diff --git a/README.md b/README.md
index 27430070e..3151cc647 100644
--- a/README.md
+++ b/README.md
@@ -72,6 +72,8 @@ docker pull ghcr.io/voxpupuli/puppetdb:7.13.0-v1.2.1
| **PUPPETDB_POSTGRES_DATABASE** | The name of the puppetdb database in postgres
`puppetdb` |
| **PUPPETDB_USER** | The puppetdb database user
`puppetdb` |
| **PUPPETDB_PASSWORD** | The puppetdb database password
`puppetdb` |
+| **PUPPETDB_READ_USER** | The puppetdb database read-only user
(optional) |
+| **PUPPETDB_READ_PASSWORD** | The puppetdb database read-only password
(optional) |
| **PUPPETDB_NODE_TTL** | Mark as ‘expired’ nodes that haven’t seen any activity (no new catalogs, facts, or reports) in the specified amount of time
`7d` |
| **PUPPETDB_NODE_PURGE_TTL** | Automatically delete nodes that have been deactivated or expired for the specified amount of time
`14d` |
| **PUPPETDB_REPORT_TTL** | Automatically delete reports that are older than the specified amount of time
`14d` |
diff --git a/puppetdb/Dockerfile b/puppetdb/Dockerfile
index ae6a9ae2e..54bb8e755 100644
--- a/puppetdb/Dockerfile
+++ b/puppetdb/Dockerfile
@@ -22,6 +22,8 @@ ENV PUPPETDB_POSTGRES_HOSTNAME="postgres" \
WAITFORCERT="" \
PUPPETDB_USER=puppetdb \
PUPPETDB_PASSWORD=puppetdb \
+ PUPPETDB_READ_USER="" \
+ PUPPETDB_READ_PASSWORD="" \
PUPPETDB_NODE_TTL=7d \
PUPPETDB_NODE_PURGE_TTL=14d \
PUPPETDB_REPORT_TTL=14d \
diff --git a/puppetdb/conf.d/read-database.conf b/puppetdb/conf.d/read-database.conf
new file mode 100644
index 000000000..74aa211f7
--- /dev/null
+++ b/puppetdb/conf.d/read-database.conf
@@ -0,0 +1,5 @@
+read-database: {
+ subname: "//"${PUPPETDB_POSTGRES_HOSTNAME}":"${PUPPETDB_POSTGRES_PORT}"/"${PUPPETDB_POSTGRES_DATABASE}
+ username: ${PUPPETDB_READ_USER}
+ password: ${PUPPETDB_READ_PASSWORD}
+}
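Review bot: The new read-database.conf has no comment saying that it is optional, or that the account it names is read-only only if the PostgreSQL role was provisioned that way. Nothing in these five lines restricts what the user can do, and the `subname` points at the same host and database as the write connection. A header comment would make both points visible to operators, for example `# Optional: docker-entrypoint.sh deletes this file unless both PUPPETDB_READ_USER and PUPPETDB_READ_PASSWORD are set.` followed by `# The role must be limited to read-only privileges in PostgreSQL; this file does not enforce that.`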
diff --git a/puppetdb/docker-entrypoint.sh b/puppetdb/docker-entrypoint.sh
index 33d8567a4..c0528e9be 100755
--- a/puppetdb/docker-entrypoint.sh
+++ b/puppetdb/docker-entrypoint.sh
@@ -3,6 +3,11 @@
set -e
+# Remove optional config files if values are not set
+if [[ ( -z "$PUPPETDB_READ_USER" || -z "$PUPPETDB_READ_PASSWORD" ) && -e /etc/puppetlabs/puppetdb/conf.d/read-database.conf ]]; then
+ rm /etc/puppetlabs/puppetdb/conf.d/read-database.conf
+fi
+
for f in /docker-entrypoint.d/*.sh; do
echo "Running $f"
"$f"