TLS - add OpenShift compatibility #885

Merged
merged 3 commits into from Apr 1, 2020
10 changes: 6 additions & 4 deletions docs/user.md
@@ -572,10 +572,12 @@ However, this certificate cannot be verified and thus doesn't protect from
active MITM attacks. In this section we show how to specify a custom TLS
certificate which is mounted in the database pods via a K8s Secret.

Before applying these changes, the operator must also be configured with the
`spilo_fsgroup` set to the GID matching the postgres user group. If the value
is not provided, the cluster will default to `103` which is the GID from the
default spilo image.
Before applying these changes, in k8s (not in OpenShift) the operator must also
be configured with the `spilo_fsgroup` set to the GID matching the postgres user
group. If you don't know the value, use `103` which is the GID from the default
spilo image (`spilo_fsgroup=103` in the cluster request spec).
If the value is not provided and you are in k8s (not OpenShift), the certificates
will not have proper permissions and the server will not work as desired.

Upload the cert as a kubernetes secret:
```sh
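Review bot: the added paragraph mixes two different parameter names: it first says the operator must be configured with `spilo_fsgroup`, then says `spilo_fsgroup=103` goes "in the cluster request spec", while the manifest comment in this same PR calls the cluster-level field `spiloFSGroup`. Please use the spelling that matches where the value is actually set (the cluster manifest key is written `spiloFSGroup` in `complete-postgres-manifest.yaml`), otherwise readers will copy an operator-config name into a cluster manifest and get no effect. The two sentences that both say "in k8s (not in OpenShift)" repeat each other; folding them into one, e.g. "On Kubernetes (not OpenShift), set `spiloFSGroup` to the GID of the postgres group (103 in the default spilo image); without it the mounted certificate files will not have proper permissions and the server will not work as desired", states the requirement and its consequence once. A short sentence on why OpenShift does not need the setting would also help, since the doc otherwise gives the reader no basis for the distinction.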
2 changes: 2 additions & 0 deletions manifests/complete-postgres-manifest.yaml
@@ -109,3 +109,5 @@ spec:
certificateFile: "tls.crt"
privateKeyFile: "tls.key"
caFile: "" # optionally configure Postgres with a CA certificate
# When TLS is enabled, also set spiloFSGroup parameter above to the relevant value.
# if unknown, set it to 103 which is the usual value in the default spilo images.
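Review bot: the two added comment lines point the reader to a setting somewhere else in the file ("spiloFSGroup parameter above") instead of showing it next to the TLS fields it is a precondition for; since this is the "complete" example manifest, a commented line such as `# spiloFSGroup: 103` placed here beside `certificateFile`/`privateKeyFile` would make the dependency visible where it matters, or at least name what the GID must match (the postgres group inside the image). Minor: the second line should start with a capital ("If unknown, ...") and the wording should agree with user.md, which calls 103 "the GID from the default spilo image" while this comment says "the usual value in the default spilo images".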
12 changes: 2 additions & 10 deletions pkg/cluster/k8sres.go
@@ -36,9 +36,6 @@ const (
localHost = "127.0.0.1/32"
connectionPoolContainer = "connection-pool"
pgPort = 5432

// the gid of the postgres user in the default spilo image
spiloPostgresGID = 103
)

type pgUser struct {
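Review bot: removing `spiloPostgresGID` leaves the value 103 with no definition in code at all; it now lives only as prose in docs/user.md and a manifest comment, which is exactly where it will drift unnoticed if the spilo image ever changes the postgres GID. Go allows an unused package-level constant, so keeping `spiloPostgresGID = 103` together with its comment `// the gid of the postgres user in the default spilo image` costs nothing and gives the docs a single place to cite. If the intent is that the operator must never assume a GID on its own, say that in the constant's comment rather than deleting the only in-code record of the number.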
@@ -983,13 +980,8 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef

// configure TLS with a custom secret volume
if spec.TLS != nil && spec.TLS.SecretName != "" {
if effectiveFSGroup == nil {
c.logger.Warnf("Setting the default FSGroup to satisfy the TLS configuration")
fsGroup := int64(spiloPostgresGID)
effectiveFSGroup = &fsGroup
}
// this is combined with the FSGroup above to give read access to the
// postgres user
// this is combined with the FSGroup in the section above will
// give read access to the postgres user
defaultMode := int32(0640)
volumes = append(volumes, v1.Volume{
Name: "tls-secret",
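Review bot: with the defaulting block removed, a cluster on plain Kubernetes that sets `spec.TLS.SecretName` but no fsGroup now gets the secret mounted with `defaultMode := int32(0640)` and no group the postgres process can rely on, so, as the docs hunk in this PR itself says, the certificate files "will not have proper permissions" and the failure only surfaces later inside the pod; the deleted `c.logger.Warnf(...)` was the one signal of that misconfiguration. Please keep a warning in the `effectiveFSGroup == nil` case (stating that the TLS files may be unreadable unless the platform assigns an fsGroup) or, better, reject the spec at validation time when TLS is requested without an fsGroup on a non-OpenShift platform, rather than producing a silently broken cluster. The rewritten comment "this is combined with the FSGroup in the section above will / give read access to the postgres user" is also ungrammatical and refers to a section that no longer exists; something like "combined with the FSGroup set earlier in this function, mode 0640 gives the postgres group read access to the key" describes what the code now does.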