Add tls to Postgresql

This PS provides the capability to enable tls for the
Postgresql chart.

Change-Id: Ie1ebd693dbf23f98bef832e3c57defe3a4e026bd
This commit is contained in:
anthony.bellino 2020-09-24 21:09:19 +00:00 committed by Anthony Bellino
parent 1e892660d0
commit ce9d420ee5
5 changed files with 74 additions and 1 deletions

View File

@ -15,7 +15,7 @@ apiVersion: v1
appVersion: v9.6 appVersion: v9.6
description: OpenStack-Helm PostgreSQL description: OpenStack-Helm PostgreSQL
name: postgresql name: postgresql
version: 0.1.7 version: 0.1.8
home: https://www.postgresql.org home: https://www.postgresql.org
sources: sources:
- https://github.com/postgres/postgres - https://github.com/postgres/postgres

View File

@ -0,0 +1,14 @@
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.certificates -}}
{{ dict "envAll" . "service" "postgresql" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end -}}

View File

@ -149,6 +149,13 @@ spec:
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} {{ .Values.storage.mount.path }}; /bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} {{ .Values.storage.mount.path }};
/bin/chmod 700 {{ .Values.storage.mount.path }}; /bin/chmod 700 {{ .Values.storage.mount.path }};
/bin/chmod 700 {{ .Values.storage.mount.path }}/*; /bin/chmod 700 {{ .Values.storage.mount.path }}/*;
{{- if .Values.manifests.certificates }}
/bin/cp /server_certs_temp/* /server_certs/.;
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs;
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs/*;
/bin/chmod 700 /server_certs;
/bin/chmod 600 /server_certs/*;
{{- end }}
{{ dict "envAll" $envAll "application" "server" "container" "set_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} {{ dict "envAll" $envAll "application" "server" "container" "set_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
volumeMounts: volumeMounts:
- name: pod-tmp - name: pod-tmp
@ -156,6 +163,14 @@ spec:
- name: postgresql-data - name: postgresql-data
mountPath: {{ .Values.storage.mount.path }} mountPath: {{ .Values.storage.mount.path }}
subPath: {{ .Values.storage.mount.subpath }} subPath: {{ .Values.storage.mount.subpath }}
{{- if .Values.manifests.certificates }}
- name: server-certs
mountPath: /server_certs
# server-cert-temp mountpoint is temp storage for secrets. We copy the
# secrets to server-certs folder and set owner and permissions.
# This is needed because the secrets are always created readonly.
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal "path" "/server_certs_temp" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- end }}
containers: containers:
- name: postgresql - name: postgresql
{{ tuple $envAll "postgresql" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll "postgresql" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -234,6 +249,10 @@ spec:
mountPath: /tmp/archive_cleanup.sh mountPath: /tmp/archive_cleanup.sh
subPath: archive_cleanup.sh subPath: archive_cleanup.sh
readOnly: true readOnly: true
{{- end }}
{{- if .Values.manifests.certificates }}
- name: server-certs
mountPath: /server_certs
{{- end }} {{- end }}
volumes: volumes:
- name: pod-tmp - name: pod-tmp
@ -247,6 +266,11 @@ spec:
secret: secret:
secretName: postgresql-bin secretName: postgresql-bin
defaultMode: 0555 defaultMode: 0555
{{- if .Values.manifests.certificates }}
- name: server-certs
emptyDir: {}
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- end }}
- name: postgresql-etc - name: postgresql-etc
configMap: configMap:
name: postgresql-etc name: postgresql-etc

View File

@ -303,6 +303,11 @@ conf:
max_worker_processes: '10' max_worker_processes: '10'
port: '5432' port: '5432'
shared_buffers: '2GB' shared_buffers: '2GB'
ssl: 'off'
ssl_cert_file: '/server_certs/tls.crt'
ssl_ca_file: '/server_certs/ca.crt'
ssl_key_file: '/server_certs/tls.key'
ssl_ciphers: 'TLSv1.2:!aNULL'
tcp_keepalives_idle: '900' tcp_keepalives_idle: '900'
tcp_keepalives_interval: '100' tcp_keepalives_interval: '100'
timezone: 'UTC' timezone: 'UTC'
@ -340,6 +345,9 @@ secrets:
exporter: postgresql-exporter exporter: postgresql-exporter
audit: postgresql-audit audit: postgresql-audit
backup_restore: postgresql-backup-restore backup_restore: postgresql-backup-restore
tls:
server:
internal: postgresql-tls-direct
identity: identity:
admin: keystone-admin-user admin: keystone-admin-user
postgresql: postgresql-backup-user postgresql: postgresql-backup-user
@ -441,6 +449,7 @@ endpoints:
internal: 5000 internal: 5000
manifests: manifests:
certificates: false
configmap_bin: true configmap_bin: true
configmap_etc: true configmap_etc: true
job_image_repo_sync: true job_image_repo_sync: true

View File

@ -0,0 +1,26 @@
---
conf:
postgresql:
ssl: 'on'
pod:
security_context:
server:
container:
perms:
readOnlyRootFilesystem: false
postgresql:
runAsUser: 0
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
endpoints:
postgresql:
host_fqdn_override:
default:
tls:
secretName: postgresql-tls-direct
issuerRef:
name: ca-issuer
kind: ClusterIssuer
manifests:
certificates: true
...