Add tls to Postgresql
This patch set adds the ability to enable TLS for the PostgreSQL chart. Change-Id: Ie1ebd693dbf23f98bef832e3c57defe3a4e026bd
This commit is contained in:
parent
1e892660d0
commit
ce9d420ee5
@ -15,7 +15,7 @@ apiVersion: v1
|
|||||||
appVersion: v9.6
|
appVersion: v9.6
|
||||||
description: OpenStack-Helm PostgreSQL
|
description: OpenStack-Helm PostgreSQL
|
||||||
name: postgresql
|
name: postgresql
|
||||||
version: 0.1.7
|
version: 0.1.8
|
||||||
home: https://www.postgresql.org
|
home: https://www.postgresql.org
|
||||||
sources:
|
sources:
|
||||||
- https://github.com/postgres/postgres
|
- https://github.com/postgres/postgres
|
||||||
|
14
postgresql/templates/certificates.yaml
Normal file
14
postgresql/templates/certificates.yaml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
{{/*
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
{{- if .Values.manifests.certificates -}}
|
||||||
|
{{ dict "envAll" . "service" "postgresql" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
{{- end -}}
|
@ -149,6 +149,13 @@ spec:
|
|||||||
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} {{ .Values.storage.mount.path }};
|
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} {{ .Values.storage.mount.path }};
|
||||||
/bin/chmod 700 {{ .Values.storage.mount.path }};
|
/bin/chmod 700 {{ .Values.storage.mount.path }};
|
||||||
/bin/chmod 700 {{ .Values.storage.mount.path }}/*;
|
/bin/chmod 700 {{ .Values.storage.mount.path }}/*;
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
/bin/cp /server_certs_temp/* /server_certs/.;
|
||||||
|
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs;
|
||||||
|
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs/*;
|
||||||
|
/bin/chmod 700 /server_certs;
|
||||||
|
/bin/chmod 600 /server_certs/*;
|
||||||
|
{{- end }}
|
||||||
{{ dict "envAll" $envAll "application" "server" "container" "set_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
{{ dict "envAll" $envAll "application" "server" "container" "set_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -156,6 +163,14 @@ spec:
|
|||||||
- name: postgresql-data
|
- name: postgresql-data
|
||||||
mountPath: {{ .Values.storage.mount.path }}
|
mountPath: {{ .Values.storage.mount.path }}
|
||||||
subPath: {{ .Values.storage.mount.subpath }}
|
subPath: {{ .Values.storage.mount.subpath }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: server-certs
|
||||||
|
mountPath: /server_certs
|
||||||
|
# server-cert-temp mountpoint is temp storage for secrets. We copy the
|
||||||
|
# secrets to server-certs folder and set owner and permissions.
|
||||||
|
# This is needed because the secrets are always created readonly.
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal "path" "/server_certs_temp" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||||
|
{{- end }}
|
||||||
containers:
|
containers:
|
||||||
- name: postgresql
|
- name: postgresql
|
||||||
{{ tuple $envAll "postgresql" | include "helm-toolkit.snippets.image" | indent 10 }}
|
{{ tuple $envAll "postgresql" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||||
@ -234,6 +249,10 @@ spec:
|
|||||||
mountPath: /tmp/archive_cleanup.sh
|
mountPath: /tmp/archive_cleanup.sh
|
||||||
subPath: archive_cleanup.sh
|
subPath: archive_cleanup.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: server-certs
|
||||||
|
mountPath: /server_certs
|
||||||
{{- end }}
|
{{- end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: pod-tmp
|
- name: pod-tmp
|
||||||
@ -247,6 +266,11 @@ spec:
|
|||||||
secret:
|
secret:
|
||||||
secretName: postgresql-bin
|
secretName: postgresql-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{- if .Values.manifests.certificates }}
|
||||||
|
- name: server-certs
|
||||||
|
emptyDir: {}
|
||||||
|
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||||
|
{{- end }}
|
||||||
- name: postgresql-etc
|
- name: postgresql-etc
|
||||||
configMap:
|
configMap:
|
||||||
name: postgresql-etc
|
name: postgresql-etc
|
||||||
|
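Review bot: The `server-certs` volume that receives the copied private key is a plain `emptyDir: {}`, so `tls.key` (copied there by the `set_volume_perms` init container in the earlier hunk of this file and chmod'ed to 600) is written to node-local disk rather than only to memory like the Secret-backed `tls_volume_mount` it was copied from. Backing it with tmpfs keeps the key off the node's filesystem and is dropped with the pod: `emptyDir:` / `  medium: Memory`. The `chown`/`chmod` sequence in the init container is reasonable as written; if that container runs with `set -e` the `/server_certs_temp/*` glob will fail the pod when the secret is empty, which is worth a comment since the surrounding script starts outside the hunk. The enclosing StatefulSet `spec` continues outside this hunk.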
@ -303,6 +303,11 @@ conf:
|
|||||||
max_worker_processes: '10'
|
max_worker_processes: '10'
|
||||||
port: '5432'
|
port: '5432'
|
||||||
shared_buffers: '2GB'
|
shared_buffers: '2GB'
|
||||||
|
ssl: 'off'
|
||||||
|
ssl_cert_file: '/server_certs/tls.crt'
|
||||||
|
ssl_ca_file: '/server_certs/ca.crt'
|
||||||
|
ssl_key_file: '/server_certs/tls.key'
|
||||||
|
ssl_ciphers: 'TLSv1.2:!aNULL'
|
||||||
tcp_keepalives_idle: '900'
|
tcp_keepalives_idle: '900'
|
||||||
tcp_keepalives_interval: '100'
|
tcp_keepalives_interval: '100'
|
||||||
timezone: 'UTC'
|
timezone: 'UTC'
|
||||||
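Review bot: `ssl_ciphers: 'TLSv1.2:!aNULL'` is an OpenSSL cipher-list string, and as far as I can tell the `TLSv1.2` keyword is not restricted to `ALL`, so it still admits the null-encryption suites that `!aNULL` alone does not exclude; adding `!eNULL` is the usual belt-and-braces: `ssl_ciphers: 'TLSv1.2:!aNULL:!eNULL'`. Note also that this keyword selects cipher suites by version rather than setting a minimum protocol version; `ssl_min_protocol_version` would express that intent directly but only exists from PostgreSQL 12, and this chart's `appVersion` is `v9.6` in the Chart.yaml hunk, so a short comment above the key saying the string was verified with `openssl ciphers -v` would help the next maintainer. The `conf:` mapping continues outside this hunk.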
@ -340,6 +345,9 @@ secrets:
|
|||||||
exporter: postgresql-exporter
|
exporter: postgresql-exporter
|
||||||
audit: postgresql-audit
|
audit: postgresql-audit
|
||||||
backup_restore: postgresql-backup-restore
|
backup_restore: postgresql-backup-restore
|
||||||
|
tls:
|
||||||
|
server:
|
||||||
|
internal: postgresql-tls-direct
|
||||||
identity:
|
identity:
|
||||||
admin: keystone-admin-user
|
admin: keystone-admin-user
|
||||||
postgresql: postgresql-backup-user
|
postgresql: postgresql-backup-user
|
||||||
@ -441,6 +449,7 @@ endpoints:
|
|||||||
internal: 5000
|
internal: 5000
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
|
certificates: false
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
|
26
postgresql/values_overrides/tls.yaml
Normal file
26
postgresql/values_overrides/tls.yaml
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
---
|
||||||
|
conf:
|
||||||
|
postgresql:
|
||||||
|
ssl: 'on'
|
||||||
|
pod:
|
||||||
|
security_context:
|
||||||
|
server:
|
||||||
|
container:
|
||||||
|
perms:
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
postgresql:
|
||||||
|
runAsUser: 0
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
|
readOnlyRootFilesystem: false
|
||||||
|
endpoints:
|
||||||
|
postgresql:
|
||||||
|
host_fqdn_override:
|
||||||
|
default:
|
||||||
|
tls:
|
||||||
|
secretName: postgresql-tls-direct
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
kind: ClusterIssuer
|
||||||
|
manifests:
|
||||||
|
certificates: true
|
||||||
|
...
|
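Review bot: The `postgresql` container block sets `runAsUser: 0`, `allowPrivilegeEscalation: true` and `readOnlyRootFilesystem: false`, which turns enabling TLS into running the database server as root with escalation allowed, widening the impact of any compromise of the server process. The `set_volume_perms` init container in the statefulset hunks already `chown`s `/server_certs` to `pod.security_context.server.pod.runAsUser` and sets `600` on the key, so it is not obvious from this change why the server still needs uid 0; the same applies to `perms.readOnlyRootFilesystem: false`, since `/server_certs` is a volume mount and writable regardless. If the image entrypoint genuinely requires it, add a comment above `postgresql:` such as `# NOTE: uid 0 is required here because <reason>; the perms init container already owns /server_certs to runAsUser`; otherwise drop the three keys so the TLS override does not relax the container security context.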