fix to pooler TLS support (#2219)

* fix to pooler TLS support, security context fsGroup added (#2216) * add environment variable of CA cert path in pooler pod template * additional logic for custom CA secrets and mount path * fix ca file name
2023-03-07 18:20:28 +03:00 · 2023-03-07 18:20:28 +03:00 · 6953f72bee
parent d504aeba6a
commit 6953f72bee
1 changed files with 21 additions and 2 deletions
--- a/pkg/cluster/connection_pooler.go
+++ b/pkg/cluster/connection_pooler.go
@ -348,20 +348,33 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 		// Env vars
 		crtFile := spec.TLS.CertificateFile
 		keyFile := spec.TLS.PrivateKeyFile
 		caFile := spec.TLS.CAFile
 		mountPath := "/tls"
 		mountPathCA := mountPath
 		if crtFile == "" {
 			crtFile = "tls.crt"
 		}
 		if keyFile == "" {
 			keyFile = "tls.key"
 		}
 		if caFile == "" {
 			caFile = "ca.crt"
 		}
 		if spec.TLS.CASecretName != "" {
 			mountPathCA = mountPath + "ca"
 		}
 		envVars = append(
 			envVars,
 			v1.EnvVar{
-				Name: "CONNECTION_POOLER_CLIENT_TLS_CRT", Value: filepath.Join("/tls", crtFile),
+				Name: "CONNECTION_POOLER_CLIENT_TLS_CRT", Value: filepath.Join(mountPath, crtFile),
 			},
 			v1.EnvVar{
-				Name: "CONNECTION_POOLER_CLIENT_TLS_KEY", Value: filepath.Join("/tls", keyFile),
+				Name: "CONNECTION_POOLER_CLIENT_TLS_KEY", Value: filepath.Join(mountPath, keyFile),
 			},
 			v1.EnvVar{
 				Name: "CONNECTION_POOLER_CLIENT_CA_FILE", Value: filepath.Join(mountPathCA, caFile),
 			},
 		)
@ -402,6 +415,12 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 		},
 	}
 	if spec.TLS != nil && spec.TLS.SecretName != "" && spec.SpiloFSGroup != nil {
 		podTemplate.Spec.SecurityContext = &v1.PodSecurityContext{
 			FSGroup: spec.SpiloFSGroup,
 		}
 	}
 	nodeAffinity := c.nodeAffinity(c.OpConfig.NodeReadinessLabel, spec.NodeAffinity)
 	if c.OpConfig.EnablePodAntiAffinity {
 		labelsSet := labels.Set(c.connectionPoolerLabels(role, false).MatchLabels)