refactor pooler tls support and set pooler pod security context #2255
Conversation
@heilerich could you check for me that with this PR, your problems with Pooler TLS will be solved? The image you can use is: registry.opensource.zalan.do/acid/postgres-operator-test:c9f4e9c-pr-2255-3
I tested with
and could find no apparent problems. Thanks for the effort 👍🏻
👍
@FxKu
This is a follow-up PR to #2219 which refactors the way the volume mounts are generated for spilo and pooler pods when spec.TLS is specified. My idea here is to have just one function in k8sres.go which generates environment variables and additional volumes to be used for the pod templates. For pooler pods we do not use the generatePodTemplate function, so the rest of the code is a little different there.
There are a few fixes along the way:
- spec.TLS.SecretName AND spec.TLS.CASecretName
- FSGroup of pooler pod securityContext but also RunAsUser and RunAsGroup. See also Set SecurityContext for connection pooler #2225 which uses hardcoded values user: 100 and group: 101. Seems that this is burned into our pgbouncer image so we should not reuse the spilo config values.
- Bumping the pooler image with support of CONNECTION_POOLER_CLIENT_CA_FILE.
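The properties the PR description lists for a pooler pod (a pod securityContext with runAsUser 100, runAsGroup 101 and an fsGroup; both the server TLS secret and the CA secret mounted as volumes; CONNECTION_POOLER_CLIENT_CA_FILE pointing at a file inside the CA secret's mount) can be checked on a rendered pod spec. The script below is an added example, not code from the postgres-operator project or this PR: the secret names, volume names and mount paths in the sample pod specs are constructed assumptions, and only the 100/101 ids and the CONNECTION_POOLER_CLIENT_CA_FILE variable come from the PR text.

```python
"""Sanity checks for a rendered connection-pooler pod spec (added example).

Values taken from the PR description: uid 100 / gid 101 (baked into the
pgbouncer image) and the CONNECTION_POOLER_CLIENT_CA_FILE variable. Secret
names, volume names and mount paths below are constructed for illustration.
"""
from typing import Dict, List

POOLER_UID = 100   # from the PR: user baked into the pgbouncer image
POOLER_GID = 101   # from the PR: group baked into the pgbouncer image
CA_FILE_ENV = "CONNECTION_POOLER_CLIENT_CA_FILE"


def _first_container(pod: Dict) -> Dict:
    containers = pod.get("spec", {}).get("containers", [])
    return containers[0] if containers else {}


def _secret_volumes(pod: Dict) -> Dict[str, str]:
    """Map volume name -> secretName for every secret-backed volume."""
    out: Dict[str, str] = {}
    for vol in pod.get("spec", {}).get("volumes", []):
        secret = vol.get("secret")
        if secret and "secretName" in secret:
            out[vol["name"]] = secret["secretName"]
    return out


def check_pooler_pod(pod: Dict, tls_secret: str, ca_secret: str) -> List[str]:
    """Return a list of findings; an empty list means the spec looks right."""
    findings: List[str] = []

    # 1. Pod-level securityContext: fixed uid/gid plus an fsGroup so the
    #    mounted secret files are readable by the pgbouncer process.
    sc = pod.get("spec", {}).get("securityContext", {})
    for key, want in (("runAsUser", POOLER_UID), ("runAsGroup", POOLER_GID)):
        if sc.get(key) != want:
            findings.append(f"securityContext.{key} is {sc.get(key)!r}, expected {want}")
    if "fsGroup" not in sc:
        findings.append("securityContext.fsGroup is not set; secret files may be unreadable")

    # 2. Both the server TLS secret and the CA secret must be mounted.
    volumes = _secret_volumes(pod)
    mounted_secrets = set(volumes.values())
    for name in (tls_secret, ca_secret):
        if name not in mounted_secrets:
            findings.append(f"secret {name!r} is not mounted as a volume")

    # 3. The CA file env var must point into the CA secret's mount path.
    container = _first_container(pod)
    mount_paths = {m["name"]: m["mountPath"] for m in container.get("volumeMounts", [])}
    env = {e["name"]: e.get("value") for e in container.get("env", [])}
    ca_file = env.get(CA_FILE_ENV)
    if ca_file is None:
        findings.append(f"{CA_FILE_ENV} is not set")
    else:
        ca_mounts = [mount_paths[v] for v, s in volumes.items()
                     if s == ca_secret and v in mount_paths]
        if not any(ca_file.startswith(p.rstrip("/") + "/") for p in ca_mounts):
            findings.append(f"{CA_FILE_ENV}={ca_file!r} does not point into the CA secret mount")
    return findings


# Constructed sample pod specs (not taken from the operator).
GOOD_POD = {
    "spec": {
        "securityContext": {"runAsUser": 100, "runAsGroup": 101, "fsGroup": 101},
        "volumes": [
            {"name": "tls-secret", "secret": {"secretName": "pooler-server-tls"}},
            {"name": "tls-ca", "secret": {"secretName": "pooler-ca"}},
        ],
        "containers": [{
            "name": "connection-pooler",
            "volumeMounts": [
                {"name": "tls-secret", "mountPath": "/tls/server"},
                {"name": "tls-ca", "mountPath": "/tls/ca"},
            ],
            "env": [{"name": CA_FILE_ENV, "value": "/tls/ca/ca.crt"}],
        }],
    }
}

# Same pod with the spilo uid reused, no fsGroup, and the CA secret missing.
BAD_POD = {
    "spec": {
        "securityContext": {"runAsUser": 101},
        "volumes": [
            {"name": "tls-secret", "secret": {"secretName": "pooler-server-tls"}},
        ],
        "containers": [{
            "name": "connection-pooler",
            "volumeMounts": [{"name": "tls-secret", "mountPath": "/tls/server"}],
            "env": [{"name": CA_FILE_ENV, "value": "/tls/server/ca.crt"}],
        }],
    }
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        print(label, check_pooler_pod(pod, "pooler-server-tls", "pooler-ca"))
```

The same function can be run against `kubectl get pod <pooler-pod> -o json` output once the pod name and the two secret names from the cluster's spec.TLS are filled in.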