From 15ec6a920d71282d28ce8239423c0239c7b28e02 Mon Sep 17 00:00:00 2001 From: Aaron Miller <1521726+aaroniscode@users.noreply.github.com> Date: Wed, 3 Apr 2019 11:13:39 -0400 Subject: [PATCH 1/2] Config option to allow Spilo container to run non-privileged. (#525) * Config option to allow Spilo container to run non-privileged. Runs non-privileged by default. Fixes #395 * add spilo_privileged to manifests/configmap.yaml * add spilo_privileged to helm chart's values.yaml --- charts/postgres-operator/values.yaml | 1 + docs/reference/operator_parameters.md | 3 +++ manifests/configmap.yaml | 1 + manifests/postgresql-operator-default-configuration.yaml | 1 + pkg/apis/acid.zalan.do/v1/operator_configuration_type.go | 1 + pkg/cluster/k8sres.go | 3 ++- pkg/controller/operator_config.go | 1 + pkg/util/config/config.go | 1 + 8 files changed, 11 insertions(+), 1 deletion(-) diff --git a/charts/postgres-operator/values.yaml b/charts/postgres-operator/values.yaml index 5a4c48974..1f3397bad 100644 --- a/charts/postgres-operator/values.yaml +++ b/charts/postgres-operator/values.yaml @@ -25,6 +25,7 @@ config: secret_name_template: '{username}.{cluster}.credentials' super_username: postgres enable_teams_api: "false" + spilo_privileged: "false" # set_memory_request_to_limit: "true" # postgres_superuser_teams: "postgres_superusers" # enable_team_superuser: "false" diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md index 6332e6d8a..11fee3846 100644 --- a/docs/reference/operator_parameters.md +++ b/docs/reference/operator_parameters.md 
@@ -212,6 +212,9 @@ configuration they are grouped under the `kubernetes` key. class](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass) that should be assigned to the Postgres pods. The priority class itself must be defined in advance. Default is empty (use the default priority class). + +* **spilo_privileged** + whether the Spilo container should run in privileged mode. Privileged mode is used for AWS volume resizing and not required if you don't need that capability. The default is `false`. * **master_pod_move_timeout** The period of time to wait for the success of migration of master pods from an unschedulable node. diff --git a/manifests/configmap.yaml b/manifests/configmap.yaml index 28babdfe6..9b951e582 100644 --- a/manifests/configmap.yaml +++ b/manifests/configmap.yaml @@ -15,6 +15,7 @@ data: secret_name_template: '{username}.{cluster}.credentials' super_username: postgres enable_teams_api: "false" + spilo_privileged: "false" # custom_service_annotations: # "keyx:valuez,keya:valuea" # set_memory_request_to_limit: "true" diff --git a/manifests/postgresql-operator-default-configuration.yaml b/manifests/postgresql-operator-default-configuration.yaml index 5b9de1073..ef88fdd25 100644 --- a/manifests/postgresql-operator-default-configuration.yaml +++ b/manifests/postgresql-operator-default-configuration.yaml @@ -23,6 +23,7 @@ configuration: secret_name_template: "{username}.{cluster}.credentials.{tprkind}.{tprgroup}" oauth_token_secret_name: postgresql-operator pod_role_label: spilo-role + spilo_privileged: false cluster_labels: application: spilo # inherited_labels: diff --git a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go index dde9b624b..a13575de2 100644 --- a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go +++ b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go 
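Review bot: Check that the added `spilo_privileged: false` in postgresql-operator-default-configuration.yaml sits under the `kubernetes:` section and not directly under `configuration:`; the operator copies it from `fromCRD.Kubernetes.SpiloPrivileged` (operator_config.go in this same patch), so a key at the wrong nesting level is silently ignored and the field keeps its zero value. The collapsed indentation in this diff makes the nesting impossible to confirm here, though the neighbouring `pod_role_label` and `cluster_labels` keys suggest it is in the right place. Because the zero value is also `false`, a misplaced key would not show up in testing; a quick test that sets it to `true` through the CRD and checks the generated container would catch this.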
@@ -45,6 +45,7 @@ type KubernetesMetaConfiguration struct {
 PodServiceAccountDefinition string `json:"pod_service_account_definition,omitempty"`
 PodServiceAccountRoleBindingDefinition string `json:"pod_service_account_role_binding_definition,omitempty"`
 PodTerminateGracePeriod Duration `json:"pod_terminate_grace_period,omitempty"`
+ SpiloPrivileged bool `json:"spilo_privileged,omitemty"`
 WatchedNamespace string `json:"watched_namespace,omitempty"`
 PDBNameFormat config.StringTemplate `json:"pdb_name_format,omitempty"`
 SecretNameTemplate config.StringTemplate `json:"secret_name_template,omitempty"`
diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
index 6f86edd85..a156b89d6 100644
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@@ -358,8 +358,8 @@ func generateSpiloContainer(
 resourceRequirements *v1.ResourceRequirements,
 envVars []v1.EnvVar,
 volumeMounts []v1.VolumeMount,
+ privilegedMode bool,
 ) *v1.Container {
- privilegedMode := true
 return &v1.Container{
 Name: name,
 Image: *dockerImage,
@@ -797,6 +797,7 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*v1beta1.State
 resourceRequirements,
 spiloEnvVars,
 volumeMounts,
+ c.OpConfig.Resources.SpiloPrivileged,
 )
 
 // resolve conflicts between operator-global and per-cluster sidecars
diff --git a/pkg/controller/operator_config.go b/pkg/controller/operator_config.go
index bca0f5b34..ea7ac1b3f 100644
--- a/pkg/controller/operator_config.go
+++ b/pkg/controller/operator_config.go
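Review bot: The json tag on the added `SpiloPrivileged` field is misspelled — `omitemty` instead of `omitempty` — so encoding/json treats it as an unknown option and the field is never omitted when false, unlike every neighbouring field in the struct; the tag should read `json:"spilo_privileged,omitempty"`. Unmarshalling from the CRD is unaffected because the key name itself is correct, so the typo is only visible when the configuration is marshalled back out, which is why it is easy to miss. `KubernetesMetaConfiguration` starts and ends outside the hunk.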
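Review bot: Replacing the removed `privilegedMode := true` with an operator-config value that defaults to `false` is the right security direction, but it is an upgrade-visible change: on the next sync every existing Spilo StatefulSet presumably gets a changed SecurityContext and a rolling restart, and deployments relying on in-container AWS volume resizing (the one use the docs in this patch name) silently lose that capability until `spilo_privileged` is set. The place where `privilegedMode` feeds the container's SecurityContext, and the volume-resize path, are both outside the hunk, so I cannot confirm the wiring; the resize path should check this flag and return a clear error rather than fail inside the pod. A comment on the new parameter, e.g. `// privilegedMode sets SecurityContext.Privileged on the Spilo container; only needed for in-container (AWS) volume resizing`, plus an upgrade note, would make the trade-off explicit. `generateSpiloContainer`'s parameter list begins before the hunk and its body continues after it.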
@@ -41,6 +41,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 result.PodServiceAccountRoleBindingDefinition = fromCRD.Kubernetes.PodServiceAccountRoleBindingDefinition
 result.PodEnvironmentConfigMap = fromCRD.Kubernetes.PodEnvironmentConfigMap
 result.PodTerminateGracePeriod = time.Duration(fromCRD.Kubernetes.PodTerminateGracePeriod)
+ result.SpiloPrivileged = fromCRD.Kubernetes.SpiloPrivileged
 result.WatchedNamespace = fromCRD.Kubernetes.WatchedNamespace
 result.PDBNameFormat = fromCRD.Kubernetes.PDBNameFormat
 result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
index b52c57873..b2374e042 100644
--- a/pkg/util/config/config.go
+++ b/pkg/util/config/config.go
@@ -26,6 +26,7 @@ type Resources struct {
 PodDeletionWaitTimeout time.Duration `name:"pod_deletion_wait_timeout" default:"10m"`
 PodTerminateGracePeriod time.Duration `name:"pod_terminate_grace_period" default:"5m"`
 PodPriorityClassName string `name:"pod_priority_class_name"`
+ SpiloPrivileged bool `name:"spilo_privileged" default:"false"`
 ClusterLabels map[string]string `name:"cluster_labels" default:"application:spilo"`
 InheritedLabels []string `name:"inherited_labels" default:""`
 ClusterNameLabel string `name:"cluster_name_label" default:"cluster-name"`
From 67b2fc40c027b0674bd77d9b1a5039b918839f17 Mon Sep 17 00:00:00 2001
From: Felix Kunde
Date: Thu, 4 Apr 2019 19:55:00 +0200
Subject: [PATCH 2/2] update db connection part in user docs (#536)

---
 docs/user.md | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/docs/user.md b/docs/user.md
index a0569fe2b..bab09f8c9 100644
--- a/docs/user.md
+++ b/docs/user.md
@@ -43,13 +43,25 @@ $ kubectl get pods -w --show-labels
 
 ## Connect to PostgreSQL
 
-We can use the generated secret of the `postgres` robot user to connect to our `acid-minimal-cluster` master running in Minikube:
+With a `port-forward` on one of the database pods (e.g. the master) you can
+connect to the PostgreSQL database. Use labels to filter for the master pod of
+our test cluster.
+
+```bash
+# get name of master pod of acid-minimal-cluster
+export PGMASTER=$(kubectl get pods -o jsonpath={.items..metadata.name} -l application=spilo,version=acid-minimal-cluster,spilo-role=master)
+
+# set up port forward
+kubectl port-forward $PGMASTER 6432:5432
+```
+
+Open another CLI and connect to the database. Use the generated secret of the
+`postgres` robot user to connect to our `acid-minimal-cluster` master running
+in Minikube:
 
 ```bash
-$ export PGHOST=db_host
-$ export PGPORT=db_port
 $ export PGPASSWORD=$(kubectl get secret postgres.acid-minimal-cluster.credentials -o 'jsonpath={.data.password}' | base64 -d)
-$ psql -U postgres
+$ psql -U postgres -p 6432
 ```
 
 # Defining database roles in the operator