initdb script seems does not respect hba_file configuration option

[EugenKon]

It seems that location of pg_hba.conf file is just hardcoded:

postgres/15/bookworm/docker-entrypoint.sh

Line 253 in 8a631b9

} >> "$PGDATA/pg_hba.conf"

But If I set my custom hba_file, then initdb will create redundant $PGDATA/pg_hba.conf file.

[LaurentGoderre]

You should create your custom hba_file and volume mount it in the image at /var/lib/postgresql/data/pg_hba.conf

[tianon]

Is there some way we can ask PostgreSQL what the hba_file value is? Maybe a CLI incantation?

It might even make sense to wrap this up in a file existence check? (so if pg_hba.conf doesn't exist, we don't create it)

[yosifkit]

Is there some way we can ask PostgreSQL what the hba_file value is? Maybe a CLI incantation?

We ask for the password_encryption in the function appending to pg_hba.conf and we can do the same for hba_file.

postgres/docker-entrypoint.sh

Line 244 in ef9747f

auth="$(postgres -C password_encryption "$@")"

root@da94ae7a13df:/# postgres -C hba_file
postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
# need to run `initdb` or create and configure the `postgresql.conf` file
root@da94ae7a13df:/# gosu postgres initdb
root@da94ae7a13df:/# postgres -C hba_file
/var/lib/postgresql/data/pg_hba.conf

The initdb binary (part of PostgreSQL) is the one creating the pg_hba.conf file and I don't see a way to prevent it (https://www.postgresql.org/docs/16/app-initdb.html).

---

I would hesitate to append to a file in a different/custom location since users might be using that bug to skip/ignore our pg_hba.conf modification and we'd possibly make them less secure than they were expecting.