
refactor pooler tls support and set pooler pod security context #2255

Merged (9 commits, Apr 17, 2023)

Conversation

FxKu
Member

@FxKu FxKu commented Mar 7, 2023

This is a follow-up PR to #2219 which refactors the way the volume mounts are generated for spilo and pooler pods when spec.TLS is specified. My idea here is to unify this and have just one function in k8sres.go which generates environment variables and additional volumes to be used for the pod templates. For pooler pods we do not use the generatePodTemplate function, so the rest of the code is a little different there.

There are a few fixes along the way:

  • Do not set CONNECTION_POOLER_CLIENT_CA_FILE when spec.TLS.CAFile is empty
  • Make sure we define two volumes for pooler TLS support for spec.TLS.SecretName AND spec.TLS.CASecretName
  • Set not only FSGroup of pooler pod securityContext but also RunAsUser and RunAsGroup. See also Set SecurityContext for connection pooler #2225 which uses hardcoded values user: 100 and group: 101. Seems that this is burned into our pgbouncer image so we should not reuse the spilo config values.

Bumping the pooler image, which supports CONNECTION_POOLER_CLIENT_CA_FILE.
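As an added example (not the operator's own code), a stand-alone Go sketch of the volume and environment-variable rules the PR description lays out for pooler pods: the struct types are simplified stand-ins for the corev1 types, and the mount paths /tls and /tls/ca are assumptions.

```go
package main

import "fmt"

// Simplified stand-ins for the k8s.io/api/core/v1 types (assumption: trimmed
// to the fields this example needs so it runs without the Kubernetes modules).
type Volume struct{ Name, SecretName string }
type VolumeMount struct{ Name, MountPath string }
type EnvVar struct{ Name, Value string }

// TLSSpec carries the spec.TLS fields the PR refers to.
type TLSSpec struct{ SecretName, CAFile, CASecretName string }

// poolerTLSConfig derives the pooler pod's TLS volumes, mounts and environment
// from spec.TLS following the rules stated in the PR:
//   - one volume for spec.TLS.SecretName and a second one when a separate
//     spec.TLS.CASecretName is given,
//   - CONNECTION_POOLER_CLIENT_CA_FILE only when spec.TLS.CAFile is non-empty.
// The mount paths /tls and /tls/ca are assumptions for this example.
func poolerTLSConfig(tls TLSSpec) ([]Volume, []VolumeMount, []EnvVar) {
	if tls.SecretName == "" {
		return nil, nil, nil // TLS not configured: nothing to mount
	}
	const certMount, caMount = "/tls", "/tls/ca"
	volumes := []Volume{{Name: "tls-secret", SecretName: tls.SecretName}}
	mounts := []VolumeMount{{Name: "tls-secret", MountPath: certMount}}
	caDir := certMount // CA ships in the server cert secret unless told otherwise
	if tls.CASecretName != "" && tls.CASecretName != tls.SecretName {
		volumes = append(volumes, Volume{Name: "tls-ca-secret", SecretName: tls.CASecretName})
		mounts = append(mounts, VolumeMount{Name: "tls-ca-secret", MountPath: caMount})
		caDir = caMount
	}
	var env []EnvVar
	if tls.CAFile != "" { // an empty CAFile must not produce a dangling path
		env = append(env, EnvVar{Name: "CONNECTION_POOLER_CLIENT_CA_FILE", Value: caDir + "/" + tls.CAFile})
	}
	return volumes, mounts, env
}

func main() {
	// Constructed sample spec: server cert secret plus a separate CA secret.
	v, m, e := poolerTLSConfig(TLSSpec{SecretName: "pg-tls", CAFile: "ca.crt", CASecretName: "pg-ca"})
	fmt.Println(v, m, e)
}
```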

@FxKu FxKu added this to the 1.9.1 milestone Mar 7, 2023
@FxKu FxKu changed the title set pooler pod security context refactor pooler tls support and set pooler pod security context Mar 7, 2023
@FxKu
Member Author

FxKu commented Mar 13, 2023

@heilerich could you check for me that with this PR, your problems with Pooler TLS will be solved?

The image you can use is: registry.opensource.zalan.do/acid/postgres-operator-test:c9f4e9c-pr-2255-3

@heilerich

I tested with

registry.opensource.zalan.do/acid/postgres-operator-test:1954846-pr-2255-5
registry.opensource.zalan.do/acid/pgbouncer:master-27

and could find no apparent problems. Thanks for the effort 👍🏻

@idanovinda
Member

👍

@FxKu
Member Author

FxKu commented Apr 17, 2023

👍

@cdmikechen
Contributor

@FxKu
Setting runAsUser directly is not allowed on, for example, Openshift.
So I think we should change the serviceaccount of the pooler to postgres-pod as well, otherwise the pooler will not be created correctly.

Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
