00c-sync-passwords.sh b/scripts/postgresql/unified/00c-sync-passwords.sh
new file mode 100755
index 0000000..c3a4ea9
--- /dev/null
+++ b/scripts/postgresql/unified/00c-sync-passwords.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# GT 2.0 Password Synchronization Script
+# Runs AFTER role creation to sync passwords from environment variables
+# This ensures passwords match what's in .env, not the hardcoded defaults
+
+set -e
+
+echo "🔐 GT 2.0 Password Sync - Updating passwords from environment..."
+
+# Wait for PostgreSQL to be ready
+until pg_isready -U postgres -d gt2_tenants; do
+ echo "Waiting for PostgreSQL to be ready..."
+ sleep 1
+done
+
+# Update gt2_tenant_user password from environment
+if [ -n "$TENANT_USER_PASSWORD" ]; then
+ psql -U postgres -d gt2_tenants -c "ALTER USER gt2_tenant_user WITH PASSWORD '$TENANT_USER_PASSWORD';" && \
+ echo "✅ Synced gt2_tenant_user password from environment" || \
+ echo "❌ Failed to sync gt2_tenant_user password"
+else
+ echo "⚠️ TENANT_USER_PASSWORD not set - using default password"
+fi
+
+# Update replicator password from environment
+if [ -n "$POSTGRES_REPLICATION_PASSWORD" ]; then
+ psql -U postgres -d gt2_tenants -c "ALTER USER replicator WITH PASSWORD '$POSTGRES_REPLICATION_PASSWORD';" && \
+ echo "✅ Synced replicator password from environment" || \
+ echo "❌ Failed to sync replicator password"
+else
+ echo "⚠️ POSTGRES_REPLICATION_PASSWORD not set - using default password"
+fi
+
+echo "🔐 Password synchronization complete"
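Review bot: Both `psql -c "ALTER USER … WITH PASSWORD '$…';"` calls splice the environment value straight into the SQL text, so a password containing a single quote breaks or rewrites the statement, and the secret appears on the psql command line; send the statement on stdin and let psql quote it through a variable (`:'pw'`), which `-c` does not expand. The `psql … && echo "✅ …" || echo "❌ …"` lists also defeat `set -e`: a failed ALTER only prints a line, the script still ends with "Password synchronization complete", and the role keeps the hardcoded password from the role-creation script. The two unset-variable branches have the same fail-open effect; if the default is meant only for local development, consider making that an explicit opt-in and exiting non-zero otherwise. The fence sketches one helper that would replace both if-blocks.

```shell
# … unchanged: shebang, header comments, set -e, banner echo, pg_isready wait loop …

sync_password() {
  local role=$1 var=$2
  # Fail closed: do not leave the role on the hardcoded default password.
  if [ -z "${!var:-}" ]; then
    echo "❌ $var not set - refusing to keep default password for $role" >&2
    exit 1
  fi
  # :"role" and :'pw' are quoted by psql itself; they are expanded for
  # stdin/-f input only, not for -c. ON_ERROR_STOP makes a failed ALTER
  # return non-zero so set -e aborts the init.
  # NOTE: -v still places the value on psql's argv inside the container;
  # on psql 15+ \getenv can read it from the environment instead.
  psql -v ON_ERROR_STOP=1 -U postgres -d gt2_tenants \
    -v role="$role" -v pw="${!var}" <<'SQL'
ALTER USER :"role" WITH PASSWORD :'pw';
SQL
  echo "✅ Synced $role password from environment"
}

sync_password gt2_tenant_user TENANT_USER_PASSWORD
sync_password replicator POSTGRES_REPLICATION_PASSWORD

# … unchanged: final "Password synchronization complete" echo …
```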