TLS - add OpenShift compatibility (#885)

* solves https://github.com/zalando/postgres-operator/pull/798#issuecomment-605201260
Co-authored-by: Felix Kunde <felix-kunde@gmx.de>
ReSearchITEng 2020-04-01 10:39:54 +03:00 committed by GitHub
parent 64d816c556
commit 6ed1030838
3 changed files with 13 additions and 14 deletions


@ -572,10 +572,15 @@ However, this certificate cannot be verified and thus doesn't protect from
active MITM attacks. In this section we show how to specify a custom TLS active MITM attacks. In this section we show how to specify a custom TLS
certificate which is mounted in the database pods via a K8s Secret. certificate which is mounted in the database pods via a K8s Secret.
Before applying these changes, the operator must also be configured with the Before applying these changes, in k8s the operator must also be configured with
`spilo_fsgroup` set to the GID matching the postgres user group. If the value the `spilo_fsgroup` set to the GID matching the postgres user group. If you
is not provided, the cluster will default to `103` which is the GID from the don't know the value, use `103` which is the GID from the default spilo image
default spilo image. (`spilo_fsgroup=103` in the cluster request spec).
OpenShift allocates the users and groups dynamically (based on scc), and their
range is different in every namespace. Due to this dynamic behaviour, it's not
trivial to know at deploy time the uid/gid of the user in the cluster.
This way, in OpenShift, you may want to skip the spilo_fsgroup setting.
Upload the cert as a kubernetes secret: Upload the cert as a kubernetes secret:
```sh ```sh


@ -109,3 +109,5 @@ spec:
certificateFile: "tls.crt" certificateFile: "tls.crt"
privateKeyFile: "tls.key" privateKeyFile: "tls.key"
caFile: "" # optionally configure Postgres with a CA certificate caFile: "" # optionally configure Postgres with a CA certificate
# When TLS is enabled, also set spiloFSGroup parameter above to the relevant value.
# if unknown, set it to 103 which is the usual value in the default spilo images.
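Review bot: The new comment tells every reader to set `spiloFSGroup` when TLS is enabled, while the docs changed in this same commit say OpenShift users may want to skip it because the gid is allocated dynamically per namespace; the example manifest should carry the same caveat so the two do not contradict each other. Suggest a third comment line, `# On OpenShift, where uid/gid are allocated per namespace, you may leave spiloFSGroup unset.`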


@ -37,9 +37,6 @@ const (
localHost = "127.0.0.1/32" localHost = "127.0.0.1/32"
connectionPoolContainer = "connection-pool" connectionPoolContainer = "connection-pool"
pgPort = 5432 pgPort = 5432
// the gid of the postgres user in the default spilo image
spiloPostgresGID = 103
) )
type pgUser struct { type pgUser struct {
@ -990,13 +987,8 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
// configure TLS with a custom secret volume // configure TLS with a custom secret volume
if spec.TLS != nil && spec.TLS.SecretName != "" { if spec.TLS != nil && spec.TLS.SecretName != "" {
if effectiveFSGroup == nil { // this is combined with the FSGroup in the section above
c.logger.Warnf("Setting the default FSGroup to satisfy the TLS configuration") // to give read access to the postgres user
fsGroup := int64(spiloPostgresGID)
effectiveFSGroup = &fsGroup
}
// this is combined with the FSGroup above to give read access to the
// postgres user
defaultMode := int32(0640) defaultMode := int32(0640)
volumes = append(volumes, v1.Volume{ volumes = append(volumes, v1.Volume{
Name: "tls-secret", Name: "tls-secret",
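Review bot: With the `effectiveFSGroup == nil` fallback removed, a non-OpenShift cluster that enables TLS without `spiloFSGroup` now mounts the secret with `defaultMode` 0640 and no fsGroup, so the key is presumably unreadable by the postgres user and the failure only surfaces when postgres starts. The removed `c.logger.Warnf` at least made that visible; keep a warning on the same condition without forcing a group, `if effectiveFSGroup == nil { c.logger.Warnf("TLS secret mounted without an FSGroup; the postgres user may not be able to read it (set spiloFSGroup unless running on OpenShift)") }`. The rest of `generateStatefulSet`, including the FSGroup handling the new comment points to, lies outside this hunk.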