Summary

When deploying Magda with external AWS RDS PostgreSQL, DB migrator hooks can fail during post-install / post-upgrade because:

1. Migrator credentials are driven by global.postgresql.postgresqlUsername (default postgres) + db-main-account-secret.postgresql-password.
2. Many RDS setups use a non-postgres master user (e.g. magda_admin), so the default can point to the wrong privileged account.
3. magda-db-migrator currently uses Flyway 4.2.0, which does not support SCRAM auth. On PostgreSQL 14/15+ (RDS defaults), this can fail with The authentication type 10 is not supported.

The result is failed migrator hooks and partial/broken app rollout.

Evidence

• Migrator uses env user (defaults to postgres):
  • magda-db-migrator/migrate.sh
    • CREATE DATABASE ... OWNER = ${PGUSER:-postgres}
    • flyway ... -user=${PGUSER:-postgres}
• Helm injects migrator user from global.postgresql.postgresqlUsername defaulting to postgres:
  • deploy/helm/magda-core/templates/_helpers.tpl (magda.postgres-migrator-env)
• Main DB secret design exposes only password key (postgresql-password), not username:
  • deploy/helm/magda-core/templates/db-main-account-secret.yaml
• Runtime errors observed in migrator hook pods:
  • psql: FATAL: password authentication failed for user "postgres"
  • Unable to obtain Jdbc connection ... The authentication type 10 is not supported

Reproduction

1. Configure chart for RDS:
   • global.useAwsRdsDb=true
   • global.awsRdsEndpoint=<rds endpoint>
2. Set app DB settings for non-postgres account (e.g. global.dbUser=magda_admin), but leave global.postgresql.postgresqlUsername at default.
3. Install/upgrade chart.
4. Observe DB migrator hook job crash/fail and dependent services failing startup.

Expected

RDS deployments should work out-of-the-box when global.dbUser points to the intended privileged account, and migrator connectivity should support modern PostgreSQL auth defaults.

Actual

Migrators can attempt postgres by default and/or fail SCRAM auth with Flyway 4.2.

Proposed fixes

1. Reduce config foot-gun:
   • When useAwsRdsDb/useCloudSql is enabled, align migrator privileged user with external DB settings (or fail fast with clear validation if global.postgresql.postgresqlUsername is left default and likely incorrect).
2. Add explicit docs/examples for external DB:
   • clearly require setting global.postgresql.postgresqlUsername and corresponding password secret for that account.
3. Upgrade migrator stack:
   • move off Flyway 4.2.0 / old JDBC to versions that support SCRAM (PostgreSQL 14/15/16 defaults).
4. Optional hardening:
   • support a dedicated migrator username key in secret (or explicit value key) to avoid implicit coupling.

Impact

• Helm release can fail or hang on hooks.
• Schema not migrated, causing follow-on service failures.
• Affects external managed PostgreSQL deployments (RDS/Cloud SQL), especially modern default auth settings.