From f97c66574b6bb39b0de3af7088c16b737ec0d384 Mon Sep 17 00:00:00 2001
From: 2tvenom <2tvenom@gmail.com>
Date: Mon, 13 Feb 2023 20:41:53 +0300
Subject: [PATCH 1/4] fix to pooler TLS support, security context fsGroup added (#2216)
---
 pkg/cluster/connection_pooler.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkg/cluster/connection_pooler.go b/pkg/cluster/connection_pooler.go
index eed6c30f8..896a9b1f3 100644
--- a/pkg/cluster/connection_pooler.go
+++ b/pkg/cluster/connection_pooler.go
@@ -402,6 +402,12 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 },
 }
 
+ if spec.TLS != nil && spec.TLS.SecretName != "" && spec.SpiloFSGroup != nil {
+ podTemplate.Spec.SecurityContext = &v1.PodSecurityContext{
+ FSGroup: spec.SpiloFSGroup,
+ }
+ }
+
 nodeAffinity := c.nodeAffinity(c.OpConfig.NodeReadinessLabel, spec.NodeAffinity)
 if c.OpConfig.EnablePodAntiAffinity {
 labelsSet := labels.Set(c.connectionPoolerLabels(role, false).MatchLabels)
From 468d9c214e8bce7d54d5c3a40e9eee6efda38d19 Mon Sep 17 00:00:00 2001
From: 2tvenom <2tvenom@gmail.com>
Date: Thu, 16 Feb 2023 14:46:30 +0300
Subject: [PATCH 2/4] add environment variable of CA cert path in pooler pod template
---
 pkg/cluster/connection_pooler.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/pkg/cluster/connection_pooler.go b/pkg/cluster/connection_pooler.go
index 896a9b1f3..8f8b7e55a 100644
--- a/pkg/cluster/connection_pooler.go
+++ b/pkg/cluster/connection_pooler.go
@@ -348,12 +348,16 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 // Env vars
 crtFile := spec.TLS.CertificateFile
 keyFile := spec.TLS.PrivateKeyFile
+ caFile := spec.TLS.CAFile
 if crtFile == "" {
 crtFile = "tls.crt"
 }
 if keyFile == "" {
 keyFile = "tls.key"
 }
+ if caFile == "" {
+ keyFile = "ca.crt"
+ }
 
 envVars = append(
 envVars,
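Review bot: The added block ties the pooler pod's fsGroup to TLS being configured, so a cluster that sets spiloFSGroup without a TLS secret gets no fsGroup on its pooler pods, and the assignment installs a fresh PodSecurityContext that would overwrite anything already placed on podTemplate.Spec.SecurityContext earlier in the function (that part is outside the hunk, so whether one exists there is not visible). Since the fsGroup is presumably wanted so the mounted secret files are group-readable by the pooler process, gating on the value alone keeps the two concerns apart: `if spec.SpiloFSGroup != nil {`. If the operator configuration carries a default fsGroup for the Spilo pods, it is not consulted here either, which deserves a comment such as `// only the per-cluster spiloFSGroup is applied to the pooler pod`. generateConnectionPoolerPodTemplate starts and ends outside the hunk.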
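Review bot: The default CA file name is stored in the wrong variable at `+ keyFile = "ca.crt"`, so whenever spec.TLS.CAFile is empty the private-key path is silently replaced with ca.crt and CONNECTION_POOLER_CLIENT_CA_FILE keeps an empty name; the line should read `caFile = "ca.crt"`. PATCH 4/4 of this series corrects it, so squashing that fix into this commit would keep every intermediate commit bisectable with a working pooler TLS configuration. The condition guarding this block and the enclosing function start outside the hunk.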
@@ -363,6 +367,9 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 v1.EnvVar{
 Name: "CONNECTION_POOLER_CLIENT_TLS_KEY", Value: filepath.Join("/tls", keyFile),
 },
+ v1.EnvVar{
+ Name: "CONNECTION_POOLER_CLIENT_CA_FILE", Value: filepath.Join("/tls", caFile),
+ },
 )
 
 // Volume
From 675a47442df7534e35fd740f011343dbce13046a Mon Sep 17 00:00:00 2001
From: 2tvenom <2tvenom@gmail.com>
Date: Thu, 16 Feb 2023 17:36:39 +0300
Subject: [PATCH 3/4] additional logic for custom CA secrets and mount path
---
 pkg/cluster/connection_pooler.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/pkg/cluster/connection_pooler.go b/pkg/cluster/connection_pooler.go
index 8f8b7e55a..57e3ceaa5 100644
--- a/pkg/cluster/connection_pooler.go
+++ b/pkg/cluster/connection_pooler.go
@@ -349,6 +349,9 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 crtFile := spec.TLS.CertificateFile
 keyFile := spec.TLS.PrivateKeyFile
 caFile := spec.TLS.CAFile
+ mountPath := "/tls"
+ mountPathCA := mountPath
+
 if crtFile == "" {
 crtFile = "tls.crt"
 }
@@ -358,17 +361,20 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 if caFile == "" {
 keyFile = "ca.crt"
 }
+ if spec.TLS.CASecretName != "" {
+ mountPathCA = mountPath + "ca"
+ }
 
 envVars = append(
 envVars,
 v1.EnvVar{
- Name: "CONNECTION_POOLER_CLIENT_TLS_CRT", Value: filepath.Join("/tls", crtFile),
+ Name: "CONNECTION_POOLER_CLIENT_TLS_CRT", Value: filepath.Join(mountPath, crtFile),
 },
 v1.EnvVar{
- Name: "CONNECTION_POOLER_CLIENT_TLS_KEY", Value: filepath.Join("/tls", keyFile),
+ Name: "CONNECTION_POOLER_CLIENT_TLS_KEY", Value: filepath.Join(mountPath, keyFile),
 },
 v1.EnvVar{
- Name: "CONNECTION_POOLER_CLIENT_CA_FILE", Value: filepath.Join("/tls", caFile),
+ Name: "CONNECTION_POOLER_CLIENT_CA_FILE", Value: filepath.Join(mountPathCA, caFile),
 },
 )
 
From 1c418a17b14c9c0a57194320426a0bbba5ab1182 Mon Sep 17 00:00:00 2001
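Review bot: CONNECTION_POOLER_CLIENT_CA_FILE is appended on every pass through this TLS block, even when spec.TLS.CAFile is empty and the name falls back to the default, so the pooler is handed a CA path that the TLS secret may not contain. How the pooler image consumes the variable is not on the page: a path that does not exist either fails at startup or is silently ignored, and in the second case no verification happens and nothing reports it. Either append the entry only when a CA file is actually configured, or state the expectation next to the default, e.g. `// the TLS secret is expected to contain ca.crt unless spec.TLS.CAFile names another key`. The condition guarding this block and the enclosing function start outside the hunk.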
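Review bot: `mountPathCA = mountPath + "ca"` in the second hunk of PATCH 3/4 resolves to /tlsca, yet the hunk only changes the environment variable value; no hunk in this series adds a volume or volumeMount for spec.TLS.CASecretName, so unless that mount exists elsewhere in the function the pooler is pointed at a directory nothing populates. It is also unclear whether a sibling mount /tlsca or a subdirectory /tls/ca was intended; spelling the literal out, `mountPathCA = "/tlsca"`, and reusing the same variable for the volumeMount would remove the ambiguity and keep the env var and the mount from drifting apart. The enclosing function starts and ends outside the hunk.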
From: 2tvenom <2tvenom@gmail.com>
Date: Thu, 16 Feb 2023 22:41:09 +0300
Subject: [PATCH 4/4] fix ca file name
---
 pkg/cluster/connection_pooler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cluster/connection_pooler.go b/pkg/cluster/connection_pooler.go
index 57e3ceaa5..1c7e7bcb8 100644
--- a/pkg/cluster/connection_pooler.go
+++ b/pkg/cluster/connection_pooler.go
@@ -359,7 +359,7 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 keyFile = "tls.key"
 }
 if caFile == "" {
- keyFile = "ca.crt"
+ caFile = "ca.crt"
 }
 if spec.TLS.CASecretName != "" {
 mountPathCA = mountPath + "ca"
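Review bot: No test covers the default file name this hunk corrects: none of the four patches touch a unit test for generateConnectionPoolerPodTemplate, and the variable mix-up repaired here is exactly what an assertion on the generated env vars would have caught. A test that builds the template with spec.TLS set and checks the values of CONNECTION_POOLER_CLIENT_TLS_CRT, CONNECTION_POOLER_CLIENT_TLS_KEY and CONNECTION_POOLER_CLIENT_CA_FILE, once with and once without spec.TLS.CASecretName, would pin both the default names and the /tls versus /tlsca paths introduced in PATCH 3/4. The enclosing function starts and ends outside the hunk.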