From 302a62e39bb9dac7a31249934f18eefe57f73c88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20R=C3=ADos=20Saavedra?=
Date: Wed, 2 Jun 2021 09:56:56 +0200
Subject: [PATCH] =?UTF-8?q?[bitnami/postgresql-ha]Adds=20SSL=20connections?= =?UTF-8?q?=20between=20pgpool=20and=20postgr=E2=80=A6=20(#6497)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [bitnami/postgresql-ha]Adds SSL connections between pgpool and postgresql
* Fixes _helpers subrutines. Link to documentation
* Removes empty line in chart.yaml
Co-authored-by: rafael
---
 bitnami/postgresql-ha/Chart.yaml | 2 +-
 bitnami/postgresql-ha/README.md | 34 +++----------
 bitnami/postgresql-ha/templates/_helpers.tpl | 21 ++++++++
 .../templates/postgresql/statefulset.yaml | 51 +++++++++++++++++++
 bitnami/postgresql-ha/values.yaml | 30 +++++++++++
 5 files changed, 111 insertions(+), 27 deletions(-)
diff --git a/bitnami/postgresql-ha/Chart.yaml b/bitnami/postgresql-ha/Chart.yaml
index b0492d30ba..5fd5151966 100644
--- a/bitnami/postgresql-ha/Chart.yaml
+++ b/bitnami/postgresql-ha/Chart.yaml
@@ -27,4 +27,4 @@ name: postgresql-ha
 sources:
 - https://github.com/bitnami/bitnami-docker-postgresql
 - https://www.postgresql.org/
-version: 7.5.4
+version: 7.6.0
diff --git a/bitnami/postgresql-ha/README.md b/bitnami/postgresql-ha/README.md
index 800a97a1a2..80ecdabf59 100644
--- a/bitnami/postgresql-ha/README.md
+++ b/bitnami/postgresql-ha/README.md
@@ -160,6 +160,12 @@ The following table lists the configurable parameters of the PostgreSQL HA chart
 | `postgresql.initdbScripts` | Dictionary of initdb scripts | `nil` |
 | `postgresql.initdbScriptsCM` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` |
 | `postgresql.initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with initdbScriptsCM or initdbScripts). The value is evaluated as a template. | `nil` |
+| `postgresql.tls.enabled` | Enable TLS traffic support for end-client connections | `false` |
+| `postgresql.tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
+| `postgresql.tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` |
+| `postgresql.tls.certFilename` | Certificate filename | `""` |
+| `postgresql.tls.certKeyFilename` | Certificate key filename | `""` |
+| `postgresql.tls.certCAFilename` | CA Certificate filename. If provided, PgPool will authenticate TLS/SSL clients by requesting them a certificate. | `nil` |
 | **Pgpool** | | |
 | `pgpoolImage.registry` | Registry for Pgpool | `docker.io` |
 | `pgpoolImage.repository` | Repository for Pgpool | `bitnami/pgpool` |
@@ -367,33 +373,9 @@ As an alternative, this chart supports using an initContainer to change the owne
 You can enable this initContainer by setting `volumePermissions.enabled` to `true`.
-### Securing Pgpool traffic using TLS
+### Securing traffic using TLS
-TLS for end-client connections can be enabled in the chart by specifying the `pgpool.tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: - -- `pgpool.tls.enabled`: Enable TLS support. Defaults to `false` - - `pgpool.tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. - - `pgpool.tls.certFilename`: Certificate filename. No defaults. - - `pgpool.tls.certKeyFilename`: Certificate key filename. No defaults. - -For example: - - First, create the secret with the cetificates files: - - ```console - kubectl create secret generic certificates-pgpool.tls.secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt - ``` - - Then, use the following parameters: - - ```console - pgpool.tls.enabled=true - pgpool.tls.certificatesSecret="certificates-pgpool.tls.secret" - pgpool.tls.certFilename="cert.crt" - pgpool.tls.certKeyFilename="cert.key" - ``` - - > Note TLS and VolumePermissions: PgPool requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, the `volumePermissions` init container will ensure everything works as expected.
+Learn how to [configure TLS authentication](/<%= platform_path %>/infrastructure/postgresql-ha/administration/enable-tls/)
 ### LDAP
diff --git a/bitnami/postgresql-ha/templates/_helpers.tpl b/bitnami/postgresql-ha/templates/_helpers.tpl
index 32246d3bb6..17638d4640 100644
--- a/bitnami/postgresql-ha/templates/_helpers.tpl
+++ b/bitnami/postgresql-ha/templates/_helpers.tpl
@@ -674,3 +674,24 @@ Return the path to the CA cert file.
 {{- define "postgresql-ha.pgpool.tlsCACert" -}}
 {{- printf "/opt/bitnami/pgpool/certs/%s" .Values.pgpool.tls.certCAFilename -}}
 {{- end -}}
+
+{{/*
+Return the path to the cert file.
+*/}}
+{{- define "postgresql-ha.postgresql.tlsCert" -}}
+{{- required "Certificate filename is required when TLS in enabled" .Values.postgresql.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
+{{- end -}}
+
+{{/*
+Return the path to the cert key file.
+*/}}
+{{- define "postgresql-ha.postgresql.tlsCertKey" -}}
+{{- required "Certificate Key filename is required when TLS in enabled" .Values.postgresql.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
+{{- end -}}
+
+{{/*
+Return the path to the CA cert file.
+*/}}
+{{- define "postgresql-ha.postgresql.tlsCACert" -}}
+{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.postgresql.tls.certCAFilename -}}
+{{- end -}}
diff --git a/bitnami/postgresql-ha/templates/postgresql/statefulset.yaml b/bitnami/postgresql-ha/templates/postgresql/statefulset.yaml
index c0fdca3666..0a04601c20 100644
--- a/bitnami/postgresql-ha/templates/postgresql/statefulset.yaml
+++ b/bitnami/postgresql-ha/templates/postgresql/statefulset.yaml
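Review bot: Both `required` messages in the new `postgresql-ha.postgresql.tlsCert` and `postgresql-ha.postgresql.tlsCertKey` helpers read "when TLS in enabled"; this is the text a user sees when rendering fails, so it should be `"Certificate filename is required when TLS is enabled"` and `"Certificate Key filename is required when TLS is enabled"`. The new `postgresql-ha.postgresql.tlsCACert` helper, like its pgpool counterpart above it, has no `required` guard and yields the bare directory `/opt/bitnami/postgresql/certs/` when `certCAFilename` is empty, so every caller must gate on `.Values.postgresql.tls.certCAFilename` being set; a one-line comment on the define saying `{{/* Callers must check .Values.postgresql.tls.certCAFilename first; no required guard here */}}` would make that contract visible.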
@@ -70,6 +70,32 @@ spec:
 serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name}}
 {{- end }}
 initContainers:
+ {{- if .Values.postgresql.tls.enabled }}
+ - name: init-chmod-data
+ image: {{ template "postgresql-ha.volumePermissionsImage" . }}
+ imagePullPolicy: {{ .Values.volumePermissionsImage.pullPolicy | quote }}
+ command:
+ - /bin/sh
+ - -cx
+ - |
+ cp /tmp/certs/* /opt/bitnami/postgresql/certs/
+ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+ chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
+ {{- else }}
+ chown -R {{ .Values.postgresql.containerSecurityContext.runAsUser }}:{{ .Values.postgresql.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/
+ {{- end }}
+ chmod 600 {{ template "postgresql-ha.postgresql.tlsCertKey" . }}
+ {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+ securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }}
+ {{- else }}
+ securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: raw-certificates
+ mountPath: /tmp/certs
+ - name: postgresql-certificates
+ mountPath: /opt/bitnami/postgresql/certs
+ {{- end }}
 {{- if and .Values.persistence.enabled (or (or (not (empty .Values.postgresql.extendedConf)) (not (empty .Values.postgresql.extendedConfCM)) ) .Values.volumePermissions.enabled) }}
 - name: init-chmod-data
 image: {{ include "postgresql-ha.volumePermissionsImage" . }}
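Review bot: The new TLS init container is named `init-chmod-data`, which is also the name of the existing volume-permissions init container visible in the trailing context of this hunk; when `postgresql.tls.enabled` and the persistence/volumePermissions condition are both true the pod template contains two init containers with the same name, and the API server rejects it as a duplicate name. Give the new container a distinct name, e.g. `- name: init-certs`, so the two can coexist. The `chmod 600` is applied only to the key file, and the copied cert and CA keep whatever mode `cp` gave them, which is fine for public material but worth a one-line comment such as `# only the private key needs to be owner-readable` so nobody later "fixes" it to the whole directory. The `initContainers:` list is inside a pod template that starts and ends outside this hunk.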
@@ -212,6 +238,20 @@ spec:
 - name: POSTGRESQL_PGHBA_REMOVE_FILTERS
 value: {{ .Values.postgresql.pghbaRemoveFilters | quote }}
 {{- end }}
+ - name: POSTGRESQL_ENABLE_TLS
+ value: {{ ternary "yes" "no" .Values.postgresql.tls.enabled | quote }}
+ {{- if .Values.postgresql.tls.enabled }}
+ - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
+ value: {{ ternary "yes" "no" .Values.postgresql.tls.preferServerCiphers | quote }}
+ - name: POSTGRESQL_TLS_CERT_FILE
+ value: {{ template "postgresql-ha.postgresql.tlsCert" . }}
+ - name: POSTGRESQL_TLS_KEY_FILE
+ value: {{ template "postgresql-ha.postgresql.tlsCertKey" . }}
+ {{- if .Values.pgpool.tls.certCAFilename }}
+ - name: POSTGRESQL_TLS_CA_FILE
+ value: {{ template "postgresql-ha.postgresql.tlsCACert" . }}
+ {{- end }}
+ {{- end }}
 # Repmgr configuration
 - name: MY_POD_NAME
 valueFrom:
@@ -354,6 +394,10 @@ spec:
 - name: postgresql-password
 mountPath: /opt/bitnami/postgresql/secrets/
 {{- end }}
+ {{- if .Values.postgresql.tls.enabled }}
+ - name: postgresql-certificates
+ mountPath: /opt/bitnami/postgresql/certs
+ {{- end }}
 - name: data
 mountPath: {{ .Values.persistence.mountPath }}
 - name: hooks-scripts
@@ -480,6 +524,13 @@ spec:
 configMap:
 name: {{ template "postgresql-ha.postgresqlInitdbScriptsCM" . }}
 {{- end }}
+ {{- if .Values.postgresql.tls.enabled }}
+ - name: raw-certificates
+ secret:
+ secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.postgresql.tls.certificatesSecret }}
+ - name: postgresql-certificates
+ emptyDir: {}
+ {{- end }}
 {{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
 - name: data
 persistentVolumeClaim:
diff --git a/bitnami/postgresql-ha/values.yaml b/bitnami/postgresql-ha/values.yaml
index 537c37c564..67e6a64d8e 100644
--- a/bitnami/postgresql-ha/values.yaml
+++ b/bitnami/postgresql-ha/values.yaml
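Review bot: The guard around `POSTGRESQL_TLS_CA_FILE` tests `.Values.pgpool.tls.certCAFilename`, but the value it emits comes from `postgresql-ha.postgresql.tlsCACert`, which reads `.Values.postgresql.tls.certCAFilename`. Setting only the PostgreSQL CA filename therefore never passes a CA to the server, so client-certificate verification silently stays off, while setting only the pgpool one renders `/opt/bitnami/postgresql/certs/` with no filename; the condition should be `{{- if .Values.postgresql.tls.certCAFilename }}`. The `env:` list this hunk extends starts before the hunk.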
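Review bot: In the volumes hunk, `postgresql-certificates` is a default `emptyDir: {}`, so the private key the init container copies into it lands on the node's disk, whereas the `raw-certificates` Secret mount itself is served from tmpfs by the kubelet. If keeping the key off node storage matters, `emptyDir:` followed by `medium: Memory` keeps the copy in RAM at the cost of counting toward the pod's memory limit; the pgpool TLS volume elsewhere in the chart presumably makes the same choice, so whichever way this goes, keep the two consistent. The `volumes:` list continues outside this hunk.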
@@ -534,6 +534,36 @@ postgresql:
 ##
 # initdbScriptsSecret:
+ ##
+ ## TLS configuration
+ ##
+ tls:
+ ## Enable TLS traffic
+ ##
+ enabled: false
+ ##
+ ## Whether to use the server's TLS cipher preferences rather than the client's.
+ ##
+ preferServerCiphers: true
+ ##
+ ## Name of the Secret that contains the certificates
+ ##
+ certificatesSecret: ""
+ ##
+ ## Certificate filename
+ ##
+ certFilename: ""
+ ##
+ ## Certificate Key filename
+ ##
+ certKeyFilename: ""
+ ##
+ ## CA Certificate filename
+ ## If provided, PgPool will authenticate TLS/SSL clients by requesting them a certificate
+ ## ref: https://www.pgpool.net/docs/latest/en/html/runtime-ssl.html
+ ##
+ certCAFilename:
+
 ## Pgpool parameters
 ##
 pgpool:
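Review bot: The comment on `certCAFilename` under `postgresql.tls` says "PgPool will authenticate TLS/SSL clients" and its `ref:` points at the Pgpool SSL page, which looks copied from the pgpool section; for this key it is the PostgreSQL server that verifies client certificates, so the comment should read `## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate` and the reference should point at PostgreSQL's own SSL documentation. `certCAFilename:` is also left bare, which loads as null while its siblings default to `""`; `certCAFilename: ""` keeps the defaults uniform, and both forms are falsy for the template's `if` checks so nothing else changes. The `postgresql:` mapping starts before this hunk.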