fix to pooler TLS support #2219
Conversation
I checked it with the following configs:

```sh
#!/bin/sh
set -ex

# Refuse silently running the pool as the database superuser: warn instead.
if [ "$PGUSER" = "postgres" ]; then
  echo "WARNING: pgbouncer will connect with superuser privileges!"
  echo "You need to fix this as soon as possible."
fi

# No client TLS cert supplied: generate a throwaway self-signed pair.
# Otherwise link the files from the mounted secret volume into place.
if [ -z "${CONNECTION_POOLER_CLIENT_TLS_CRT}" ]; then
  openssl req -nodes -new -x509 -subj /CN=spilo.dummy.org \
    -keyout /etc/ssl/certs/pgbouncer.key \
    -out /etc/ssl/certs/pgbouncer.crt
else
  ln -s /tls/tls.crt /etc/ssl/certs/pgbouncer.crt
  ln -s /tls/tls.key /etc/ssl/certs/pgbouncer.key
  ln -s /tls/ca.crt /etc/ssl/certs/ca.crt
fi

# Render the config and auth file from their templates, then hand over to pgbouncer.
envsubst < /etc/pgbouncer/pgbouncer.ini.tmpl > /etc/pgbouncer/pgbouncer.ini
envsubst < /etc/pgbouncer/auth_file.txt.tmpl > /etc/pgbouncer/auth_file.txt
exec /bin/pgbouncer /etc/pgbouncer/pgbouncer.ini
```
Ok, you have one more line in the entrypoint script
this endpoint shows what this worked with
What I meant is that I can change the entrypoint of our pgBouncer docker image to:
But the operator does not set this
@FxKu done
Thanks, but the code looks quite different to what we do with spilo pods. CA should not be set when it's not defined in the manifest. For spilo pods we also use a second volume mount (
@FxKu done
} | ||
if spec.TLS.CASecretName != "" { | ||
mountPathCA = mountPath + "ca" | ||
} |
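Review bot: the CA path in this fragment is built by plain concatenation, `mountPathCA = mountPath + "ca"`, which only lands inside the TLS mount if `mountPath` happens to end with a separator; `path.Join(mountPath, "ca")` avoids a silent `/tlsca`-style result. A path alone also does not make the CA file appear in the container: the CA secret still needs its own volume and volume mount, and neither is added here.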
I believe we need a second volume mount when introducing CA file support. Hm ... can you remove everything about CA file support from this PR, as it looks pretty half-baked at the moment and is not tested?
I will mount the CA
@@ -402,6 +415,12 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) ( | |||
}, | |||
} | |||
|
|||
if spec.TLS != nil && spec.TLS.SecretName != "" && spec.SpiloFSGroup != nil { | |||
podTemplate.Spec.SecurityContext = &v1.PodSecurityContext{ | |||
FSGroup: spec.SpiloFSGroup, |
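Review bot: assigning `podTemplate.Spec.SecurityContext = &v1.PodSecurityContext{FSGroup: spec.SpiloFSGroup}` replaces whatever security context the pod template already carries, so any field set on it earlier in this function is lost; create the struct only when `podTemplate.Spec.SecurityContext` is nil and otherwise set `.FSGroup` on the existing one. The condition also silently skips the fsGroup when `spec.SpiloFSGroup` is nil, which is exactly the case in which the mounted key stays unreadable for the pooler; consider logging that, or documenting that pooler TLS needs `spiloFSGroup` in the manifest.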
Why should it get the spilo FS group, btw? Can it also get its own? Would an extra config option make sense?
You mean an additional fsGroup in the CRD pooler block?
There could be extra settings in the pooler struct, yes. But, on the other hand, we're already re-using TLS settings from postgresql.spec, so I'm fine with copying SpiloFSGroup too, as it would be convenient to users of this feature. No extra config necessary in the manifest.
Was just wondering if somebody might want this FSGroup setting to be different from spilo...
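The thread above settles two things: the CA secret needs its own (second) volume mount, only when the manifest names one, and the pooler pod reuses `SpiloFSGroup` so the non-root pgbouncer process can read the mounted key. The following is an added example, not code from this PR or from postgres-operator, that puts both rules in one function. The struct types are deliberately minimal stand-ins for the `k8s.io/api/core/v1` types (so it compiles without the Kubernetes module), and the mount path `/tls/`, the volume names and the `0640` default mode are assumptions chosen to match the `ln -s /tls/...` lines in the entrypoint script earlier in the thread.

```go
package main

import (
	"fmt"
	"path"
)

// Minimal stand-ins for the k8s.io/api/core/v1 types the operator's pod template
// uses (assumption: only the fields this example touches are modelled).
type Volume struct {
	Name        string
	SecretName  string
	DefaultMode int32
}

type VolumeMount struct {
	Name      string
	MountPath string
	ReadOnly  bool
}

type PodSecurityContext struct {
	FSGroup   *int64
	RunAsUser *int64
}

type PodSpec struct {
	Volumes         []Volume
	Mounts          []VolumeMount
	SecurityContext *PodSecurityContext
}

// TLSDescription mirrors the postgresql.spec.tls block the pooler reuses.
type TLSDescription struct {
	SecretName   string
	CASecretName string
}

type PostgresSpec struct {
	TLS          *TLSDescription
	SpiloFSGroup *int64
}

// tlsMountPath is an assumption matching the /tls/ directory the entrypoint links from.
const tlsMountPath = "/tls/"

// applyPoolerTLS wires the TLS secret (and, only if configured, the CA secret) into
// the pooler pod and sets the fsGroup the pgbouncer process needs to read the key.
func applyPoolerTLS(spec *PostgresSpec, pod *PodSpec) {
	if spec.TLS == nil || spec.TLS.SecretName == "" {
		return // no TLS in the manifest: nothing to mount, security context untouched
	}

	// Server cert/key: read-only mount with a restrictive mode. The fsGroup set below
	// is what makes a 0640 key readable for the container's non-root uid.
	pod.Volumes = append(pod.Volumes, Volume{Name: "tls-secret", SecretName: spec.TLS.SecretName, DefaultMode: 0640})
	pod.Mounts = append(pod.Mounts, VolumeMount{Name: "tls-secret", MountPath: tlsMountPath, ReadOnly: true})

	// The CA comes from a separate secret, so it needs its own volume and mount
	// (the "second volume mount" from the review). Skip it entirely when the
	// manifest does not name a CA secret. path.Join avoids a "/tlsca" result.
	if spec.TLS.CASecretName != "" {
		pod.Volumes = append(pod.Volumes, Volume{Name: "tls-ca", SecretName: spec.TLS.CASecretName, DefaultMode: 0640})
		pod.Mounts = append(pod.Mounts, VolumeMount{Name: "tls-ca", MountPath: path.Join(tlsMountPath, "ca"), ReadOnly: true})
	}

	// Reuse SpiloFSGroup, but extend the existing security context rather than
	// replacing it, so fields set earlier in the template (e.g. RunAsUser) survive.
	if spec.SpiloFSGroup != nil {
		if pod.SecurityContext == nil {
			pod.SecurityContext = &PodSecurityContext{}
		}
		pod.SecurityContext.FSGroup = spec.SpiloFSGroup
	}
}

func main() {
	fsGroup := int64(103)
	// Constructed sample manifest values, not taken from any real cluster.
	spec := &PostgresSpec{
		TLS:          &TLSDescription{SecretName: "pooler-tls", CASecretName: "pooler-ca"},
		SpiloFSGroup: &fsGroup,
	}
	pod := &PodSpec{}
	applyPoolerTLS(spec, pod)
	for _, m := range pod.Mounts {
		fmt.Printf("mount %s -> %s (readOnly=%v)\n", m.Name, m.MountPath, m.ReadOnly)
	}
	fmt.Printf("fsGroup: %d\n", *pod.SecurityContext.FSGroup)
}
```

With a CA secret configured the pod ends up with two volumes, `/tls/` and `/tls/ca`; without one it gets only the first, and a manifest without `spiloFSGroup` leaves the security context as it was, which is the case in which the mounted key will not be readable by the pooler.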
👍
Ok @2tvenom. Thanks for your input so far. I will take it from here 😃
Last PR #2216 was checked and does not work. Added a security context fsGroup to correctly load the TLS cert from the mounted volume.