Workload Identity not working in logical backups for GCS #2589

Open
pavars opened this issue Mar 21, 2024 · 0 comments

Comments

@pavars

pavars commented Mar 21, 2024

  • Which image of the operator are you using?
    registry.opensource.zalan.do/acid/postgres-operator:v1.11.0
  • Where do you run it - cloud or metal?
    GKE cloud
  • Are you running Postgres Operator in production?
    yes
  • Type of issue?
    Bug report

Steps to reproduce

  1. Deploy Zalando Postgres Operator with Workload Identity/Application Default Credentials using a k8s service account that is linked to a GCP IAM service account and has permissions to the GCS bucket
  2. Enable logical backups to GCS
  3. Wait for backup jobs to start failing
  4. Seems like WAL archiving is working properly; only logical backups are having issues

Expected outcome
Logical backups are uploaded without issues to the GCS bucket. It seems to me that the gsutil used in the backup job is not properly inheriting the service account or doesn't even try to expand Application Default Credentials.

Actual Outcome
Logical backups are failing constantly; WAL archiving works.
[attached screenshot of the failing backup job not reproduced here]

Configuration

```yaml
image:
  registry: registry.opensource.zalan.do
  repository: acid/postgres-operator
  tag: v1.11.0
  pullPolicy: "Always"

enableJsonLogging: true
configGeneral:
  workers: 8
podServiceAccount:
  name: postgres-operator-gcp

configUsers:
  replication_username: standby
  super_username: postgres

configKubernetes:
  cluster_name_label: dev-k8s
  enable_cross_namespace_secret: true
  enable_pod_antiaffinity: true
  pod_antiaffinity_topology_key: "kubernetes.io/hostname"
  pod_environment_configmap: "postgres/pod-env-overrides"
  secret_name_template: "{username}.{cluster}.credentials"
  delete_annotation_date_key: "delete-date"
  delete_annotation_name_key: "delete-clustername"

configLoadBalancer:
  db_hosted_zone: db.dev.internal.com

configAwsOrGcp:
  wal_gs_bucket: "postgres-wal"

configLogicalBackup:
  # this is used also for gcs despite name
  logical_backup_s3_bucket: "postgres-backups"
  logical_backup_provider: "gcs"
  logical_backup_schedule: "30 00 * * *"

configTeamsApi:
  pam_role_name: db

resources:
  limits:
    cpu: 500m
    memory: 500Mi
  requests:
    cpu: 100m
    memory: 250Mi
```
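The report above leaves open whether the backup pod ever receives a Google service account through Workload Identity, or whether it is gsutil that fails to use one that is there. The following diagnostic is an added example, written for this page and not code from the issue author or from the postgres-operator project. It is meant to be run as a pod using the same Kubernetes service account (KSA) as the logical-backup CronJob (which is selected by the operator's `pod_service_account_name` option, not by the operator's own `podServiceAccount` shown in the configuration above; confirm this against your deployment). It assumes a GKE cluster with Workload Identity enabled, where the GKE metadata server at `metadata.google.internal` presents the pod's identity; `kubectl` access to read the KSA is needed for the live run, and the constructed YAML and e-mail strings used in the checks are sample values, not taken from any real project.

```bash
#!/usr/bin/env bash
# Added diagnostic (not part of postgres-operator or the issue): verify that a pod running
# with the logical-backup job's KSA actually receives a Google service account (GSA) via
# Workload Identity, so that gsutil / Application Default Credentials have an identity to use.
# Assumes GKE; the metadata server endpoints below are the real GCE/GKE ones.
set -euo pipefail

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"

# Ask the metadata server which identity this pod is given (live call, needs GKE).
fetch_identity_email() {
  curl -sf -H "Metadata-Flavor: Google" "${METADATA_URL}/email"
}

# Ask the metadata server which OAuth scopes a token for this pod carries (live call).
fetch_token_scopes() {
  curl -sf -H "Metadata-Flavor: Google" "${METADATA_URL}/scopes"
}

# Classify an identity e-mail string:
#   workload-identity : a user-managed GSA (<name>@<project>.iam.gserviceaccount.com),
#                       which is what the Workload Identity annotation should map the pod to
#   node-default      : the Compute Engine default SA, i.e. the pod sees the node's identity
#                       instead of a Workload Identity mapping
#   none / unknown    : no usable GSA was presented
classify_identity() {
  local email="${1:-}"
  case "$email" in
    "")                                       echo "none" ;;
    *-compute@developer.gserviceaccount.com)  echo "node-default" ;;
    *@*.iam.gserviceaccount.com)              echo "workload-identity" ;;
    *)                                        echo "unknown" ;;
  esac
}

# Extract the GSA named by the iam.gke.io/gcp-service-account annotation from
# `kubectl get serviceaccount <ksa> -o yaml` output read on stdin (prints nothing if absent).
ksa_annotation_gsa() {
  awk '/iam\.gke\.io\/gcp-service-account:/ {
         sub(/.*gcp-service-account:[[:space:]]*/, ""); gsub(/"/, ""); print; exit }'
}

# Return 0 if the newline-separated scope list allows GCS access, 1 otherwise.
scopes_allow_gcs() {
  case "${1:-}" in
    *devstorage*|*cloud-platform*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live run inside a pod:  ./wi_check.sh --live <ksa-name> [namespace]
if [ "${1:-}" = "--live" ]; then
  ksa="${2:?usage: $0 --live <ksa-name> [namespace]}"
  ns="${3:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
  annotated="$(kubectl -n "$ns" get serviceaccount "$ksa" -o yaml | ksa_annotation_gsa)"
  presented="$(fetch_identity_email || true)"
  scopes="$(fetch_token_scopes || true)"
  echo "KSA annotation -> GSA : ${annotated:-<missing>}"
  echo "metadata server email : ${presented:-<none>} ($(classify_identity "$presented"))"
  if scopes_allow_gcs "$scopes"; then echo "token scopes allow GCS"; else echo "token scopes do NOT allow GCS"; fi
  if [ -n "$annotated" ] && [ "$annotated" = "$presented" ]; then
    echo "Workload Identity mapping OK; gsutil should be able to use ADC from the metadata server"
  else
    echo "Workload Identity mapping is not effective for this pod"; exit 1
  fi
fi
```

If the live run reports a matching annotation and metadata-server e-mail with GCS-capable scopes, the identity side is fine and the problem is in how the backup image invokes gsutil; if the metadata server presents the node's default SA or nothing, the backup job is running under a KSA that is not the annotated one, which is the first thing to reconcile.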