[bitnami/postgresql-ha]Adds SSL connections between pgpool and postgr… (#6497)
* [bitnami/postgresql-ha] Adds SSL connections between pgpool and postgresql * Fixes _helpers subroutines. Link to documentation * Removes empty line in Chart.yaml Co-authored-by: rafael <rafael@bitnami.com>
committed by
GitHub
parent
e197fde4ce
commit
302a62e39b
@@ -27,4 +27,4 @@ name: postgresql-ha
|
||||
sources:
|
||||
- https://github.com/bitnami/bitnami-docker-postgresql
|
||||
- https://www.postgresql.org/
|
||||
version: 7.5.4
|
||||
version: 7.6.0
|
||||
|
||||
@@ -160,6 +160,12 @@ The following table lists the configurable parameters of the PostgreSQL HA chart
|
||||
| `postgresql.initdbScripts` | Dictionary of initdb scripts | `nil` |
|
||||
| `postgresql.initdbScriptsCM` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` |
|
||||
| `postgresql.initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with initdbScriptsCM or initdbScripts). The value is evaluated as a template. | `nil` |
|
||||
| `postgresql.tls.enabled` | Enable TLS traffic support for end-client connections | `false` |
|
||||
| `postgresql.tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
|
||||
| `postgresql.tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` |
|
||||
| `postgresql.tls.certFilename` | Certificate filename | `""` |
|
||||
| `postgresql.tls.certKeyFilename` | Certificate key filename | `""` |
|
||||
| `postgresql.tls.certCAFilename` | CA Certificate filename. If provided, PgPool will authenticate TLS/SSL clients by requesting them a certificate. | `nil` |
|
||||
| **Pgpool** | | |
|
||||
| `pgpoolImage.registry` | Registry for Pgpool | `docker.io` |
|
||||
| `pgpoolImage.repository` | Repository for Pgpool | `bitnami/pgpool` |
|
||||
@@ -367,33 +373,9 @@ As an alternative, this chart supports using an initContainer to change the owne
|
||||
|
||||
You can enable this initContainer by setting `volumePermissions.enabled` to `true`.
|
||||
|
||||
### Securing Pgpool traffic using TLS
|
||||
### Securing traffic using TLS
|
||||
|
||||
TLS for end-client connections can be enabled in the chart by specifying the `pgpool.tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
|
||||
|
||||
- `pgpool.tls.enabled`: Enable TLS support. Defaults to `false`
|
||||
- `pgpool.tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
|
||||
- `pgpool.tls.certFilename`: Certificate filename. No defaults.
|
||||
- `pgpool.tls.certKeyFilename`: Certificate key filename. No defaults.
|
||||
|
||||
For example:
|
||||
|
||||
- First, create the secret with the cetificates files:
|
||||
|
||||
```console
|
||||
kubectl create secret generic certificates-pgpool.tls.secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
|
||||
```
|
||||
|
||||
- Then, use the following parameters:
|
||||
|
||||
```console
|
||||
pgpool.tls.enabled=true
|
||||
pgpool.tls.certificatesSecret="certificates-pgpool.tls.secret"
|
||||
pgpool.tls.certFilename="cert.crt"
|
||||
pgpool.tls.certKeyFilename="cert.key"
|
||||
```
|
||||
|
||||
> Note TLS and VolumePermissions: PgPool requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, the `volumePermissions` init container will ensure everything works as expected.
|
||||
Learn how to [configure TLS authentication](/<%= platform_path %>/infrastructure/postgresql-ha/administration/enable-tls/)
|
||||
|
||||
### LDAP
|
||||
|
||||
|
||||
@@ -674,3 +674,24 @@ Return the path to the CA cert file.
|
||||
{{- define "postgresql-ha.pgpool.tlsCACert" -}}
|
||||
{{- printf "/opt/bitnami/pgpool/certs/%s" .Values.pgpool.tls.certCAFilename -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the cert file.
|
||||
*/}}
|
||||
{{- define "postgresql-ha.postgresql.tlsCert" -}}
|
||||
{{- required "Certificate filename is required when TLS in enabled" .Values.postgresql.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the cert key file.
|
||||
*/}}
|
||||
{{- define "postgresql-ha.postgresql.tlsCertKey" -}}
|
||||
{{- required "Certificate Key filename is required when TLS in enabled" .Values.postgresql.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the path to the CA cert file.
|
||||
*/}}
|
||||
{{- define "postgresql-ha.postgresql.tlsCACert" -}}
|
||||
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.postgresql.tls.certCAFilename -}}
|
||||
{{- end -}}
|
||||
|
||||
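Review bot: The `required` messages in the two new helpers "postgresql-ha.postgresql.tlsCert" and "postgresql-ha.postgresql.tlsCertKey" read "when TLS in enabled" — the word should be "is", since this text is what an operator sees when a render fails: `{{- required "Certificate filename is required when TLS is enabled" .Values.postgresql.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}` and the matching line for the key. The CA helper "postgresql-ha.postgresql.tlsCACert" has no `required` guard, which mirrors the pgpool counterpart shown at the top of the hunk and is fine as long as every caller gates it on the filename being set; a short comment above it saying `Callers must check .Values.postgresql.tls.certCAFilename before using this helper` would make that contract explicit.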
@@ -70,6 +70,32 @@ spec:
|
||||
serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name}}
|
||||
{{- end }}
|
||||
initContainers:
|
||||
{{- if .Values.postgresql.tls.enabled }}
|
||||
- name: init-chmod-data
|
||||
image: {{ template "postgresql-ha.volumePermissionsImage" . }}
|
||||
imagePullPolicy: {{ .Values.volumePermissionsImage.pullPolicy | quote }}
|
||||
command:
|
||||
- /bin/sh
|
||||
- -cx
|
||||
- |
|
||||
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
|
||||
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
|
||||
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
|
||||
{{- else }}
|
||||
chown -R {{ .Values.postgresql.containerSecurityContext.runAsUser }}:{{ .Values.postgresql.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/
|
||||
{{- end }}
|
||||
chmod 600 {{ template "postgresql-ha.postgresql.tlsCertKey" . }}
|
||||
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: raw-certificates
|
||||
mountPath: /tmp/certs
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- end }}
|
||||
{{- if and .Values.persistence.enabled (or (or (not (empty .Values.postgresql.extendedConf)) (not (empty .Values.postgresql.extendedConfCM)) ) .Values.volumePermissions.enabled) }}
|
||||
- name: init-chmod-data
|
||||
image: {{ include "postgresql-ha.volumePermissionsImage" . }}
|
||||
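Review bot: The TLS init container added under `{{- if .Values.postgresql.tls.enabled }}` is named `init-chmod-data`, the same name as the volume-permissions init container that follows it in the `{{- if and .Values.persistence.enabled ... .Values.volumePermissions.enabled }}` block; when both conditions hold the pod spec contains two initContainers with one name and the API server rejects the StatefulSet. Give the new container a distinct name, e.g. `- name: init-certs`. The `chmod 600` is applied only to the key path, which is the right scope; the certificate and CA copied by `cp` keep whatever mode `cp` gives them, which is acceptable since they are not secret. The `chown`/`securityContext` branches copy the existing pgpool pattern, so the behaviour with `runAsUser: auto` appears consistent with the rest of the chart, but I have not verified the pgpool side outside this hunk.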
@@ -212,6 +238,20 @@ spec:
|
||||
- name: POSTGRESQL_PGHBA_REMOVE_FILTERS
|
||||
value: {{ .Values.postgresql.pghbaRemoveFilters | quote }}
|
||||
{{- end }}
|
||||
- name: POSTGRESQL_ENABLE_TLS
|
||||
value: {{ ternary "yes" "no" .Values.postgresql.tls.enabled | quote }}
|
||||
{{- if .Values.postgresql.tls.enabled }}
|
||||
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
|
||||
value: {{ ternary "yes" "no" .Values.postgresql.tls.preferServerCiphers | quote }}
|
||||
- name: POSTGRESQL_TLS_CERT_FILE
|
||||
value: {{ template "postgresql-ha.postgresql.tlsCert" . }}
|
||||
- name: POSTGRESQL_TLS_KEY_FILE
|
||||
value: {{ template "postgresql-ha.postgresql.tlsCertKey" . }}
|
||||
{{- if .Values.pgpool.tls.certCAFilename }}
|
||||
- name: POSTGRESQL_TLS_CA_FILE
|
||||
value: {{ template "postgresql-ha.postgresql.tlsCACert" . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# Repmgr configuration
|
||||
- name: MY_POD_NAME
|
||||
valueFrom:
|
||||
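Review bot: `POSTGRESQL_TLS_CA_FILE` is gated on `{{- if .Values.pgpool.tls.certCAFilename }}` but the value comes from "postgresql-ha.postgresql.tlsCACert", which reads `.Values.postgresql.tls.certCAFilename`. With only the postgresql CA set, the env var is silently omitted and the server never verifies client certificates; with only the pgpool CA set, the env var renders as the bare directory `/opt/bitnami/postgresql/certs/`, which will fail at startup. The condition should be `{{- if .Values.postgresql.tls.certCAFilename }}`. The enclosing `env:` list starts and ends outside the hunk.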
@@ -354,6 +394,10 @@ spec:
|
||||
- name: postgresql-password
|
||||
mountPath: /opt/bitnami/postgresql/secrets/
|
||||
{{- end }}
|
||||
{{- if .Values.postgresql.tls.enabled }}
|
||||
- name: postgresql-certificates
|
||||
mountPath: /opt/bitnami/postgresql/certs
|
||||
{{- end }}
|
||||
- name: data
|
||||
mountPath: {{ .Values.persistence.mountPath }}
|
||||
- name: hooks-scripts
|
||||
@@ -480,6 +524,13 @@ spec:
|
||||
configMap:
|
||||
name: {{ template "postgresql-ha.postgresqlInitdbScriptsCM" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.postgresql.tls.enabled }}
|
||||
- name: raw-certificates
|
||||
secret:
|
||||
secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.postgresql.tls.certificatesSecret }}
|
||||
- name: postgresql-certificates
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
|
||||
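Review bot: The `postgresql-certificates` volume that receives the copied private key is a plain `emptyDir: {}`, which is backed by node disk by default, whereas the `raw-certificates` Secret volume it is copied from is memory-backed by the kubelet. Since the only reason for the copy is to fix ownership and mode, backing the target with memory keeps the key off the node's disk at no cost: replace the line with `emptyDir:` followed by `  medium: Memory`. The `required` message on `secretName` is clear and matches the style used elsewhere in the hunk.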
@@ -534,6 +534,36 @@ postgresql:
|
||||
##
|
||||
# initdbScriptsSecret:
|
||||
|
||||
##
|
||||
## TLS configuration
|
||||
##
|
||||
tls:
|
||||
## Enable TLS traffic
|
||||
##
|
||||
enabled: false
|
||||
##
|
||||
## Whether to use the server's TLS cipher preferences rather than the client's.
|
||||
##
|
||||
preferServerCiphers: true
|
||||
##
|
||||
## Name of the Secret that contains the certificates
|
||||
##
|
||||
certificatesSecret: ""
|
||||
##
|
||||
## Certificate filename
|
||||
##
|
||||
certFilename: ""
|
||||
##
|
||||
## Certificate Key filename
|
||||
##
|
||||
certKeyFilename: ""
|
||||
##
|
||||
## CA Certificate filename
|
||||
## If provided, PgPool will authenticate TLS/SSL clients by requesting them a certificate
|
||||
## ref: https://www.pgpool.net/docs/latest/en/html/runtime-ssl.html
|
||||
##
|
||||
certCAFilename:
|
||||
|
||||
## Pgpool parameters
|
||||
##
|
||||
pgpool:
|
||||
|
||||
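Review bot: The comment block above `certCAFilename:` in the new `postgresql.tls` section describes PgPool ("If provided, PgPool will authenticate TLS/SSL clients ...") and links to the pgpool SSL runtime docs, although this key configures the PostgreSQL server; the same text was carried into the README table row for `postgresql.tls.certCAFilename` earlier in this commit. Reword it to `## If provided, PostgreSQL will use it to verify client certificates` and point the `ref:` at the PostgreSQL SSL documentation. Separately, `certCAFilename:` is the only key in the block with a bare empty value (parsed as null) while its siblings use `""`; `certCAFilename: ""` keeps the block consistent and avoids a null/empty-string distinction that the template conditions do not need. The `tls:` mapping is complete within the hunk.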