From 6ed10308380cbe87e63c92eed0490bde05811229 Mon Sep 17 00:00:00 2001 From: ReSearchITEng Date: Wed, 1 Apr 2020 10:39:54 +0300 Subject: [PATCH] TLS - add OpenShift compatibility (#885) * solves https://github.com/zalando/postgres-operator/pull/798#issuecomment-605201260 Co-authored-by: Felix Kunde --- docs/user.md | 13 +++++++++---- manifests/complete-postgres-manifest.yaml | 2 ++ pkg/cluster/k8sres.go | 12 ++---------- 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/docs/user.md b/docs/user.md index 8c79bb485..dba157d90 100644 --- a/docs/user.md +++ b/docs/user.md @@ -572,10 +572,15 @@ However, this certificate cannot be verified and thus doesn't protect from active MITM attacks. In this section we show how to specify a custom TLS certificate which is mounted in the database pods via a K8s Secret. -Before applying these changes, the operator must also be configured with the -`spilo_fsgroup` set to the GID matching the postgres user group. If the value -is not provided, the cluster will default to `103` which is the GID from the -default spilo image. +Before applying these changes, in k8s the operator must also be configured with +the `spilo_fsgroup` set to the GID matching the postgres user group. If you +don't know the value, use `103` which is the GID from the default spilo image +(`spilo_fsgroup=103` in the cluster request spec). + +OpenShift allocates the users and groups dynamically (based on scc), and their +range is different in every namespace. Due to this dynamic behaviour, it's not +trivial to know at deploy time the uid/gid of the user in the cluster. +This way, in OpenShift, you may want to skip the spilo_fsgroup setting. Upload the cert as a kubernetes secret: ```sh diff --git a/manifests/complete-postgres-manifest.yaml b/manifests/complete-postgres-manifest.yaml index c82f1eac5..27dfc5f93 100644 --- a/manifests/complete-postgres-manifest.yaml +++ b/manifests/complete-postgres-manifest.yaml 
@@ -109,3 +109,5 @@ spec:
 certificateFile: "tls.crt"
 privateKeyFile: "tls.key"
 caFile: "" # optionally configure Postgres with a CA certificate
+# When TLS is enabled, also set spiloFSGroup parameter above to the relevant value.
+# if unknown, set it to 103 which is the usual value in the default spilo images.
diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
index c4919c62d..ee46f81e7 100644
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@@ -37,9 +37,6 @@ const (
 localHost = "127.0.0.1/32"
 connectionPoolContainer = "connection-pool"
 pgPort = 5432
-
- // the gid of the postgres user in the default spilo image
- spiloPostgresGID = 103
 )
 type pgUser struct {
@@ -990,13 +987,8 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
 // configure TLS with a custom secret volume
 if spec.TLS != nil && spec.TLS.SecretName != "" {
- if effectiveFSGroup == nil {
- c.logger.Warnf("Setting the default FSGroup to satisfy the TLS configuration")
- fsGroup := int64(spiloPostgresGID)
- effectiveFSGroup = &fsGroup
- }
- // this is combined with the FSGroup above to give read access to the
- // postgres user
+ // this is combined with the FSGroup in the section above
+ // to give read access to the postgres user
 defaultMode := int32(0640)
 volumes = append(volumes, v1.Volume{
 Name: "tls-secret",
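Review bot: With the fallback removed, a cluster that sets spec.TLS.SecretName but leaves spiloFSGroup unset now proceeds silently, and the secret is still mounted with defaultMode 0640, so the postgres user may be unable to read the key and the only symptom is a failing pod. Keeping the warning without the default would make this diagnosable from operator logs: `if effectiveFSGroup == nil { c.logger.Warnf("TLS secret configured without spiloFSGroup; the postgres user may be unable to read the mounted key") }`. The same gap is in the docs hunk, which tells OpenShift users they may skip the setting but not what the operator does in that case. generateStatefulSet starts and ends outside the hunk; effectiveFSGroup, which the removed code read, is set above it.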